From: Sasha Levin Date: Mon, 13 Mar 2023 12:06:03 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v4.14.310~87^2~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c46f1f3b8dbb41e4a4bd67f231fef1237938bde;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/af_unix-fix-struct-pid-leaks-in-oob-support.patch b/queue-6.1/af_unix-fix-struct-pid-leaks-in-oob-support.patch new file mode 100644 index 00000000000..cc07a127191 --- /dev/null +++ b/queue-6.1/af_unix-fix-struct-pid-leaks-in-oob-support.patch @@ -0,0 +1,88 @@ +From 1db4805d336e9d1a1edb85a6fa8b32d834a77fb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 16:45:30 +0000 +Subject: af_unix: fix struct pid leaks in OOB support + +From: Eric Dumazet + +[ Upstream commit 2aab4b96900272885bc157f8b236abf1cdc02e08 ] + +syzbot reported struct pid leak [1]. + +Issue is that queue_oob() calls maybe_add_creds() which potentially +holds a reference on a pid. + +But skb->destructor is not set (either directly or by calling +unix_scm_to_skb()) + +This means that subsequent kfree_skb() or consume_skb() would leak +this reference. + +In this fix, I chose to fully support scm even for the OOB message. + +[1] +BUG: memory leak +unreferenced object 0xffff8881053e7f80 (size 128): +comm "syz-executor242", pid 5066, jiffies 4294946079 (age 13.220s) +hex dump (first 32 bytes): +01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +backtrace: +[] alloc_pid+0x6a/0x560 kernel/pid.c:180 +[] copy_process+0x169f/0x26c0 kernel/fork.c:2285 +[] kernel_clone+0xf7/0x610 kernel/fork.c:2684 +[] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825 +[] do_syscall_x64 arch/x86/entry/common.c:50 [inline] +[] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 +[] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Reported-by: syzbot+7699d9e5635c10253a27@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Cc: Rao Shoaib +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230307164530.771896-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index f0c2293f1d3b8..7d17601ceee79 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2104,7 +2104,8 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + #define UNIX_SKB_FRAGS_SZ (PAGE_SIZE << get_order(32768)) + + #if IS_ENABLED(CONFIG_AF_UNIX_OOB) +-static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other) ++static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other, ++ struct scm_cookie *scm, bool fds_sent) + { + struct unix_sock *ousk = unix_sk(other); + struct sk_buff *skb; +@@ -2115,6 +2116,11 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other + if (!skb) + return err; + ++ err = unix_scm_to_skb(scm, skb, !fds_sent); ++ if (err < 0) { ++ kfree_skb(skb); ++ return err; ++ } + skb_put(skb, 1); + err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, 1); + +@@ -2242,7 +2248,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, + + #if IS_ENABLED(CONFIG_AF_UNIX_OOB) + if (msg->msg_flags & MSG_OOB) { +- err = queue_oob(sock, msg, other); ++ err = queue_oob(sock, msg, other, &scm, fds_sent); + if (err) + goto out_err; + sent++; +-- +2.39.2 + diff --git a/queue-6.1/bgmac-fix-initial-chip-reset-to-support-bcm5358.patch b/queue-6.1/bgmac-fix-initial-chip-reset-to-support-bcm5358.patch new file mode 100644 index 00000000000..6b398b4d1fa --- /dev/null +++ b/queue-6.1/bgmac-fix-initial-chip-reset-to-support-bcm5358.patch @@ -0,0 +1,92 @@ +From ec20ea61e79f1fcc15fab128173282f45724263d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 10:11:56 +0100 +Subject: bgmac: fix *initial* chip reset to support BCM5358 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit f99e6d7c4ed3be2531bd576425a5bd07fb133bd7 ] + +While bringing hardware up we should perform a full reset including the +switch bit (BGMAC_BCMA_IOCTL_SW_RESET aka SICF_SWRST). It's what +specification says and what reference driver does. + +This seems to be critical for the BCM5358. Without this hardware doesn't +get initialized properly and doesn't seem to transmit or receive any +packets. + +Originally bgmac was calling bgmac_chip_reset() before setting +"has_robosw" property which resulted in expected behaviour. That has +changed as a side effect of adding platform device support which +regressed BCM5358 support. + +Fixes: f6a95a24957a ("net: ethernet: bgmac: Add platform device support") +Cc: Jon Mason +Signed-off-by: Rafał Miłecki +Reviewed-by: Leon Romanovsky +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230227091156.19509-1-zajec5@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bgmac.c | 8 ++++++-- + drivers/net/ethernet/broadcom/bgmac.h | 2 ++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c +index 3038386a5afd8..1761df8fb7f96 100644 +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -890,13 +890,13 @@ static void bgmac_chip_reset_idm_config(struct bgmac *bgmac) + + if (iost & BGMAC_BCMA_IOST_ATTACHED) { + flags = BGMAC_BCMA_IOCTL_SW_CLKEN; +- if (!bgmac->has_robosw) ++ if (bgmac->in_init || !bgmac->has_robosw) + flags |= BGMAC_BCMA_IOCTL_SW_RESET; + } + bgmac_clk_enable(bgmac, flags); + } + +- if (iost & BGMAC_BCMA_IOST_ATTACHED && !bgmac->has_robosw) ++ if (iost & BGMAC_BCMA_IOST_ATTACHED && (bgmac->in_init || !bgmac->has_robosw)) + bgmac_idm_write(bgmac, BCMA_IOCTL, + bgmac_idm_read(bgmac, BCMA_IOCTL) & + ~BGMAC_BCMA_IOCTL_SW_RESET); +@@ -1490,6 +1490,8 @@ int bgmac_enet_probe(struct bgmac *bgmac) + struct net_device *net_dev = bgmac->net_dev; + int err; + ++ bgmac->in_init = true; ++ + bgmac_chip_intrs_off(bgmac); + + net_dev->irq = bgmac->irq; +@@ -1542,6 +1544,8 @@ int bgmac_enet_probe(struct bgmac *bgmac) + /* Omit FCS from max MTU size */ + net_dev->max_mtu = BGMAC_RX_MAX_FRAME_SIZE - ETH_FCS_LEN; + ++ bgmac->in_init = false; ++ + err = register_netdev(bgmac->net_dev); + if (err) { + dev_err(bgmac->dev, "Cannot register net device\n"); +diff --git a/drivers/net/ethernet/broadcom/bgmac.h b/drivers/net/ethernet/broadcom/bgmac.h +index e05ac92c06504..d73ef262991d6 100644 +--- a/drivers/net/ethernet/broadcom/bgmac.h ++++ b/drivers/net/ethernet/broadcom/bgmac.h +@@ -472,6 +472,8 @@ struct bgmac { + int irq; + u32 int_mask; + ++ bool in_init; ++ + /* Current MAC state */ + int mac_speed; + int mac_duplex; +-- +2.39.2 + diff --git a/queue-6.1/block-fix-scan-partition-for-exclusively-open-device.patch b/queue-6.1/block-fix-scan-partition-for-exclusively-open-device.patch new file mode 100644 index 00000000000..71b0919100f --- /dev/null +++ b/queue-6.1/block-fix-scan-partition-for-exclusively-open-device.patch @@ -0,0 +1,103 @@ +From 0cf720960d27fac676afbbbdda51180249754a8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Feb 2023 10:22:00 +0800 +Subject: block: fix scan partition for exclusively open device again + +From: Yu Kuai + +[ Upstream commit e5cfefa97bccf956ea0bb6464c1f6c84fd7a8d9f ] + +As explained in commit 36369f46e917 ("block: Do not reread partition table +on exclusively open device"), reread partition on the device that is +exclusively opened by someone else is problematic. + +This patch will make sure partition scan will only be proceed if current +thread open the device exclusively, or the device is not opened +exclusively, and in the later case, other scanners and exclusive openers +will be blocked temporarily until partition scan is done. + +Fixes: 10c70d95c0f2 ("block: remove the bd_openers checks in blk_drop_partitions") +Cc: +Suggested-by: Jan Kara +Signed-off-by: Yu Kuai +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230217022200.3092987-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/genhd.c | 30 ++++++++++++++++++++++++++---- + block/ioctl.c | 2 +- + 2 files changed, 27 insertions(+), 5 deletions(-) + +diff --git a/block/genhd.c b/block/genhd.c +index 647f7d8d88312..85ae755913e9e 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -359,6 +359,7 @@ EXPORT_SYMBOL_GPL(disk_uevent); + int disk_scan_partitions(struct gendisk *disk, fmode_t mode) + { + struct block_device *bdev; ++ int ret = 0; + + if (disk->flags & (GENHD_FL_NO_PART | GENHD_FL_HIDDEN)) + return -EINVAL; +@@ -368,11 +369,27 @@ int disk_scan_partitions(struct gendisk *disk, fmode_t mode) + return -EBUSY; + + set_bit(GD_NEED_PART_SCAN, &disk->state); +- bdev = blkdev_get_by_dev(disk_devt(disk), mode, NULL); ++ /* ++ * If the device is opened exclusively by current thread already, it's ++ * safe to scan partitons, otherwise, use bd_prepare_to_claim() to ++ * synchronize with other exclusive openers and other partition ++ * scanners. ++ */ ++ if (!(mode & FMODE_EXCL)) { ++ ret = bd_prepare_to_claim(disk->part0, disk_scan_partitions); ++ if (ret) ++ return ret; ++ } ++ ++ bdev = blkdev_get_by_dev(disk_devt(disk), mode & ~FMODE_EXCL, NULL); + if (IS_ERR(bdev)) +- return PTR_ERR(bdev); +- blkdev_put(bdev, mode); +- return 0; ++ ret = PTR_ERR(bdev); ++ else ++ blkdev_put(bdev, mode); ++ ++ if (!(mode & FMODE_EXCL)) ++ bd_abort_claiming(disk->part0, disk_scan_partitions); ++ return ret; + } + + /** +@@ -498,6 +515,11 @@ int __must_check device_add_disk(struct device *parent, struct gendisk *disk, + if (ret) + goto out_unregister_bdi; + ++ /* Make sure the first partition scan will be proceed */ ++ if (get_capacity(disk) && !(disk->flags & GENHD_FL_NO_PART) && ++ !test_bit(GD_SUPPRESS_PART_SCAN, &disk->state)) ++ set_bit(GD_NEED_PART_SCAN, &disk->state); ++ + bdev_add(disk->part0, ddev->devt); + if (get_capacity(disk)) + disk_scan_partitions(disk, FMODE_READ); +diff --git a/block/ioctl.c b/block/ioctl.c +index 6dd49d877584a..9c5f637ff153f 100644 +--- a/block/ioctl.c ++++ b/block/ioctl.c +@@ -528,7 +528,7 @@ static int blkdev_common_ioctl(struct block_device *bdev, fmode_t mode, + return -EACCES; + if (bdev_is_partition(bdev)) + return -EINVAL; +- return disk_scan_partitions(bdev->bd_disk, mode & ~FMODE_EXCL); ++ return disk_scan_partitions(bdev->bd_disk, mode); + case BLKTRACESTART: + case BLKTRACESTOP: + case BLKTRACETEARDOWN: +-- +2.39.2 + diff --git a/queue-6.1/block-fix-wrong-mode-for-blkdev_put-from-disk_scan_p.patch b/queue-6.1/block-fix-wrong-mode-for-blkdev_put-from-disk_scan_p.patch new file mode 100644 index 00000000000..42007c52fd4 --- /dev/null +++ b/queue-6.1/block-fix-wrong-mode-for-blkdev_put-from-disk_scan_p.patch @@ -0,0 +1,44 @@ +From 2ecac0f822e38e6d0ea5b2088009d8a9ac976442 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 18:55:52 +0800 +Subject: block: fix wrong mode for blkdev_put() from disk_scan_partitions() + +From: Yu Kuai + +[ Upstream commit 428913bce1e67ccb4dae317fd0332545bf8c9233 ] + +If disk_scan_partitions() is called with 'FMODE_EXCL', +blkdev_get_by_dev() will be called without 'FMODE_EXCL', however, follow +blkdev_put() is still called with 'FMODE_EXCL', which will cause +'bd_holders' counter to leak. + +Fix the problem by using the right mode for blkdev_put(). + +Reported-by: syzbot+2bcc0d79e548c4f62a59@syzkaller.appspotmail.com +Link: https://lore.kernel.org/lkml/f9649d501bc8c3444769418f6c26263555d9d3be.camel@linux.ibm.com/T/ +Tested-by: Julian Ruess +Fixes: e5cfefa97bcc ("block: fix scan partition for exclusively open device again") +Signed-off-by: Yu Kuai +Reviewed-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/genhd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/genhd.c b/block/genhd.c +index 85ae755913e9e..0b6928e948f31 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -385,7 +385,7 @@ int disk_scan_partitions(struct gendisk *disk, fmode_t mode) + if (IS_ERR(bdev)) + ret = PTR_ERR(bdev); + else +- blkdev_put(bdev, mode); ++ blkdev_put(bdev, mode & ~FMODE_EXCL); + + if (!(mode & FMODE_EXCL)) + bd_abort_claiming(disk->part0, disk_scan_partitions); +-- +2.39.2 + diff --git a/queue-6.1/block-revert-block-do-not-reread-partition-table-on-.patch b/queue-6.1/block-revert-block-do-not-reread-partition-table-on-.patch new file mode 100644 index 00000000000..93751cda9f3 --- /dev/null +++ b/queue-6.1/block-revert-block-do-not-reread-partition-table-on-.patch @@ -0,0 +1,123 @@ +From 27defee92721f0488c1a15c04721c41f8fde90da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Feb 2023 10:21:59 +0800 +Subject: block: Revert "block: Do not reread partition table on exclusively + open device" + +From: Yu Kuai + +[ Upstream commit 0f77b29ad14e34a89961f32edc87b92db623bb37 ] + +This reverts commit 36369f46e91785688a5f39d7a5590e3f07981316. + +This patch can't fix the problem in a corner case that device can be +opened exclusively after the checking and before blkdev_get_by_dev(). +We'll use a new solution to fix the problem in the next patch, and +the new solution doesn't need to change apis. + +Signed-off-by: Yu Kuai +Acked-by: Jan Kara +Link: https://lore.kernel.org/r/20230217022200.3092987-2-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Stable-dep-of: e5cfefa97bcc ("block: fix scan partition for exclusively open device again") +Signed-off-by: Sasha Levin +--- + block/blk.h | 2 +- + block/genhd.c | 7 ++----- + block/ioctl.c | 13 ++++++------- + 3 files changed, 9 insertions(+), 13 deletions(-) + +diff --git a/block/blk.h b/block/blk.h +index 8b75a95b28d60..a186ea20f39d8 100644 +--- a/block/blk.h ++++ b/block/blk.h +@@ -436,7 +436,7 @@ static inline struct kmem_cache *blk_get_queue_kmem_cache(bool srcu) + } + struct request_queue *blk_alloc_queue(int node_id, bool alloc_srcu); + +-int disk_scan_partitions(struct gendisk *disk, fmode_t mode, void *owner); ++int disk_scan_partitions(struct gendisk *disk, fmode_t mode); + + int disk_alloc_events(struct gendisk *disk); + void disk_add_events(struct gendisk *disk); +diff --git a/block/genhd.c b/block/genhd.c +index c4765681a8b4b..647f7d8d88312 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -356,7 +356,7 @@ void disk_uevent(struct gendisk *disk, enum kobject_action action) + } + EXPORT_SYMBOL_GPL(disk_uevent); + +-int disk_scan_partitions(struct gendisk *disk, fmode_t mode, void *owner) ++int disk_scan_partitions(struct gendisk *disk, fmode_t mode) + { + struct block_device *bdev; + +@@ -366,9 +366,6 @@ int disk_scan_partitions(struct gendisk *disk, fmode_t mode, void *owner) + return -EINVAL; + if (disk->open_partitions) + return -EBUSY; +- /* Someone else has bdev exclusively open? */ +- if (disk->part0->bd_holder && disk->part0->bd_holder != owner) +- return -EBUSY; + + set_bit(GD_NEED_PART_SCAN, &disk->state); + bdev = blkdev_get_by_dev(disk_devt(disk), mode, NULL); +@@ -503,7 +500,7 @@ int __must_check device_add_disk(struct device *parent, struct gendisk *disk, + + bdev_add(disk->part0, ddev->devt); + if (get_capacity(disk)) +- disk_scan_partitions(disk, FMODE_READ, NULL); ++ disk_scan_partitions(disk, FMODE_READ); + + /* + * Announce the disk and partitions after all partitions are +diff --git a/block/ioctl.c b/block/ioctl.c +index 96617512982e5..6dd49d877584a 100644 +--- a/block/ioctl.c ++++ b/block/ioctl.c +@@ -467,10 +467,10 @@ static int blkdev_bszset(struct block_device *bdev, fmode_t mode, + * user space. Note the separate arg/argp parameters that are needed + * to deal with the compat_ptr() conversion. + */ +-static int blkdev_common_ioctl(struct file *file, fmode_t mode, unsigned cmd, +- unsigned long arg, void __user *argp) ++static int blkdev_common_ioctl(struct block_device *bdev, fmode_t mode, ++ unsigned int cmd, unsigned long arg, ++ void __user *argp) + { +- struct block_device *bdev = I_BDEV(file->f_mapping->host); + unsigned int max_sectors; + + switch (cmd) { +@@ -528,8 +528,7 @@ static int blkdev_common_ioctl(struct file *file, fmode_t mode, unsigned cmd, + return -EACCES; + if (bdev_is_partition(bdev)) + return -EINVAL; +- return disk_scan_partitions(bdev->bd_disk, mode & ~FMODE_EXCL, +- file); ++ return disk_scan_partitions(bdev->bd_disk, mode & ~FMODE_EXCL); + case BLKTRACESTART: + case BLKTRACESTOP: + case BLKTRACETEARDOWN: +@@ -607,7 +606,7 @@ long blkdev_ioctl(struct file *file, unsigned cmd, unsigned long arg) + break; + } + +- ret = blkdev_common_ioctl(file, mode, cmd, arg, argp); ++ ret = blkdev_common_ioctl(bdev, mode, cmd, arg, argp); + if (ret != -ENOIOCTLCMD) + return ret; + +@@ -676,7 +675,7 @@ long compat_blkdev_ioctl(struct file *file, unsigned cmd, unsigned long arg) + break; + } + +- ret = blkdev_common_ioctl(file, mode, cmd, arg, argp); ++ ret = blkdev_common_ioctl(bdev, mode, cmd, arg, argp); + if (ret == -ENOIOCTLCMD && disk->fops->compat_ioctl) + ret = disk->fops->compat_ioctl(bdev, mode, cmd, arg); + +-- +2.39.2 + diff --git a/queue-6.1/bnxt_en-avoid-order-5-memory-allocation-for-tpa-data.patch b/queue-6.1/bnxt_en-avoid-order-5-memory-allocation-for-tpa-data.patch new file mode 100644 index 00000000000..804a2ad2be5 --- /dev/null +++ b/queue-6.1/bnxt_en-avoid-order-5-memory-allocation-for-tpa-data.patch @@ -0,0 +1,114 @@ +From ccc20fed41b1dbaea0d740d05ba9c8e03eb0ecc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 18:43:57 -0800 +Subject: bnxt_en: Avoid order-5 memory allocation for TPA data + +From: Michael Chan + +[ Upstream commit accd7e23693aaaa9aa0d3e9eca0ae77d1be80ab3 ] + +The driver needs to keep track of all the possible concurrent TPA (GRO/LRO) +completions on the aggregation ring. On P5 chips, the maximum number +of concurrent TPA is 256 and the amount of memory we allocate is order-5 +on systems using 4K pages. Memory allocation failure has been reported: + +NetworkManager: page allocation failure: order:5, mode:0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0-1 +CPU: 15 PID: 2995 Comm: NetworkManager Kdump: loaded Not tainted 5.10.156 #1 +Hardware name: Dell Inc. PowerEdge R660/0M1CC5, BIOS 0.2.25 08/12/2022 +Call Trace: + dump_stack+0x57/0x6e + warn_alloc.cold.120+0x7b/0xdd + ? _cond_resched+0x15/0x30 + ? __alloc_pages_direct_compact+0x15f/0x170 + __alloc_pages_slowpath.constprop.108+0xc58/0xc70 + __alloc_pages_nodemask+0x2d0/0x300 + kmalloc_order+0x24/0xe0 + kmalloc_order_trace+0x19/0x80 + bnxt_alloc_mem+0x1150/0x15c0 [bnxt_en] + ? bnxt_get_func_stat_ctxs+0x13/0x60 [bnxt_en] + __bnxt_open_nic+0x12e/0x780 [bnxt_en] + bnxt_open+0x10b/0x240 [bnxt_en] + __dev_open+0xe9/0x180 + __dev_change_flags+0x1af/0x220 + dev_change_flags+0x21/0x60 + do_setlink+0x35c/0x1100 + +Instead of allocating this big chunk of memory and dividing it up for the +concurrent TPA instances, allocate each small chunk separately for each +TPA instance. This will reduce it to order-0 allocations. + +Fixes: 79632e9ba386 ("bnxt_en: Expand bnxt_tpa_info struct to support 57500 chips.") +Reviewed-by: Somnath Kotur +Reviewed-by: Damodharam Ammepalli +Reviewed-by: Pavan Chebbi +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index cecda545372f9..251b102d2792b 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -3143,7 +3143,7 @@ static int bnxt_alloc_ring(struct bnxt *bp, struct bnxt_ring_mem_info *rmem) + + static void bnxt_free_tpa_info(struct bnxt *bp) + { +- int i; ++ int i, j; + + for (i = 0; i < bp->rx_nr_rings; i++) { + struct bnxt_rx_ring_info *rxr = &bp->rx_ring[i]; +@@ -3151,8 +3151,10 @@ static void bnxt_free_tpa_info(struct bnxt *bp) + kfree(rxr->rx_tpa_idx_map); + rxr->rx_tpa_idx_map = NULL; + if (rxr->rx_tpa) { +- kfree(rxr->rx_tpa[0].agg_arr); +- rxr->rx_tpa[0].agg_arr = NULL; ++ for (j = 0; j < bp->max_tpa; j++) { ++ kfree(rxr->rx_tpa[j].agg_arr); ++ rxr->rx_tpa[j].agg_arr = NULL; ++ } + } + kfree(rxr->rx_tpa); + rxr->rx_tpa = NULL; +@@ -3161,14 +3163,13 @@ static void bnxt_free_tpa_info(struct bnxt *bp) + + static int bnxt_alloc_tpa_info(struct bnxt *bp) + { +- int i, j, total_aggs = 0; ++ int i, j; + + bp->max_tpa = MAX_TPA; + if (bp->flags & BNXT_FLAG_CHIP_P5) { + if (!bp->max_tpa_v2) + return 0; + bp->max_tpa = max_t(u16, bp->max_tpa_v2, MAX_TPA_P5); +- total_aggs = bp->max_tpa * MAX_SKB_FRAGS; + } + + for (i = 0; i < bp->rx_nr_rings; i++) { +@@ -3182,12 +3183,12 @@ static int bnxt_alloc_tpa_info(struct bnxt *bp) + + if (!(bp->flags & BNXT_FLAG_CHIP_P5)) + continue; +- agg = kcalloc(total_aggs, sizeof(*agg), GFP_KERNEL); +- rxr->rx_tpa[0].agg_arr = agg; +- if (!agg) +- return -ENOMEM; +- for (j = 1; j < bp->max_tpa; j++) +- rxr->rx_tpa[j].agg_arr = agg + j * MAX_SKB_FRAGS; ++ for (j = 0; j < bp->max_tpa; j++) { ++ agg = kcalloc(MAX_SKB_FRAGS, sizeof(*agg), GFP_KERNEL); ++ if (!agg) ++ return -ENOMEM; ++ rxr->rx_tpa[j].agg_arr = agg; ++ } + rxr->rx_tpa_idx_map = kzalloc(sizeof(*rxr->rx_tpa_idx_map), + GFP_KERNEL); + if (!rxr->rx_tpa_idx_map) +-- +2.39.2 + diff --git a/queue-6.1/bpf-sockmap-fix-an-infinite-loop-error-when-len-is-0.patch b/queue-6.1/bpf-sockmap-fix-an-infinite-loop-error-when-len-is-0.patch new file mode 100644 index 00000000000..ccb252bd81a --- /dev/null +++ b/queue-6.1/bpf-sockmap-fix-an-infinite-loop-error-when-len-is-0.patch @@ -0,0 +1,127 @@ +From 2cf6ec251e3a8efbd2c066501047c2862009b8df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 16:09:46 +0800 +Subject: bpf, sockmap: Fix an infinite loop error when len is 0 in + tcp_bpf_recvmsg_parser() + +From: Liu Jian + +[ Upstream commit d900f3d20cc3169ce42ec72acc850e662a4d4db2 ] + +When the buffer length of the recvmsg system call is 0, we got the +flollowing soft lockup problem: + +watchdog: BUG: soft lockup - CPU#3 stuck for 27s! [a.out:6149] +CPU: 3 PID: 6149 Comm: a.out Kdump: loaded Not tainted 6.2.0+ #30 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:remove_wait_queue+0xb/0xc0 +Code: 5e 41 5f c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 57 <41> 56 41 55 41 54 55 48 89 fd 53 48 89 f3 4c 8d 6b 18 4c 8d 73 20 +RSP: 0018:ffff88811b5978b8 EFLAGS: 00000246 +RAX: 0000000000000000 RBX: ffff88811a7d3780 RCX: ffffffffb7a4d768 +RDX: dffffc0000000000 RSI: ffff88811b597908 RDI: ffff888115408040 +RBP: 1ffff110236b2f1b R08: 0000000000000000 R09: ffff88811a7d37e7 +R10: ffffed10234fa6fc R11: 0000000000000001 R12: ffff88811179b800 +R13: 0000000000000001 R14: ffff88811a7d38a8 R15: ffff88811a7d37e0 +FS: 00007f6fb5398740(0000) GS:ffff888237180000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000000 CR3: 000000010b6ba002 CR4: 0000000000370ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + tcp_msg_wait_data+0x279/0x2f0 + tcp_bpf_recvmsg_parser+0x3c6/0x490 + inet_recvmsg+0x280/0x290 + sock_recvmsg+0xfc/0x120 + ____sys_recvmsg+0x160/0x3d0 + ___sys_recvmsg+0xf0/0x180 + __sys_recvmsg+0xea/0x1a0 + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The logic in tcp_bpf_recvmsg_parser is as follows: + +msg_bytes_ready: + copied = sk_msg_recvmsg(sk, psock, msg, len, flags); + if (!copied) { + wait data; + goto msg_bytes_ready; + } + +In this case, "copied" always is 0, the infinite loop occurs. + +According to the Linux system call man page, 0 should be returned in this +case. Therefore, in tcp_bpf_recvmsg_parser(), if the length is 0, directly +return. Also modify several other functions with the same problem. + +Fixes: 1f5be6b3b063 ("udp: Implement udp_bpf_recvmsg() for sockmap") +Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()") +Fixes: c5d2177a72a1 ("bpf, sockmap: Fix race in ingress receive verdict with redirect to self") +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: Liu Jian +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Cc: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20230303080946.1146638-1-liujian56@huawei.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 6 ++++++ + net/ipv4/udp_bpf.c | 3 +++ + net/unix/unix_bpf.c | 3 +++ + 3 files changed, 12 insertions(+) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index cf26d65ca3893..ebf9175119370 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -186,6 +186,9 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk, + if (unlikely(flags & MSG_ERRQUEUE)) + return inet_recv_error(sk, msg, len, addr_len); + ++ if (!len) ++ return 0; ++ + psock = sk_psock_get(sk); + if (unlikely(!psock)) + return tcp_recvmsg(sk, msg, len, flags, addr_len); +@@ -244,6 +247,9 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + if (unlikely(flags & MSG_ERRQUEUE)) + return inet_recv_error(sk, msg, len, addr_len); + ++ if (!len) ++ return 0; ++ + psock = sk_psock_get(sk); + if (unlikely(!psock)) + return tcp_recvmsg(sk, msg, len, flags, addr_len); +diff --git a/net/ipv4/udp_bpf.c b/net/ipv4/udp_bpf.c +index e5dc91d0e0793..0735d820e413f 100644 +--- a/net/ipv4/udp_bpf.c ++++ b/net/ipv4/udp_bpf.c +@@ -68,6 +68,9 @@ static int udp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + if (unlikely(flags & MSG_ERRQUEUE)) + return inet_recv_error(sk, msg, len, addr_len); + ++ if (!len) ++ return 0; ++ + psock = sk_psock_get(sk); + if (unlikely(!psock)) + return sk_udp_recvmsg(sk, msg, len, flags, addr_len); +diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c +index e9bf155139612..2f9d8271c6ec7 100644 +--- a/net/unix/unix_bpf.c ++++ b/net/unix/unix_bpf.c +@@ -54,6 +54,9 @@ static int unix_bpf_recvmsg(struct sock *sk, struct msghdr *msg, + struct sk_psock *psock; + int copied; + ++ if (!len) ++ return 0; ++ + psock = sk_psock_get(sk); + if (unlikely(!psock)) + return __unix_recvmsg(sk, msg, len, flags); +-- +2.39.2 + diff --git a/queue-6.1/bpf-test_run-fix-xdp_frame-misplacement-for-live_fra.patch b/queue-6.1/bpf-test_run-fix-xdp_frame-misplacement-for-live_fra.patch new file mode 100644 index 00000000000..acda6d9eb5a --- /dev/null +++ b/queue-6.1/bpf-test_run-fix-xdp_frame-misplacement-for-live_fra.patch @@ -0,0 +1,154 @@ +From fdd4e4594975d2d49df438a686a8225c355febc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 19:54:40 +0100 +Subject: bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexander Lobakin + +[ Upstream commit 6c20822fada1b8adb77fa450d03a0d449686a4a9 ] + +&xdp_buff and &xdp_frame are bound in a way that + +xdp_buff->data_hard_start == xdp_frame + +It's always the case and e.g. xdp_convert_buff_to_frame() relies on +this. +IOW, the following: + + for (u32 i = 0; i < 0xdead; i++) { + xdpf = xdp_convert_buff_to_frame(&xdp); + xdp_convert_frame_to_buff(xdpf, &xdp); + } + +shouldn't ever modify @xdpf's contents or the pointer itself. +However, "live packet" code wrongly treats &xdp_frame as part of its +context placed *before* the data_hard_start. With such flow, +data_hard_start is sizeof(*xdpf) off to the right and no longer points +to the XDP frame. + +Instead of replacing `sizeof(ctx)` with `offsetof(ctx, xdpf)` in several +places and praying that there are no more miscalcs left somewhere in the +code, unionize ::frm with ::data in a flex array, so that both starts +pointing to the actual data_hard_start and the XDP frame actually starts +being a part of it, i.e. a part of the headroom, not the context. +A nice side effect is that the maximum frame size for this mode gets +increased by 40 bytes, as xdp_buff::frame_sz includes everything from +data_hard_start (-> includes xdpf already) to the end of XDP/skb shared +info. +Also update %MAX_PKT_SIZE accordingly in the selftests code. Leave it +hardcoded for 64 bit && 4k pages, it can be made more flexible later on. + +Minor: align `&head->data` with how `head->frm` is assigned for +consistency. +Minor #2: rename 'frm' to 'frame' in &xdp_page_head while at it for +clarity. + +(was found while testing XDP traffic generator on ice, which calls + xdp_convert_frame_to_buff() for each XDP frame) + +Fixes: b530e9e1063e ("bpf: Add "live packet" mode for XDP in BPF_PROG_RUN") +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Alexander Lobakin +Link: https://lore.kernel.org/r/20230215185440.4126672-1-aleksander.lobakin@intel.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + net/bpf/test_run.c | 29 +++++++++++++++---- + .../bpf/prog_tests/xdp_do_redirect.c | 7 +++-- + 2 files changed, 27 insertions(+), 9 deletions(-) + +diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c +index 6094ef7cffcd2..cd3d713251a26 100644 +--- a/net/bpf/test_run.c ++++ b/net/bpf/test_run.c +@@ -97,8 +97,11 @@ static bool bpf_test_timer_continue(struct bpf_test_timer *t, int iterations, + struct xdp_page_head { + struct xdp_buff orig_ctx; + struct xdp_buff ctx; +- struct xdp_frame frm; +- u8 data[]; ++ union { ++ /* ::data_hard_start starts here */ ++ DECLARE_FLEX_ARRAY(struct xdp_frame, frame); ++ DECLARE_FLEX_ARRAY(u8, data); ++ }; + }; + + struct xdp_test_data { +@@ -116,6 +119,20 @@ struct xdp_test_data { + #define TEST_XDP_FRAME_SIZE (PAGE_SIZE - sizeof(struct xdp_page_head)) + #define TEST_XDP_MAX_BATCH 256 + ++#if BITS_PER_LONG == 64 && PAGE_SIZE == SZ_4K ++/* tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c:%MAX_PKT_SIZE ++ * must be updated accordingly when any of these changes, otherwise BPF ++ * selftests will fail. ++ */ ++#ifdef __s390x__ ++#define TEST_MAX_PKT_SIZE 3216 ++#else ++#define TEST_MAX_PKT_SIZE 3408 ++#endif ++static_assert(SKB_WITH_OVERHEAD(TEST_XDP_FRAME_SIZE - XDP_PACKET_HEADROOM) == ++ TEST_MAX_PKT_SIZE); ++#endif ++ + static void xdp_test_run_init_page(struct page *page, void *arg) + { + struct xdp_page_head *head = phys_to_virt(page_to_phys(page)); +@@ -132,8 +149,8 @@ static void xdp_test_run_init_page(struct page *page, void *arg) + headroom -= meta_len; + + new_ctx = &head->ctx; +- frm = &head->frm; +- data = &head->data; ++ frm = head->frame; ++ data = head->data; + memcpy(data + headroom, orig_ctx->data_meta, frm_len); + + xdp_init_buff(new_ctx, TEST_XDP_FRAME_SIZE, &xdp->rxq); +@@ -223,7 +240,7 @@ static void reset_ctx(struct xdp_page_head *head) + head->ctx.data = head->orig_ctx.data; + head->ctx.data_meta = head->orig_ctx.data_meta; + head->ctx.data_end = head->orig_ctx.data_end; +- xdp_update_frame_from_buff(&head->ctx, &head->frm); ++ xdp_update_frame_from_buff(&head->ctx, head->frame); + } + + static int xdp_recv_frames(struct xdp_frame **frames, int nframes, +@@ -285,7 +302,7 @@ static int xdp_test_run_batch(struct xdp_test_data *xdp, struct bpf_prog *prog, + head = phys_to_virt(page_to_phys(page)); + reset_ctx(head); + ctx = &head->ctx; +- frm = &head->frm; ++ frm = head->frame; + xdp->frame_cnt++; + + act = bpf_prog_run_xdp(prog, ctx); +diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c b/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c +index 15ad336691613..33ae63c01461a 100644 +--- a/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c ++++ b/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c +@@ -63,12 +63,13 @@ static int attach_tc_prog(struct bpf_tc_hook *hook, int fd) + } + + /* The maximum permissible size is: PAGE_SIZE - sizeof(struct xdp_page_head) - +- * sizeof(struct skb_shared_info) - XDP_PACKET_HEADROOM = 3368 bytes ++ * SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - XDP_PACKET_HEADROOM = ++ * 3408 bytes for 64-byte cacheline and 3216 for 256-byte one. + */ + #if defined(__s390x__) +-#define MAX_PKT_SIZE 3176 ++#define MAX_PKT_SIZE 3216 + #else +-#define MAX_PKT_SIZE 3368 ++#define MAX_PKT_SIZE 3408 + #endif + static void test_max_pkt_size(int fd) + { +-- +2.39.2 + diff --git a/queue-6.1/btf-fix-resolving-btf_kind_var-after-array-struct-un.patch b/queue-6.1/btf-fix-resolving-btf_kind_var-after-array-struct-un.patch new file mode 100644 index 00000000000..70b9cc9a227 --- /dev/null +++ b/queue-6.1/btf-fix-resolving-btf_kind_var-after-array-struct-un.patch @@ -0,0 +1,98 @@ +From f8b7813a30dbb4a73ecc69d8519e4e082866b4af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 11:21:37 +0000 +Subject: btf: fix resolving BTF_KIND_VAR after ARRAY, STRUCT, UNION, PTR + +From: Lorenz Bauer + +[ Upstream commit 9b459804ff9973e173fabafba2a1319f771e85fa ] + +btf_datasec_resolve contains a bug that causes the following BTF +to fail loading: + + [1] DATASEC a size=2 vlen=2 + type_id=4 offset=0 size=1 + type_id=7 offset=1 size=1 + [2] INT (anon) size=1 bits_offset=0 nr_bits=8 encoding=(none) + [3] PTR (anon) type_id=2 + [4] VAR a type_id=3 linkage=0 + [5] INT (anon) size=1 bits_offset=0 nr_bits=8 encoding=(none) + [6] TYPEDEF td type_id=5 + [7] VAR b type_id=6 linkage=0 + +This error message is printed during btf_check_all_types: + + [1] DATASEC a size=2 vlen=2 + type_id=7 offset=1 size=1 Invalid type + +By tracing btf_*_resolve we can pinpoint the problem: + + btf_datasec_resolve(depth: 1, type_id: 1, mode: RESOLVE_TBD) = 0 + btf_var_resolve(depth: 2, type_id: 4, mode: RESOLVE_TBD) = 0 + btf_ptr_resolve(depth: 3, type_id: 3, mode: RESOLVE_PTR) = 0 + btf_var_resolve(depth: 2, type_id: 4, mode: RESOLVE_PTR) = 0 + btf_datasec_resolve(depth: 1, type_id: 1, mode: RESOLVE_PTR) = -22 + +The last invocation of btf_datasec_resolve should invoke btf_var_resolve +by means of env_stack_push, instead it returns EINVAL. The reason is that +env_stack_push is never executed for the second VAR. + + if (!env_type_is_resolve_sink(env, var_type) && + !env_type_is_resolved(env, var_type_id)) { + env_stack_set_next_member(env, i + 1); + return env_stack_push(env, var_type, var_type_id); + } + +env_type_is_resolve_sink() changes its behaviour based on resolve_mode. +For RESOLVE_PTR, we can simplify the if condition to the following: + + (btf_type_is_modifier() || btf_type_is_ptr) && !env_type_is_resolved() + +Since we're dealing with a VAR the clause evaluates to false. This is +not sufficient to trigger the bug however. The log output and EINVAL +are only generated if btf_type_id_size() fails. + + if (!btf_type_id_size(btf, &type_id, &type_size)) { + btf_verifier_log_vsi(env, v->t, vsi, "Invalid type"); + return -EINVAL; + } + +Most types are sized, so for example a VAR referring to an INT is not a +problem. The bug is only triggered if a VAR points at a modifier. Since +we skipped btf_var_resolve that modifier was also never resolved, which +means that btf_resolved_type_id returns 0 aka VOID for the modifier. +This in turn causes btf_type_id_size to return NULL, triggering EINVAL. + +To summarise, the following conditions are necessary: + +- VAR pointing at PTR, STRUCT, UNION or ARRAY +- Followed by a VAR pointing at TYPEDEF, VOLATILE, CONST, RESTRICT or + TYPE_TAG + +The fix is to reset resolve_mode to RESOLVE_TBD before attempting to +resolve a VAR from a DATASEC. + +Fixes: 1dc92851849c ("bpf: kernel side support for BTF Var and DataSec") +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20230306112138.155352-2-lmb@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index 7fcbe5d002070..b73169737a01e 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -4163,6 +4163,7 @@ static int btf_datasec_resolve(struct btf_verifier_env *env, + struct btf *btf = env->btf; + u16 i; + ++ env->resolve_mode = RESOLVE_TBD; + for_each_vsi_from(i, v->next_member, v->t, vsi) { + u32 var_type_id = vsi->type, type_id, type_size = 0; + const struct btf_type *var_type = btf_type_by_id(env->btf, +-- +2.39.2 + diff --git a/queue-6.1/btrfs-fix-extent-map-logging-bit-not-cleared-for-spl.patch b/queue-6.1/btrfs-fix-extent-map-logging-bit-not-cleared-for-spl.patch new file mode 100644 index 00000000000..3456b26efaf --- /dev/null +++ b/queue-6.1/btrfs-fix-extent-map-logging-bit-not-cleared-for-spl.patch @@ -0,0 +1,62 @@ +From b60930eac174391f44c8d9c60483b1c8e446b6ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 12:53:56 +0000 +Subject: btrfs: fix extent map logging bit not cleared for split maps after + dropping range + +From: Filipe Manana + +[ Upstream commit e4cc1483f35940c9288c332dd275f6fad485f8d2 ] + +At btrfs_drop_extent_map_range() we are clearing the EXTENT_FLAG_LOGGING +bit on a 'flags' variable that was not initialized. This makes static +checkers complain about it, so initialize the 'flags' variable before +clearing the bit. + +In practice this has no consequences, because EXTENT_FLAG_LOGGING should +not be set when btrfs_drop_extent_map_range() is called, as an fsync locks +the inode in exclusive mode, locks the inode's mmap semaphore in exclusive +mode too and it always flushes all delalloc. + +Also add a comment about why we clear EXTENT_FLAG_LOGGING on a copy of the +flags of the split extent map. + +Reported-by: Dan Carpenter +Link: https://lore.kernel.org/linux-btrfs/Y%2FyipSVozUDEZKow@kili/ +Fixes: db21370bffbc ("btrfs: drop extent map range more efficiently") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_map.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/extent_map.c b/fs/btrfs/extent_map.c +index 6092a4eedc923..b8ae02aa632e3 100644 +--- a/fs/btrfs/extent_map.c ++++ b/fs/btrfs/extent_map.c +@@ -760,7 +760,13 @@ void btrfs_drop_extent_map_range(struct btrfs_inode *inode, u64 start, u64 end, + goto next; + } + ++ flags = em->flags; + clear_bit(EXTENT_FLAG_PINNED, &em->flags); ++ /* ++ * In case we split the extent map, we want to preserve the ++ * EXTENT_FLAG_LOGGING flag on our extent map, but we don't want ++ * it on the new extent maps. ++ */ + clear_bit(EXTENT_FLAG_LOGGING, &flags); + modified = !list_empty(&em->list); + +@@ -771,7 +777,6 @@ void btrfs_drop_extent_map_range(struct btrfs_inode *inode, u64 start, u64 end, + if (em->start >= start && em_end <= end) + goto remove_em; + +- flags = em->flags; + gen = em->generation; + compressed = test_bit(EXTENT_FLAG_COMPRESSED, &em->flags); + +-- +2.39.2 + diff --git a/queue-6.1/bus-mhi-ep-change-state_lock-to-mutex.patch b/queue-6.1/bus-mhi-ep-change-state_lock-to-mutex.patch new file mode 100644 index 00000000000..8781cb6eb40 --- /dev/null +++ b/queue-6.1/bus-mhi-ep-change-state_lock-to-mutex.patch @@ -0,0 +1,210 @@ +From ca1fb2dad4ed43e57a052e9aab6c587bdc208ea5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 12:59:45 +0530 +Subject: bus: mhi: ep: Change state_lock to mutex + +From: Manivannan Sadhasivam + +[ Upstream commit 1ddc7618294084fff8d673217a9479550990ee84 ] + +state_lock, the spinlock type is meant to protect race against concurrent +MHI state transitions. In mhi_ep_set_m0_state(), while the state_lock is +being held, the channels are resumed in mhi_ep_resume_channels() if the +previous state was M3. This causes sleeping in atomic bug, since +mhi_ep_resume_channels() use mutex internally. + +Since the state_lock is supposed to be held throughout the state change, +it is not ideal to drop the lock before calling mhi_ep_resume_channels(). +So to fix this issue, let's change the type of state_lock to mutex. This +would also allow holding the lock throughout all state transitions thereby +avoiding any potential race. + +Cc: # 5.19 +Fixes: e4b7b5f0f30a ("bus: mhi: ep: Add support for suspending and resuming channels") +Reported-by: Dan Carpenter +Reviewed-by: Jeffrey Hugo +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + drivers/bus/mhi/ep/main.c | 8 +++++--- + drivers/bus/mhi/ep/sm.c | 42 ++++++++++++++++++++++----------------- + include/linux/mhi_ep.h | 4 ++-- + 3 files changed, 31 insertions(+), 23 deletions(-) + +diff --git a/drivers/bus/mhi/ep/main.c b/drivers/bus/mhi/ep/main.c +index b06548005985c..edd153dda40c0 100644 +--- a/drivers/bus/mhi/ep/main.c ++++ b/drivers/bus/mhi/ep/main.c +@@ -994,11 +994,11 @@ static void mhi_ep_reset_worker(struct work_struct *work) + + mhi_ep_power_down(mhi_cntrl); + +- spin_lock_bh(&mhi_cntrl->state_lock); ++ mutex_lock(&mhi_cntrl->state_lock); ++ + /* Reset MMIO to signal host that the MHI_RESET is completed in endpoint */ + mhi_ep_mmio_reset(mhi_cntrl); + cur_state = mhi_cntrl->mhi_state; +- spin_unlock_bh(&mhi_cntrl->state_lock); + + /* + * Only proceed further if the reset is due to SYS_ERR. The host will +@@ -1007,6 +1007,8 @@ static void mhi_ep_reset_worker(struct work_struct *work) + */ + if (cur_state == MHI_STATE_SYS_ERR) + mhi_ep_power_up(mhi_cntrl); ++ ++ mutex_unlock(&mhi_cntrl->state_lock); + } + + /* +@@ -1379,8 +1381,8 @@ int mhi_ep_register_controller(struct mhi_ep_cntrl *mhi_cntrl, + + INIT_LIST_HEAD(&mhi_cntrl->st_transition_list); + INIT_LIST_HEAD(&mhi_cntrl->ch_db_list); +- spin_lock_init(&mhi_cntrl->state_lock); + spin_lock_init(&mhi_cntrl->list_lock); ++ mutex_init(&mhi_cntrl->state_lock); + mutex_init(&mhi_cntrl->event_lock); + + /* Set MHI version and AMSS EE before enumeration */ +diff --git a/drivers/bus/mhi/ep/sm.c b/drivers/bus/mhi/ep/sm.c +index 3655c19e23c7b..fd200b2ac0bb2 100644 +--- a/drivers/bus/mhi/ep/sm.c ++++ b/drivers/bus/mhi/ep/sm.c +@@ -63,24 +63,23 @@ int mhi_ep_set_m0_state(struct mhi_ep_cntrl *mhi_cntrl) + int ret; + + /* If MHI is in M3, resume suspended channels */ +- spin_lock_bh(&mhi_cntrl->state_lock); ++ mutex_lock(&mhi_cntrl->state_lock); ++ + old_state = mhi_cntrl->mhi_state; + if (old_state == MHI_STATE_M3) + mhi_ep_resume_channels(mhi_cntrl); + + ret = mhi_ep_set_mhi_state(mhi_cntrl, MHI_STATE_M0); +- spin_unlock_bh(&mhi_cntrl->state_lock); +- + if (ret) { + mhi_ep_handle_syserr(mhi_cntrl); +- return ret; ++ goto err_unlock; + } + + /* Signal host that the device moved to M0 */ + ret = mhi_ep_send_state_change_event(mhi_cntrl, MHI_STATE_M0); + if (ret) { + dev_err(dev, "Failed sending M0 state change event\n"); +- return ret; ++ goto err_unlock; + } + + if (old_state == MHI_STATE_READY) { +@@ -88,11 +87,14 @@ int mhi_ep_set_m0_state(struct mhi_ep_cntrl *mhi_cntrl) + ret = mhi_ep_send_ee_event(mhi_cntrl, MHI_EE_AMSS); + if (ret) { + dev_err(dev, "Failed sending AMSS EE event\n"); +- return ret; ++ goto err_unlock; + } + } + +- return 0; ++err_unlock: ++ mutex_unlock(&mhi_cntrl->state_lock); ++ ++ return ret; + } + + int mhi_ep_set_m3_state(struct mhi_ep_cntrl *mhi_cntrl) +@@ -100,13 +102,12 @@ int mhi_ep_set_m3_state(struct mhi_ep_cntrl *mhi_cntrl) + struct device *dev = &mhi_cntrl->mhi_dev->dev; + int ret; + +- spin_lock_bh(&mhi_cntrl->state_lock); +- ret = mhi_ep_set_mhi_state(mhi_cntrl, MHI_STATE_M3); +- spin_unlock_bh(&mhi_cntrl->state_lock); ++ mutex_lock(&mhi_cntrl->state_lock); + ++ ret = mhi_ep_set_mhi_state(mhi_cntrl, MHI_STATE_M3); + if (ret) { + mhi_ep_handle_syserr(mhi_cntrl); +- return ret; ++ goto err_unlock; + } + + mhi_ep_suspend_channels(mhi_cntrl); +@@ -115,10 +116,13 @@ int mhi_ep_set_m3_state(struct mhi_ep_cntrl *mhi_cntrl) + ret = mhi_ep_send_state_change_event(mhi_cntrl, MHI_STATE_M3); + if (ret) { + dev_err(dev, "Failed sending M3 state change event\n"); +- return ret; ++ goto err_unlock; + } + +- return 0; ++err_unlock: ++ mutex_unlock(&mhi_cntrl->state_lock); ++ ++ return ret; + } + + int mhi_ep_set_ready_state(struct mhi_ep_cntrl *mhi_cntrl) +@@ -127,22 +131,24 @@ int mhi_ep_set_ready_state(struct mhi_ep_cntrl *mhi_cntrl) + enum mhi_state mhi_state; + int ret, is_ready; + +- spin_lock_bh(&mhi_cntrl->state_lock); ++ mutex_lock(&mhi_cntrl->state_lock); ++ + /* Ensure that the MHISTATUS is set to RESET by host */ + mhi_state = mhi_ep_mmio_masked_read(mhi_cntrl, EP_MHISTATUS, MHISTATUS_MHISTATE_MASK); + is_ready = mhi_ep_mmio_masked_read(mhi_cntrl, EP_MHISTATUS, MHISTATUS_READY_MASK); + + if (mhi_state != MHI_STATE_RESET || is_ready) { + dev_err(dev, "READY state transition failed. MHI host not in RESET state\n"); +- spin_unlock_bh(&mhi_cntrl->state_lock); +- return -EIO; ++ ret = -EIO; ++ goto err_unlock; + } + + ret = mhi_ep_set_mhi_state(mhi_cntrl, MHI_STATE_READY); +- spin_unlock_bh(&mhi_cntrl->state_lock); +- + if (ret) + mhi_ep_handle_syserr(mhi_cntrl); + ++err_unlock: ++ mutex_unlock(&mhi_cntrl->state_lock); ++ + return ret; + } +diff --git a/include/linux/mhi_ep.h b/include/linux/mhi_ep.h +index 478aece170462..f198a8ac7ee72 100644 +--- a/include/linux/mhi_ep.h ++++ b/include/linux/mhi_ep.h +@@ -70,8 +70,8 @@ struct mhi_ep_db_info { + * @cmd_ctx_cache_phys: Physical address of the host command context cache + * @chdb: Array of channel doorbell interrupt info + * @event_lock: Lock for protecting event rings +- * @list_lock: Lock for protecting state transition and channel doorbell lists + * @state_lock: Lock for protecting state transitions ++ * @list_lock: Lock for protecting state transition and channel doorbell lists + * @st_transition_list: List of state transitions + * @ch_db_list: List of queued channel doorbells + * @wq: Dedicated workqueue for handling rings and state changes +@@ -117,8 +117,8 @@ struct mhi_ep_cntrl { + + struct mhi_ep_db_info chdb[4]; + struct mutex event_lock; ++ struct mutex state_lock; + spinlock_t list_lock; +- spinlock_t state_lock; + + struct list_head st_transition_list; + struct list_head ch_db_list; +-- +2.39.2 + diff --git a/queue-6.1/bus-mhi-ep-power-up-down-mhi-stack-during-mhi-reset.patch b/queue-6.1/bus-mhi-ep-power-up-down-mhi-stack-during-mhi-reset.patch new file mode 100644 index 00000000000..3029d238fad --- /dev/null +++ b/queue-6.1/bus-mhi-ep-power-up-down-mhi-stack-during-mhi-reset.patch @@ -0,0 +1,91 @@ +From f5108d175535437ee2d23ee174dbdecb6c8d3fae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Dec 2022 21:46:59 +0530 +Subject: bus: mhi: ep: Power up/down MHI stack during MHI RESET + +From: Manivannan Sadhasivam + +[ Upstream commit 47a1dcaea07367c84238e71c08244ae3ed48c1cc ] + +During graceful shutdown scenario, host will issue MHI RESET to the +endpoint device before initiating shutdown. In that case, it makes sense +to completely power down the MHI stack as sooner or later the access to +MMIO registers will be prohibited. Also, the stack needs to be powered +up in the case of SYS_ERR to recover the device. + +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Jeffrey Hugo +Link: https://lore.kernel.org/r/20221228161704.255268-2-manivannan.sadhasivam@linaro.org +Signed-off-by: Manivannan Sadhasivam +Stable-dep-of: 1ddc76182940 ("bus: mhi: ep: Change state_lock to mutex") +Signed-off-by: Sasha Levin +--- + drivers/bus/mhi/ep/main.c | 35 +++++++---------------------------- + 1 file changed, 7 insertions(+), 28 deletions(-) + +diff --git a/drivers/bus/mhi/ep/main.c b/drivers/bus/mhi/ep/main.c +index 357c61c12ce5b..b06548005985c 100644 +--- a/drivers/bus/mhi/ep/main.c ++++ b/drivers/bus/mhi/ep/main.c +@@ -990,11 +990,9 @@ static void mhi_ep_abort_transfer(struct mhi_ep_cntrl *mhi_cntrl) + static void mhi_ep_reset_worker(struct work_struct *work) + { + struct mhi_ep_cntrl *mhi_cntrl = container_of(work, struct mhi_ep_cntrl, reset_work); +- struct device *dev = &mhi_cntrl->mhi_dev->dev; + enum mhi_state cur_state; +- int ret; + +- mhi_ep_abort_transfer(mhi_cntrl); ++ mhi_ep_power_down(mhi_cntrl); + + spin_lock_bh(&mhi_cntrl->state_lock); + /* Reset MMIO to signal host that the MHI_RESET is completed in endpoint */ +@@ -1007,27 +1005,8 @@ static void mhi_ep_reset_worker(struct work_struct *work) + * issue reset during shutdown also and we don't need to do re-init in + * that case. + */ +- if (cur_state == MHI_STATE_SYS_ERR) { +- mhi_ep_mmio_init(mhi_cntrl); +- +- /* Set AMSS EE before signaling ready state */ +- mhi_ep_mmio_set_env(mhi_cntrl, MHI_EE_AMSS); +- +- /* All set, notify the host that we are ready */ +- ret = mhi_ep_set_ready_state(mhi_cntrl); +- if (ret) +- return; +- +- dev_dbg(dev, "READY state notification sent to the host\n"); +- +- ret = mhi_ep_enable(mhi_cntrl); +- if (ret) { +- dev_err(dev, "Failed to enable MHI endpoint: %d\n", ret); +- return; +- } +- +- enable_irq(mhi_cntrl->irq); +- } ++ if (cur_state == MHI_STATE_SYS_ERR) ++ mhi_ep_power_up(mhi_cntrl); + } + + /* +@@ -1106,11 +1085,11 @@ EXPORT_SYMBOL_GPL(mhi_ep_power_up); + + void mhi_ep_power_down(struct mhi_ep_cntrl *mhi_cntrl) + { +- if (mhi_cntrl->enabled) ++ if (mhi_cntrl->enabled) { + mhi_ep_abort_transfer(mhi_cntrl); +- +- kfree(mhi_cntrl->mhi_event); +- disable_irq(mhi_cntrl->irq); ++ kfree(mhi_cntrl->mhi_event); ++ disable_irq(mhi_cntrl->irq); ++ } + } + EXPORT_SYMBOL_GPL(mhi_ep_power_down); + +-- +2.39.2 + diff --git a/queue-6.1/cifs-improve-checking-of-dfs-links-over-status_objec.patch b/queue-6.1/cifs-improve-checking-of-dfs-links-over-status_objec.patch new file mode 100644 index 00000000000..20156b7e0bd --- /dev/null +++ b/queue-6.1/cifs-improve-checking-of-dfs-links-over-status_objec.patch @@ -0,0 +1,243 @@ +From bee40ea5662925f67ca21757bdad9b714d7106bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Feb 2023 19:01:54 -0300 +Subject: cifs: improve checking of DFS links over STATUS_OBJECT_NAME_INVALID + +From: Paulo Alcantara + +[ Upstream commit b9ee2e307c6b06384b6f9e393a9b8e048e8fc277 ] + +Do not map STATUS_OBJECT_NAME_INVALID to -EREMOTE under non-DFS +shares, or 'nodfs' mounts or CONFIG_CIFS_DFS_UPCALL=n builds. +Otherwise, in the slow path, get a referral to figure out whether it +is an actual DFS link. + +This could be simply reproduced under a non-DFS share by running the +following + + $ mount.cifs //srv/share /mnt -o ... + $ cat /mnt/$(printf '\U110000') + cat: '/mnt/'$'\364\220\200\200': Object is remote + +Fixes: c877ce47e137 ("cifs: reduce roundtrips on create/qinfo requests") +CC: stable@vger.kernel.org # 6.2 +Signed-off-by: Paulo Alcantara (SUSE) +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsproto.h | 20 ++++++++++---- + fs/cifs/misc.c | 67 +++++++++++++++++++++++++++++++++++++++++++++ + fs/cifs/smb2inode.c | 21 +++++++------- + fs/cifs/smb2ops.c | 23 +++++++++------- + 4 files changed, 106 insertions(+), 25 deletions(-) + +diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h +index eb1a0de9dd553..bc4475f6c0827 100644 +--- a/fs/cifs/cifsproto.h ++++ b/fs/cifs/cifsproto.h +@@ -664,11 +664,21 @@ static inline int get_dfs_path(const unsigned int xid, struct cifs_ses *ses, + int match_target_ip(struct TCP_Server_Info *server, + const char *share, size_t share_len, + bool *result); +- +-int cifs_dfs_query_info_nonascii_quirk(const unsigned int xid, +- struct cifs_tcon *tcon, +- struct cifs_sb_info *cifs_sb, +- const char *dfs_link_path); ++int cifs_inval_name_dfs_link_error(const unsigned int xid, ++ struct cifs_tcon *tcon, ++ struct cifs_sb_info *cifs_sb, ++ const char *full_path, ++ bool *islink); ++#else ++static inline int cifs_inval_name_dfs_link_error(const unsigned int xid, ++ struct cifs_tcon *tcon, ++ struct cifs_sb_info *cifs_sb, ++ const char *full_path, ++ bool *islink) ++{ ++ *islink = false; ++ return 0; ++} + #endif + + static inline int cifs_create_options(struct cifs_sb_info *cifs_sb, int options) +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c +index 062175994e879..4e54736a06996 100644 +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -21,6 +21,7 @@ + #include "cifsfs.h" + #ifdef CONFIG_CIFS_DFS_UPCALL + #include "dns_resolve.h" ++#include "dfs_cache.h" + #endif + #include "fs_context.h" + #include "cached_dir.h" +@@ -1314,4 +1315,70 @@ int cifs_update_super_prepath(struct cifs_sb_info *cifs_sb, char *prefix) + cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH; + return 0; + } ++ ++/* ++ * Handle weird Windows SMB server behaviour. It responds with ++ * STATUS_OBJECT_NAME_INVALID code to SMB2 QUERY_INFO request for ++ * "\\\" DFS reference, where contains ++ * non-ASCII unicode symbols. ++ */ ++int cifs_inval_name_dfs_link_error(const unsigned int xid, ++ struct cifs_tcon *tcon, ++ struct cifs_sb_info *cifs_sb, ++ const char *full_path, ++ bool *islink) ++{ ++ struct cifs_ses *ses = tcon->ses; ++ size_t len; ++ char *path; ++ char *ref_path; ++ ++ *islink = false; ++ ++ /* ++ * Fast path - skip check when @full_path doesn't have a prefix path to ++ * look up or tcon is not DFS. ++ */ ++ if (strlen(full_path) < 2 || !cifs_sb || ++ (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_DFS) || ++ !is_tcon_dfs(tcon) || !ses->server->origin_fullpath) ++ return 0; ++ ++ /* ++ * Slow path - tcon is DFS and @full_path has prefix path, so attempt ++ * to get a referral to figure out whether it is an DFS link. ++ */ ++ len = strnlen(tcon->tree_name, MAX_TREE_SIZE + 1) + strlen(full_path) + 1; ++ path = kmalloc(len, GFP_KERNEL); ++ if (!path) ++ return -ENOMEM; ++ ++ scnprintf(path, len, "%s%s", tcon->tree_name, full_path); ++ ref_path = dfs_cache_canonical_path(path + 1, cifs_sb->local_nls, ++ cifs_remap(cifs_sb)); ++ kfree(path); ++ ++ if (IS_ERR(ref_path)) { ++ if (PTR_ERR(ref_path) != -EINVAL) ++ return PTR_ERR(ref_path); ++ } else { ++ struct dfs_info3_param *refs = NULL; ++ int num_refs = 0; ++ ++ /* ++ * XXX: we are not using dfs_cache_find() here because we might ++ * end filling all the DFS cache and thus potentially ++ * removing cached DFS targets that the client would eventually ++ * need during failover. ++ */ ++ if (ses->server->ops->get_dfs_refer && ++ !ses->server->ops->get_dfs_refer(xid, ses, ref_path, &refs, ++ &num_refs, cifs_sb->local_nls, ++ cifs_remap(cifs_sb))) ++ *islink = refs[0].server_type == DFS_TYPE_LINK; ++ free_dfs_info_array(refs, num_refs); ++ kfree(ref_path); ++ } ++ return 0; ++} + #endif +diff --git a/fs/cifs/smb2inode.c b/fs/cifs/smb2inode.c +index e1491440e8f1f..442718cf61b86 100644 +--- a/fs/cifs/smb2inode.c ++++ b/fs/cifs/smb2inode.c +@@ -511,12 +511,13 @@ int smb2_query_path_info(const unsigned int xid, struct cifs_tcon *tcon, + struct cifs_sb_info *cifs_sb, const char *full_path, + struct cifs_open_info_data *data, bool *adjust_tz, bool *reparse) + { +- int rc; + __u32 create_options = 0; + struct cifsFileInfo *cfile; + struct cached_fid *cfid = NULL; + struct kvec err_iov[3] = {}; + int err_buftype[3] = {}; ++ bool islink; ++ int rc, rc2; + + *adjust_tz = false; + *reparse = false; +@@ -563,15 +564,15 @@ int smb2_query_path_info(const unsigned int xid, struct cifs_tcon *tcon, + create_options, ACL_NO_MODE, data, + SMB2_OP_QUERY_INFO, cfile, NULL, NULL); + goto out; +- } else if (rc != -EREMOTE && IS_ENABLED(CONFIG_CIFS_DFS_UPCALL) && +- hdr->Status == STATUS_OBJECT_NAME_INVALID) { +- /* +- * Handle weird Windows SMB server behaviour. It responds with +- * STATUS_OBJECT_NAME_INVALID code to SMB2 QUERY_INFO request +- * for "\\\" DFS reference, +- * where contains non-ASCII unicode symbols. +- */ +- rc = -EREMOTE; ++ } else if (rc != -EREMOTE && hdr->Status == STATUS_OBJECT_NAME_INVALID) { ++ rc2 = cifs_inval_name_dfs_link_error(xid, tcon, cifs_sb, ++ full_path, &islink); ++ if (rc2) { ++ rc = rc2; ++ goto out; ++ } ++ if (islink) ++ rc = -EREMOTE; + } + if (rc == -EREMOTE && IS_ENABLED(CONFIG_CIFS_DFS_UPCALL) && cifs_sb && + (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_DFS)) +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 6da495f593e17..0424876d22e5a 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -796,7 +796,6 @@ static int + smb2_is_path_accessible(const unsigned int xid, struct cifs_tcon *tcon, + struct cifs_sb_info *cifs_sb, const char *full_path) + { +- int rc; + __le16 *utf16_path; + __u8 oplock = SMB2_OPLOCK_LEVEL_NONE; + int err_buftype = CIFS_NO_BUFFER; +@@ -804,6 +803,8 @@ smb2_is_path_accessible(const unsigned int xid, struct cifs_tcon *tcon, + struct kvec err_iov = {}; + struct cifs_fid fid; + struct cached_fid *cfid; ++ bool islink; ++ int rc, rc2; + + rc = open_cached_dir(xid, tcon, full_path, cifs_sb, true, &cfid); + if (!rc) { +@@ -833,15 +834,17 @@ smb2_is_path_accessible(const unsigned int xid, struct cifs_tcon *tcon, + + if (unlikely(!hdr || err_buftype == CIFS_NO_BUFFER)) + goto out; +- /* +- * Handle weird Windows SMB server behaviour. It responds with +- * STATUS_OBJECT_NAME_INVALID code to SMB2 QUERY_INFO request +- * for "\\\" DFS reference, +- * where contains non-ASCII unicode symbols. +- */ +- if (rc != -EREMOTE && IS_ENABLED(CONFIG_CIFS_DFS_UPCALL) && +- hdr->Status == STATUS_OBJECT_NAME_INVALID) +- rc = -EREMOTE; ++ ++ if (rc != -EREMOTE && hdr->Status == STATUS_OBJECT_NAME_INVALID) { ++ rc2 = cifs_inval_name_dfs_link_error(xid, tcon, cifs_sb, ++ full_path, &islink); ++ if (rc2) { ++ rc = rc2; ++ goto out; ++ } ++ if (islink) ++ rc = -EREMOTE; ++ } + if (rc == -EREMOTE && IS_ENABLED(CONFIG_CIFS_DFS_UPCALL) && cifs_sb && + (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_DFS)) + rc = -EOPNOTSUPP; +-- +2.39.2 + diff --git a/queue-6.1/drm-amdgpu-fix-return-value-check-in-kfd.patch b/queue-6.1/drm-amdgpu-fix-return-value-check-in-kfd.patch new file mode 100644 index 00000000000..b28e00740b1 --- /dev/null +++ b/queue-6.1/drm-amdgpu-fix-return-value-check-in-kfd.patch @@ -0,0 +1,41 @@ +From b61f0eae99eb665c32d6825af8c802a0ec0d3c60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 15:42:28 +0100 +Subject: drm/amdgpu: fix return value check in kfd + +From: Shashank Sharma + +[ Upstream commit 20534dbcc7b7bfb447279cdcfb0d88ee3b779a18 ] + +This patch fixes a return value check in kfd doorbell handling. +This function should return 0(error) only when the ida_simple_get +returns < 0(error), return > 0 is a success case. + +Cc: Felix Kuehling +Cc: Alex Deucher +Fixes: 16f0013157bf ("drm/amdkfd: Allocate doorbells only when needed") +Acked-by: Christian Koenig +Reviewed-by: Felix Kuehling +Signed-off-by: Shashank Sharma +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c b/drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c +index cd4e61bf04939..3ac599f74fea8 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c +@@ -280,7 +280,7 @@ phys_addr_t kfd_get_process_doorbells(struct kfd_process_device *pdd) + if (!pdd->doorbell_index) { + int r = kfd_alloc_process_doorbells(pdd->dev, + &pdd->doorbell_index); +- if (r) ++ if (r < 0) + return 0; + } + +-- +2.39.2 + diff --git a/queue-6.1/drm-i915-do-panel-vbt-init-early-if-the-vbt-declares.patch b/queue-6.1/drm-i915-do-panel-vbt-init-early-if-the-vbt-declares.patch new file mode 100644 index 00000000000..ac4ca5eaad1 --- /dev/null +++ b/queue-6.1/drm-i915-do-panel-vbt-init-early-if-the-vbt-declares.patch @@ -0,0 +1,296 @@ +From b351a8764573e3d182e037a38df52b8f3c9bb892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 19:31:49 +0200 +Subject: drm/i915: Do panel VBT init early if the VBT declares an explicit + panel type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit 3f9ffce5765d68775163b8b134c4d7f156b48eec ] + +Lots of ADL machines out there with bogus VBTs that declare +two eDP child devices. In order for those to work we need to +figure out which power sequencer to use before we try the EDID +read. So let's do the panel VBT init early if we can, falling +back to the post-EDID init otherwise. + +The post-EDID init panel_type=0xff approach of assuming the +power sequencer should already be enabled doesn't really work +with multiple eDP panels, and currently we just end up using +the same power sequencer for both eDP ports, which at least +confuses the wakeref tracking, and potentially also causes us +to toggle the VDD for the panel when we should not. + +Cc: Animesh Manna +Reviewed-by: Jani Nikula +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20221125173156.31689-3-ville.syrjala@linux.intel.com +Stable-dep-of: 14e591a1930c ("drm/i915: Populate encoder->devdata for DSI on icl+") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/icl_dsi.c | 2 +- + drivers/gpu/drm/i915/display/intel_bios.c | 56 ++++++++++++++----- + drivers/gpu/drm/i915/display/intel_bios.h | 11 ++-- + .../drm/i915/display/intel_display_types.h | 2 +- + drivers/gpu/drm/i915/display/intel_dp.c | 7 ++- + drivers/gpu/drm/i915/display/intel_lvds.c | 4 +- + drivers/gpu/drm/i915/display/intel_panel.c | 1 + + drivers/gpu/drm/i915/display/intel_sdvo.c | 2 +- + drivers/gpu/drm/i915/display/vlv_dsi.c | 2 +- + 9 files changed, 61 insertions(+), 26 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/icl_dsi.c b/drivers/gpu/drm/i915/display/icl_dsi.c +index ed4d93942dbd2..34b3ff967a272 100644 +--- a/drivers/gpu/drm/i915/display/icl_dsi.c ++++ b/drivers/gpu/drm/i915/display/icl_dsi.c +@@ -2053,7 +2053,7 @@ void icl_dsi_init(struct drm_i915_private *dev_priv) + /* attach connector to encoder */ + intel_connector_attach_encoder(intel_connector, encoder); + +- intel_bios_init_panel(dev_priv, &intel_connector->panel, NULL, NULL); ++ intel_bios_init_panel_late(dev_priv, &intel_connector->panel, NULL, NULL); + + mutex_lock(&dev->mode_config.mutex); + intel_panel_add_vbt_lfp_fixed_mode(intel_connector); +diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c +index 178a8cbb75838..2378a2a48716e 100644 +--- a/drivers/gpu/drm/i915/display/intel_bios.c ++++ b/drivers/gpu/drm/i915/display/intel_bios.c +@@ -620,14 +620,14 @@ static void dump_pnp_id(struct drm_i915_private *i915, + + static int opregion_get_panel_type(struct drm_i915_private *i915, + const struct intel_bios_encoder_data *devdata, +- const struct edid *edid) ++ const struct edid *edid, bool use_fallback) + { + return intel_opregion_get_panel_type(i915); + } + + static int vbt_get_panel_type(struct drm_i915_private *i915, + const struct intel_bios_encoder_data *devdata, +- const struct edid *edid) ++ const struct edid *edid, bool use_fallback) + { + const struct bdb_lvds_options *lvds_options; + +@@ -652,7 +652,7 @@ static int vbt_get_panel_type(struct drm_i915_private *i915, + + static int pnpid_get_panel_type(struct drm_i915_private *i915, + const struct intel_bios_encoder_data *devdata, +- const struct edid *edid) ++ const struct edid *edid, bool use_fallback) + { + const struct bdb_lvds_lfp_data *data; + const struct bdb_lvds_lfp_data_ptrs *ptrs; +@@ -701,9 +701,9 @@ static int pnpid_get_panel_type(struct drm_i915_private *i915, + + static int fallback_get_panel_type(struct drm_i915_private *i915, + const struct intel_bios_encoder_data *devdata, +- const struct edid *edid) ++ const struct edid *edid, bool use_fallback) + { +- return 0; ++ return use_fallback ? 0 : -1; + } + + enum panel_type { +@@ -715,13 +715,13 @@ enum panel_type { + + static int get_panel_type(struct drm_i915_private *i915, + const struct intel_bios_encoder_data *devdata, +- const struct edid *edid) ++ const struct edid *edid, bool use_fallback) + { + struct { + const char *name; + int (*get_panel_type)(struct drm_i915_private *i915, + const struct intel_bios_encoder_data *devdata, +- const struct edid *edid); ++ const struct edid *edid, bool use_fallback); + int panel_type; + } panel_types[] = { + [PANEL_TYPE_OPREGION] = { +@@ -744,7 +744,8 @@ static int get_panel_type(struct drm_i915_private *i915, + int i; + + for (i = 0; i < ARRAY_SIZE(panel_types); i++) { +- panel_types[i].panel_type = panel_types[i].get_panel_type(i915, devdata, edid); ++ panel_types[i].panel_type = panel_types[i].get_panel_type(i915, devdata, ++ edid, use_fallback); + + drm_WARN_ON(&i915->drm, panel_types[i].panel_type > 0xf && + panel_types[i].panel_type != 0xff); +@@ -3191,14 +3192,26 @@ void intel_bios_init(struct drm_i915_private *i915) + kfree(oprom_vbt); + } + +-void intel_bios_init_panel(struct drm_i915_private *i915, +- struct intel_panel *panel, +- const struct intel_bios_encoder_data *devdata, +- const struct edid *edid) ++static void intel_bios_init_panel(struct drm_i915_private *i915, ++ struct intel_panel *panel, ++ const struct intel_bios_encoder_data *devdata, ++ const struct edid *edid, ++ bool use_fallback) + { +- init_vbt_panel_defaults(panel); ++ /* already have it? */ ++ if (panel->vbt.panel_type >= 0) { ++ drm_WARN_ON(&i915->drm, !use_fallback); ++ return; ++ } + +- panel->vbt.panel_type = get_panel_type(i915, devdata, edid); ++ panel->vbt.panel_type = get_panel_type(i915, devdata, ++ edid, use_fallback); ++ if (panel->vbt.panel_type < 0) { ++ drm_WARN_ON(&i915->drm, use_fallback); ++ return; ++ } ++ ++ init_vbt_panel_defaults(panel); + + parse_panel_options(i915, panel); + parse_generic_dtd(i915, panel); +@@ -3213,6 +3226,21 @@ void intel_bios_init_panel(struct drm_i915_private *i915, + parse_mipi_sequence(i915, panel); + } + ++void intel_bios_init_panel_early(struct drm_i915_private *i915, ++ struct intel_panel *panel, ++ const struct intel_bios_encoder_data *devdata) ++{ ++ intel_bios_init_panel(i915, panel, devdata, NULL, false); ++} ++ ++void intel_bios_init_panel_late(struct drm_i915_private *i915, ++ struct intel_panel *panel, ++ const struct intel_bios_encoder_data *devdata, ++ const struct edid *edid) ++{ ++ intel_bios_init_panel(i915, panel, devdata, edid, true); ++} ++ + /** + * intel_bios_driver_remove - Free any resources allocated by intel_bios_init() + * @i915: i915 device instance +diff --git a/drivers/gpu/drm/i915/display/intel_bios.h b/drivers/gpu/drm/i915/display/intel_bios.h +index e375405a78284..ff1fdd2e0c1c5 100644 +--- a/drivers/gpu/drm/i915/display/intel_bios.h ++++ b/drivers/gpu/drm/i915/display/intel_bios.h +@@ -232,10 +232,13 @@ struct mipi_pps_data { + } __packed; + + void intel_bios_init(struct drm_i915_private *dev_priv); +-void intel_bios_init_panel(struct drm_i915_private *dev_priv, +- struct intel_panel *panel, +- const struct intel_bios_encoder_data *devdata, +- const struct edid *edid); ++void intel_bios_init_panel_early(struct drm_i915_private *dev_priv, ++ struct intel_panel *panel, ++ const struct intel_bios_encoder_data *devdata); ++void intel_bios_init_panel_late(struct drm_i915_private *dev_priv, ++ struct intel_panel *panel, ++ const struct intel_bios_encoder_data *devdata, ++ const struct edid *edid); + void intel_bios_fini_panel(struct intel_panel *panel); + void intel_bios_driver_remove(struct drm_i915_private *dev_priv); + bool intel_bios_is_valid_vbt(const void *buf, size_t size); +diff --git a/drivers/gpu/drm/i915/display/intel_display_types.h b/drivers/gpu/drm/i915/display/intel_display_types.h +index 298d00a11f473..135dbcab62b28 100644 +--- a/drivers/gpu/drm/i915/display/intel_display_types.h ++++ b/drivers/gpu/drm/i915/display/intel_display_types.h +@@ -291,7 +291,7 @@ struct intel_vbt_panel_data { + struct drm_display_mode *sdvo_lvds_vbt_mode; /* if any */ + + /* Feature bits */ +- unsigned int panel_type:4; ++ int panel_type; + unsigned int lvds_dither:1; + unsigned int bios_lvds_val; /* initial [PCH_]LVDS reg val in VBIOS */ + +diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c +index b94bcceeff705..2e09899f2f927 100644 +--- a/drivers/gpu/drm/i915/display/intel_dp.c ++++ b/drivers/gpu/drm/i915/display/intel_dp.c +@@ -5179,6 +5179,9 @@ static bool intel_edp_init_connector(struct intel_dp *intel_dp, + return false; + } + ++ intel_bios_init_panel_early(dev_priv, &intel_connector->panel, ++ encoder->devdata); ++ + intel_pps_init(intel_dp); + + /* Cache DPCD and EDID for edp. */ +@@ -5213,8 +5216,8 @@ static bool intel_edp_init_connector(struct intel_dp *intel_dp, + } + intel_connector->edid = edid; + +- intel_bios_init_panel(dev_priv, &intel_connector->panel, +- encoder->devdata, IS_ERR(edid) ? NULL : edid); ++ intel_bios_init_panel_late(dev_priv, &intel_connector->panel, ++ encoder->devdata, IS_ERR(edid) ? NULL : edid); + + intel_panel_add_edid_fixed_modes(intel_connector, true); + +diff --git a/drivers/gpu/drm/i915/display/intel_lvds.c b/drivers/gpu/drm/i915/display/intel_lvds.c +index e5352239b2a2f..a749a5a66d624 100644 +--- a/drivers/gpu/drm/i915/display/intel_lvds.c ++++ b/drivers/gpu/drm/i915/display/intel_lvds.c +@@ -967,8 +967,8 @@ void intel_lvds_init(struct drm_i915_private *dev_priv) + } + intel_connector->edid = edid; + +- intel_bios_init_panel(dev_priv, &intel_connector->panel, NULL, +- IS_ERR(edid) ? NULL : edid); ++ intel_bios_init_panel_late(dev_priv, &intel_connector->panel, NULL, ++ IS_ERR(edid) ? NULL : edid); + + /* Try EDID first */ + intel_panel_add_edid_fixed_modes(intel_connector, +diff --git a/drivers/gpu/drm/i915/display/intel_panel.c b/drivers/gpu/drm/i915/display/intel_panel.c +index 8bd7af99cd2b9..b50db0dd20fc5 100644 +--- a/drivers/gpu/drm/i915/display/intel_panel.c ++++ b/drivers/gpu/drm/i915/display/intel_panel.c +@@ -652,6 +652,7 @@ void intel_panel_init_alloc(struct intel_connector *connector) + { + struct intel_panel *panel = &connector->panel; + ++ connector->panel.vbt.panel_type = -1; + INIT_LIST_HEAD(&panel->fixed_modes); + } + +diff --git a/drivers/gpu/drm/i915/display/intel_sdvo.c b/drivers/gpu/drm/i915/display/intel_sdvo.c +index 774c1dc31a521..a15e09b551708 100644 +--- a/drivers/gpu/drm/i915/display/intel_sdvo.c ++++ b/drivers/gpu/drm/i915/display/intel_sdvo.c +@@ -2891,7 +2891,7 @@ intel_sdvo_lvds_init(struct intel_sdvo *intel_sdvo, int device) + if (!intel_sdvo_create_enhance_property(intel_sdvo, intel_sdvo_connector)) + goto err; + +- intel_bios_init_panel(i915, &intel_connector->panel, NULL, NULL); ++ intel_bios_init_panel_late(i915, &intel_connector->panel, NULL, NULL); + + /* + * Fetch modes from VBT. For SDVO prefer the VBT mode since some +diff --git a/drivers/gpu/drm/i915/display/vlv_dsi.c b/drivers/gpu/drm/i915/display/vlv_dsi.c +index b3f5ca280ef26..90e3e41095b34 100644 +--- a/drivers/gpu/drm/i915/display/vlv_dsi.c ++++ b/drivers/gpu/drm/i915/display/vlv_dsi.c +@@ -1925,7 +1925,7 @@ void vlv_dsi_init(struct drm_i915_private *dev_priv) + + intel_dsi->panel_power_off_time = ktime_get_boottime(); + +- intel_bios_init_panel(dev_priv, &intel_connector->panel, NULL, NULL); ++ intel_bios_init_panel_late(dev_priv, &intel_connector->panel, NULL, NULL); + + if (intel_connector->panel.vbt.dsi.config->dual_link) + intel_dsi->ports = BIT(PORT_A) | BIT(PORT_C); +-- +2.39.2 + diff --git a/queue-6.1/drm-i915-introduce-intel_panel_init_alloc.patch b/queue-6.1/drm-i915-introduce-intel_panel_init_alloc.patch new file mode 100644 index 00000000000..67f669461c5 --- /dev/null +++ b/queue-6.1/drm-i915-introduce-intel_panel_init_alloc.patch @@ -0,0 +1,75 @@ +From 9e6969e91e662c26a8e05d11815525c78d1680c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 19:31:48 +0200 +Subject: drm/i915: Introduce intel_panel_init_alloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit f70f8153e3642337b444fbc0c64d546a46bbcd62 ] + +Introduce a place where we can initialize connector->panel +after it's been allocated. We already have a intel_panel_init() +so had to get creative with the name and came up with +intel_panel_init_alloc(). + +Cc: Animesh Manna +Reviewed-by: Jani Nikula +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20221125173156.31689-2-ville.syrjala@linux.intel.com +Stable-dep-of: 14e591a1930c ("drm/i915: Populate encoder->devdata for DSI on icl+") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_connector.c | 2 +- + drivers/gpu/drm/i915/display/intel_panel.c | 7 +++++++ + drivers/gpu/drm/i915/display/intel_panel.h | 1 + + 3 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_connector.c b/drivers/gpu/drm/i915/display/intel_connector.c +index 6d5cbeb8df4da..8bb296f3d6252 100644 +--- a/drivers/gpu/drm/i915/display/intel_connector.c ++++ b/drivers/gpu/drm/i915/display/intel_connector.c +@@ -54,7 +54,7 @@ int intel_connector_init(struct intel_connector *connector) + __drm_atomic_helper_connector_reset(&connector->base, + &conn_state->base); + +- INIT_LIST_HEAD(&connector->panel.fixed_modes); ++ intel_panel_init_alloc(connector); + + return 0; + } +diff --git a/drivers/gpu/drm/i915/display/intel_panel.c b/drivers/gpu/drm/i915/display/intel_panel.c +index f72f4646c0d70..8bd7af99cd2b9 100644 +--- a/drivers/gpu/drm/i915/display/intel_panel.c ++++ b/drivers/gpu/drm/i915/display/intel_panel.c +@@ -648,6 +648,13 @@ intel_panel_mode_valid(struct intel_connector *connector, + return MODE_OK; + } + ++void intel_panel_init_alloc(struct intel_connector *connector) ++{ ++ struct intel_panel *panel = &connector->panel; ++ ++ INIT_LIST_HEAD(&panel->fixed_modes); ++} ++ + int intel_panel_init(struct intel_connector *connector) + { + struct intel_panel *panel = &connector->panel; +diff --git a/drivers/gpu/drm/i915/display/intel_panel.h b/drivers/gpu/drm/i915/display/intel_panel.h +index 5c5b5b7f95b6c..4b51e1c51da62 100644 +--- a/drivers/gpu/drm/i915/display/intel_panel.h ++++ b/drivers/gpu/drm/i915/display/intel_panel.h +@@ -18,6 +18,7 @@ struct intel_connector; + struct intel_crtc_state; + struct intel_encoder; + ++void intel_panel_init_alloc(struct intel_connector *connector); + int intel_panel_init(struct intel_connector *connector); + void intel_panel_fini(struct intel_connector *connector); + enum drm_connector_status +-- +2.39.2 + diff --git a/queue-6.1/drm-i915-populate-encoder-devdata-for-dsi-on-icl.patch b/queue-6.1/drm-i915-populate-encoder-devdata-for-dsi-on-icl.patch new file mode 100644 index 00000000000..c3d0b66e1b0 --- /dev/null +++ b/queue-6.1/drm-i915-populate-encoder-devdata-for-dsi-on-icl.patch @@ -0,0 +1,110 @@ +From 2a15d70f60a7f4c8e3272f0390ae0cb02d677071 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Feb 2023 08:43:36 +0200 +Subject: drm/i915: Populate encoder->devdata for DSI on icl+ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit 14e591a1930c2790fe862af5b01ee3ca587f752f ] + +We now have some eDP+DSI dual panel systems floating around +where the DSI panel is the secondary LFP and thus needs to +consult "panel type 2" in VBT in order to locate all the +other panel type dependant stuff correctly. + +To that end we need to pass in the devdata to +intel_bios_init_panel_late(), otherwise it'll just assume +we want the primary panel type. So let's try to just populate +the vbt.ports[] stuff and encoder->devdata for icl+ DSI +panels as well. + +We can't do this on older platforms as there we risk a DSI +port aliasing with a HDMI/DP port, which is a totally legal +thing as the DSI ports live in their own little parallel +universe. + +Cc: stable@vger.kernel.org +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8016 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20230207064337.18697-3-ville.syrjala@linux.intel.com +Reviewed-by: Jani Nikula +(cherry picked from commit ba00eb6a4bfbe5194ddda50730aba063951f8ce0) +Signed-off-by: Jani Nikula +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/icl_dsi.c | 3 ++- + drivers/gpu/drm/i915/display/intel_bios.c | 15 ++++++++++++--- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/icl_dsi.c b/drivers/gpu/drm/i915/display/icl_dsi.c +index 34b3ff967a272..ecd6c5c3f4ded 100644 +--- a/drivers/gpu/drm/i915/display/icl_dsi.c ++++ b/drivers/gpu/drm/i915/display/icl_dsi.c +@@ -2053,7 +2053,8 @@ void icl_dsi_init(struct drm_i915_private *dev_priv) + /* attach connector to encoder */ + intel_connector_attach_encoder(intel_connector, encoder); + +- intel_bios_init_panel_late(dev_priv, &intel_connector->panel, NULL, NULL); ++ encoder->devdata = intel_bios_encoder_data_lookup(dev_priv, port); ++ intel_bios_init_panel_late(dev_priv, &intel_connector->panel, encoder->devdata, NULL); + + mutex_lock(&dev->mode_config.mutex); + intel_panel_add_vbt_lfp_fixed_mode(intel_connector); +diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c +index 2378a2a48716e..a70b7061742a8 100644 +--- a/drivers/gpu/drm/i915/display/intel_bios.c ++++ b/drivers/gpu/drm/i915/display/intel_bios.c +@@ -2593,6 +2593,12 @@ intel_bios_encoder_supports_edp(const struct intel_bios_encoder_data *devdata) + devdata->child.device_type & DEVICE_TYPE_INTERNAL_CONNECTOR; + } + ++static bool ++intel_bios_encoder_supports_dsi(const struct intel_bios_encoder_data *devdata) ++{ ++ return devdata->child.device_type & DEVICE_TYPE_MIPI_OUTPUT; ++} ++ + static int _intel_bios_hdmi_level_shift(const struct intel_bios_encoder_data *devdata) + { + if (!devdata || devdata->i915->display.vbt.version < 158) +@@ -2643,7 +2649,7 @@ static void print_ddi_port(const struct intel_bios_encoder_data *devdata, + { + struct drm_i915_private *i915 = devdata->i915; + const struct child_device_config *child = &devdata->child; +- bool is_dvi, is_hdmi, is_dp, is_edp, is_crt, supports_typec_usb, supports_tbt; ++ bool is_dvi, is_hdmi, is_dp, is_edp, is_dsi, is_crt, supports_typec_usb, supports_tbt; + int dp_boost_level, dp_max_link_rate, hdmi_boost_level, hdmi_level_shift, max_tmds_clock; + + is_dvi = intel_bios_encoder_supports_dvi(devdata); +@@ -2651,13 +2657,14 @@ static void print_ddi_port(const struct intel_bios_encoder_data *devdata, + is_crt = intel_bios_encoder_supports_crt(devdata); + is_hdmi = intel_bios_encoder_supports_hdmi(devdata); + is_edp = intel_bios_encoder_supports_edp(devdata); ++ is_dsi = intel_bios_encoder_supports_dsi(devdata); + + supports_typec_usb = intel_bios_encoder_supports_typec_usb(devdata); + supports_tbt = intel_bios_encoder_supports_tbt(devdata); + + drm_dbg_kms(&i915->drm, +- "Port %c VBT info: CRT:%d DVI:%d HDMI:%d DP:%d eDP:%d LSPCON:%d USB-Type-C:%d TBT:%d DSC:%d\n", +- port_name(port), is_crt, is_dvi, is_hdmi, is_dp, is_edp, ++ "Port %c VBT info: CRT:%d DVI:%d HDMI:%d DP:%d eDP:%d DSI:%d LSPCON:%d USB-Type-C:%d TBT:%d DSC:%d\n", ++ port_name(port), is_crt, is_dvi, is_hdmi, is_dp, is_edp, is_dsi, + HAS_LSPCON(i915) && child->lspcon, + supports_typec_usb, supports_tbt, + devdata->dsc != NULL); +@@ -2702,6 +2709,8 @@ static void parse_ddi_port(struct intel_bios_encoder_data *devdata) + enum port port; + + port = dvo_port_to_port(i915, child->dvo_port); ++ if (port == PORT_NONE && DISPLAY_VER(i915) >= 11) ++ port = dsi_dvo_port_to_port(i915, child->dvo_port); + if (port == PORT_NONE) + return; + +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-a5xx-fix-context-faults-during-ring-switch.patch b/queue-6.1/drm-msm-a5xx-fix-context-faults-during-ring-switch.patch new file mode 100644 index 00000000000..44881e352b2 --- /dev/null +++ b/queue-6.1/drm-msm-a5xx-fix-context-faults-during-ring-switch.patch @@ -0,0 +1,49 @@ +From 1a538b33330ada8efc8e348525fa389c80d7f651 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 05:09:56 +0300 +Subject: drm/msm/a5xx: fix context faults during ring switch + +From: Dmitry Baryshkov + +[ Upstream commit 32e7083429d46f29080626fe387ff90c086b1fbe ] + +The rptr_addr is set in the preempt_init_ring(), which is called from +a5xx_gpu_init(). It uses shadowptr() to set the address, however the +shadow_iova is not yet initialized at that time. Move the rptr_addr +setting to the a5xx_preempt_hw_init() which is called after setting the +shadow_iova, getting the correct value for the address. + +Fixes: 8907afb476ac ("drm/msm: Allow a5xx to mark the RPTR shadow as privileged") +Suggested-by: Rob Clark +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/522640/ +Link: https://lore.kernel.org/r/20230214020956.164473-5-dmitry.baryshkov@linaro.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +index 6e326d851ba53..e0eef47dae632 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +@@ -208,6 +208,7 @@ void a5xx_preempt_hw_init(struct msm_gpu *gpu) + a5xx_gpu->preempt[i]->wptr = 0; + a5xx_gpu->preempt[i]->rptr = 0; + a5xx_gpu->preempt[i]->rbase = gpu->rb[i]->iova; ++ a5xx_gpu->preempt[i]->rptr_addr = shadowptr(a5xx_gpu, gpu->rb[i]); + } + + /* Write a 0 to signal that we aren't switching pagetables */ +@@ -259,7 +260,6 @@ static int preempt_init_ring(struct a5xx_gpu *a5xx_gpu, + ptr->data = 0; + ptr->cntl = MSM_GPU_RB_CNTL_DEFAULT | AXXX_CP_RB_CNTL_NO_UPDATE; + +- ptr->rptr_addr = shadowptr(a5xx_gpu, ring); + ptr->counter = counters_iova; + + return 0; +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-a5xx-fix-highest-bank-bit-for-a530.patch b/queue-6.1/drm-msm-a5xx-fix-highest-bank-bit-for-a530.patch new file mode 100644 index 00000000000..f9a9893582b --- /dev/null +++ b/queue-6.1/drm-msm-a5xx-fix-highest-bank-bit-for-a530.patch @@ -0,0 +1,38 @@ +From 6d1b7415ef1e047105706e30410d0fd722761b89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 05:09:54 +0300 +Subject: drm/msm/a5xx: fix highest bank bit for a530 + +From: Dmitry Baryshkov + +[ Upstream commit 141f66ebbfa17cc7e2075f06c50107da978c965b ] + +A530 has highest bank bit equal to 15 (like A540). Fix values written to +REG_A5XX_RB_MODE_CNTL and REG_A5XX_TPL1_MODE_CNTL registers. + +Fixes: 1d832ab30ce6 ("drm/msm/a5xx: Add support for Adreno 508, 509, 512 GPUs") +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/522639/ +Link: https://lore.kernel.org/r/20230214020956.164473-3-dmitry.baryshkov@linaro.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +index f8634fbeffda0..4f0dbeebb79fb 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +@@ -808,7 +808,7 @@ static int a5xx_hw_init(struct msm_gpu *gpu) + gpu_write(gpu, REG_A5XX_RBBM_AHB_CNTL2, 0x0000003F); + + /* Set the highest bank bit */ +- if (adreno_is_a540(adreno_gpu)) ++ if (adreno_is_a540(adreno_gpu) || adreno_is_a530(adreno_gpu)) + regbit = 2; + else + regbit = 1; +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-a5xx-fix-setting-of-the-cp_preempt_enable_lo.patch b/queue-6.1/drm-msm-a5xx-fix-setting-of-the-cp_preempt_enable_lo.patch new file mode 100644 index 00000000000..d45ec2772c1 --- /dev/null +++ b/queue-6.1/drm-msm-a5xx-fix-setting-of-the-cp_preempt_enable_lo.patch @@ -0,0 +1,41 @@ +From 6a6dbf610c6b415ce0e2b6e9266267e78dfca0b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 05:09:53 +0300 +Subject: drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register + +From: Dmitry Baryshkov + +[ Upstream commit a7a4c19c36de1e4b99b06e4060ccc8ab837725bc ] + +Rather than writing CP_PREEMPT_ENABLE_GLOBAL twice, follow the vendor +kernel and set CP_PREEMPT_ENABLE_LOCAL register instead. a5xx_submit() +will override it during submission, but let's get the sequence correct. + +Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets") +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/522638/ +Link: https://lore.kernel.org/r/20230214020956.164473-2-dmitry.baryshkov@linaro.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +index 3dcec7acb3840..f8634fbeffda0 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +@@ -151,8 +151,8 @@ static void a5xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit) + OUT_RING(ring, 1); + + /* Enable local preemption for finegrain preemption */ +- OUT_PKT7(ring, CP_PREEMPT_ENABLE_GLOBAL, 1); +- OUT_RING(ring, 0x02); ++ OUT_PKT7(ring, CP_PREEMPT_ENABLE_LOCAL, 1); ++ OUT_RING(ring, 0x1); + + /* Allow CP_CONTEXT_SWITCH_YIELD packets in the IB2 */ + OUT_PKT7(ring, CP_YIELD_ENABLE, 1); +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-a5xx-fix-the-emptyness-check-in-the-preempt-.patch b/queue-6.1/drm-msm-a5xx-fix-the-emptyness-check-in-the-preempt-.patch new file mode 100644 index 00000000000..d2018da717f --- /dev/null +++ b/queue-6.1/drm-msm-a5xx-fix-the-emptyness-check-in-the-preempt-.patch @@ -0,0 +1,42 @@ +From 5d4f42363cf02396f26f4e0d76489f1fa3c7daf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 05:09:55 +0300 +Subject: drm/msm/a5xx: fix the emptyness check in the preempt code + +From: Dmitry Baryshkov + +[ Upstream commit b4fb748f0b734ce1d2e7834998cc599fcbd25d67 ] + +Quoting Yassine: ring->memptrs->rptr is never updated and stays 0, so +the comparison always evaluates to false and get_next_ring always +returns ring 0 thinking it isn't empty. + +Fix this by calling get_rptr() instead of reading rptr directly. + +Reported-by: Yassine Oudjana +Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets") +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/522642/ +Link: https://lore.kernel.org/r/20230214020956.164473-4-dmitry.baryshkov@linaro.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +index 8abc9a2b114a2..6e326d851ba53 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +@@ -63,7 +63,7 @@ static struct msm_ringbuffer *get_next_ring(struct msm_gpu *gpu) + struct msm_ringbuffer *ring = gpu->rb[i]; + + spin_lock_irqsave(&ring->preempt_lock, flags); +- empty = (get_wptr(ring) == ring->memptrs->rptr); ++ empty = (get_wptr(ring) == gpu->funcs->get_rptr(gpu, ring)); + spin_unlock_irqrestore(&ring->preempt_lock, flags); + + if (!empty) +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-dpu-clear-dspp-reservations-in-rm-release.patch b/queue-6.1/drm-msm-dpu-clear-dspp-reservations-in-rm-release.patch new file mode 100644 index 00000000000..a1d1b99c85b --- /dev/null +++ b/queue-6.1/drm-msm-dpu-clear-dspp-reservations-in-rm-release.patch @@ -0,0 +1,40 @@ +From 0e43cff182e6a09b0aa52e123d4614e8e0827ef1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Feb 2023 03:11:41 -0800 +Subject: drm/msm/dpu: clear DSPP reservations in rm release + +From: Kalyan Thota + +[ Upstream commit 5ec498ba86550909f2611b07087d57a71a78c336 ] + +Clear DSPP reservations from the global state during +rm release + +Fixes: e47616df008b ("drm/msm/dpu: add support for color processing blocks in dpu driver") +Signed-off-by: Kalyan Thota +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Marijn Suijten +Patchwork: https://patchwork.freedesktop.org/patch/522443/ +Link: https://lore.kernel.org/r/1676286704-818-2-git-send-email-quic_kalyant@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c +index 7ada957adbbb8..58abf5fe97e20 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c +@@ -572,6 +572,8 @@ void dpu_rm_release(struct dpu_global_state *global_state, + ARRAY_SIZE(global_state->ctl_to_enc_id), enc->base.id); + _dpu_rm_clear_mapping(global_state->dsc_to_enc_id, + ARRAY_SIZE(global_state->dsc_to_enc_id), enc->base.id); ++ _dpu_rm_clear_mapping(global_state->dspp_to_enc_id, ++ ARRAY_SIZE(global_state->dspp_to_enc_id), enc->base.id); + } + + int dpu_rm_reserve( +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-dpu-disable-features-unsupported-by-qcm2290.patch b/queue-6.1/drm-msm-dpu-disable-features-unsupported-by-qcm2290.patch new file mode 100644 index 00000000000..d5d6f398a4d --- /dev/null +++ b/queue-6.1/drm-msm-dpu-disable-features-unsupported-by-qcm2290.patch @@ -0,0 +1,75 @@ +From 01a4c1b421b815b3ffbfccdc085bc629b5d06849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 01:12:11 +0200 +Subject: drm/msm/dpu: disable features unsupported by QCM2290 + +From: Dmitry Baryshkov + +[ Upstream commit a2a448b4d9bcb5bff0e0f687b7932a7be9ca898a ] + +QCM2290 doesn't seem to support reg-dma, UBWC and CSC. Drop +corresponding features being incorrectly enabled for qcm2290. + +Cc: Loic Poulain +Fixes: 5334087ee743 ("drm/msm: add support for QCM2290 MDSS") +Reviewed-by: Abhinav Kumar +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/522209/ +Link: https://lore.kernel.org/r/20230211231259.1308718-3-dmitry.baryshkov@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index 365738f40976a..e3f1661b84609 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -12,11 +12,15 @@ + #include "dpu_hw_catalog.h" + #include "dpu_kms.h" + +-#define VIG_MASK \ ++#define VIG_BASE_MASK \ + (BIT(DPU_SSPP_SRC) | BIT(DPU_SSPP_QOS) |\ +- BIT(DPU_SSPP_CSC_10BIT) | BIT(DPU_SSPP_CDP) |\ ++ BIT(DPU_SSPP_CDP) |\ + BIT(DPU_SSPP_TS_PREFILL) | BIT(DPU_SSPP_EXCL_RECT)) + ++#define VIG_MASK \ ++ (VIG_BASE_MASK | \ ++ BIT(DPU_SSPP_CSC_10BIT)) ++ + #define VIG_MSM8998_MASK \ + (VIG_MASK | BIT(DPU_SSPP_SCALER_QSEED3)) + +@@ -29,7 +33,7 @@ + #define VIG_SM8250_MASK \ + (VIG_MASK | BIT(DPU_SSPP_QOS_8LVL) | BIT(DPU_SSPP_SCALER_QSEED3LITE)) + +-#define VIG_QCM2290_MASK (VIG_MASK | BIT(DPU_SSPP_QOS_8LVL)) ++#define VIG_QCM2290_MASK (VIG_BASE_MASK | BIT(DPU_SSPP_QOS_8LVL)) + + #define DMA_MSM8998_MASK \ + (BIT(DPU_SSPP_SRC) | BIT(DPU_SSPP_QOS) |\ +@@ -283,7 +287,6 @@ static const struct dpu_caps qcm2290_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0x4, + .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, +- .ubwc_version = DPU_HW_UBWC_VER_20, + .has_dim_layer = true, + .has_idle_pc = true, + .max_linewidth = 2160, +@@ -1918,8 +1921,6 @@ static const struct dpu_mdss_cfg qcm2290_dpu_cfg = { + .intf = qcm2290_intf, + .vbif_count = ARRAY_SIZE(sdm845_vbif), + .vbif = sdm845_vbif, +- .reg_dma_count = 1, +- .dma_cfg = &sdm845_regdma, + .perf = &qcm2290_perf_data, + .mdss_irqs = IRQ_SC7180_MASK, + }; +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-dpu-drop-dpu_dim_layer-from-mixer_msm8998_ma.patch b/queue-6.1/drm-msm-dpu-drop-dpu_dim_layer-from-mixer_msm8998_ma.patch new file mode 100644 index 00000000000..1ac6e408aea --- /dev/null +++ b/queue-6.1/drm-msm-dpu-drop-dpu_dim_layer-from-mixer_msm8998_ma.patch @@ -0,0 +1,40 @@ +From 3770b565f6a12d1d86946bfb0c9421dd34c0902d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 01:12:20 +0200 +Subject: drm/msm/dpu: drop DPU_DIM_LAYER from MIXER_MSM8998_MASK + +From: Dmitry Baryshkov + +[ Upstream commit a5045b00a68171de11603812f4304179ef608e60 ] + +The msm8998 doesn't seem to support DIM_LAYER, so drop it from +the supported features mask. + +Fixes: 2d8a4edb672d ("drm/msm/dpu: use feature bit for LM combined alpha check") +Fixes: 94391a14fc27 ("drm/msm/dpu1: Add MSM8998 to hw catalog") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/522231/ +Link: https://lore.kernel.org/r/20230211231259.1308718-12-dmitry.baryshkov@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index 48fedd3f182e6..4c8d1d18b5055 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -55,7 +55,7 @@ + (DMA_MSM8998_MASK | BIT(DPU_SSPP_CURSOR)) + + #define MIXER_MSM8998_MASK \ +- (BIT(DPU_MIXER_SOURCESPLIT) | BIT(DPU_DIM_LAYER)) ++ (BIT(DPU_MIXER_SOURCESPLIT)) + + #define MIXER_SDM845_MASK \ + (BIT(DPU_MIXER_SOURCESPLIT) | BIT(DPU_DIM_LAYER) | BIT(DPU_MIXER_COMBINED_ALPHA)) +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-dpu-fix-clocks-settings-for-msm8998-sspp-blo.patch b/queue-6.1/drm-msm-dpu-fix-clocks-settings-for-msm8998-sspp-blo.patch new file mode 100644 index 00000000000..29f22e4f765 --- /dev/null +++ b/queue-6.1/drm-msm-dpu-fix-clocks-settings-for-msm8998-sspp-blo.patch @@ -0,0 +1,46 @@ +From 29694c42b9bb25d4018dcbb7b561cfa38cb481bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 01:12:21 +0200 +Subject: drm/msm/dpu: fix clocks settings for msm8998 SSPP blocks + +From: Dmitry Baryshkov + +[ Upstream commit 0abb6a24aabc1252eae75fe23b0ccd3217c6ee07 ] + +DMA2 and DMA3 planes on msm8998 should use corresponding DMA2 and DMA3 +clocks rather than CURSOR0/1 clocks (which are used for the CURSOR +planes). Correct corresponding SSPP declarations. + +Fixes: 94391a14fc27 ("drm/msm/dpu1: Add MSM8998 to hw catalog") +Cc: AngeloGioacchino Del Regno +Cc: Jami Kettunen +Reviewed-by: Marijn Suijten +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/522230/ +Link: https://lore.kernel.org/r/20230211231259.1308718-13-dmitry.baryshkov@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index 4c8d1d18b5055..41c93a18d5cb3 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -813,9 +813,9 @@ static const struct dpu_sspp_cfg msm8998_sspp[] = { + SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_MSM8998_MASK, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), + SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_MSM8998_MASK, +- sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_CURSOR0), ++ sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), + SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_CURSOR_MSM8998_MASK, +- sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_CURSOR1), ++ sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), + }; + + static const struct dpu_sspp_cfg sdm845_sspp[] = { +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-dpu-fix-len-of-sc7180-ctl-blocks.patch b/queue-6.1/drm-msm-dpu-fix-len-of-sc7180-ctl-blocks.patch new file mode 100644 index 00000000000..a482aee0be1 --- /dev/null +++ b/queue-6.1/drm-msm-dpu-fix-len-of-sc7180-ctl-blocks.patch @@ -0,0 +1,52 @@ +From a8a727c12b36427f2824e52776b9fff2787640b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 01:12:13 +0200 +Subject: drm/msm/dpu: fix len of sc7180 ctl blocks + +From: Dmitry Baryshkov + +[ Upstream commit ce6bd00abc220e9edf10986234fadba6462b4abf ] + +Change sc7180's ctl block len to 0x1dc. + +Fixes: 7bdc0c4b8126 ("msm:disp:dpu1: add support for display for SC7180 target") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/522210/ +Link: https://lore.kernel.org/r/20230211231259.1308718-5-dmitry.baryshkov@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index e3f1661b84609..48fedd3f182e6 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -607,19 +607,19 @@ static const struct dpu_ctl_cfg sdm845_ctl[] = { + static const struct dpu_ctl_cfg sc7180_ctl[] = { + { + .name = "ctl_0", .id = CTL_0, +- .base = 0x1000, .len = 0xE4, ++ .base = 0x1000, .len = 0x1dc, + .features = BIT(DPU_CTL_ACTIVE_CFG), + .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 9), + }, + { + .name = "ctl_1", .id = CTL_1, +- .base = 0x1200, .len = 0xE4, ++ .base = 0x1200, .len = 0x1dc, + .features = BIT(DPU_CTL_ACTIVE_CFG), + .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 10), + }, + { + .name = "ctl_2", .id = CTL_2, +- .base = 0x1400, .len = 0xE4, ++ .base = 0x1400, .len = 0x1dc, + .features = BIT(DPU_CTL_ACTIVE_CFG), + .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 11), + }, +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-fix-potential-invalid-ptr-free.patch b/queue-6.1/drm-msm-fix-potential-invalid-ptr-free.patch new file mode 100644 index 00000000000..9bfc4a8daf8 --- /dev/null +++ b/queue-6.1/drm-msm-fix-potential-invalid-ptr-free.patch @@ -0,0 +1,49 @@ +From b2dce50a1cd11b33f8a0b9277a58c0de584a149f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 15:50:48 -0800 +Subject: drm/msm: Fix potential invalid ptr free + +From: Rob Clark + +[ Upstream commit 8a86f213f4426f19511a16d886871805b35c3acf ] + +The error path cleanup expects that chain and syncobj are either NULL or +valid pointers. But post_deps was not allocated with __GFP_ZERO. + +Fixes: ab723b7a992a ("drm/msm: Add syncobj support.") +Signed-off-by: Rob Clark +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Dmitry Osipenko +Patchwork: https://patchwork.freedesktop.org/patch/523051/ +Link: https://lore.kernel.org/r/20230215235048.1166484-1-robdclark@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem_submit.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c +index 7c2cc1262c05d..d8c9d184190bb 100644 +--- a/drivers/gpu/drm/msm/msm_gem_submit.c ++++ b/drivers/gpu/drm/msm/msm_gem_submit.c +@@ -627,8 +627,8 @@ static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev, + int ret = 0; + uint32_t i, j; + +- post_deps = kmalloc_array(nr_syncobjs, sizeof(*post_deps), +- GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY); ++ post_deps = kcalloc(nr_syncobjs, sizeof(*post_deps), ++ GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY); + if (!post_deps) + return ERR_PTR(-ENOMEM); + +@@ -643,7 +643,6 @@ static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev, + } + + post_deps[i].point = syncobj_desc.point; +- post_deps[i].chain = NULL; + + if (syncobj_desc.flags) { + ret = -EINVAL; +-- +2.39.2 + diff --git a/queue-6.1/drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch b/queue-6.1/drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch new file mode 100644 index 00000000000..f9973e4bb80 --- /dev/null +++ b/queue-6.1/drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch @@ -0,0 +1,64 @@ +From 12bc2b920b9ebb780dcfe4ab0f554d42cae2a8c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 12:42:29 +0100 +Subject: drm/nouveau/kms/nv50: fix nv50_wndw_new_ prototype + +From: Jiri Slaby (SUSE) + +[ Upstream commit 3638a820c5c3b52f327cebb174fd4274bee08aa7 ] + +gcc-13 warns about mismatching types for enums. That revealed switched +arguments of nv50_wndw_new_(): + drivers/gpu/drm/nouveau/dispnv50/wndw.c:696:1: error: conflicting types for 'nv50_wndw_new_' due to enum/integer mismatch; have 'int(const struct nv50_wndw_func *, struct drm_device *, enum drm_plane_type, const char *, int, const u32 *, u32, enum nv50_disp_interlock_type, u32, struct nv50_wndw **)' + drivers/gpu/drm/nouveau/dispnv50/wndw.h:36:5: note: previous declaration of 'nv50_wndw_new_' with type 'int(const struct nv50_wndw_func *, struct drm_device *, enum drm_plane_type, const char *, int, const u32 *, enum nv50_disp_interlock_type, u32, u32, struct nv50_wndw **)' + +It can be barely visible, but the declaration says about the parameters +in the middle: + enum nv50_disp_interlock_type, + u32 interlock_data, + u32 heads, + +While the definition states differently: + u32 heads, + enum nv50_disp_interlock_type interlock_type, + u32 interlock_data, + +Unify/fix the declaration to match the definition. + +Fixes: 53e0a3e70de6 ("drm/nouveau/kms/nv50-: simplify tracking of channel interlocks") +Cc: Martin Liska +Cc: Ben Skeggs +Cc: Karol Herbst +Cc: Lyude Paul +Cc: David Airlie +Cc: Daniel Vetter +Cc: dri-devel@lists.freedesktop.org +Cc: nouveau@lists.freedesktop.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Jiri Slaby (SUSE) +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20221031114229.10289-1-jirislaby@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/dispnv50/wndw.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/dispnv50/wndw.h b/drivers/gpu/drm/nouveau/dispnv50/wndw.h +index 591c852f326b9..76a6ae5d56526 100644 +--- a/drivers/gpu/drm/nouveau/dispnv50/wndw.h ++++ b/drivers/gpu/drm/nouveau/dispnv50/wndw.h +@@ -35,8 +35,9 @@ struct nv50_wndw { + + int nv50_wndw_new_(const struct nv50_wndw_func *, struct drm_device *, + enum drm_plane_type, const char *name, int index, +- const u32 *format, enum nv50_disp_interlock_type, +- u32 interlock_data, u32 heads, struct nv50_wndw **); ++ const u32 *format, u32 heads, ++ enum nv50_disp_interlock_type, u32 interlock_data, ++ struct nv50_wndw **); + void nv50_wndw_flush_set(struct nv50_wndw *, u32 *interlock, + struct nv50_wndw_atom *); + void nv50_wndw_flush_clr(struct nv50_wndw *, u32 *interlock, bool flush, +-- +2.39.2 + diff --git a/queue-6.1/erofs-revert-erofs-fix-kvcalloc-misuse-with-__gfp_no.patch b/queue-6.1/erofs-revert-erofs-fix-kvcalloc-misuse-with-__gfp_no.patch new file mode 100644 index 00000000000..9faebd50ec2 --- /dev/null +++ b/queue-6.1/erofs-revert-erofs-fix-kvcalloc-misuse-with-__gfp_no.patch @@ -0,0 +1,71 @@ +From 25d56dae17aa91811ea6d7e705a6cc19a78506fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 13:31:47 +0800 +Subject: erofs: Revert "erofs: fix kvcalloc() misuse with __GFP_NOFAIL" + +From: Gao Xiang + +[ Upstream commit 647dd2c3f0e16b71a1a77897d038164d48eea154 ] + +Let's revert commit 12724ba38992 ("erofs: fix kvcalloc() misuse with +__GFP_NOFAIL") since kvmalloc() already supports __GFP_NOFAIL in commit +a421ef303008 ("mm: allow !GFP_KERNEL allocations for kvmalloc"). So +the original fix was wrong. + +Actually there was some issue as [1] discussed, so before that mm fix +is landed, the warn could still happen but applying this commit first +will cause less. + +[1] https://lore.kernel.org/r/20230305053035.1911-1-hsiangkao@linux.alibaba.com + +Fixes: 12724ba38992 ("erofs: fix kvcalloc() misuse with __GFP_NOFAIL") +Reviewed-by: Chao Yu +Link: https://lore.kernel.org/r/20230309053148.9223-1-hsiangkao@linux.alibaba.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/zdata.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c +index ee7c88c9b5afa..cf4871834ebb2 100644 +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -1047,12 +1047,12 @@ static int z_erofs_decompress_pcluster(struct z_erofs_decompress_backend *be, + + if (!be->decompressed_pages) + be->decompressed_pages = +- kcalloc(be->nr_pages, sizeof(struct page *), +- GFP_KERNEL | __GFP_NOFAIL); ++ kvcalloc(be->nr_pages, sizeof(struct page *), ++ GFP_KERNEL | __GFP_NOFAIL); + if (!be->compressed_pages) + be->compressed_pages = +- kcalloc(pclusterpages, sizeof(struct page *), +- GFP_KERNEL | __GFP_NOFAIL); ++ kvcalloc(pclusterpages, sizeof(struct page *), ++ GFP_KERNEL | __GFP_NOFAIL); + + z_erofs_parse_out_bvecs(be); + err2 = z_erofs_parse_in_bvecs(be, &overlapped); +@@ -1100,7 +1100,7 @@ static int z_erofs_decompress_pcluster(struct z_erofs_decompress_backend *be, + } + if (be->compressed_pages < be->onstack_pages || + be->compressed_pages >= be->onstack_pages + Z_EROFS_ONSTACK_PAGES) +- kfree(be->compressed_pages); ++ kvfree(be->compressed_pages); + z_erofs_fill_other_copies(be, err); + + for (i = 0; i < be->nr_pages; ++i) { +@@ -1119,7 +1119,7 @@ static int z_erofs_decompress_pcluster(struct z_erofs_decompress_backend *be, + } + + if (be->decompressed_pages != be->onstack_pages) +- kfree(be->decompressed_pages); ++ kvfree(be->decompressed_pages); + + pcl->length = 0; + pcl->partial = true; +-- +2.39.2 + diff --git a/queue-6.1/ethernet-ice-avoid-gcc-9-integer-overflow-warning.patch b/queue-6.1/ethernet-ice-avoid-gcc-9-integer-overflow-warning.patch new file mode 100644 index 00000000000..96d06551988 --- /dev/null +++ b/queue-6.1/ethernet-ice-avoid-gcc-9-integer-overflow-warning.patch @@ -0,0 +1,73 @@ +From c99de60c032bba6fae728709e15487a0b7ac46a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 16:25:36 +0100 +Subject: ethernet: ice: avoid gcc-9 integer overflow warning + +From: Arnd Bergmann + +[ Upstream commit 8f5c5a790e3025d6eca96bf7ee5e3873dc92373f ] + +With older compilers like gcc-9, the calculation of the vlan +priority field causes a false-positive warning from the byteswap: + +In file included from drivers/net/ethernet/intel/ice/ice_tc_lib.c:4: +drivers/net/ethernet/intel/ice/ice_tc_lib.c: In function 'ice_parse_cls_flower': +include/uapi/linux/swab.h:15:15: error: integer overflow in expression '(int)(short unsigned int)((int)match.key->..vlan_priority << 13) & 57344 & 255' of type 'int' results in '0' [-Werror=overflow] + 15 | (((__u16)(x) & (__u16)0x00ffU) << 8) | \ + | ~~~~~~~~~~~~^~~~~~~~~~~~~~~~~ +include/uapi/linux/swab.h:106:2: note: in expansion of macro '___constant_swab16' + 106 | ___constant_swab16(x) : \ + | ^~~~~~~~~~~~~~~~~~ +include/uapi/linux/byteorder/little_endian.h:42:43: note: in expansion of macro '__swab16' + 42 | #define __cpu_to_be16(x) ((__force __be16)__swab16((x))) + | ^~~~~~~~ +include/linux/byteorder/generic.h:96:21: note: in expansion of macro '__cpu_to_be16' + 96 | #define cpu_to_be16 __cpu_to_be16 + | ^~~~~~~~~~~~~ +drivers/net/ethernet/intel/ice/ice_tc_lib.c:1458:5: note: in expansion of macro 'cpu_to_be16' + 1458 | cpu_to_be16((match.key->vlan_priority << + | ^~~~~~~~~~~ + +After a change to be16_encode_bits(), the code becomes more +readable to both people and compilers, which avoids the warning. + +Fixes: 34800178b302 ("ice: Add support for VLAN priority filters in switchdev") +Suggested-by: Alexander Lobakin +Signed-off-by: Arnd Bergmann +Reviewed-by: Alexander Lobakin +Tested-by: Sujai Buvaneswaran +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_tc_lib.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_tc_lib.c b/drivers/net/ethernet/intel/ice/ice_tc_lib.c +index f68c555be4e9a..71cb15fcf63b9 100644 +--- a/drivers/net/ethernet/intel/ice/ice_tc_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_tc_lib.c +@@ -1322,8 +1322,8 @@ ice_parse_cls_flower(struct net_device *filter_dev, struct ice_vsi *vsi, + if (match.mask->vlan_priority) { + fltr->flags |= ICE_TC_FLWR_FIELD_VLAN_PRIO; + headers->vlan_hdr.vlan_prio = +- cpu_to_be16((match.key->vlan_priority << +- VLAN_PRIO_SHIFT) & VLAN_PRIO_MASK); ++ be16_encode_bits(match.key->vlan_priority, ++ VLAN_PRIO_MASK); + } + + if (match.mask->vlan_tpid) +@@ -1356,8 +1356,8 @@ ice_parse_cls_flower(struct net_device *filter_dev, struct ice_vsi *vsi, + if (match.mask->vlan_priority) { + fltr->flags |= ICE_TC_FLWR_FIELD_CVLAN_PRIO; + headers->cvlan_hdr.vlan_prio = +- cpu_to_be16((match.key->vlan_priority << +- VLAN_PRIO_SHIFT) & VLAN_PRIO_MASK); ++ be16_encode_bits(match.key->vlan_priority, ++ VLAN_PRIO_MASK); + } + } + +-- +2.39.2 + diff --git a/queue-6.1/ext4-fix-possible-corruption-when-moving-a-directory.patch b/queue-6.1/ext4-fix-possible-corruption-when-moving-a-directory.patch new file mode 100644 index 00000000000..cc82428e50a --- /dev/null +++ b/queue-6.1/ext4-fix-possible-corruption-when-moving-a-directory.patch @@ -0,0 +1,59 @@ +From 8fbf8c13113dcaa25028825ccd4923d0b0e071c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 12:22:21 +0100 +Subject: ext4: Fix possible corruption when moving a directory + +From: Jan Kara + +[ Upstream commit 0813299c586b175d7edb25f56412c54b812d0379 ] + +When we are renaming a directory to a different directory, we need to +update '..' entry in the moved directory. However nothing prevents moved +directory from being modified and even converted from the inline format +to the normal format. When such race happens the rename code gets +confused and we crash. Fix the problem by locking the moved directory. + +CC: stable@vger.kernel.org +Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20230126112221.11866-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 9799ed2fdbc09..dc8f8a435a7ea 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3873,9 +3873,16 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir)) + goto end_rename; + } ++ /* ++ * We need to protect against old.inode directory getting ++ * converted from inline directory format into a normal one. ++ */ ++ inode_lock_nested(old.inode, I_MUTEX_NONDIR2); + retval = ext4_rename_dir_prepare(handle, &old); +- if (retval) ++ if (retval) { ++ inode_unlock(old.inode); + goto end_rename; ++ } + } + /* + * If we're renaming a file within an inline_data dir and adding or +@@ -4007,6 +4014,8 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + } else { + ext4_journal_stop(handle); + } ++ if (old.dir_bh) ++ inode_unlock(old.inode); + release_bh: + brelse(old.dir_bh); + brelse(old.bh); +-- +2.39.2 + diff --git a/queue-6.1/fd-dlm-trace-send-recv-of-dlm-message-and-rcom.patch b/queue-6.1/fd-dlm-trace-send-recv-of-dlm-message-and-rcom.patch new file mode 100644 index 00000000000..0ca217b9b2d --- /dev/null +++ b/queue-6.1/fd-dlm-trace-send-recv-of-dlm-message-and-rcom.patch @@ -0,0 +1,584 @@ +From 5a7f18c60d1c8cc36193030ebf2d69fb0fd6c0a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 16:45:15 -0400 +Subject: fd: dlm: trace send/recv of dlm message and rcom + +From: Alexander Aring + +[ Upstream commit e01c4b7bd41522ae0299c07e2ee8c721fee02595 ] + +This patch adds tracepoints for send and recv cases of dlm messages and +dlm rcom messages. In case of send and dlm message we add the dlm rsb +resource name this dlm messages belongs to. This has the advantage to +follow dlm messages on a per lock basis. In case of recv message the +resource name can be extracted by follow the send message sequence +number. + +The dlm message DLM_MSG_PURGE doesn't belong to a lock request and will +not set the resource name in a dlm_message trace. The same for all rcom +messages. + +There is additional handling required for this debugging functionality +which is tried to be small as possible. Also the midcomms layer gets +aware of lock resource names, for now this is required to make a +connection between sequence number and lock resource names. It is for +debugging purpose only. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Stable-dep-of: 724b6bab0d75 ("fs: dlm: fix use after free in midcomms commit") +Signed-off-by: Sasha Levin +--- + fs/dlm/lock.c | 21 +-- + fs/dlm/midcomms.c | 45 +++++- + fs/dlm/midcomms.h | 3 +- + fs/dlm/rcom.c | 4 +- + include/trace/events/dlm.h | 297 +++++++++++++++++++++++++++++++++++++ + 5 files changed, 353 insertions(+), 17 deletions(-) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index b246d71b5e17a..0b1bc24536ceb 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -3611,9 +3611,10 @@ static int create_message(struct dlm_rsb *r, struct dlm_lkb *lkb, + /* further lowcomms enhancements or alternate implementations may make + the return value from this function useful at some point */ + +-static int send_message(struct dlm_mhandle *mh, struct dlm_message *ms) ++static int send_message(struct dlm_mhandle *mh, struct dlm_message *ms, ++ const void *name, int namelen) + { +- dlm_midcomms_commit_mhandle(mh); ++ dlm_midcomms_commit_mhandle(mh, name, namelen); + return 0; + } + +@@ -3679,7 +3680,7 @@ static int send_common(struct dlm_rsb *r, struct dlm_lkb *lkb, int mstype) + + send_args(r, lkb, ms); + +- error = send_message(mh, ms); ++ error = send_message(mh, ms, r->res_name, r->res_length); + if (error) + goto fail; + return 0; +@@ -3742,7 +3743,7 @@ static int send_grant(struct dlm_rsb *r, struct dlm_lkb *lkb) + + ms->m_result = 0; + +- error = send_message(mh, ms); ++ error = send_message(mh, ms, r->res_name, r->res_length); + out: + return error; + } +@@ -3763,7 +3764,7 @@ static int send_bast(struct dlm_rsb *r, struct dlm_lkb *lkb, int mode) + + ms->m_bastmode = cpu_to_le32(mode); + +- error = send_message(mh, ms); ++ error = send_message(mh, ms, r->res_name, r->res_length); + out: + return error; + } +@@ -3786,7 +3787,7 @@ static int send_lookup(struct dlm_rsb *r, struct dlm_lkb *lkb) + + send_args(r, lkb, ms); + +- error = send_message(mh, ms); ++ error = send_message(mh, ms, r->res_name, r->res_length); + if (error) + goto fail; + return 0; +@@ -3811,7 +3812,7 @@ static int send_remove(struct dlm_rsb *r) + memcpy(ms->m_extra, r->res_name, r->res_length); + ms->m_hash = cpu_to_le32(r->res_hash); + +- error = send_message(mh, ms); ++ error = send_message(mh, ms, r->res_name, r->res_length); + out: + return error; + } +@@ -3833,7 +3834,7 @@ static int send_common_reply(struct dlm_rsb *r, struct dlm_lkb *lkb, + + ms->m_result = cpu_to_le32(to_dlm_errno(rv)); + +- error = send_message(mh, ms); ++ error = send_message(mh, ms, r->res_name, r->res_length); + out: + return error; + } +@@ -3874,7 +3875,7 @@ static int send_lookup_reply(struct dlm_ls *ls, struct dlm_message *ms_in, + ms->m_result = cpu_to_le32(to_dlm_errno(rv)); + ms->m_nodeid = cpu_to_le32(ret_nodeid); + +- error = send_message(mh, ms); ++ error = send_message(mh, ms, ms_in->m_extra, receive_extralen(ms_in)); + out: + return error; + } +@@ -6300,7 +6301,7 @@ static int send_purge(struct dlm_ls *ls, int nodeid, int pid) + ms->m_nodeid = cpu_to_le32(nodeid); + ms->m_pid = cpu_to_le32(pid); + +- return send_message(mh, ms); ++ return send_message(mh, ms, NULL, 0); + } + + int dlm_user_purge(struct dlm_ls *ls, struct dlm_user_proc *proc, +diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c +index 4a8721ab9f149..8d11f104a97eb 100644 +--- a/fs/dlm/midcomms.c ++++ b/fs/dlm/midcomms.c +@@ -132,6 +132,7 @@ + */ + #define DLM_DEBUG_FENCE_TERMINATION 0 + ++#include + #include + + #include "dlm_internal.h" +@@ -415,7 +416,7 @@ static int dlm_send_fin(struct midcomms_node *node, + m_header->h_cmd = DLM_FIN; + + pr_debug("sending fin msg to node %d\n", node->nodeid); +- dlm_midcomms_commit_mhandle(mh); ++ dlm_midcomms_commit_mhandle(mh, NULL, 0); + set_bit(DLM_NODE_FLAG_STOP_TX, &node->flags); + + return 0; +@@ -474,6 +475,20 @@ static void dlm_pas_fin_ack_rcv(struct midcomms_node *node) + spin_unlock(&node->state_lock); + } + ++static void dlm_receive_buffer_3_2_trace(uint32_t seq, union dlm_packet *p) ++{ ++ switch (p->header.h_cmd) { ++ case DLM_MSG: ++ trace_dlm_recv_message(seq, &p->message); ++ break; ++ case DLM_RCOM: ++ trace_dlm_recv_rcom(seq, &p->rcom); ++ break; ++ default: ++ break; ++ } ++} ++ + static void dlm_midcomms_receive_buffer(union dlm_packet *p, + struct midcomms_node *node, + uint32_t seq) +@@ -534,6 +549,7 @@ static void dlm_midcomms_receive_buffer(union dlm_packet *p, + break; + default: + WARN_ON(test_bit(DLM_NODE_FLAG_STOP_RX, &node->flags)); ++ dlm_receive_buffer_3_2_trace(seq, p); + dlm_receive_buffer(p, node->nodeid); + set_bit(DLM_NODE_ULP_DELIVERED, &node->flags); + break; +@@ -1124,11 +1140,30 @@ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len, + } + #endif + +-static void dlm_midcomms_commit_msg_3_2(struct dlm_mhandle *mh) ++static void dlm_midcomms_commit_msg_3_2_trace(const struct dlm_mhandle *mh, ++ const void *name, int namelen) ++{ ++ switch (mh->inner_p->header.h_cmd) { ++ case DLM_MSG: ++ trace_dlm_send_message(mh->seq, &mh->inner_p->message, ++ name, namelen); ++ break; ++ case DLM_RCOM: ++ trace_dlm_send_rcom(mh->seq, &mh->inner_p->rcom); ++ break; ++ default: ++ /* nothing to trace */ ++ break; ++ } ++} ++ ++static void dlm_midcomms_commit_msg_3_2(struct dlm_mhandle *mh, ++ const void *name, int namelen) + { + /* nexthdr chain for fast lookup */ + mh->opts->o_nextcmd = mh->inner_p->header.h_cmd; + mh->committed = true; ++ dlm_midcomms_commit_msg_3_2_trace(mh, name, namelen); + dlm_lowcomms_commit_msg(mh->msg); + } + +@@ -1136,8 +1171,10 @@ static void dlm_midcomms_commit_msg_3_2(struct dlm_mhandle *mh) + * dlm_midcomms_get_mhandle + */ + #ifndef __CHECKER__ +-void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh) ++void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh, ++ const void *name, int namelen) + { ++ + switch (mh->node->version) { + case DLM_VERSION_3_1: + srcu_read_unlock(&nodes_srcu, mh->idx); +@@ -1148,7 +1185,7 @@ void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh) + dlm_free_mhandle(mh); + break; + case DLM_VERSION_3_2: +- dlm_midcomms_commit_msg_3_2(mh); ++ dlm_midcomms_commit_msg_3_2(mh, name, namelen); + srcu_read_unlock(&nodes_srcu, mh->idx); + break; + default: +diff --git a/fs/dlm/midcomms.h b/fs/dlm/midcomms.h +index f61fce622e93d..69296552d5add 100644 +--- a/fs/dlm/midcomms.h ++++ b/fs/dlm/midcomms.h +@@ -17,7 +17,8 @@ struct midcomms_node; + int dlm_process_incoming_buffer(int nodeid, unsigned char *buf, int buflen); + struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len, + gfp_t allocation, char **ppc); +-void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh); ++void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh, const void *name, ++ int namelen); + int dlm_midcomms_close(int nodeid); + int dlm_midcomms_start(void); + void dlm_midcomms_stop(void); +diff --git a/fs/dlm/rcom.c b/fs/dlm/rcom.c +index f19860315043a..b76d52e2f6bdd 100644 +--- a/fs/dlm/rcom.c ++++ b/fs/dlm/rcom.c +@@ -91,7 +91,7 @@ static int create_rcom_stateless(struct dlm_ls *ls, int to_nodeid, int type, + + static void send_rcom(struct dlm_mhandle *mh, struct dlm_rcom *rc) + { +- dlm_midcomms_commit_mhandle(mh); ++ dlm_midcomms_commit_mhandle(mh, NULL, 0); + } + + static void send_rcom_stateless(struct dlm_msg *msg, struct dlm_rcom *rc) +@@ -516,7 +516,7 @@ int dlm_send_ls_not_ready(int nodeid, struct dlm_rcom *rc_in) + rf = (struct rcom_config *) rc->rc_buf; + rf->rf_lvblen = cpu_to_le32(~0U); + +- dlm_midcomms_commit_mhandle(mh); ++ dlm_midcomms_commit_mhandle(mh, NULL, 0); + + return 0; + } +diff --git a/include/trace/events/dlm.h b/include/trace/events/dlm.h +index da0eaae98fa34..4ec47828d55ed 100644 +--- a/include/trace/events/dlm.h ++++ b/include/trace/events/dlm.h +@@ -46,6 +46,56 @@ + { DLM_SBF_VALNOTVALID, "VALNOTVALID" }, \ + { DLM_SBF_ALTMODE, "ALTMODE" }) + ++#define show_lkb_flags(flags) __print_flags(flags, "|", \ ++ { DLM_IFL_MSTCPY, "MSTCPY" }, \ ++ { DLM_IFL_RESEND, "RESEND" }, \ ++ { DLM_IFL_DEAD, "DEAD" }, \ ++ { DLM_IFL_OVERLAP_UNLOCK, "OVERLAP_UNLOCK" }, \ ++ { DLM_IFL_OVERLAP_CANCEL, "OVERLAP_CANCEL" }, \ ++ { DLM_IFL_ENDOFLIFE, "ENDOFLIFE" }, \ ++ { DLM_IFL_DEADLOCK_CANCEL, "DEADLOCK_CANCEL" }, \ ++ { DLM_IFL_STUB_MS, "STUB_MS" }, \ ++ { DLM_IFL_USER, "USER" }, \ ++ { DLM_IFL_ORPHAN, "ORPHAN" }) ++ ++#define show_header_cmd(cmd) __print_symbolic(cmd, \ ++ { DLM_MSG, "MSG"}, \ ++ { DLM_RCOM, "RCOM"}, \ ++ { DLM_OPTS, "OPTS"}, \ ++ { DLM_ACK, "ACK"}, \ ++ { DLM_FIN, "FIN"}) ++ ++#define show_message_version(version) __print_symbolic(version, \ ++ { DLM_VERSION_3_1, "3.1"}, \ ++ { DLM_VERSION_3_2, "3.2"}) ++ ++#define show_message_type(type) __print_symbolic(type, \ ++ { DLM_MSG_REQUEST, "REQUEST"}, \ ++ { DLM_MSG_CONVERT, "CONVERT"}, \ ++ { DLM_MSG_UNLOCK, "UNLOCK"}, \ ++ { DLM_MSG_CANCEL, "CANCEL"}, \ ++ { DLM_MSG_REQUEST_REPLY, "REQUEST_REPLY"}, \ ++ { DLM_MSG_CONVERT_REPLY, "CONVERT_REPLY"}, \ ++ { DLM_MSG_UNLOCK_REPLY, "UNLOCK_REPLY"}, \ ++ { DLM_MSG_CANCEL_REPLY, "CANCEL_REPLY"}, \ ++ { DLM_MSG_GRANT, "GRANT"}, \ ++ { DLM_MSG_BAST, "BAST"}, \ ++ { DLM_MSG_LOOKUP, "LOOKUP"}, \ ++ { DLM_MSG_REMOVE, "REMOVE"}, \ ++ { DLM_MSG_LOOKUP_REPLY, "LOOKUP_REPLY"}, \ ++ { DLM_MSG_PURGE, "PURGE"}) ++ ++#define show_rcom_type(type) __print_symbolic(type, \ ++ { DLM_RCOM_STATUS, "STATUS"}, \ ++ { DLM_RCOM_NAMES, "NAMES"}, \ ++ { DLM_RCOM_LOOKUP, "LOOKUP"}, \ ++ { DLM_RCOM_LOCK, "LOCK"}, \ ++ { DLM_RCOM_STATUS_REPLY, "STATUS_REPLY"}, \ ++ { DLM_RCOM_NAMES_REPLY, "NAMES_REPLY"}, \ ++ { DLM_RCOM_LOOKUP_REPLY, "LOOKUP_REPLY"}, \ ++ { DLM_RCOM_LOCK_REPLY, "LOCK_REPLY"}) ++ ++ + /* note: we begin tracing dlm_lock_start() only if ls and lkb are found */ + TRACE_EVENT(dlm_lock_start, + +@@ -290,6 +340,253 @@ TRACE_EVENT(dlm_unlock_end, + + ); + ++DECLARE_EVENT_CLASS(dlm_rcom_template, ++ ++ TP_PROTO(uint32_t seq, const struct dlm_rcom *rc), ++ ++ TP_ARGS(seq, rc), ++ ++ TP_STRUCT__entry( ++ __field(uint32_t, seq) ++ __field(uint32_t, h_version) ++ __field(uint32_t, h_lockspace) ++ __field(uint32_t, h_nodeid) ++ __field(uint16_t, h_length) ++ __field(uint8_t, h_cmd) ++ __field(uint32_t, rc_type) ++ __field(int32_t, rc_result) ++ __field(uint64_t, rc_id) ++ __field(uint64_t, rc_seq) ++ __field(uint64_t, rc_seq_reply) ++ __dynamic_array(unsigned char, rc_buf, ++ le16_to_cpu(rc->rc_header.h_length) - sizeof(*rc)) ++ ), ++ ++ TP_fast_assign( ++ __entry->seq = seq; ++ __entry->h_version = le32_to_cpu(rc->rc_header.h_version); ++ __entry->h_lockspace = le32_to_cpu(rc->rc_header.u.h_lockspace); ++ __entry->h_nodeid = le32_to_cpu(rc->rc_header.h_nodeid); ++ __entry->h_length = le16_to_cpu(rc->rc_header.h_length); ++ __entry->h_cmd = rc->rc_header.h_cmd; ++ __entry->rc_type = le32_to_cpu(rc->rc_type); ++ __entry->rc_result = le32_to_cpu(rc->rc_result); ++ __entry->rc_id = le64_to_cpu(rc->rc_id); ++ __entry->rc_seq = le64_to_cpu(rc->rc_seq); ++ __entry->rc_seq_reply = le64_to_cpu(rc->rc_seq_reply); ++ memcpy(__get_dynamic_array(rc_buf), rc->rc_buf, ++ __get_dynamic_array_len(rc_buf)); ++ ), ++ ++ TP_printk("seq=%u, h_version=%s h_lockspace=%u h_nodeid=%u " ++ "h_length=%u h_cmd=%s rc_type=%s rc_result=%d " ++ "rc_id=%llu rc_seq=%llu rc_seq_reply=%llu " ++ "rc_buf=0x%s", __entry->seq, ++ show_message_version(__entry->h_version), ++ __entry->h_lockspace, __entry->h_nodeid, __entry->h_length, ++ show_header_cmd(__entry->h_cmd), ++ show_rcom_type(__entry->rc_type), ++ __entry->rc_result, __entry->rc_id, __entry->rc_seq, ++ __entry->rc_seq_reply, ++ __print_hex_str(__get_dynamic_array(rc_buf), ++ __get_dynamic_array_len(rc_buf))) ++ ++); ++ ++DEFINE_EVENT(dlm_rcom_template, dlm_send_rcom, ++ TP_PROTO(uint32_t seq, const struct dlm_rcom *rc), ++ TP_ARGS(seq, rc)); ++ ++DEFINE_EVENT(dlm_rcom_template, dlm_recv_rcom, ++ TP_PROTO(uint32_t seq, const struct dlm_rcom *rc), ++ TP_ARGS(seq, rc)); ++ ++TRACE_EVENT(dlm_send_message, ++ ++ TP_PROTO(uint32_t seq, const struct dlm_message *ms, ++ const void *name, int namelen), ++ ++ TP_ARGS(seq, ms, name, namelen), ++ ++ TP_STRUCT__entry( ++ __field(uint32_t, seq) ++ __field(uint32_t, h_version) ++ __field(uint32_t, h_lockspace) ++ __field(uint32_t, h_nodeid) ++ __field(uint16_t, h_length) ++ __field(uint8_t, h_cmd) ++ __field(uint32_t, m_type) ++ __field(uint32_t, m_nodeid) ++ __field(uint32_t, m_pid) ++ __field(uint32_t, m_lkid) ++ __field(uint32_t, m_remid) ++ __field(uint32_t, m_parent_lkid) ++ __field(uint32_t, m_parent_remid) ++ __field(uint32_t, m_exflags) ++ __field(uint32_t, m_sbflags) ++ __field(uint32_t, m_flags) ++ __field(uint32_t, m_lvbseq) ++ __field(uint32_t, m_hash) ++ __field(int32_t, m_status) ++ __field(int32_t, m_grmode) ++ __field(int32_t, m_rqmode) ++ __field(int32_t, m_bastmode) ++ __field(int32_t, m_asts) ++ __field(int32_t, m_result) ++ __dynamic_array(unsigned char, m_extra, ++ le16_to_cpu(ms->m_header.h_length) - sizeof(*ms)) ++ __dynamic_array(unsigned char, res_name, namelen) ++ ), ++ ++ TP_fast_assign( ++ __entry->seq = seq; ++ __entry->h_version = le32_to_cpu(ms->m_header.h_version); ++ __entry->h_lockspace = le32_to_cpu(ms->m_header.u.h_lockspace); ++ __entry->h_nodeid = le32_to_cpu(ms->m_header.h_nodeid); ++ __entry->h_length = le16_to_cpu(ms->m_header.h_length); ++ __entry->h_cmd = ms->m_header.h_cmd; ++ __entry->m_type = le32_to_cpu(ms->m_type); ++ __entry->m_nodeid = le32_to_cpu(ms->m_nodeid); ++ __entry->m_pid = le32_to_cpu(ms->m_pid); ++ __entry->m_lkid = le32_to_cpu(ms->m_lkid); ++ __entry->m_remid = le32_to_cpu(ms->m_remid); ++ __entry->m_parent_lkid = le32_to_cpu(ms->m_parent_lkid); ++ __entry->m_parent_remid = le32_to_cpu(ms->m_parent_remid); ++ __entry->m_exflags = le32_to_cpu(ms->m_exflags); ++ __entry->m_sbflags = le32_to_cpu(ms->m_sbflags); ++ __entry->m_flags = le32_to_cpu(ms->m_flags); ++ __entry->m_lvbseq = le32_to_cpu(ms->m_lvbseq); ++ __entry->m_hash = le32_to_cpu(ms->m_hash); ++ __entry->m_status = le32_to_cpu(ms->m_status); ++ __entry->m_grmode = le32_to_cpu(ms->m_grmode); ++ __entry->m_rqmode = le32_to_cpu(ms->m_rqmode); ++ __entry->m_bastmode = le32_to_cpu(ms->m_bastmode); ++ __entry->m_asts = le32_to_cpu(ms->m_asts); ++ __entry->m_result = le32_to_cpu(ms->m_result); ++ memcpy(__get_dynamic_array(m_extra), ms->m_extra, ++ __get_dynamic_array_len(m_extra)); ++ memcpy(__get_dynamic_array(res_name), name, ++ __get_dynamic_array_len(res_name)); ++ ), ++ ++ TP_printk("seq=%u h_version=%s h_lockspace=%u h_nodeid=%u " ++ "h_length=%u h_cmd=%s m_type=%s m_nodeid=%u " ++ "m_pid=%u m_lkid=%u m_remid=%u m_parent_lkid=%u " ++ "m_parent_remid=%u m_exflags=%s m_sbflags=%s m_flags=%s " ++ "m_lvbseq=%u m_hash=%u m_status=%d m_grmode=%s " ++ "m_rqmode=%s m_bastmode=%s m_asts=%d m_result=%d " ++ "m_extra=0x%s res_name=0x%s", ++ __entry->seq, show_message_version(__entry->h_version), ++ __entry->h_lockspace, __entry->h_nodeid, __entry->h_length, ++ show_header_cmd(__entry->h_cmd), ++ show_message_type(__entry->m_type), ++ __entry->m_nodeid, __entry->m_pid, __entry->m_lkid, ++ __entry->m_remid, __entry->m_parent_lkid, ++ __entry->m_parent_remid, show_lock_flags(__entry->m_exflags), ++ show_dlm_sb_flags(__entry->m_sbflags), ++ show_lkb_flags(__entry->m_flags), __entry->m_lvbseq, ++ __entry->m_hash, __entry->m_status, ++ show_lock_mode(__entry->m_grmode), ++ show_lock_mode(__entry->m_rqmode), ++ show_lock_mode(__entry->m_bastmode), ++ __entry->m_asts, __entry->m_result, ++ __print_hex_str(__get_dynamic_array(m_extra), ++ __get_dynamic_array_len(m_extra)), ++ __print_hex_str(__get_dynamic_array(res_name), ++ __get_dynamic_array_len(res_name))) ++ ++); ++ ++TRACE_EVENT(dlm_recv_message, ++ ++ TP_PROTO(uint32_t seq, const struct dlm_message *ms), ++ ++ TP_ARGS(seq, ms), ++ ++ TP_STRUCT__entry( ++ __field(uint32_t, seq) ++ __field(uint32_t, h_version) ++ __field(uint32_t, h_lockspace) ++ __field(uint32_t, h_nodeid) ++ __field(uint16_t, h_length) ++ __field(uint8_t, h_cmd) ++ __field(uint32_t, m_type) ++ __field(uint32_t, m_nodeid) ++ __field(uint32_t, m_pid) ++ __field(uint32_t, m_lkid) ++ __field(uint32_t, m_remid) ++ __field(uint32_t, m_parent_lkid) ++ __field(uint32_t, m_parent_remid) ++ __field(uint32_t, m_exflags) ++ __field(uint32_t, m_sbflags) ++ __field(uint32_t, m_flags) ++ __field(uint32_t, m_lvbseq) ++ __field(uint32_t, m_hash) ++ __field(int32_t, m_status) ++ __field(int32_t, m_grmode) ++ __field(int32_t, m_rqmode) ++ __field(int32_t, m_bastmode) ++ __field(int32_t, m_asts) ++ __field(int32_t, m_result) ++ __dynamic_array(unsigned char, m_extra, ++ le16_to_cpu(ms->m_header.h_length) - sizeof(*ms)) ++ ), ++ ++ TP_fast_assign( ++ __entry->seq = seq; ++ __entry->h_version = le32_to_cpu(ms->m_header.h_version); ++ __entry->h_lockspace = le32_to_cpu(ms->m_header.u.h_lockspace); ++ __entry->h_nodeid = le32_to_cpu(ms->m_header.h_nodeid); ++ __entry->h_length = le16_to_cpu(ms->m_header.h_length); ++ __entry->h_cmd = ms->m_header.h_cmd; ++ __entry->m_type = le32_to_cpu(ms->m_type); ++ __entry->m_nodeid = le32_to_cpu(ms->m_nodeid); ++ __entry->m_pid = le32_to_cpu(ms->m_pid); ++ __entry->m_lkid = le32_to_cpu(ms->m_lkid); ++ __entry->m_remid = le32_to_cpu(ms->m_remid); ++ __entry->m_parent_lkid = le32_to_cpu(ms->m_parent_lkid); ++ __entry->m_parent_remid = le32_to_cpu(ms->m_parent_remid); ++ __entry->m_exflags = le32_to_cpu(ms->m_exflags); ++ __entry->m_sbflags = le32_to_cpu(ms->m_sbflags); ++ __entry->m_flags = le32_to_cpu(ms->m_flags); ++ __entry->m_lvbseq = le32_to_cpu(ms->m_lvbseq); ++ __entry->m_hash = le32_to_cpu(ms->m_hash); ++ __entry->m_status = le32_to_cpu(ms->m_status); ++ __entry->m_grmode = le32_to_cpu(ms->m_grmode); ++ __entry->m_rqmode = le32_to_cpu(ms->m_rqmode); ++ __entry->m_bastmode = le32_to_cpu(ms->m_bastmode); ++ __entry->m_asts = le32_to_cpu(ms->m_asts); ++ __entry->m_result = le32_to_cpu(ms->m_result); ++ memcpy(__get_dynamic_array(m_extra), ms->m_extra, ++ __get_dynamic_array_len(m_extra)); ++ ), ++ ++ TP_printk("seq=%u h_version=%s h_lockspace=%u h_nodeid=%u " ++ "h_length=%u h_cmd=%s m_type=%s m_nodeid=%u " ++ "m_pid=%u m_lkid=%u m_remid=%u m_parent_lkid=%u " ++ "m_parent_remid=%u m_exflags=%s m_sbflags=%s m_flags=%s " ++ "m_lvbseq=%u m_hash=%u m_status=%d m_grmode=%s " ++ "m_rqmode=%s m_bastmode=%s m_asts=%d m_result=%d " ++ "m_extra=0x%s", ++ __entry->seq, show_message_version(__entry->h_version), ++ __entry->h_lockspace, __entry->h_nodeid, __entry->h_length, ++ show_header_cmd(__entry->h_cmd), ++ show_message_type(__entry->m_type), ++ __entry->m_nodeid, __entry->m_pid, __entry->m_lkid, ++ __entry->m_remid, __entry->m_parent_lkid, ++ __entry->m_parent_remid, show_lock_flags(__entry->m_exflags), ++ show_dlm_sb_flags(__entry->m_sbflags), ++ show_lkb_flags(__entry->m_flags), __entry->m_lvbseq, ++ __entry->m_hash, __entry->m_status, ++ show_lock_mode(__entry->m_grmode), ++ show_lock_mode(__entry->m_rqmode), ++ show_lock_mode(__entry->m_bastmode), ++ __entry->m_asts, __entry->m_result, ++ __print_hex_str(__get_dynamic_array(m_extra), ++ __get_dynamic_array_len(m_extra))) ++ ++); ++ + TRACE_EVENT(dlm_send, + + TP_PROTO(int nodeid, int ret), +-- +2.39.2 + diff --git a/queue-6.1/fs-dlm-add-midcomms-init-start-functions.patch b/queue-6.1/fs-dlm-add-midcomms-init-start-functions.patch new file mode 100644 index 00000000000..8b2172a9bc1 --- /dev/null +++ b/queue-6.1/fs-dlm-add-midcomms-init-start-functions.patch @@ -0,0 +1,202 @@ +From 92b8a5c275456f27362c78593d327059a7980541 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 17:11:46 -0500 +Subject: fs: dlm: add midcomms init/start functions + +From: Alexander Aring + +[ Upstream commit 8b0188b0d60b6f6183b48380bac49fe080c5ded9 ] + +This patch introduces leftovers of init, start, stop and exit +functionality. The dlm application layer should always call the midcomms +layer which getting aware of such event and redirect it to the lowcomms +layer. Some functionality which is currently handled inside the start +functionality of midcomms and lowcomms should be handled in the init +functionality as it only need to be initialized once when dlm is loaded. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Stable-dep-of: aad633dc0cf9 ("fs: dlm: start midcomms before scand") +Signed-off-by: Sasha Levin +--- + fs/dlm/lockspace.c | 5 ++--- + fs/dlm/lowcomms.c | 16 ++++++++++------ + fs/dlm/lowcomms.h | 1 + + fs/dlm/main.c | 7 +++++-- + fs/dlm/midcomms.c | 17 ++++++++++++++++- + fs/dlm/midcomms.h | 3 +++ + 6 files changed, 37 insertions(+), 12 deletions(-) + +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index 04e1b4fe366dc..c3cf2e7996f6c 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -17,7 +17,6 @@ + #include "recoverd.h" + #include "dir.h" + #include "midcomms.h" +-#include "lowcomms.h" + #include "config.h" + #include "memory.h" + #include "lock.h" +@@ -726,7 +725,7 @@ static int __dlm_new_lockspace(const char *name, const char *cluster, + if (!ls_count) { + dlm_scand_stop(); + dlm_midcomms_shutdown(); +- dlm_lowcomms_stop(); ++ dlm_midcomms_stop(); + } + out: + mutex_unlock(&ls_lock); +@@ -929,7 +928,7 @@ int dlm_release_lockspace(void *lockspace, int force) + if (!error) + ls_count--; + if (!ls_count) +- dlm_lowcomms_stop(); ++ dlm_midcomms_stop(); + mutex_unlock(&ls_lock); + + return error; +diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c +index 871d4e9f49fb6..6ed09edabea0c 100644 +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -1982,10 +1982,6 @@ static const struct dlm_proto_ops dlm_sctp_ops = { + int dlm_lowcomms_start(void) + { + int error = -EINVAL; +- int i; +- +- for (i = 0; i < CONN_HASH_SIZE; i++) +- INIT_HLIST_HEAD(&connection_hash[i]); + + init_local(); + if (!dlm_local_count) { +@@ -1994,8 +1990,6 @@ int dlm_lowcomms_start(void) + goto fail; + } + +- INIT_WORK(&listen_con.rwork, process_listen_recv_socket); +- + error = work_start(); + if (error) + goto fail_local; +@@ -2034,6 +2028,16 @@ int dlm_lowcomms_start(void) + return error; + } + ++void dlm_lowcomms_init(void) ++{ ++ int i; ++ ++ for (i = 0; i < CONN_HASH_SIZE; i++) ++ INIT_HLIST_HEAD(&connection_hash[i]); ++ ++ INIT_WORK(&listen_con.rwork, process_listen_recv_socket); ++} ++ + void dlm_lowcomms_exit(void) + { + struct dlm_node_addr *na, *safe; +diff --git a/fs/dlm/lowcomms.h b/fs/dlm/lowcomms.h +index 29369feea9916..bbce7a18416dc 100644 +--- a/fs/dlm/lowcomms.h ++++ b/fs/dlm/lowcomms.h +@@ -35,6 +35,7 @@ extern int dlm_allow_conn; + int dlm_lowcomms_start(void); + void dlm_lowcomms_shutdown(void); + void dlm_lowcomms_stop(void); ++void dlm_lowcomms_init(void); + void dlm_lowcomms_exit(void); + int dlm_lowcomms_close(int nodeid); + struct dlm_msg *dlm_lowcomms_new_msg(int nodeid, int len, gfp_t allocation, +diff --git a/fs/dlm/main.c b/fs/dlm/main.c +index 1c5be4b70ac1b..a77338be32371 100644 +--- a/fs/dlm/main.c ++++ b/fs/dlm/main.c +@@ -17,7 +17,7 @@ + #include "user.h" + #include "memory.h" + #include "config.h" +-#include "lowcomms.h" ++#include "midcomms.h" + + #define CREATE_TRACE_POINTS + #include +@@ -30,6 +30,8 @@ static int __init init_dlm(void) + if (error) + goto out; + ++ dlm_midcomms_init(); ++ + error = dlm_lockspace_init(); + if (error) + goto out_mem; +@@ -66,6 +68,7 @@ static int __init init_dlm(void) + out_lockspace: + dlm_lockspace_exit(); + out_mem: ++ dlm_midcomms_exit(); + dlm_memory_exit(); + out: + return error; +@@ -79,7 +82,7 @@ static void __exit exit_dlm(void) + dlm_config_exit(); + dlm_memory_exit(); + dlm_lockspace_exit(); +- dlm_lowcomms_exit(); ++ dlm_midcomms_exit(); + dlm_unregister_debugfs(); + } + +diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c +index 546c52c46b1c9..095f2005fb621 100644 +--- a/fs/dlm/midcomms.c ++++ b/fs/dlm/midcomms.c +@@ -1160,13 +1160,28 @@ void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh) + #endif + + int dlm_midcomms_start(void) ++{ ++ return dlm_lowcomms_start(); ++} ++ ++void dlm_midcomms_stop(void) ++{ ++ dlm_lowcomms_stop(); ++} ++ ++void dlm_midcomms_init(void) + { + int i; + + for (i = 0; i < CONN_HASH_SIZE; i++) + INIT_HLIST_HEAD(&node_hash[i]); + +- return dlm_lowcomms_start(); ++ dlm_lowcomms_init(); ++} ++ ++void dlm_midcomms_exit(void) ++{ ++ dlm_lowcomms_exit(); + } + + static void dlm_act_fin_ack_rcv(struct midcomms_node *node) +diff --git a/fs/dlm/midcomms.h b/fs/dlm/midcomms.h +index 82bcd96619228..f61fce622e93d 100644 +--- a/fs/dlm/midcomms.h ++++ b/fs/dlm/midcomms.h +@@ -20,6 +20,9 @@ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len, + void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh); + int dlm_midcomms_close(int nodeid); + int dlm_midcomms_start(void); ++void dlm_midcomms_stop(void); ++void dlm_midcomms_init(void); ++void dlm_midcomms_exit(void); + void dlm_midcomms_shutdown(void); + void dlm_midcomms_add_member(int nodeid); + void dlm_midcomms_remove_member(int nodeid); +-- +2.39.2 + diff --git a/queue-6.1/fs-dlm-be-sure-to-call-dlm_send_queue_flush.patch b/queue-6.1/fs-dlm-be-sure-to-call-dlm_send_queue_flush.patch new file mode 100644 index 00000000000..446ddf4578c --- /dev/null +++ b/queue-6.1/fs-dlm-be-sure-to-call-dlm_send_queue_flush.patch @@ -0,0 +1,39 @@ +From 2360bbb166d1923d89ae2615462602af245e7ff9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 17:10:33 -0500 +Subject: fs: dlm: be sure to call dlm_send_queue_flush() + +From: Alexander Aring + +[ Upstream commit 7354fa4ef697191effedc2ae9a8293427708bbf5 ] + +If we release a midcomms node structure, there should be nothing left +inside the dlm midcomms send queue. However, sometimes this is not true +because I believe some DLM_FIN message was not acked... if we run +into a shutdown timeout, then we should be sure there is no pending send +dlm message inside this queue when releasing midcomms node structure. + +Cc: stable@vger.kernel.org +Fixes: 489d8e559c65 ("fs: dlm: add reliable connection if reconnect") +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/midcomms.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c +index b53d7a281be93..d976c2009b185 100644 +--- a/fs/dlm/midcomms.c ++++ b/fs/dlm/midcomms.c +@@ -1367,6 +1367,7 @@ static void midcomms_node_release(struct rcu_head *rcu) + struct midcomms_node *node = container_of(rcu, struct midcomms_node, rcu); + + WARN_ON_ONCE(atomic_read(&node->send_queue_cnt)); ++ dlm_send_queue_flush(node); + kfree(node); + } + +-- +2.39.2 + diff --git a/queue-6.1/fs-dlm-fix-log-of-lowcomms-vs-midcomms.patch b/queue-6.1/fs-dlm-fix-log-of-lowcomms-vs-midcomms.patch new file mode 100644 index 00000000000..6aca3c80a1f --- /dev/null +++ b/queue-6.1/fs-dlm-fix-log-of-lowcomms-vs-midcomms.patch @@ -0,0 +1,38 @@ +From b9ec90687720c2530144e2fe364d7e8c948d3e88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 16:45:26 -0400 +Subject: fs: dlm: fix log of lowcomms vs midcomms + +From: Alexander Aring + +[ Upstream commit 3e54c9e80e68b765d8877023d93f1eea1b9d1c54 ] + +This patch will fix a small issue when printing out that +dlm_midcomms_start() failed to start and it was printing out that the +dlm subcomponent lowcomms was failed but lowcomms is behind the midcomms +layer. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Stable-dep-of: aad633dc0cf9 ("fs: dlm: start midcomms before scand") +Signed-off-by: Sasha Levin +--- + fs/dlm/lockspace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index bae050df7abff..04e1b4fe366dc 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -391,7 +391,7 @@ static int threads_start(void) + /* Thread for sending/receiving messages for all lockspace's */ + error = dlm_midcomms_start(); + if (error) { +- log_print("cannot start dlm lowcomms %d", error); ++ log_print("cannot start dlm midcomms %d", error); + goto scand_fail; + } + +-- +2.39.2 + diff --git a/queue-6.1/fs-dlm-fix-race-setting-stop-tx-flag.patch b/queue-6.1/fs-dlm-fix-race-setting-stop-tx-flag.patch new file mode 100644 index 00000000000..6f574079e19 --- /dev/null +++ b/queue-6.1/fs-dlm-fix-race-setting-stop-tx-flag.patch @@ -0,0 +1,50 @@ +From 70e7ce139b9d14a1c60a8e80afe184889f3051df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 17:10:34 -0500 +Subject: fs: dlm: fix race setting stop tx flag + +From: Alexander Aring + +[ Upstream commit 164272113b685927126c938b4a9cbd2075eb15ee ] + +This patch sets the stop tx flag before we commit the dlm message. +This flag will report about unexpected transmissions after we +send the DLM_FIN message out, which should be the last message sent. +When we commit the dlm fin message, it could be that we already +got an ack back and the CLOSED state change already happened. +We should not set this flag when we are in CLOSED state. To avoid this +race we simply set the tx flag before the state change can be in +progress by moving it before dlm_midcomms_commit_mhandle(). + +Cc: stable@vger.kernel.org +Fixes: 489d8e559c65 ("fs: dlm: add reliable connection if reconnect") +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/midcomms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c +index d976c2009b185..b2a25a33a1488 100644 +--- a/fs/dlm/midcomms.c ++++ b/fs/dlm/midcomms.c +@@ -406,6 +406,7 @@ static int dlm_send_fin(struct midcomms_node *node, + if (!mh) + return -ENOMEM; + ++ set_bit(DLM_NODE_FLAG_STOP_TX, &node->flags); + mh->ack_rcv = ack_rcv; + + m_header = (struct dlm_header *)ppc; +@@ -417,7 +418,6 @@ static int dlm_send_fin(struct midcomms_node *node, + + pr_debug("sending fin msg to node %d\n", node->nodeid); + dlm_midcomms_commit_mhandle(mh, NULL, 0); +- set_bit(DLM_NODE_FLAG_STOP_TX, &node->flags); + + return 0; + } +-- +2.39.2 + diff --git a/queue-6.1/fs-dlm-fix-use-after-free-in-midcomms-commit.patch b/queue-6.1/fs-dlm-fix-use-after-free-in-midcomms-commit.patch new file mode 100644 index 00000000000..5b24bf608f8 --- /dev/null +++ b/queue-6.1/fs-dlm-fix-use-after-free-in-midcomms-commit.patch @@ -0,0 +1,183 @@ +From 687a2942061ac9c7e091ef7848bd8bc264fe4ba6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 17:10:32 -0500 +Subject: fs: dlm: fix use after free in midcomms commit + +From: Alexander Aring + +[ Upstream commit 724b6bab0d75f1dc01fdfbf7fe8d4217a5cb90ba ] + +While working on processing dlm message in softirq context I experienced +the following KASAN use-after-free warning: + +[ 151.760477] ================================================================== +[ 151.761803] BUG: KASAN: use-after-free in dlm_midcomms_commit_mhandle+0x19d/0x4b0 +[ 151.763414] Read of size 4 at addr ffff88811a980c60 by task lock_torture/1347 + +[ 151.765284] CPU: 7 PID: 1347 Comm: lock_torture Not tainted 6.1.0-rc4+ #2828 +[ 151.766778] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+16134+e5908aa2 04/01/2014 +[ 151.768726] Call Trace: +[ 151.769277] +[ 151.769748] dump_stack_lvl+0x5b/0x86 +[ 151.770556] print_report+0x180/0x4c8 +[ 151.771378] ? kasan_complete_mode_report_info+0x7c/0x1e0 +[ 151.772241] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0 +[ 151.773069] kasan_report+0x93/0x1a0 +[ 151.773668] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0 +[ 151.774514] __asan_load4+0x7e/0xa0 +[ 151.775089] dlm_midcomms_commit_mhandle+0x19d/0x4b0 +[ 151.775890] ? create_message.isra.29.constprop.64+0x57/0xc0 +[ 151.776770] send_common+0x19f/0x1b0 +[ 151.777342] ? remove_from_waiters+0x60/0x60 +[ 151.778017] ? lock_downgrade+0x410/0x410 +[ 151.778648] ? __this_cpu_preempt_check+0x13/0x20 +[ 151.779421] ? rcu_lockdep_current_cpu_online+0x88/0xc0 +[ 151.780292] _convert_lock+0x46/0x150 +[ 151.780893] convert_lock+0x7b/0xc0 +[ 151.781459] dlm_lock+0x3ac/0x580 +[ 151.781993] ? 0xffffffffc0540000 +[ 151.782522] ? torture_stop+0x120/0x120 [dlm_locktorture] +[ 151.783379] ? dlm_scan_rsbs+0xa70/0xa70 +[ 151.784003] ? preempt_count_sub+0xd6/0x130 +[ 151.784661] ? is_module_address+0x47/0x70 +[ 151.785309] ? torture_stop+0x120/0x120 [dlm_locktorture] +[ 151.786166] ? 0xffffffffc0540000 +[ 151.786693] ? lockdep_init_map_type+0xc3/0x360 +[ 151.787414] ? 0xffffffffc0540000 +[ 151.787947] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture] +[ 151.789004] ? torture_stop+0x120/0x120 [dlm_locktorture] +[ 151.789858] ? 0xffffffffc0540000 +[ 151.790392] ? lock_torture_cleanup+0x20/0x20 [dlm_locktorture] +[ 151.791347] ? delay_tsc+0x94/0xc0 +[ 151.791898] torture_ex_iter+0xc3/0xea [dlm_locktorture] +[ 151.792735] ? torture_start+0x30/0x30 [dlm_locktorture] +[ 151.793606] lock_torture+0x177/0x270 [dlm_locktorture] +[ 151.794448] ? torture_dlm_lock_sync.isra.3+0x150/0x150 [dlm_locktorture] +[ 151.795539] ? lock_torture_stats+0x80/0x80 [dlm_locktorture] +[ 151.796476] ? do_raw_spin_lock+0x11e/0x1e0 +[ 151.797152] ? mark_held_locks+0x34/0xb0 +[ 151.797784] ? _raw_spin_unlock_irqrestore+0x30/0x70 +[ 151.798581] ? __kthread_parkme+0x79/0x110 +[ 151.799246] ? trace_preempt_on+0x2a/0xf0 +[ 151.799902] ? __kthread_parkme+0x79/0x110 +[ 151.800579] ? preempt_count_sub+0xd6/0x130 +[ 151.801271] ? __kasan_check_read+0x11/0x20 +[ 151.801963] ? __kthread_parkme+0xec/0x110 +[ 151.802630] ? lock_torture_stats+0x80/0x80 [dlm_locktorture] +[ 151.803569] kthread+0x192/0x1d0 +[ 151.804104] ? kthread_complete_and_exit+0x30/0x30 +[ 151.804881] ret_from_fork+0x1f/0x30 +[ 151.805480] + +[ 151.806111] Allocated by task 1347: +[ 151.806681] kasan_save_stack+0x26/0x50 +[ 151.807308] kasan_set_track+0x25/0x30 +[ 151.807920] kasan_save_alloc_info+0x1e/0x30 +[ 151.808609] __kasan_slab_alloc+0x63/0x80 +[ 151.809263] kmem_cache_alloc+0x1ad/0x830 +[ 151.809916] dlm_allocate_mhandle+0x17/0x20 +[ 151.810590] dlm_midcomms_get_mhandle+0x96/0x260 +[ 151.811344] _create_message+0x95/0x180 +[ 151.811994] create_message.isra.29.constprop.64+0x57/0xc0 +[ 151.812880] send_common+0x129/0x1b0 +[ 151.813467] _convert_lock+0x46/0x150 +[ 151.814074] convert_lock+0x7b/0xc0 +[ 151.814648] dlm_lock+0x3ac/0x580 +[ 151.815199] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture] +[ 151.816258] torture_ex_iter+0xc3/0xea [dlm_locktorture] +[ 151.817129] lock_torture+0x177/0x270 [dlm_locktorture] +[ 151.817986] kthread+0x192/0x1d0 +[ 151.818518] ret_from_fork+0x1f/0x30 + +[ 151.819369] Freed by task 1336: +[ 151.819890] kasan_save_stack+0x26/0x50 +[ 151.820514] kasan_set_track+0x25/0x30 +[ 151.821128] kasan_save_free_info+0x2e/0x50 +[ 151.821812] __kasan_slab_free+0x107/0x1a0 +[ 151.822483] kmem_cache_free+0x204/0x5e0 +[ 151.823152] dlm_free_mhandle+0x18/0x20 +[ 151.823781] dlm_mhandle_release+0x2e/0x40 +[ 151.824454] rcu_core+0x583/0x1330 +[ 151.825047] rcu_core_si+0xe/0x20 +[ 151.825594] __do_softirq+0xf4/0x5c2 + +[ 151.826450] Last potentially related work creation: +[ 151.827238] kasan_save_stack+0x26/0x50 +[ 151.827870] __kasan_record_aux_stack+0xa2/0xc0 +[ 151.828609] kasan_record_aux_stack_noalloc+0xb/0x20 +[ 151.829415] call_rcu+0x4c/0x760 +[ 151.829954] dlm_mhandle_delete+0x97/0xb0 +[ 151.830718] dlm_process_incoming_buffer+0x2fc/0xb30 +[ 151.831524] process_dlm_messages+0x16e/0x470 +[ 151.832245] process_one_work+0x505/0xa10 +[ 151.832905] worker_thread+0x67/0x650 +[ 151.833507] kthread+0x192/0x1d0 +[ 151.834046] ret_from_fork+0x1f/0x30 + +[ 151.834900] The buggy address belongs to the object at ffff88811a980c30 + which belongs to the cache dlm_mhandle of size 88 +[ 151.836894] The buggy address is located 48 bytes inside of + 88-byte region [ffff88811a980c30, ffff88811a980c88) + +[ 151.839007] The buggy address belongs to the physical page: +[ 151.839904] page:0000000076cf5d62 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a980 +[ 151.841378] flags: 0x8000000000000200(slab|zone=2) +[ 151.842141] raw: 8000000000000200 0000000000000000 dead000000000122 ffff8881089b43c0 +[ 151.843401] raw: 0000000000000000 0000000000220022 00000001ffffffff 0000000000000000 +[ 151.844640] page dumped because: kasan: bad access detected + +[ 151.845822] Memory state around the buggy address: +[ 151.846602] ffff88811a980b00: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb +[ 151.847761] ffff88811a980b80: fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb +[ 151.848921] >ffff88811a980c00: fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb +[ 151.850076] ^ +[ 151.851085] ffff88811a980c80: fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb +[ 151.852269] ffff88811a980d00: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fc +[ 151.853428] ================================================================== +[ 151.855618] Disabling lock debugging due to kernel taint + +It is accessing a mhandle in dlm_midcomms_commit_mhandle() and the mhandle +was freed by a call_rcu() call in dlm_process_incoming_buffer(), +dlm_mhandle_delete(). It looks like it was freed because an ack of +this message was received. There is a short race between committing the +dlm message to be transmitted and getting an ack back. If the ack is +faster than returning from dlm_midcomms_commit_msg_3_2(), then we run +into a use-after free because we still need to reference the mhandle when +calling srcu_read_unlock(). + +To avoid that, we don't allow that mhandle to be freed between +dlm_midcomms_commit_msg_3_2() and srcu_read_unlock() by using rcu read +lock. We can do that because mhandle is protected by rcu handling. + +Cc: stable@vger.kernel.org +Fixes: 489d8e559c65 ("fs: dlm: add reliable connection if reconnect") +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/midcomms.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c +index 8d11f104a97eb..0477493706edb 100644 +--- a/fs/dlm/midcomms.c ++++ b/fs/dlm/midcomms.c +@@ -1185,8 +1185,15 @@ void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh, + dlm_free_mhandle(mh); + break; + case DLM_VERSION_3_2: ++ /* held rcu read lock here, because we sending the ++ * dlm message out, when we do that we could receive ++ * an ack back which releases the mhandle and we ++ * get a use after free. ++ */ ++ rcu_read_lock(); + dlm_midcomms_commit_msg_3_2(mh, name, namelen); + srcu_read_unlock(&nodes_srcu, mh->idx); ++ rcu_read_unlock(); + break; + default: + srcu_read_unlock(&nodes_srcu, mh->idx); +-- +2.39.2 + diff --git a/queue-6.1/fs-dlm-remove-send-repeat-remove-handling.patch b/queue-6.1/fs-dlm-remove-send-repeat-remove-handling.patch new file mode 100644 index 00000000000..336b111ba6f --- /dev/null +++ b/queue-6.1/fs-dlm-remove-send-repeat-remove-handling.patch @@ -0,0 +1,128 @@ +From 342ed3afabada1a9276f30720ddde270c595d850 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 16:45:13 -0400 +Subject: fs: dlm: remove send repeat remove handling + +From: Alexander Aring + +[ Upstream commit 57a5724ef0b332eb6e78250157910a006b01bf6e ] + +This patch removes the send repeat remove handling. This handling is +there to repeatingly DLM_MSG_REMOVE messages in cases the dlm stack +thinks it was not received at the first time. In cases of message drops +this functionality is necessary, but since the DLM midcomms layer +guarantees there are no messages drops between cluster nodes this +feature became not strict necessary anymore. Due message +delays/processing it could be that two send_repeat_remove() are sent out +while the other should be still on it's way. We remove the repeat remove +handling because we are sure that the message cannot be dropped due +communication errors. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Stable-dep-of: 724b6bab0d75 ("fs: dlm: fix use after free in midcomms commit") +Signed-off-by: Sasha Levin +--- + fs/dlm/lock.c | 74 --------------------------------------------------- + 1 file changed, 74 deletions(-) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 94a72ede57646..b246d71b5e17a 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -4044,66 +4044,6 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms) + return error; + } + +-static void send_repeat_remove(struct dlm_ls *ls, char *ms_name, int len) +-{ +- char name[DLM_RESNAME_MAXLEN + 1]; +- struct dlm_message *ms; +- struct dlm_mhandle *mh; +- struct dlm_rsb *r; +- uint32_t hash, b; +- int rv, dir_nodeid; +- +- memset(name, 0, sizeof(name)); +- memcpy(name, ms_name, len); +- +- hash = jhash(name, len, 0); +- b = hash & (ls->ls_rsbtbl_size - 1); +- +- dir_nodeid = dlm_hash2nodeid(ls, hash); +- +- log_error(ls, "send_repeat_remove dir %d %s", dir_nodeid, name); +- +- spin_lock(&ls->ls_rsbtbl[b].lock); +- rv = dlm_search_rsb_tree(&ls->ls_rsbtbl[b].keep, name, len, &r); +- if (!rv) { +- spin_unlock(&ls->ls_rsbtbl[b].lock); +- log_error(ls, "repeat_remove on keep %s", name); +- return; +- } +- +- rv = dlm_search_rsb_tree(&ls->ls_rsbtbl[b].toss, name, len, &r); +- if (!rv) { +- spin_unlock(&ls->ls_rsbtbl[b].lock); +- log_error(ls, "repeat_remove on toss %s", name); +- return; +- } +- +- /* use ls->remove_name2 to avoid conflict with shrink? */ +- +- spin_lock(&ls->ls_remove_spin); +- ls->ls_remove_len = len; +- memcpy(ls->ls_remove_name, name, DLM_RESNAME_MAXLEN); +- spin_unlock(&ls->ls_remove_spin); +- spin_unlock(&ls->ls_rsbtbl[b].lock); +- +- rv = _create_message(ls, sizeof(struct dlm_message) + len, +- dir_nodeid, DLM_MSG_REMOVE, &ms, &mh); +- if (rv) +- goto out; +- +- memcpy(ms->m_extra, name, len); +- ms->m_hash = cpu_to_le32(hash); +- +- send_message(mh, ms); +- +-out: +- spin_lock(&ls->ls_remove_spin); +- ls->ls_remove_len = 0; +- memset(ls->ls_remove_name, 0, DLM_RESNAME_MAXLEN); +- spin_unlock(&ls->ls_remove_spin); +- wake_up(&ls->ls_remove_wait); +-} +- + static int receive_request(struct dlm_ls *ls, struct dlm_message *ms) + { + struct dlm_lkb *lkb; +@@ -4173,25 +4113,11 @@ static int receive_request(struct dlm_ls *ls, struct dlm_message *ms) + ENOTBLK request failures when the lookup reply designating us + as master is delayed. */ + +- /* We could repeatedly return -EBADR here if our send_remove() is +- delayed in being sent/arriving/being processed on the dir node. +- Another node would repeatedly lookup up the master, and the dir +- node would continue returning our nodeid until our send_remove +- took effect. +- +- We send another remove message in case our previous send_remove +- was lost/ignored/missed somehow. */ +- + if (error != -ENOTBLK) { + log_limit(ls, "receive_request %x from %d %d", + le32_to_cpu(ms->m_lkid), from_nodeid, error); + } + +- if (namelen && error == -EBADR) { +- send_repeat_remove(ls, ms->m_extra, namelen); +- msleep(1000); +- } +- + setup_stub_lkb(ls, ms); + send_request_reply(&ls->ls_stub_rsb, &ls->ls_stub_lkb, error); + return error; +-- +2.39.2 + diff --git a/queue-6.1/fs-dlm-start-midcomms-before-scand.patch b/queue-6.1/fs-dlm-start-midcomms-before-scand.patch new file mode 100644 index 00000000000..6f2faeac2d7 --- /dev/null +++ b/queue-6.1/fs-dlm-start-midcomms-before-scand.patch @@ -0,0 +1,62 @@ +From dd5c12d61887cd055ca77639f69755dcc17d5d39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 17:10:31 -0500 +Subject: fs: dlm: start midcomms before scand + +From: Alexander Aring + +[ Upstream commit aad633dc0cf90093998b1ae0ba9f19b5f1dab644 ] + +The scand kthread can send dlm messages out, especially dlm remove +messages to free memory for unused rsb on other nodes. To send out dlm +messages, midcomms must be initialized. This patch moves the midcomms +start before scand is started. + +Cc: stable@vger.kernel.org +Fixes: e7fd41792fc0 ("[DLM] The core of the DLM for GFS2/CLVM") +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lockspace.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index c3cf2e7996f6c..7b29ea7bfb416 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -381,23 +381,23 @@ static int threads_start(void) + { + int error; + +- error = dlm_scand_start(); ++ /* Thread for sending/receiving messages for all lockspace's */ ++ error = dlm_midcomms_start(); + if (error) { +- log_print("cannot start dlm_scand thread %d", error); ++ log_print("cannot start dlm midcomms %d", error); + goto fail; + } + +- /* Thread for sending/receiving messages for all lockspace's */ +- error = dlm_midcomms_start(); ++ error = dlm_scand_start(); + if (error) { +- log_print("cannot start dlm midcomms %d", error); +- goto scand_fail; ++ log_print("cannot start dlm_scand thread %d", error); ++ goto midcomms_fail; + } + + return 0; + +- scand_fail: +- dlm_scand_stop(); ++ midcomms_fail: ++ dlm_midcomms_stop(); + fail: + return error; + } +-- +2.39.2 + diff --git a/queue-6.1/fs-dlm-use-packet-in-dlm_mhandle.patch b/queue-6.1/fs-dlm-use-packet-in-dlm_mhandle.patch new file mode 100644 index 00000000000..0f2f620cbf7 --- /dev/null +++ b/queue-6.1/fs-dlm-use-packet-in-dlm_mhandle.patch @@ -0,0 +1,55 @@ +From 3caf2f8a5d7a02a3e33d0df6030f66f4f9d0e107 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 16:45:14 -0400 +Subject: fs: dlm: use packet in dlm_mhandle + +From: Alexander Aring + +[ Upstream commit 5b787667e87a373a2f8f70e6be2b5d99c408462f ] + +To allow more than just dereferencing the inner header we directly point +to the inner dlm packet which allows us to dereference the header, rcom +or message structure. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Stable-dep-of: 724b6bab0d75 ("fs: dlm: fix use after free in midcomms commit") +Signed-off-by: Sasha Levin +--- + fs/dlm/midcomms.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c +index 095f2005fb621..4a8721ab9f149 100644 +--- a/fs/dlm/midcomms.c ++++ b/fs/dlm/midcomms.c +@@ -194,7 +194,7 @@ struct midcomms_node { + }; + + struct dlm_mhandle { +- const struct dlm_header *inner_hd; ++ const union dlm_packet *inner_p; + struct midcomms_node *node; + struct dlm_opts *opts; + struct dlm_msg *msg; +@@ -1049,7 +1049,7 @@ static struct dlm_msg *dlm_midcomms_get_msg_3_2(struct dlm_mhandle *mh, int node + dlm_fill_opts_header(opts, len, mh->seq); + + *ppc += sizeof(*opts); +- mh->inner_hd = (const struct dlm_header *)*ppc; ++ mh->inner_p = (const union dlm_packet *)*ppc; + return msg; + } + +@@ -1127,7 +1127,7 @@ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len, + static void dlm_midcomms_commit_msg_3_2(struct dlm_mhandle *mh) + { + /* nexthdr chain for fast lookup */ +- mh->opts->o_nextcmd = mh->inner_hd->h_cmd; ++ mh->opts->o_nextcmd = mh->inner_p->header.h_cmd; + mh->committed = true; + dlm_lowcomms_commit_msg(mh->msg); + } +-- +2.39.2 + diff --git a/queue-6.1/fs-dlm-use-warn_on_once-instead-of-warn_on.patch b/queue-6.1/fs-dlm-use-warn_on_once-instead-of-warn_on.patch new file mode 100644 index 00000000000..2ca81ad060f --- /dev/null +++ b/queue-6.1/fs-dlm-use-warn_on_once-instead-of-warn_on.patch @@ -0,0 +1,107 @@ +From 2d80727685f8ef9aeb85017ad0d319895076617b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 16:45:27 -0400 +Subject: fs: dlm: use WARN_ON_ONCE() instead of WARN_ON() + +From: Alexander Aring + +[ Upstream commit 775af207464bd28a2086f8399c0b2a3f1f40c7ae ] + +To not get the console spammed about WARN_ON() of invalid states in the +dlm midcomms hot path handling we switch to WARN_ON_ONCE() to get it +only once that there might be an issue with the midcomms state handling. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Stable-dep-of: 7354fa4ef697 ("fs: dlm: be sure to call dlm_send_queue_flush()") +Signed-off-by: Sasha Levin +--- + fs/dlm/midcomms.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c +index 0477493706edb..b53d7a281be93 100644 +--- a/fs/dlm/midcomms.c ++++ b/fs/dlm/midcomms.c +@@ -469,7 +469,7 @@ static void dlm_pas_fin_ack_rcv(struct midcomms_node *node) + spin_unlock(&node->state_lock); + log_print("%s: unexpected state: %d\n", + __func__, node->state); +- WARN_ON(1); ++ WARN_ON_ONCE(1); + return; + } + spin_unlock(&node->state_lock); +@@ -542,13 +542,13 @@ static void dlm_midcomms_receive_buffer(union dlm_packet *p, + spin_unlock(&node->state_lock); + log_print("%s: unexpected state: %d\n", + __func__, node->state); +- WARN_ON(1); ++ WARN_ON_ONCE(1); + return; + } + spin_unlock(&node->state_lock); + break; + default: +- WARN_ON(test_bit(DLM_NODE_FLAG_STOP_RX, &node->flags)); ++ WARN_ON_ONCE(test_bit(DLM_NODE_FLAG_STOP_RX, &node->flags)); + dlm_receive_buffer_3_2_trace(seq, p); + dlm_receive_buffer(p, node->nodeid); + set_bit(DLM_NODE_ULP_DELIVERED, &node->flags); +@@ -764,7 +764,7 @@ static void dlm_midcomms_receive_buffer_3_2(union dlm_packet *p, int nodeid) + goto out; + } + +- WARN_ON(test_bit(DLM_NODE_FLAG_STOP_RX, &node->flags)); ++ WARN_ON_ONCE(test_bit(DLM_NODE_FLAG_STOP_RX, &node->flags)); + dlm_receive_buffer(p, nodeid); + break; + case DLM_OPTS: +@@ -1089,7 +1089,7 @@ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len, + } + + /* this is a bug, however we going on and hope it will be resolved */ +- WARN_ON(test_bit(DLM_NODE_FLAG_STOP_TX, &node->flags)); ++ WARN_ON_ONCE(test_bit(DLM_NODE_FLAG_STOP_TX, &node->flags)); + + mh = dlm_allocate_mhandle(); + if (!mh) +@@ -1121,7 +1121,7 @@ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len, + break; + default: + dlm_free_mhandle(mh); +- WARN_ON(1); ++ WARN_ON_ONCE(1); + goto err; + } + +@@ -1197,7 +1197,7 @@ void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh, + break; + default: + srcu_read_unlock(&nodes_srcu, mh->idx); +- WARN_ON(1); ++ WARN_ON_ONCE(1); + break; + } + } +@@ -1254,7 +1254,7 @@ static void dlm_act_fin_ack_rcv(struct midcomms_node *node) + spin_unlock(&node->state_lock); + log_print("%s: unexpected state: %d\n", + __func__, node->state); +- WARN_ON(1); ++ WARN_ON_ONCE(1); + return; + } + spin_unlock(&node->state_lock); +@@ -1366,7 +1366,7 @@ static void midcomms_node_release(struct rcu_head *rcu) + { + struct midcomms_node *node = container_of(rcu, struct midcomms_node, rcu); + +- WARN_ON(atomic_read(&node->send_queue_cnt)); ++ WARN_ON_ONCE(atomic_read(&node->send_queue_cnt)); + kfree(node); + } + +-- +2.39.2 + diff --git a/queue-6.1/ice-copy-last-block-omitted-in-ice_get_module_eeprom.patch b/queue-6.1/ice-copy-last-block-omitted-in-ice_get_module_eeprom.patch new file mode 100644 index 00000000000..f76862fe4e6 --- /dev/null +++ b/queue-6.1/ice-copy-last-block-omitted-in-ice_get_module_eeprom.patch @@ -0,0 +1,115 @@ +From d6c2d08395ec1ce93c425f0bcb134623ca47831f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 21:47:07 +0100 +Subject: ice: copy last block omitted in ice_get_module_eeprom() + +From: Petr Oros + +[ Upstream commit 84cba1840e68430325ac133a11be06bfb2f7acd8 ] + +ice_get_module_eeprom() is broken since commit e9c9692c8a81 ("ice: +Reimplement module reads used by ethtool") In this refactor, +ice_get_module_eeprom() reads the eeprom in blocks of size 8. +But the condition that should protect the buffer overflow +ignores the last block. The last block always contains zeros. + +Bug uncovered by ethtool upstream commit 9538f384b535 +("netlink: eeprom: Defer page requests to individual parsers") +After this commit, ethtool reads a block with length = 1; +to read the SFF-8024 identifier value. + +unpatched driver: +$ ethtool -m enp65s0f0np0 offset 0x90 length 8 +Offset Values +------ ------ +0x0090: 00 00 00 00 00 00 00 00 +$ ethtool -m enp65s0f0np0 offset 0x90 length 12 +Offset Values +------ ------ +0x0090: 00 00 01 a0 4d 65 6c 6c 00 00 00 00 +$ + +$ ethtool -m enp65s0f0np0 +Offset Values +------ ------ +0x0000: 11 06 06 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 08 00 +0x0070: 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +patched driver: +$ ethtool -m enp65s0f0np0 offset 0x90 length 8 +Offset Values +------ ------ +0x0090: 00 00 01 a0 4d 65 6c 6c +$ ethtool -m enp65s0f0np0 offset 0x90 length 12 +Offset Values +------ ------ +0x0090: 00 00 01 a0 4d 65 6c 6c 61 6e 6f 78 +$ ethtool -m enp65s0f0np0 + Identifier : 0x11 (QSFP28) + Extended identifier : 0x00 + Extended identifier description : 1.5W max. Power consumption + Extended identifier description : No CDR in TX, No CDR in RX + Extended identifier description : High Power Class (> 3.5 W) not enabled + Connector : 0x23 (No separable connector) + Transceiver codes : 0x88 0x00 0x00 0x00 0x00 0x00 0x00 0x00 + Transceiver type : 40G Ethernet: 40G Base-CR4 + Transceiver type : 25G Ethernet: 25G Base-CR CA-N + Encoding : 0x05 (64B/66B) + BR, Nominal : 25500Mbps + Rate identifier : 0x00 + Length (SMF,km) : 0km + Length (OM3 50um) : 0m + Length (OM2 50um) : 0m + Length (OM1 62.5um) : 0m + Length (Copper or Active cable) : 1m + Transmitter technology : 0xa0 (Copper cable unequalized) + Attenuation at 2.5GHz : 4db + Attenuation at 5.0GHz : 5db + Attenuation at 7.0GHz : 7db + Attenuation at 12.9GHz : 10db + ........ + .... + +Fixes: e9c9692c8a81 ("ice: Reimplement module reads used by ethtool") +Signed-off-by: Petr Oros +Reviewed-by: Jesse Brandeburg +Tested-by: Jesse Brandeburg +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ethtool.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index e1f6373a3a2c0..02eb78df2378e 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -4145,6 +4145,8 @@ ice_get_module_eeprom(struct net_device *netdev, + * SFP modules only ever use page 0. + */ + if (page == 0 || !(data[0x2] & 0x4)) { ++ u32 copy_len; ++ + /* If i2c bus is busy due to slow page change or + * link management access, call can fail. This is normal. + * So we retry this a few times. +@@ -4168,8 +4170,8 @@ ice_get_module_eeprom(struct net_device *netdev, + } + + /* Make sure we have enough room for the new block */ +- if ((i + SFF_READ_BLOCK_SIZE) < ee->len) +- memcpy(data + i, value, SFF_READ_BLOCK_SIZE); ++ copy_len = min_t(u32, SFF_READ_BLOCK_SIZE, ee->len - i); ++ memcpy(data + i, value, copy_len); + } + } + return 0; +-- +2.39.2 + diff --git a/queue-6.1/ice-fix-dscp-pfc-tlv-creation.patch b/queue-6.1/ice-fix-dscp-pfc-tlv-creation.patch new file mode 100644 index 00000000000..fe126100f08 --- /dev/null +++ b/queue-6.1/ice-fix-dscp-pfc-tlv-creation.patch @@ -0,0 +1,43 @@ +From b7944f580fa73db6345ba8823e26cd12426416da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 14:24:10 +0100 +Subject: ice: Fix DSCP PFC TLV creation + +From: Dave Ertman + +[ Upstream commit fef3f92e8a4214652d8f33f50330dc5a92efbf11 ] + +When creating the TLV to send to the FW for configuring DSCP mode PFC,the +PFCENABLE field was being masked with a 4 bit mask (0xF), but this is an 8 +bit bitmask for enabled classes for PFC. This means that traffic classes +4-7 could not be enabled for PFC. + +Remove the mask completely, as it is not necessary, as we are assigning 8 +bits to an 8 bit field. + +Fixes: 2a87bd73e50d ("ice: Add DSCP support") +Signed-off-by: Dave Ertman +Signed-off-by: Karen Ostrowska +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_dcb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_dcb.c b/drivers/net/ethernet/intel/ice/ice_dcb.c +index 0b146a0d42058..6375372f87294 100644 +--- a/drivers/net/ethernet/intel/ice/ice_dcb.c ++++ b/drivers/net/ethernet/intel/ice/ice_dcb.c +@@ -1372,7 +1372,7 @@ ice_add_dscp_pfc_tlv(struct ice_lldp_org_tlv *tlv, struct ice_dcbx_cfg *dcbcfg) + tlv->ouisubtype = htonl(ouisubtype); + + buf[0] = dcbcfg->pfc.pfccap & 0xF; +- buf[1] = dcbcfg->pfc.pfcena & 0xF; ++ buf[1] = dcbcfg->pfc.pfcena; + } + + /** +-- +2.39.2 + diff --git a/queue-6.1/ila-do-not-generate-empty-messages-in-ila_xlat_nl_cm.patch b/queue-6.1/ila-do-not-generate-empty-messages-in-ila_xlat_nl_cm.patch new file mode 100644 index 00000000000..37bc1492ad2 --- /dev/null +++ b/queue-6.1/ila-do-not-generate-empty-messages-in-ila_xlat_nl_cm.patch @@ -0,0 +1,113 @@ +From 35acac485956f1cb6055cb068ab8e63e4d0b7dee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 15:30:24 +0000 +Subject: ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() + +From: Eric Dumazet + +[ Upstream commit 693aa2c0d9b6d5b1f2745d31b6e70d09dbbaf06e ] + +ila_xlat_nl_cmd_get_mapping() generates an empty skb, +triggerring a recent sanity check [1]. + +Instead, return an error code, so that user space +can get it. + +[1] +skb_assert_len +WARNING: CPU: 0 PID: 5923 at include/linux/skbuff.h:2527 skb_assert_len include/linux/skbuff.h:2527 [inline] +WARNING: CPU: 0 PID: 5923 at include/linux/skbuff.h:2527 __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156 +Modules linked in: +CPU: 0 PID: 5923 Comm: syz-executor269 Not tainted 6.2.0-syzkaller-18300-g2ebd1fbb946d #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023 +pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : skb_assert_len include/linux/skbuff.h:2527 [inline] +pc : __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156 +lr : skb_assert_len include/linux/skbuff.h:2527 [inline] +lr : __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156 +sp : ffff80001e0d6c40 +x29: ffff80001e0d6e60 x28: dfff800000000000 x27: ffff0000c86328c0 +x26: dfff800000000000 x25: ffff0000c8632990 x24: ffff0000c8632a00 +x23: 0000000000000000 x22: 1fffe000190c6542 x21: ffff0000c8632a10 +x20: ffff0000c8632a00 x19: ffff80001856e000 x18: ffff80001e0d5fc0 +x17: 0000000000000000 x16: ffff80001235d16c x15: 0000000000000000 +x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001 +x11: ff80800008353a30 x10: 0000000000000000 x9 : 21567eaf25bfb600 +x8 : 21567eaf25bfb600 x7 : 0000000000000001 x6 : 0000000000000001 +x5 : ffff80001e0d6558 x4 : ffff800015c74760 x3 : ffff800008596744 +x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000000e +Call trace: +skb_assert_len include/linux/skbuff.h:2527 [inline] +__dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156 +dev_queue_xmit include/linux/netdevice.h:3033 [inline] +__netlink_deliver_tap_skb net/netlink/af_netlink.c:307 [inline] +__netlink_deliver_tap+0x45c/0x6f8 net/netlink/af_netlink.c:325 +netlink_deliver_tap+0xf4/0x174 net/netlink/af_netlink.c:338 +__netlink_sendskb net/netlink/af_netlink.c:1283 [inline] +netlink_sendskb+0x6c/0x154 net/netlink/af_netlink.c:1292 +netlink_unicast+0x334/0x8d4 net/netlink/af_netlink.c:1380 +nlmsg_unicast include/net/netlink.h:1099 [inline] +genlmsg_unicast include/net/genetlink.h:433 [inline] +genlmsg_reply include/net/genetlink.h:443 [inline] +ila_xlat_nl_cmd_get_mapping+0x620/0x7d0 net/ipv6/ila/ila_xlat.c:493 +genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline] +genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] +genl_rcv_msg+0x938/0xc1c net/netlink/genetlink.c:1065 +netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574 +genl_rcv+0x38/0x50 net/netlink/genetlink.c:1076 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x800/0xae0 net/netlink/af_netlink.c:1942 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg net/socket.c:734 [inline] +____sys_sendmsg+0x558/0x844 net/socket.c:2479 +___sys_sendmsg net/socket.c:2533 [inline] +__sys_sendmsg+0x26c/0x33c net/socket.c:2562 +__do_sys_sendmsg net/socket.c:2571 [inline] +__se_sys_sendmsg net/socket.c:2569 [inline] +__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2569 +__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] +invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 +el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 +do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193 +el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 +el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 +el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 +irq event stamp: 136484 +hardirqs last enabled at (136483): [] __up_console_sem+0x60/0xb4 kernel/printk/printk.c:345 +hardirqs last disabled at (136484): [] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405 +softirqs last enabled at (136418): [] softirq_handle_end kernel/softirq.c:414 [inline] +softirqs last enabled at (136418): [] __do_softirq+0xd4c/0xfa4 kernel/softirq.c:600 +softirqs last disabled at (136371): [] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80 +---[ end trace 0000000000000000 ]--- +skb len=0 headroom=0 headlen=0 tailroom=192 +mac=(0,0) net=(0,-1) trans=-1 +shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0)) +csum(0x0 ip_summed=0 complete_sw=0 valid=0 level=0) +hash(0x0 sw=0 l4=0) proto=0x0010 pkttype=6 iif=0 +dev name=nlmon0 feat=0x0000000000005861 + +Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ila/ila_xlat.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv6/ila/ila_xlat.c b/net/ipv6/ila/ila_xlat.c +index 47447f0241df6..bee45dfeb1874 100644 +--- a/net/ipv6/ila/ila_xlat.c ++++ b/net/ipv6/ila/ila_xlat.c +@@ -477,6 +477,7 @@ int ila_xlat_nl_cmd_get_mapping(struct sk_buff *skb, struct genl_info *info) + + rcu_read_lock(); + ++ ret = -ESRCH; + ila = ila_lookup_by_params(&xp, ilan); + if (ila) { + ret = ila_dump_info(ila, +-- +2.39.2 + diff --git a/queue-6.1/input-exc3000-properly-stop-timer-on-shutdown.patch b/queue-6.1/input-exc3000-properly-stop-timer-on-shutdown.patch new file mode 100644 index 00000000000..82e2d576bab --- /dev/null +++ b/queue-6.1/input-exc3000-properly-stop-timer-on-shutdown.patch @@ -0,0 +1,53 @@ +From 450804da63fbddcc07053920e1d8c53c22f8dbed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Feb 2023 16:43:29 -0800 +Subject: Input: exc3000 - properly stop timer on shutdown + +From: Dmitry Torokhov + +[ Upstream commit 79c81d137d36f9635bbcbc3916c0cccb418a61dd ] + +We need to stop the timer on driver unbind or probe failures, otherwise +we get UAF/Oops. + +Fixes: 7e577a17f2ee ("Input: add I2C attached EETI EXC3000 multi touch driver") +Reported-by: "Stahl, Michael" +Link: https://lore.kernel.org/r/Y9dK57BFqtlf8NmN@google.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/exc3000.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/input/touchscreen/exc3000.c b/drivers/input/touchscreen/exc3000.c +index 4b7eee01c6aad..615646a03039b 100644 +--- a/drivers/input/touchscreen/exc3000.c ++++ b/drivers/input/touchscreen/exc3000.c +@@ -109,6 +109,11 @@ static inline void exc3000_schedule_timer(struct exc3000_data *data) + mod_timer(&data->timer, jiffies + msecs_to_jiffies(EXC3000_TIMEOUT_MS)); + } + ++static void exc3000_shutdown_timer(void *timer) ++{ ++ del_timer_sync(timer); ++} ++ + static int exc3000_read_frame(struct exc3000_data *data, u8 *buf) + { + struct i2c_client *client = data->client; +@@ -386,6 +391,11 @@ static int exc3000_probe(struct i2c_client *client) + if (error) + return error; + ++ error = devm_add_action_or_reset(&client->dev, exc3000_shutdown_timer, ++ &data->timer); ++ if (error) ++ return error; ++ + error = devm_request_threaded_irq(&client->dev, client->irq, + NULL, exc3000_interrupt, IRQF_ONESHOT, + client->name, data); +-- +2.39.2 + diff --git a/queue-6.1/ipmi-ssif-add-a-timer-between-request-retries.patch b/queue-6.1/ipmi-ssif-add-a-timer-between-request-retries.patch new file mode 100644 index 00000000000..8c28ab26883 --- /dev/null +++ b/queue-6.1/ipmi-ssif-add-a-timer-between-request-retries.patch @@ -0,0 +1,135 @@ +From a737cfa29d9fb1aea7b857efaac2ed558ff637a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 10:34:47 -0600 +Subject: ipmi:ssif: Add a timer between request retries + +From: Corey Minyard + +[ Upstream commit 00bb7e763ec9f384cb382455cb6ba5588b5375cf ] + +The IPMI spec has a time (T6) specified between request retries. Add +the handling for that. + +Reported by: Tony Camuso +Cc: stable@vger.kernel.org +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_ssif.c | 34 +++++++++++++++++++++++++++------- + 1 file changed, 27 insertions(+), 7 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c +index c25c4b1a03ae0..a5ddebb1edea4 100644 +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -74,7 +74,8 @@ + /* + * Timer values + */ +-#define SSIF_MSG_USEC 60000 /* 60ms between message tries. */ ++#define SSIF_MSG_USEC 60000 /* 60ms between message tries (T3). */ ++#define SSIF_REQ_RETRY_USEC 60000 /* 60ms between send retries (T6). */ + #define SSIF_MSG_PART_USEC 5000 /* 5ms for a message part */ + + /* How many times to we retry sending/receiving the message. */ +@@ -82,7 +83,9 @@ + #define SSIF_RECV_RETRIES 250 + + #define SSIF_MSG_MSEC (SSIF_MSG_USEC / 1000) ++#define SSIF_REQ_RETRY_MSEC (SSIF_REQ_RETRY_USEC / 1000) + #define SSIF_MSG_JIFFIES ((SSIF_MSG_USEC * 1000) / TICK_NSEC) ++#define SSIF_REQ_RETRY_JIFFIES ((SSIF_REQ_RETRY_USEC * 1000) / TICK_NSEC) + #define SSIF_MSG_PART_JIFFIES ((SSIF_MSG_PART_USEC * 1000) / TICK_NSEC) + + /* +@@ -229,6 +232,9 @@ struct ssif_info { + bool got_alert; + bool waiting_alert; + ++ /* Used to inform the timeout that it should do a resend. */ ++ bool do_resend; ++ + /* + * If set to true, this will request events the next time the + * state machine is idle. +@@ -531,22 +537,28 @@ static void start_get(struct ssif_info *ssif_info) + ssif_info->recv, I2C_SMBUS_BLOCK_DATA); + } + ++static void start_resend(struct ssif_info *ssif_info); ++ + static void retry_timeout(struct timer_list *t) + { + struct ssif_info *ssif_info = from_timer(ssif_info, t, retry_timer); + unsigned long oflags, *flags; +- bool waiting; ++ bool waiting, resend; + + if (ssif_info->stopping) + return; + + flags = ipmi_ssif_lock_cond(ssif_info, &oflags); ++ resend = ssif_info->do_resend; ++ ssif_info->do_resend = false; + waiting = ssif_info->waiting_alert; + ssif_info->waiting_alert = false; + ipmi_ssif_unlock_cond(ssif_info, flags); + + if (waiting) + start_get(ssif_info); ++ if (resend) ++ start_resend(ssif_info); + } + + static void watch_timeout(struct timer_list *t) +@@ -595,8 +607,6 @@ static void ssif_alert(struct i2c_client *client, enum i2c_alert_protocol type, + start_get(ssif_info); + } + +-static void start_resend(struct ssif_info *ssif_info); +- + static void msg_done_handler(struct ssif_info *ssif_info, int result, + unsigned char *data, unsigned int len) + { +@@ -901,7 +911,13 @@ static void msg_written_handler(struct ssif_info *ssif_info, int result, + if (result < 0) { + ssif_info->retries_left--; + if (ssif_info->retries_left > 0) { +- start_resend(ssif_info); ++ /* ++ * Wait the retry timeout time per the spec, ++ * then redo the send. ++ */ ++ ssif_info->do_resend = true; ++ mod_timer(&ssif_info->retry_timer, ++ jiffies + SSIF_REQ_RETRY_JIFFIES); + return; + } + +@@ -1311,8 +1327,10 @@ static int do_cmd(struct i2c_client *client, int len, unsigned char *msg, + ret = i2c_smbus_write_block_data(client, SSIF_IPMI_REQUEST, len, msg); + if (ret) { + retry_cnt--; +- if (retry_cnt > 0) ++ if (retry_cnt > 0) { ++ msleep(SSIF_REQ_RETRY_MSEC); + goto retry1; ++ } + return -ENODEV; + } + +@@ -1453,8 +1471,10 @@ static int start_multipart_test(struct i2c_client *client, + 32, msg); + if (ret) { + retry_cnt--; +- if (retry_cnt > 0) ++ if (retry_cnt > 0) { ++ msleep(SSIF_REQ_RETRY_MSEC); + goto retry_write; ++ } + dev_err(&client->dev, "Could not write multi-part start, though the BMC said it could handle it. Just limit sends to one part.\n"); + return ret; + } +-- +2.39.2 + diff --git a/queue-6.1/ipmi-ssif-increase-the-message-retry-time.patch b/queue-6.1/ipmi-ssif-increase-the-message-retry-time.patch new file mode 100644 index 00000000000..afc0b16006d --- /dev/null +++ b/queue-6.1/ipmi-ssif-increase-the-message-retry-time.patch @@ -0,0 +1,36 @@ +From 321ee5a94bb8ac4cd9701b68f8575b899296d6ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 15:03:11 -0500 +Subject: ipmi:ssif: Increase the message retry time + +From: Corey Minyard + +[ Upstream commit 39721d62bbc16ebc9bb2bdc2c163658f33da3b0b ] + +The spec states that the minimum message retry time is 60ms, but it was +set to 20ms. Correct it. + +Reported by: Tony Camuso +Signed-off-by: Corey Minyard +Stable-dep-of: 00bb7e763ec9 ("ipmi:ssif: Add a timer between request retries") +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_ssif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c +index cbd56886f1d2a..c25c4b1a03ae0 100644 +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -74,7 +74,7 @@ + /* + * Timer values + */ +-#define SSIF_MSG_USEC 20000 /* 20ms between message tries. */ ++#define SSIF_MSG_USEC 60000 /* 60ms between message tries. */ + #define SSIF_MSG_PART_USEC 5000 /* 5ms for a message part */ + + /* How many times to we retry sending/receiving the message. */ +-- +2.39.2 + diff --git a/queue-6.1/ipmi-ssif-remove-rtc_us_timer.patch b/queue-6.1/ipmi-ssif-remove-rtc_us_timer.patch new file mode 100644 index 00000000000..dae8223e6a1 --- /dev/null +++ b/queue-6.1/ipmi-ssif-remove-rtc_us_timer.patch @@ -0,0 +1,62 @@ +From 58e0f56006ac8cde826c4d39bc766a41bc0a4223 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 10:41:48 -0600 +Subject: ipmi:ssif: Remove rtc_us_timer + +From: Corey Minyard + +[ Upstream commit 9e8b89926fb87e5625bdde6fd5de2c31fb1d83bf ] + +It was cruft left over from older handling of run to completion. + +Cc: stable@vger.kernel.org +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_ssif.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c +index 7c606c49cd535..cbd56886f1d2a 100644 +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -241,12 +241,6 @@ struct ssif_info { + */ + bool req_flags; + +- /* +- * Used to perform timer operations when run-to-completion +- * mode is on. This is a countdown timer. +- */ +- int rtc_us_timer; +- + /* Used for sending/receiving data. +1 for the length. */ + unsigned char data[IPMI_MAX_MSG_LENGTH + 1]; + unsigned int data_len; +@@ -530,7 +524,6 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result, + + static void start_get(struct ssif_info *ssif_info) + { +- ssif_info->rtc_us_timer = 0; + ssif_info->multi_pos = 0; + + ssif_i2c_send(ssif_info, msg_done_handler, I2C_SMBUS_READ, +@@ -622,7 +615,6 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result, + + flags = ipmi_ssif_lock_cond(ssif_info, &oflags); + ssif_info->waiting_alert = true; +- ssif_info->rtc_us_timer = SSIF_MSG_USEC; + if (!ssif_info->stopping) + mod_timer(&ssif_info->retry_timer, + jiffies + SSIF_MSG_JIFFIES); +@@ -973,7 +965,6 @@ static void msg_written_handler(struct ssif_info *ssif_info, int result, + /* Wait a jiffie then request the next message */ + ssif_info->waiting_alert = true; + ssif_info->retries_left = SSIF_RECV_RETRIES; +- ssif_info->rtc_us_timer = SSIF_MSG_PART_USEC; + if (!ssif_info->stopping) + mod_timer(&ssif_info->retry_timer, + jiffies + SSIF_MSG_PART_JIFFIES); +-- +2.39.2 + diff --git a/queue-6.1/kvm-vmx-do-_all_-initialization-before-exposing-dev-.patch b/queue-6.1/kvm-vmx-do-_all_-initialization-before-exposing-dev-.patch new file mode 100644 index 00000000000..fde8a367a8d --- /dev/null +++ b/queue-6.1/kvm-vmx-do-_all_-initialization-before-exposing-dev-.patch @@ -0,0 +1,117 @@ +From 9ea0c293e8d832329a97da81fcbc0af7177091cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 23:08:58 +0000 +Subject: KVM: VMX: Do _all_ initialization before exposing /dev/kvm to + userspace + +From: Sean Christopherson + +[ Upstream commit e32b120071ea114efc0b4ddd439547750b85f618 ] + +Call kvm_init() only after _all_ setup is complete, as kvm_init() exposes +/dev/kvm to userspace and thus allows userspace to create VMs (and call +other ioctls). E.g. KVM will encounter a NULL pointer when attempting to +add a vCPU to the per-CPU loaded_vmcss_on_cpu list if userspace is able to +create a VM before vmx_init() configures said list. + + BUG: kernel NULL pointer dereference, address: 0000000000000008 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 0 P4D 0 + Oops: 0002 [#1] SMP + CPU: 6 PID: 1143 Comm: stable Not tainted 6.0.0-rc7+ #988 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:vmx_vcpu_load_vmcs+0x68/0x230 [kvm_intel] + + vmx_vcpu_load+0x16/0x60 [kvm_intel] + kvm_arch_vcpu_load+0x32/0x1f0 [kvm] + vcpu_load+0x2f/0x40 [kvm] + kvm_arch_vcpu_create+0x231/0x310 [kvm] + kvm_vm_ioctl+0x79f/0xe10 [kvm] + ? handle_mm_fault+0xb1/0x220 + __x64_sys_ioctl+0x80/0xb0 + do_syscall_64+0x2b/0x50 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + RIP: 0033:0x7f5a6b05743b + + Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel(+) kvm irqbypass + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20221130230934.1014142-15-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/vmx.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index 81a23ae4f872b..bc868958e91fe 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -8456,19 +8456,23 @@ static void vmx_cleanup_l1d_flush(void) + l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO; + } + +-static void vmx_exit(void) ++static void __vmx_exit(void) + { ++ allow_smaller_maxphyaddr = false; ++ + #ifdef CONFIG_KEXEC_CORE + RCU_INIT_POINTER(crash_vmclear_loaded_vmcss, NULL); + synchronize_rcu(); + #endif ++ vmx_cleanup_l1d_flush(); ++} + ++static void vmx_exit(void) ++{ + kvm_exit(); + kvm_x86_vendor_exit(); + +- vmx_cleanup_l1d_flush(); +- +- allow_smaller_maxphyaddr = false; ++ __vmx_exit(); + } + module_exit(vmx_exit); + +@@ -8513,11 +8517,6 @@ static int __init vmx_init(void) + if (r) + return r; + +- r = kvm_init(&vmx_init_ops, sizeof(struct vcpu_vmx), +- __alignof__(struct vcpu_vmx), THIS_MODULE); +- if (r) +- goto err_kvm_init; +- + /* + * Must be called after common x86 init so enable_ept is properly set + * up. Hand the parameter mitigation value in which was stored in +@@ -8551,11 +8550,20 @@ static int __init vmx_init(void) + if (!enable_ept) + allow_smaller_maxphyaddr = true; + ++ /* ++ * Common KVM initialization _must_ come last, after this, /dev/kvm is ++ * exposed to userspace! ++ */ ++ r = kvm_init(&vmx_init_ops, sizeof(struct vcpu_vmx), ++ __alignof__(struct vcpu_vmx), THIS_MODULE); ++ if (r) ++ goto err_kvm_init; ++ + return 0; + +-err_l1d_flush: +- vmx_exit(); + err_kvm_init: ++ __vmx_exit(); ++err_l1d_flush: + kvm_x86_vendor_exit(); + return r; + } +-- +2.39.2 + diff --git a/queue-6.1/kvm-vmx-don-t-bother-disabling-evmcs-static-key-on-m.patch b/queue-6.1/kvm-vmx-don-t-bother-disabling-evmcs-static-key-on-m.patch new file mode 100644 index 00000000000..0a6bdf5ce74 --- /dev/null +++ b/queue-6.1/kvm-vmx-don-t-bother-disabling-evmcs-static-key-on-m.patch @@ -0,0 +1,40 @@ +From 3aa38d02e59e21e4bca67f2706535ea6166070e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 23:08:55 +0000 +Subject: KVM: VMX: Don't bother disabling eVMCS static key on module exit + +From: Sean Christopherson + +[ Upstream commit da66de44b01e9b7fa09731057593850394bf32e4 ] + +Don't disable the eVMCS static key on module exit, kvm_intel.ko owns the +key so there can't possibly be users after the kvm_intel.ko is unloaded, +at least not without much bigger issues. + +Signed-off-by: Sean Christopherson +Message-Id: <20221130230934.1014142-12-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Stable-dep-of: e32b120071ea ("KVM: VMX: Do _all_ initialization before exposing /dev/kvm to userspace") +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/vmx.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index 87874b22ba4bf..d3d84563a7f9c 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -8465,10 +8465,6 @@ static void vmx_exit(void) + + kvm_exit(); + +-#if IS_ENABLED(CONFIG_HYPERV) +- if (static_branch_unlikely(&enable_evmcs)) +- static_branch_disable(&enable_evmcs); +-#endif + vmx_cleanup_l1d_flush(); + + allow_smaller_maxphyaddr = false; +-- +2.39.2 + diff --git a/queue-6.1/kvm-vmx-reset-evmcs-controls-in-vp-assist-page-durin.patch b/queue-6.1/kvm-vmx-reset-evmcs-controls-in-vp-assist-page-durin.patch new file mode 100644 index 00000000000..1dbe8b0c145 --- /dev/null +++ b/queue-6.1/kvm-vmx-reset-evmcs-controls-in-vp-assist-page-durin.patch @@ -0,0 +1,113 @@ +From fa66ad216fac394653b9d0ee43dc44f1a0e722ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 23:08:54 +0000 +Subject: KVM: VMX: Reset eVMCS controls in VP assist page during hardware + disabling + +From: Sean Christopherson + +[ Upstream commit 2916b70fc342719f570640de07251b7f91feebdb ] + +Reset the eVMCS controls in the per-CPU VP assist page during hardware +disabling instead of waiting until kvm-intel's module exit. The controls +are activated if and only if KVM creates a VM, i.e. don't need to be +reset if hardware is never enabled. + +Doing the reset during hardware disabling will naturally fix a potential +NULL pointer deref bug once KVM disables CPU hotplug while enabling and +disabling hardware (which is necessary to fix a variety of bugs). If the +kernel is running as the root partition, the VP assist page is unmapped +during CPU hot unplug, and so KVM's clearing of the eVMCS controls needs +to occur with CPU hot(un)plug disabled, otherwise KVM could attempt to +write to a CPU's VP assist page after it's unmapped. + +Reported-by: Vitaly Kuznetsov +Signed-off-by: Sean Christopherson +Reviewed-by: Vitaly Kuznetsov +Message-Id: <20221130230934.1014142-11-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Stable-dep-of: e32b120071ea ("KVM: VMX: Do _all_ initialization before exposing /dev/kvm to userspace") +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/vmx.c | 50 +++++++++++++++++++++++++----------------- + 1 file changed, 30 insertions(+), 20 deletions(-) + +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index f5c1cb7cec8a7..87874b22ba4bf 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -551,6 +551,33 @@ static int hv_enable_direct_tlbflush(struct kvm_vcpu *vcpu) + return 0; + } + ++static void hv_reset_evmcs(void) ++{ ++ struct hv_vp_assist_page *vp_ap; ++ ++ if (!static_branch_unlikely(&enable_evmcs)) ++ return; ++ ++ /* ++ * KVM should enable eVMCS if and only if all CPUs have a VP assist ++ * page, and should reject CPU onlining if eVMCS is enabled the CPU ++ * doesn't have a VP assist page allocated. ++ */ ++ vp_ap = hv_get_vp_assist_page(smp_processor_id()); ++ if (WARN_ON_ONCE(!vp_ap)) ++ return; ++ ++ /* ++ * Reset everything to support using non-enlightened VMCS access later ++ * (e.g. when we reload the module with enlightened_vmcs=0) ++ */ ++ vp_ap->nested_control.features.directhypercall = 0; ++ vp_ap->current_nested_vmcs = 0; ++ vp_ap->enlighten_vmentry = 0; ++} ++ ++#else /* IS_ENABLED(CONFIG_HYPERV) */ ++static void hv_reset_evmcs(void) {} + #endif /* IS_ENABLED(CONFIG_HYPERV) */ + + /* +@@ -2501,6 +2528,8 @@ static void vmx_hardware_disable(void) + if (cpu_vmxoff()) + kvm_spurious_fault(); + ++ hv_reset_evmcs(); ++ + intel_pt_handle_vmx(0); + } + +@@ -8437,27 +8466,8 @@ static void vmx_exit(void) + kvm_exit(); + + #if IS_ENABLED(CONFIG_HYPERV) +- if (static_branch_unlikely(&enable_evmcs)) { +- int cpu; +- struct hv_vp_assist_page *vp_ap; +- /* +- * Reset everything to support using non-enlightened VMCS +- * access later (e.g. when we reload the module with +- * enlightened_vmcs=0) +- */ +- for_each_online_cpu(cpu) { +- vp_ap = hv_get_vp_assist_page(cpu); +- +- if (!vp_ap) +- continue; +- +- vp_ap->nested_control.features.directhypercall = 0; +- vp_ap->current_nested_vmcs = 0; +- vp_ap->enlighten_vmentry = 0; +- } +- ++ if (static_branch_unlikely(&enable_evmcs)) + static_branch_disable(&enable_evmcs); +- } + #endif + vmx_cleanup_l1d_flush(); + +-- +2.39.2 + diff --git a/queue-6.1/kvm-x86-move-guts-of-kvm_arch_init-to-standalone-hel.patch b/queue-6.1/kvm-x86-move-guts-of-kvm_arch_init-to-standalone-hel.patch new file mode 100644 index 00000000000..9410dbfdb72 --- /dev/null +++ b/queue-6.1/kvm-x86-move-guts-of-kvm_arch_init-to-standalone-hel.patch @@ -0,0 +1,183 @@ +From d09c939d196cdeb3c83d11c761a6644f86b37fd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 23:08:57 +0000 +Subject: KVM: x86: Move guts of kvm_arch_init() to standalone helper + +From: Sean Christopherson + +[ Upstream commit 4f8396b96a9fc672964842fe7adbe8ddca8a3adf ] + +Move the guts of kvm_arch_init() to a new helper, kvm_x86_vendor_init(), +so that VMX can do _all_ arch and vendor initialization before calling +kvm_init(). Calling kvm_init() must be the _very_ last step during init, +as kvm_init() exposes /dev/kvm to userspace, i.e. allows creating VMs. + +No functional change intended. + +Signed-off-by: Sean Christopherson +Message-Id: <20221130230934.1014142-14-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Stable-dep-of: e32b120071ea ("KVM: VMX: Do _all_ initialization before exposing /dev/kvm to userspace") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/kvm_host.h | 3 +++ + arch/x86/kvm/svm/svm.c | 23 +++++++++++++++++++++-- + arch/x86/kvm/vmx/vmx.c | 21 +++++++++++++++------ + arch/x86/kvm/x86.c | 15 +++++++++++++-- + 4 files changed, 52 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index f05ebaa26f0ff..ef8cabfbe8540 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1695,6 +1695,9 @@ extern struct kvm_x86_ops kvm_x86_ops; + #define KVM_X86_OP_OPTIONAL_RET0 KVM_X86_OP + #include + ++int kvm_x86_vendor_init(struct kvm_x86_init_ops *ops); ++void kvm_x86_vendor_exit(void); ++ + #define __KVM_HAVE_ARCH_VM_ALLOC + static inline struct kvm *kvm_arch_alloc_vm(void) + { +diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c +index bfe93a1c4f92e..3629dd979667c 100644 +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -5080,15 +5080,34 @@ static struct kvm_x86_init_ops svm_init_ops __initdata = { + + static int __init svm_init(void) + { ++ int r; ++ + __unused_size_checks(); + +- return kvm_init(&svm_init_ops, sizeof(struct vcpu_svm), +- __alignof__(struct vcpu_svm), THIS_MODULE); ++ r = kvm_x86_vendor_init(&svm_init_ops); ++ if (r) ++ return r; ++ ++ /* ++ * Common KVM initialization _must_ come last, after this, /dev/kvm is ++ * exposed to userspace! ++ */ ++ r = kvm_init(&svm_init_ops, sizeof(struct vcpu_svm), ++ __alignof__(struct vcpu_svm), THIS_MODULE); ++ if (r) ++ goto err_kvm_init; ++ ++ return 0; ++ ++err_kvm_init: ++ kvm_x86_vendor_exit(); ++ return r; + } + + static void __exit svm_exit(void) + { + kvm_exit(); ++ kvm_x86_vendor_exit(); + } + + module_init(svm_init) +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index d3d84563a7f9c..81a23ae4f872b 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -8464,6 +8464,7 @@ static void vmx_exit(void) + #endif + + kvm_exit(); ++ kvm_x86_vendor_exit(); + + vmx_cleanup_l1d_flush(); + +@@ -8508,23 +8509,25 @@ static int __init vmx_init(void) + } + #endif + ++ r = kvm_x86_vendor_init(&vmx_init_ops); ++ if (r) ++ return r; ++ + r = kvm_init(&vmx_init_ops, sizeof(struct vcpu_vmx), + __alignof__(struct vcpu_vmx), THIS_MODULE); + if (r) +- return r; ++ goto err_kvm_init; + + /* +- * Must be called after kvm_init() so enable_ept is properly set ++ * Must be called after common x86 init so enable_ept is properly set + * up. Hand the parameter mitigation value in which was stored in + * the pre module init parser. If no parameter was given, it will + * contain 'auto' which will be turned into the default 'cond' + * mitigation mode. + */ + r = vmx_setup_l1d_flush(vmentry_l1d_flush_param); +- if (r) { +- vmx_exit(); +- return r; +- } ++ if (r) ++ goto err_l1d_flush; + + vmx_setup_fb_clear_ctrl(); + +@@ -8549,5 +8552,11 @@ static int __init vmx_init(void) + allow_smaller_maxphyaddr = true; + + return 0; ++ ++err_l1d_flush: ++ vmx_exit(); ++err_kvm_init: ++ kvm_x86_vendor_exit(); ++ return r; + } + module_init(vmx_init); +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 68827b8dc37a5..ab09d292bdede 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -9351,7 +9351,16 @@ static struct notifier_block pvclock_gtod_notifier = { + + int kvm_arch_init(void *opaque) + { +- struct kvm_x86_init_ops *ops = opaque; ++ return 0; ++} ++ ++void kvm_arch_exit(void) ++{ ++ ++} ++ ++int kvm_x86_vendor_init(struct kvm_x86_init_ops *ops) ++{ + u64 host_pat; + int r; + +@@ -9441,8 +9450,9 @@ int kvm_arch_init(void *opaque) + kmem_cache_destroy(x86_emulator_cache); + return r; + } ++EXPORT_SYMBOL_GPL(kvm_x86_vendor_init); + +-void kvm_arch_exit(void) ++void kvm_x86_vendor_exit(void) + { + #ifdef CONFIG_X86_64 + if (hypervisor_is_type(X86_HYPER_MS_HYPERV)) +@@ -9468,6 +9478,7 @@ void kvm_arch_exit(void) + WARN_ON(static_branch_unlikely(&kvm_xen_enabled.key)); + #endif + } ++EXPORT_SYMBOL_GPL(kvm_x86_vendor_exit); + + static int __kvm_emulate_halt(struct kvm_vcpu *vcpu, int state, int reason) + { +-- +2.39.2 + diff --git a/queue-6.1/m68k-mm-move-initrd-phys_to_virt-handling-after-pagi.patch b/queue-6.1/m68k-mm-move-initrd-phys_to_virt-handling-after-pagi.patch new file mode 100644 index 00000000000..2da3f95547b --- /dev/null +++ b/queue-6.1/m68k-mm-move-initrd-phys_to_virt-handling-after-pagi.patch @@ -0,0 +1,73 @@ +From ac1bc6d5a7ff148e28cb5c9902d4cac96dd6e302 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 21:14:13 +0100 +Subject: m68k: mm: Move initrd phys_to_virt handling after paging_init() + +From: Geert Uytterhoeven + +[ Upstream commit d4b97925e87eb133e400fe4a482d750c74ce392f ] + +When booting with an initial ramdisk on platforms where physical memory +does not start at address zero (e.g. on Amiga): + + initrd: 0ef0602c - 0f800000 + Zone ranges: + DMA [mem 0x0000000008000000-0x000000f7ffffffff] + Normal empty + Movable zone start for each node + Early memory node ranges + node 0: [mem 0x0000000008000000-0x000000000f7fffff] + Initmem setup node 0 [mem 0x0000000008000000-0x000000000f7fffff] + Unable to handle kernel access at virtual address (ptrval) + Oops: 00000000 + Modules linked in: + PC: [<00201d3c>] memcmp+0x28/0x56 + +As phys_to_virt() relies on m68k_memoffset and module_fixup(), it must +not be called before paging_init(). Hence postpone the phys_to_virt +handling for the initial ramdisk until after calling paging_init(). + +While at it, reduce #ifdef clutter by using IS_ENABLED() instead. + +Fixes: 376e3fdecb0dcae2 ("m68k: Enable memtest functionality") +Reported-by: Stephen Walsh +Link: https://lists.debian.org/debian-68k/2022/09/msg00007.html +Reported-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/4f45f05f377bf3f5baf88dbd5c3c8aeac59d94f0.camel@physik.fu-berlin.de +Signed-off-by: Geert Uytterhoeven +Acked-by: Finn Thain +Link: https://lore.kernel.org/r/dff216da09ab7a60217c3fc2147e671ae07d636f.1677528627.git.geert@linux-m68k.org +Signed-off-by: Sasha Levin +--- + arch/m68k/kernel/setup_mm.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/m68k/kernel/setup_mm.c b/arch/m68k/kernel/setup_mm.c +index 3a2bb2e8fdad4..fbff1cea62caa 100644 +--- a/arch/m68k/kernel/setup_mm.c ++++ b/arch/m68k/kernel/setup_mm.c +@@ -326,16 +326,16 @@ void __init setup_arch(char **cmdline_p) + panic("No configuration setup"); + } + +-#ifdef CONFIG_BLK_DEV_INITRD +- if (m68k_ramdisk.size) { ++ if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && m68k_ramdisk.size) + memblock_reserve(m68k_ramdisk.addr, m68k_ramdisk.size); ++ ++ paging_init(); ++ ++ if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && m68k_ramdisk.size) { + initrd_start = (unsigned long)phys_to_virt(m68k_ramdisk.addr); + initrd_end = initrd_start + m68k_ramdisk.size; + pr_info("initrd: %08lx - %08lx\n", initrd_start, initrd_end); + } +-#endif +- +- paging_init(); + + #ifdef CONFIG_NATFEAT + nf_init(); +-- +2.39.2 + diff --git a/queue-6.1/net-caif-fix-use-after-free-in-cfusbl_device_notify.patch b/queue-6.1/net-caif-fix-use-after-free-in-cfusbl_device_notify.patch new file mode 100644 index 00000000000..ed9a28335ed --- /dev/null +++ b/queue-6.1/net-caif-fix-use-after-free-in-cfusbl_device_notify.patch @@ -0,0 +1,86 @@ +From aafae0194c76b13d3afed2fe425be6132a952d03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 01:39:13 +0900 +Subject: net: caif: Fix use-after-free in cfusbl_device_notify() + +From: Shigeru Yoshida + +[ Upstream commit 9781e98a97110f5e76999058368b4be76a788484 ] + +syzbot reported use-after-free in cfusbl_device_notify() [1]. This +causes a stack trace like below: + +BUG: KASAN: use-after-free in cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138 +Read of size 8 at addr ffff88807ac4e6f0 by task kworker/u4:6/1214 + +CPU: 0 PID: 1214 Comm: kworker/u4:6 Not tainted 5.19.0-rc3-syzkaller-00146-g92f20ff72066 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: netns cleanup_net +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313 + print_report mm/kasan/report.c:429 [inline] + kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 + cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:87 + call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945 + call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] + call_netdevice_notifiers net/core/dev.c:1997 [inline] + netdev_wait_allrefs_any net/core/dev.c:10227 [inline] + netdev_run_todo+0xbc0/0x10f0 net/core/dev.c:10341 + default_device_exit_batch+0x44e/0x590 net/core/dev.c:11334 + ops_exit_list+0x125/0x170 net/core/net_namespace.c:167 + cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594 + process_one_work+0x996/0x1610 kernel/workqueue.c:2289 + worker_thread+0x665/0x1080 kernel/workqueue.c:2436 + kthread+0x2e9/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 + + +When unregistering a net device, unregister_netdevice_many_notify() +sets the device's reg_state to NETREG_UNREGISTERING, calls notifiers +with NETDEV_UNREGISTER, and adds the device to the todo list. + +Later on, devices in the todo list are processed by netdev_run_todo(). +netdev_run_todo() waits devices' reference count become 1 while +rebdoadcasting NETDEV_UNREGISTER notification. + +When cfusbl_device_notify() is called with NETDEV_UNREGISTER multiple +times, the parent device might be freed. This could cause UAF. +Processing NETDEV_UNREGISTER multiple times also causes inbalance of +reference count for the module. + +This patch fixes the issue by accepting only first NETDEV_UNREGISTER +notification. + +Fixes: 7ad65bf68d70 ("caif: Add support for CAIF over CDC NCM USB interface") +CC: sjur.brandeland@stericsson.com +Reported-by: syzbot+b563d33852b893653a9e@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=c3bfd8e2450adab3bffe4d80821fbbced600407f [1] +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20230301163913.391304-1-syoshida@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/caif/caif_usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/caif/caif_usb.c b/net/caif/caif_usb.c +index ebc202ffdd8d8..bf61ea4b8132d 100644 +--- a/net/caif/caif_usb.c ++++ b/net/caif/caif_usb.c +@@ -134,6 +134,9 @@ static int cfusbl_device_notify(struct notifier_block *me, unsigned long what, + struct usb_device *usbdev; + int res; + ++ if (what == NETDEV_UNREGISTER && dev->reg_state >= NETREG_UNREGISTERED) ++ return 0; ++ + /* Check whether we have a NCM device, and find its VID/PID. */ + if (!(dev->dev.parent && dev->dev.parent->driver && + strcmp(dev->dev.parent->driver->name, "cdc_ncm") == 0)) +-- +2.39.2 + diff --git a/queue-6.1/net-dsa-mt7530-permit-port-5-to-work-without-port-6-.patch b/queue-6.1/net-dsa-mt7530-permit-port-5-to-work-without-port-6-.patch new file mode 100644 index 00000000000..36f49b58dd2 --- /dev/null +++ b/queue-6.1/net-dsa-mt7530-permit-port-5-to-work-without-port-6-.patch @@ -0,0 +1,151 @@ +From 8bf323c3275c83a3dbb5d0dc0b6f7779894f34f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 17:54:11 +0200 +Subject: net: dsa: mt7530: permit port 5 to work without port 6 on MT7621 SoC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vladimir Oltean + +[ Upstream commit c8b8a3c601f2cfad25ab5ce5b04df700048aef6e ] + +The MT7530 switch from the MT7621 SoC has 2 ports which can be set up as +internal: port 5 and 6. Arınç reports that the GMAC1 attached to port 5 +receives corrupted frames, unless port 6 (attached to GMAC0) has been +brought up by the driver. This is true regardless of whether port 5 is +used as a user port or as a CPU port (carrying DSA tags). + +Offline debugging (blind for me) which began in the linked thread showed +experimentally that the configuration done by the driver for port 6 +contains a step which is needed by port 5 as well - the write to +CORE_GSWPLL_GRP2 (note that I've no idea as to what it does, apart from +the comment "Set core clock into 500Mhz"). Prints put by Arınç show that +the reset value of CORE_GSWPLL_GRP2 is RG_GSWPLL_POSDIV_500M(1) | +RG_GSWPLL_FBKDIV_500M(40) (0x128), both on the MCM MT7530 from the +MT7621 SoC, as well as on the standalone MT7530 from MT7623NI Bananapi +BPI-R2. Apparently, port 5 on the standalone MT7530 can work under both +values of the register, while on the MT7621 SoC it cannot. + +The call path that triggers the register write is: + +mt753x_phylink_mac_config() for port 6 +-> mt753x_pad_setup() + -> mt7530_pad_clk_setup() + +so this fully explains the behavior noticed by Arınç, that bringing port +6 up is necessary. + +The simplest fix for the problem is to extract the register writes which +are needed for both port 5 and 6 into a common mt7530_pll_setup() +function, which is called at mt7530_setup() time, immediately after +switch reset. We can argue that this mirrors the code layout introduced +in mt7531_setup() by commit 42bc4fafe359 ("net: mt7531: only do PLL once +after the reset"), in that the PLL setup has the exact same positioning, +and further work to consolidate the separate setup() functions is not +hindered. + +Testing confirms that: + +- the slight reordering of writes to MT7530_P6ECR and to + CORE_GSWPLL_GRP1 / CORE_GSWPLL_GRP2 introduced by this change does not + appear to cause problems for the operation of port 6 on MT7621 and on + MT7623 (where port 5 also always worked) + +- packets sent through port 5 are not corrupted anymore, regardless of + whether port 6 is enabled by phylink or not (or even present in the + device tree) + +My algorithm for determining the Fixes: tag is as follows. Testing shows +that some logic from mt7530_pad_clk_setup() is needed even for port 5. +Prior to commit ca366d6c889b ("net: dsa: mt7530: Convert to PHYLINK +API"), a call did exist for all phy_is_pseudo_fixed_link() ports - so +port 5 included. That commit replaced it with a temporary "Port 5 is not +supported!" comment, and the following commit 38f790a80560 ("net: dsa: +mt7530: Add support for port 5") replaced that comment with a +configuration procedure in mt7530_setup_port5() which was insufficient +for port 5 to work. I'm laying the blame on the patch that claimed +support for port 5, although one would have also needed the change from +commit c3b8e07909db ("net: dsa: mt7530: setup core clock even in TRGMII +mode") for the write to be performed completely independently from port +6's configuration. + +Thanks go to Arınç for describing the problem, for debugging and for +testing. + +Reported-by: Arınç ÜNAL +Link: https://lore.kernel.org/netdev/f297c2c4-6e7c-57ac-2394-f6025d309b9d@arinc9.com/ +Fixes: 38f790a80560 ("net: dsa: mt7530: Add support for port 5") +Signed-off-by: Vladimir Oltean +Tested-by: Arınç ÜNAL +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230307155411.868573-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mt7530.c | 35 ++++++++++++++++++++--------------- + 1 file changed, 20 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index a884f6f6a8c2c..1e0b8bcd59e6c 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -393,6 +393,24 @@ mt7530_fdb_write(struct mt7530_priv *priv, u16 vid, + mt7530_write(priv, MT7530_ATA1 + (i * 4), reg[i]); + } + ++/* Set up switch core clock for MT7530 */ ++static void mt7530_pll_setup(struct mt7530_priv *priv) ++{ ++ /* Disable PLL */ ++ core_write(priv, CORE_GSWPLL_GRP1, 0); ++ ++ /* Set core clock into 500Mhz */ ++ core_write(priv, CORE_GSWPLL_GRP2, ++ RG_GSWPLL_POSDIV_500M(1) | ++ RG_GSWPLL_FBKDIV_500M(25)); ++ ++ /* Enable PLL */ ++ core_write(priv, CORE_GSWPLL_GRP1, ++ RG_GSWPLL_EN_PRE | ++ RG_GSWPLL_POSDIV_200M(2) | ++ RG_GSWPLL_FBKDIV_200M(32)); ++} ++ + /* Setup TX circuit including relevant PAD and driving */ + static int + mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface) +@@ -453,21 +471,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface) + core_clear(priv, CORE_TRGMII_GSW_CLK_CG, + REG_GSWCK_EN | REG_TRGMIICK_EN); + +- /* Setup core clock for MT7530 */ +- /* Disable PLL */ +- core_write(priv, CORE_GSWPLL_GRP1, 0); +- +- /* Set core clock into 500Mhz */ +- core_write(priv, CORE_GSWPLL_GRP2, +- RG_GSWPLL_POSDIV_500M(1) | +- RG_GSWPLL_FBKDIV_500M(25)); +- +- /* Enable PLL */ +- core_write(priv, CORE_GSWPLL_GRP1, +- RG_GSWPLL_EN_PRE | +- RG_GSWPLL_POSDIV_200M(2) | +- RG_GSWPLL_FBKDIV_200M(32)); +- + /* Setup the MT7530 TRGMII Tx Clock */ + core_write(priv, CORE_PLL_GROUP5, RG_LCDDS_PCW_NCPO1(ncpo1)); + core_write(priv, CORE_PLL_GROUP6, RG_LCDDS_PCW_NCPO0(0)); +@@ -2201,6 +2204,8 @@ mt7530_setup(struct dsa_switch *ds) + SYS_CTRL_PHY_RST | SYS_CTRL_SW_RST | + SYS_CTRL_REG_RST); + ++ mt7530_pll_setup(priv); ++ + /* Enable Port 6 only; P5 as GMAC5 which currently is not supported */ + val = mt7530_read(priv, MT7530_MHWTRAP); + val &= ~MHWTRAP_P6_DIS & ~MHWTRAP_PHY_ACCESS; +-- +2.39.2 + diff --git a/queue-6.1/net-ethernet-mtk_eth_soc-fix-rx-data-corruption-issu.patch b/queue-6.1/net-ethernet-mtk_eth_soc-fix-rx-data-corruption-issu.patch new file mode 100644 index 00000000000..fd94c2a4f39 --- /dev/null +++ b/queue-6.1/net-ethernet-mtk_eth_soc-fix-rx-data-corruption-issu.patch @@ -0,0 +1,71 @@ +From f42ae603071a7de77909525fdc621ad2a1a61846 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Mar 2023 13:43:20 +0000 +Subject: net: ethernet: mtk_eth_soc: fix RX data corruption issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Golle + +[ Upstream commit 193250ace270fecd586dd2d0dfbd9cbd2ade977f ] + +Fix data corruption issue with SerDes connected PHYs operating at 1.25 +Gbps speed where we could previously observe about 30% packet loss while +the bad packet counter was increasing. + +As almost all boards with MediaTek MT7622 or MT7986 use either the MT7531 +switch IC operating at 3.125Gbps SerDes rate or single-port PHYs using +rate-adaptation to 2500Base-X mode, this issue only got exposed now when +we started trying to use SFP modules operating with 1.25 Gbps with the +BananaPi R3 board. + +The fix is to set bit 12 which disables the RX FIFO clear function when +setting up MAC MCR, MediaTek SDK did the same change stating: +"If without this patch, kernel might receive invalid packets that are +corrupted by GMAC."[1] + +[1]: https://git01.mediatek.com/plugins/gitiles/openwrt/feeds/mtk-openwrt-feeds/+/d8a2975939a12686c4a95c40db21efdc3f821f63 + +Fixes: 42c03844e93d ("net-next: mediatek: add support for MediaTek MT7622 SoC") +Tested-by: Bjørn Mork +Signed-off-by: Daniel Golle +Reviewed-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/138da2735f92c8b6f8578ec2e5a794ee515b665f.1677937317.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 ++- + drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 53ee9dea66388..49975924e2426 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -561,7 +561,8 @@ static int mtk_mac_finish(struct phylink_config *config, unsigned int mode, + mcr_cur = mtk_r32(mac->hw, MTK_MAC_MCR(mac->id)); + mcr_new = mcr_cur; + mcr_new |= MAC_MCR_IPG_CFG | MAC_MCR_FORCE_MODE | +- MAC_MCR_BACKOFF_EN | MAC_MCR_BACKPR_EN | MAC_MCR_FORCE_LINK; ++ MAC_MCR_BACKOFF_EN | MAC_MCR_BACKPR_EN | MAC_MCR_FORCE_LINK | ++ MAC_MCR_RX_FIFO_CLR_DIS; + + /* Only update control register when needed! */ + if (mcr_new != mcr_cur) +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h +index 306fdc2c608a4..dafa9a0baa58c 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h +@@ -357,6 +357,7 @@ + #define MAC_MCR_FORCE_MODE BIT(15) + #define MAC_MCR_TX_EN BIT(14) + #define MAC_MCR_RX_EN BIT(13) ++#define MAC_MCR_RX_FIFO_CLR_DIS BIT(12) + #define MAC_MCR_BACKOFF_EN BIT(9) + #define MAC_MCR_BACKPR_EN BIT(8) + #define MAC_MCR_FORCE_RX_FC BIT(5) +-- +2.39.2 + diff --git a/queue-6.1/net-lan78xx-fix-accessing-the-lan7800-s-internal-phy.patch b/queue-6.1/net-lan78xx-fix-accessing-the-lan7800-s-internal-phy.patch new file mode 100644 index 00000000000..8436a6db6a5 --- /dev/null +++ b/queue-6.1/net-lan78xx-fix-accessing-the-lan7800-s-internal-phy.patch @@ -0,0 +1,126 @@ +From 23bd047bc09253f3bd6b97835129616389d4fc35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 08:43:07 -0700 +Subject: net: lan78xx: fix accessing the LAN7800's internal phy specific + registers from the MAC driver + +From: Yuiko Oshino + +[ Upstream commit e57cf3639c323eeed05d3725fd82f91b349adca8 ] + +Move the LAN7800 internal phy (phy ID 0x0007c132) specific register +accesses to the phy driver (microchip.c). + +Fix the error reported by Enguerrand de Ribaucourt in December 2022, +"Some operations during the cable switch workaround modify the register +LAN88XX_INT_MASK of the PHY. However, this register is specific to the +LAN8835 PHY. For instance, if a DP8322I PHY is connected to the LAN7801, +that register (0x19), corresponds to the LED and MAC address +configuration, resulting in unapropriate behavior." + +I did not test with the DP8322I PHY, but I tested with an EVB-LAN7800 +with the internal PHY. + +Fixes: 14437e3fa284 ("lan78xx: workaround of forced 100 Full/Half duplex mode error") +Signed-off-by: Yuiko Oshino +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230301154307.30438-1-yuiko.oshino@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/microchip.c | 32 ++++++++++++++++++++++++++++++++ + drivers/net/usb/lan78xx.c | 27 +-------------------------- + 2 files changed, 33 insertions(+), 26 deletions(-) + +diff --git a/drivers/net/phy/microchip.c b/drivers/net/phy/microchip.c +index ccecee2524ce6..0b88635f4fbca 100644 +--- a/drivers/net/phy/microchip.c ++++ b/drivers/net/phy/microchip.c +@@ -342,6 +342,37 @@ static int lan88xx_config_aneg(struct phy_device *phydev) + return genphy_config_aneg(phydev); + } + ++static void lan88xx_link_change_notify(struct phy_device *phydev) ++{ ++ int temp; ++ ++ /* At forced 100 F/H mode, chip may fail to set mode correctly ++ * when cable is switched between long(~50+m) and short one. ++ * As workaround, set to 10 before setting to 100 ++ * at forced 100 F/H mode. ++ */ ++ if (!phydev->autoneg && phydev->speed == 100) { ++ /* disable phy interrupt */ ++ temp = phy_read(phydev, LAN88XX_INT_MASK); ++ temp &= ~LAN88XX_INT_MASK_MDINTPIN_EN_; ++ phy_write(phydev, LAN88XX_INT_MASK, temp); ++ ++ temp = phy_read(phydev, MII_BMCR); ++ temp &= ~(BMCR_SPEED100 | BMCR_SPEED1000); ++ phy_write(phydev, MII_BMCR, temp); /* set to 10 first */ ++ temp |= BMCR_SPEED100; ++ phy_write(phydev, MII_BMCR, temp); /* set to 100 later */ ++ ++ /* clear pending interrupt generated while workaround */ ++ temp = phy_read(phydev, LAN88XX_INT_STS); ++ ++ /* enable phy interrupt back */ ++ temp = phy_read(phydev, LAN88XX_INT_MASK); ++ temp |= LAN88XX_INT_MASK_MDINTPIN_EN_; ++ phy_write(phydev, LAN88XX_INT_MASK, temp); ++ } ++} ++ + static struct phy_driver microchip_phy_driver[] = { + { + .phy_id = 0x0007c132, +@@ -359,6 +390,7 @@ static struct phy_driver microchip_phy_driver[] = { + + .config_init = lan88xx_config_init, + .config_aneg = lan88xx_config_aneg, ++ .link_change_notify = lan88xx_link_change_notify, + + .config_intr = lan88xx_phy_config_intr, + .handle_interrupt = lan88xx_handle_interrupt, +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index f18ab8e220db7..068488890d57b 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -2115,33 +2115,8 @@ static void lan78xx_remove_mdio(struct lan78xx_net *dev) + static void lan78xx_link_status_change(struct net_device *net) + { + struct phy_device *phydev = net->phydev; +- int temp; +- +- /* At forced 100 F/H mode, chip may fail to set mode correctly +- * when cable is switched between long(~50+m) and short one. +- * As workaround, set to 10 before setting to 100 +- * at forced 100 F/H mode. +- */ +- if (!phydev->autoneg && (phydev->speed == 100)) { +- /* disable phy interrupt */ +- temp = phy_read(phydev, LAN88XX_INT_MASK); +- temp &= ~LAN88XX_INT_MASK_MDINTPIN_EN_; +- phy_write(phydev, LAN88XX_INT_MASK, temp); + +- temp = phy_read(phydev, MII_BMCR); +- temp &= ~(BMCR_SPEED100 | BMCR_SPEED1000); +- phy_write(phydev, MII_BMCR, temp); /* set to 10 first */ +- temp |= BMCR_SPEED100; +- phy_write(phydev, MII_BMCR, temp); /* set to 100 later */ +- +- /* clear pending interrupt generated while workaround */ +- temp = phy_read(phydev, LAN88XX_INT_STS); +- +- /* enable phy interrupt back */ +- temp = phy_read(phydev, LAN88XX_INT_MASK); +- temp |= LAN88XX_INT_MASK_MDINTPIN_EN_; +- phy_write(phydev, LAN88XX_INT_MASK, temp); +- } ++ phy_print_status(phydev); + } + + static int irq_map(struct irq_domain *d, unsigned int irq, +-- +2.39.2 + diff --git a/queue-6.1/net-lan966x-fix-port-police-support-using-tc-matchal.patch b/queue-6.1/net-lan966x-fix-port-police-support-using-tc-matchal.patch new file mode 100644 index 00000000000..3ecdcba1c01 --- /dev/null +++ b/queue-6.1/net-lan966x-fix-port-police-support-using-tc-matchal.patch @@ -0,0 +1,45 @@ +From 848b5361d47e6b919be76be4515369298032150f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Feb 2023 21:47:42 +0100 +Subject: net: lan966x: Fix port police support using tc-matchall + +From: Horatiu Vultur + +[ Upstream commit 81563d8548b0478075c720666be348d4199b8591 ] + +When the police was removed from the port, then it was trying to +remove the police from the police id and not from the actual +police index. +The police id represents the id of the police and police index +represents the position in HW where the police is situated. +The port police id can be any number while the port police index +is a number based on the port chip port. +Fix this by deleting the police from HW that is situated at the +police index and not police id. + +Fixes: 5390334b59a3 ("net: lan966x: Add port police support using tc-matchall") +Signed-off-by: Horatiu Vultur +Reviewed-by: Simon Horman +Reviewed-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan966x/lan966x_police.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_police.c b/drivers/net/ethernet/microchip/lan966x/lan966x_police.c +index a9aec900d608d..7d66fe75cd3bf 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_police.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_police.c +@@ -194,7 +194,7 @@ int lan966x_police_port_del(struct lan966x_port *port, + return -EINVAL; + } + +- err = lan966x_police_del(port, port->tc.police_id); ++ err = lan966x_police_del(port, POL_IDX_PORT + port->chip_port); + if (err) { + NL_SET_ERR_MSG_MOD(extack, + "Failed to add policer to port"); +-- +2.39.2 + diff --git a/queue-6.1/net-phy-smsc-fix-link-up-detection-in-forced-irq-mod.patch b/queue-6.1/net-phy-smsc-fix-link-up-detection-in-forced-irq-mod.patch new file mode 100644 index 00000000000..9747af988d9 --- /dev/null +++ b/queue-6.1/net-phy-smsc-fix-link-up-detection-in-forced-irq-mod.patch @@ -0,0 +1,79 @@ +From 8bd20e26ca7344d5240558a6eead51ac2d77aa4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Mar 2023 11:52:44 +0100 +Subject: net: phy: smsc: fix link up detection in forced irq mode + +From: Heiner Kallweit + +[ Upstream commit 58aac3a2ef414fea6d7fdf823ea177744a087d13 ] + +Currently link up can't be detected in forced mode if polling +isn't used. Only link up interrupt source we have is aneg +complete which isn't applicable in forced mode. Therefore we +have to use energy-on as link up indicator. + +Fixes: 7365494550f6 ("net: phy: smsc: skip ENERGYON interrupt if disabled") +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/smsc.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index ac7481ce2fc16..00d9eff91dcfa 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -44,7 +44,6 @@ static struct smsc_hw_stat smsc_hw_stats[] = { + }; + + struct smsc_phy_priv { +- u16 intmask; + bool energy_enable; + }; + +@@ -57,7 +56,6 @@ static int smsc_phy_ack_interrupt(struct phy_device *phydev) + + static int smsc_phy_config_intr(struct phy_device *phydev) + { +- struct smsc_phy_priv *priv = phydev->priv; + int rc; + + if (phydev->interrupts == PHY_INTERRUPT_ENABLED) { +@@ -65,14 +63,9 @@ static int smsc_phy_config_intr(struct phy_device *phydev) + if (rc) + return rc; + +- priv->intmask = MII_LAN83C185_ISF_INT4 | MII_LAN83C185_ISF_INT6; +- if (priv->energy_enable) +- priv->intmask |= MII_LAN83C185_ISF_INT7; +- +- rc = phy_write(phydev, MII_LAN83C185_IM, priv->intmask); ++ rc = phy_write(phydev, MII_LAN83C185_IM, ++ MII_LAN83C185_ISF_INT_PHYLIB_EVENTS); + } else { +- priv->intmask = 0; +- + rc = phy_write(phydev, MII_LAN83C185_IM, 0); + if (rc) + return rc; +@@ -85,7 +78,6 @@ static int smsc_phy_config_intr(struct phy_device *phydev) + + static irqreturn_t smsc_phy_handle_interrupt(struct phy_device *phydev) + { +- struct smsc_phy_priv *priv = phydev->priv; + int irq_status; + + irq_status = phy_read(phydev, MII_LAN83C185_ISF); +@@ -96,7 +88,7 @@ static irqreturn_t smsc_phy_handle_interrupt(struct phy_device *phydev) + return IRQ_NONE; + } + +- if (!(irq_status & priv->intmask)) ++ if (!(irq_status & MII_LAN83C185_ISF_INT_PHYLIB_EVENTS)) + return IRQ_NONE; + + phy_trigger_machine(phydev); +-- +2.39.2 + diff --git a/queue-6.1/net-phylib-get-rid-of-unnecessary-locking.patch b/queue-6.1/net-phylib-get-rid-of-unnecessary-locking.patch new file mode 100644 index 00000000000..14d62aba5c2 --- /dev/null +++ b/queue-6.1/net-phylib-get-rid-of-unnecessary-locking.patch @@ -0,0 +1,174 @@ +From c715fbc1dbc29303d89d41c6db0ac79289464c89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 16:37:54 +0000 +Subject: net: phylib: get rid of unnecessary locking + +From: Russell King (Oracle) + +[ Upstream commit f4b47a2e9463950df3e7c8b70e017877c1d4eb11 ] + +The locking in phy_probe() and phy_remove() does very little to prevent +any races with e.g. phy_attach_direct(), but instead causes lockdep ABBA +warnings. Remove it. + +====================================================== +WARNING: possible circular locking dependency detected +6.2.0-dirty #1108 Tainted: G W E +------------------------------------------------------ +ip/415 is trying to acquire lock: +ffff5c268f81ef50 (&dev->lock){+.+.}-{3:3}, at: phy_attach_direct+0x17c/0x3a0 [libphy] + +but task is already holding lock: +ffffaef6496cb518 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x154/0x560 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (rtnl_mutex){+.+.}-{3:3}: + __lock_acquire+0x35c/0x6c0 + lock_acquire.part.0+0xcc/0x220 + lock_acquire+0x68/0x84 + __mutex_lock+0x8c/0x414 + mutex_lock_nested+0x34/0x40 + rtnl_lock+0x24/0x30 + sfp_bus_add_upstream+0x34/0x150 + phy_sfp_probe+0x4c/0x94 [libphy] + mv3310_probe+0x148/0x184 [marvell10g] + phy_probe+0x8c/0x200 [libphy] + call_driver_probe+0xbc/0x15c + really_probe+0xc0/0x320 + __driver_probe_device+0x84/0x120 + driver_probe_device+0x44/0x120 + __device_attach_driver+0xc4/0x160 + bus_for_each_drv+0x80/0xe0 + __device_attach+0xb0/0x1f0 + device_initial_probe+0x1c/0x2c + bus_probe_device+0xa4/0xb0 + device_add+0x360/0x53c + phy_device_register+0x60/0xa4 [libphy] + fwnode_mdiobus_phy_device_register+0xc0/0x190 [fwnode_mdio] + fwnode_mdiobus_register_phy+0x160/0xd80 [fwnode_mdio] + of_mdiobus_register+0x140/0x340 [of_mdio] + orion_mdio_probe+0x298/0x3c0 [mvmdio] + platform_probe+0x70/0xe0 + call_driver_probe+0x34/0x15c + really_probe+0xc0/0x320 + __driver_probe_device+0x84/0x120 + driver_probe_device+0x44/0x120 + __driver_attach+0x104/0x210 + bus_for_each_dev+0x78/0xdc + driver_attach+0x2c/0x3c + bus_add_driver+0x184/0x240 + driver_register+0x80/0x13c + __platform_driver_register+0x30/0x3c + xt_compat_calc_jump+0x28/0xa4 [x_tables] + do_one_initcall+0x50/0x1b0 + do_init_module+0x50/0x1fc + load_module+0x684/0x744 + __do_sys_finit_module+0xc4/0x140 + __arm64_sys_finit_module+0x28/0x34 + invoke_syscall+0x50/0x120 + el0_svc_common.constprop.0+0x6c/0x1b0 + do_el0_svc+0x34/0x44 + el0_svc+0x48/0xf0 + el0t_64_sync_handler+0xb8/0xc0 + el0t_64_sync+0x1a0/0x1a4 + +-> #0 (&dev->lock){+.+.}-{3:3}: + check_prev_add+0xb4/0xc80 + validate_chain+0x414/0x47c + __lock_acquire+0x35c/0x6c0 + lock_acquire.part.0+0xcc/0x220 + lock_acquire+0x68/0x84 + __mutex_lock+0x8c/0x414 + mutex_lock_nested+0x34/0x40 + phy_attach_direct+0x17c/0x3a0 [libphy] + phylink_fwnode_phy_connect.part.0+0x70/0xe4 [phylink] + phylink_fwnode_phy_connect+0x48/0x60 [phylink] + mvpp2_open+0xec/0x2e0 [mvpp2] + __dev_open+0x104/0x214 + __dev_change_flags+0x1d4/0x254 + dev_change_flags+0x2c/0x7c + do_setlink+0x254/0xa50 + __rtnl_newlink+0x430/0x514 + rtnl_newlink+0x58/0x8c + rtnetlink_rcv_msg+0x17c/0x560 + netlink_rcv_skb+0x64/0x150 + rtnetlink_rcv+0x20/0x30 + netlink_unicast+0x1d4/0x2b4 + netlink_sendmsg+0x1a4/0x400 + ____sys_sendmsg+0x228/0x290 + ___sys_sendmsg+0x88/0xec + __sys_sendmsg+0x70/0xd0 + __arm64_sys_sendmsg+0x2c/0x40 + invoke_syscall+0x50/0x120 + el0_svc_common.constprop.0+0x6c/0x1b0 + do_el0_svc+0x34/0x44 + el0_svc+0x48/0xf0 + el0t_64_sync_handler+0xb8/0xc0 + el0t_64_sync+0x1a0/0x1a4 + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(rtnl_mutex); + lock(&dev->lock); + lock(rtnl_mutex); + lock(&dev->lock); + + *** DEADLOCK *** + +Fixes: 298e54fa810e ("net: phy: add core phylib sfp support") +Reported-by: Marc Zyngier +Signed-off-by: Russell King (Oracle) +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 8cff61dbc4b57..7fbb0904b3c0f 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -3041,8 +3041,6 @@ static int phy_probe(struct device *dev) + if (phydrv->flags & PHY_IS_INTERNAL) + phydev->is_internal = true; + +- mutex_lock(&phydev->lock); +- + /* Deassert the reset signal */ + phy_device_reset(phydev, 0); + +@@ -3110,12 +3108,10 @@ static int phy_probe(struct device *dev) + phydev->state = PHY_READY; + + out: +- /* Assert the reset signal */ ++ /* Re-assert the reset signal on error */ + if (err) + phy_device_reset(phydev, 1); + +- mutex_unlock(&phydev->lock); +- + return err; + } + +@@ -3125,9 +3121,7 @@ static int phy_remove(struct device *dev) + + cancel_delayed_work_sync(&phydev->state_queue); + +- mutex_lock(&phydev->lock); + phydev->state = PHY_DOWN; +- mutex_unlock(&phydev->lock); + + sfp_bus_del_upstream(phydev->sfp_bus); + phydev->sfp_bus = NULL; +-- +2.39.2 + diff --git a/queue-6.1/net-smc-fix-fallback-failed-while-sendmsg-with-fasto.patch b/queue-6.1/net-smc-fix-fallback-failed-while-sendmsg-with-fasto.patch new file mode 100644 index 00000000000..d905c376af5 --- /dev/null +++ b/queue-6.1/net-smc-fix-fallback-failed-while-sendmsg-with-fasto.patch @@ -0,0 +1,74 @@ +From eeac0e89886ce9143d4f893ff78d3b34f0cd9c0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 11:23:46 +0800 +Subject: net/smc: fix fallback failed while sendmsg with fastopen + +From: D. Wythe + +[ Upstream commit ce7ca794712f186da99719e8b4e97bd5ddbb04c3 ] + +Before determining whether the msg has unsupported options, it has been +prematurely terminated by the wrong status check. + +For the application, the general usages of MSG_FASTOPEN likes + +fd = socket(...) +/* rather than connect */ +sendto(fd, data, len, MSG_FASTOPEN) + +Hence, We need to check the flag before state check, because the sock +state here is always SMC_INIT when applications tries MSG_FASTOPEN. +Once we found unsupported options, fallback it to TCP. + +Fixes: ee9dfbef02d1 ("net/smc: handle sockopts forcing fallback") +Signed-off-by: D. Wythe +Signed-off-by: Simon Horman + +v2 -> v1: Optimize code style +Reviewed-by: Tony Lu + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index d9413d43b1045..e8018b0fb7676 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -2644,16 +2644,14 @@ static int smc_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + { + struct sock *sk = sock->sk; + struct smc_sock *smc; +- int rc = -EPIPE; ++ int rc; + + smc = smc_sk(sk); + lock_sock(sk); +- if ((sk->sk_state != SMC_ACTIVE) && +- (sk->sk_state != SMC_APPCLOSEWAIT1) && +- (sk->sk_state != SMC_INIT)) +- goto out; + ++ /* SMC does not support connect with fastopen */ + if (msg->msg_flags & MSG_FASTOPEN) { ++ /* not connected yet, fallback */ + if (sk->sk_state == SMC_INIT && !smc->connect_nonblock) { + rc = smc_switch_to_fallback(smc, SMC_CLC_DECL_OPTUNSUPP); + if (rc) +@@ -2662,6 +2660,11 @@ static int smc_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + rc = -EINVAL; + goto out; + } ++ } else if ((sk->sk_state != SMC_ACTIVE) && ++ (sk->sk_state != SMC_APPCLOSEWAIT1) && ++ (sk->sk_state != SMC_INIT)) { ++ rc = -EPIPE; ++ goto out; + } + + if (smc->use_fallback) { +-- +2.39.2 + diff --git a/queue-6.1/net-stmmac-add-to-set-device-wake-up-flag-when-stmma.patch b/queue-6.1/net-stmmac-add-to-set-device-wake-up-flag-when-stmma.patch new file mode 100644 index 00000000000..3bb01d9033b --- /dev/null +++ b/queue-6.1/net-stmmac-add-to-set-device-wake-up-flag-when-stmma.patch @@ -0,0 +1,50 @@ +From e7f6bd21c17480db6ca47e2d3a5b3b84cfb96696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 14:21:43 +0800 +Subject: net: stmmac: add to set device wake up flag when stmmac init phy + +From: Rongguang Wei + +[ Upstream commit a9334b702a03b693f54ebd3b98f67bf722b74870 ] + +When MAC is not support PMT, driver will check PHY's WoL capability +and set device wakeup capability in stmmac_init_phy(). We can enable +the WoL through ethtool, the driver would enable the device wake up +flag. Now the device_may_wakeup() return true. + +But if there is a way which enable the PHY's WoL capability derectly, +like in BIOS. The driver would not know the enable thing and would not +set the device wake up flag. The phy_suspend may failed like this: + +[ 32.409063] PM: dpm_run_callback(): mdio_bus_phy_suspend+0x0/0x50 returns -16 +[ 32.409065] PM: Device stmmac-1:00 failed to suspend: error -16 +[ 32.409067] PM: Some devices failed to suspend, or early wake event detected + +Add to set the device wakeup enable flag according to the get_wol +function result in PHY can fix the error in this scene. + +v2: add a Fixes tag. + +Fixes: 1d8e5b0f3f2c ("net: stmmac: Support WOL with phy") +Signed-off-by: Rongguang Wei +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 84e1740b12f1b..3c1d4b27668fe 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1168,6 +1168,7 @@ static int stmmac_init_phy(struct net_device *dev) + + phylink_ethtool_get_wol(priv->phylink, &wol); + device_set_wakeup_capable(priv->device, !!wol.supported); ++ device_set_wakeup_enable(priv->device, !!wol.wolopts); + } + + return ret; +-- +2.39.2 + diff --git a/queue-6.1/net-tls-fix-device-offloaded-sendpage-straddling-rec.patch b/queue-6.1/net-tls-fix-device-offloaded-sendpage-straddling-rec.patch new file mode 100644 index 00000000000..352f4e0c648 --- /dev/null +++ b/queue-6.1/net-tls-fix-device-offloaded-sendpage-straddling-rec.patch @@ -0,0 +1,42 @@ +From a43334e699d8036362f8bbf20cea2c33c5707d7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Mar 2023 11:26:10 -0800 +Subject: net: tls: fix device-offloaded sendpage straddling records + +From: Jakub Kicinski + +[ Upstream commit e539a105f947b9db470fec39fe91d85fe737a432 ] + +Adrien reports that incorrect data is transmitted when a single +page straddles multiple records. We would transmit the same +data in all iterations of the loop. + +Reported-by: Adrien Moulin +Link: https://lore.kernel.org/all/61481278.42813558.1677845235112.JavaMail.zimbra@corp.free.fr +Fixes: c1318b39c7d3 ("tls: Add opt-in zerocopy mode of sendfile()") +Tested-by: Adrien Moulin +Reviewed-by: Tariq Toukan +Acked-by: Maxim Mikityanskiy +Link: https://lore.kernel.org/r/20230304192610.3818098-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_device.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index 6c593788dc250..a7cc4f9faac28 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -508,6 +508,8 @@ static int tls_push_data(struct sock *sk, + zc_pfrag.offset = iter_offset.offset; + zc_pfrag.size = copy; + tls_append_frag(record, &zc_pfrag, copy); ++ ++ iter_offset.offset += copy; + } else if (copy) { + copy = min_t(size_t, copy, pfrag->size - pfrag->offset); + +-- +2.39.2 + diff --git a/queue-6.1/net-tls-fix-possible-race-condition-between-do_tls_g.patch b/queue-6.1/net-tls-fix-possible-race-condition-between-do_tls_g.patch new file mode 100644 index 00000000000..efa8cc86203 --- /dev/null +++ b/queue-6.1/net-tls-fix-possible-race-condition-between-do_tls_g.patch @@ -0,0 +1,176 @@ +From b3c067645e0833e013988d7174b70c460ad18cd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Feb 2023 10:33:44 +0800 +Subject: net: tls: fix possible race condition between + do_tls_getsockopt_conf() and do_tls_setsockopt_conf() + +From: Hangyu Hua + +[ Upstream commit 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 ] + +ctx->crypto_send.info is not protected by lock_sock in +do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf() +and error paths of do_tls_setsockopt_conf() may lead to a use-after-free +or null-deref. + +More discussion: https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/ + +Fixes: 3c4d7559159b ("tls: kernel TLS support") +Signed-off-by: Hangyu Hua +Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_main.c | 23 +++++------------------ + 1 file changed, 5 insertions(+), 18 deletions(-) + +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 3735cb00905df..b32c112984dd9 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -405,13 +405,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, + rc = -EINVAL; + goto out; + } +- lock_sock(sk); + memcpy(crypto_info_aes_gcm_128->iv, + cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, + TLS_CIPHER_AES_GCM_128_IV_SIZE); + memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); +- release_sock(sk); + if (copy_to_user(optval, + crypto_info_aes_gcm_128, + sizeof(*crypto_info_aes_gcm_128))) +@@ -429,13 +427,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, + rc = -EINVAL; + goto out; + } +- lock_sock(sk); + memcpy(crypto_info_aes_gcm_256->iv, + cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE, + TLS_CIPHER_AES_GCM_256_IV_SIZE); + memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq, + TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); +- release_sock(sk); + if (copy_to_user(optval, + crypto_info_aes_gcm_256, + sizeof(*crypto_info_aes_gcm_256))) +@@ -451,13 +447,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, + rc = -EINVAL; + goto out; + } +- lock_sock(sk); + memcpy(aes_ccm_128->iv, + cctx->iv + TLS_CIPHER_AES_CCM_128_SALT_SIZE, + TLS_CIPHER_AES_CCM_128_IV_SIZE); + memcpy(aes_ccm_128->rec_seq, cctx->rec_seq, + TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); +- release_sock(sk); + if (copy_to_user(optval, aes_ccm_128, sizeof(*aes_ccm_128))) + rc = -EFAULT; + break; +@@ -472,13 +466,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, + rc = -EINVAL; + goto out; + } +- lock_sock(sk); + memcpy(chacha20_poly1305->iv, + cctx->iv + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE, + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); + memcpy(chacha20_poly1305->rec_seq, cctx->rec_seq, + TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); +- release_sock(sk); + if (copy_to_user(optval, chacha20_poly1305, + sizeof(*chacha20_poly1305))) + rc = -EFAULT; +@@ -493,13 +485,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, + rc = -EINVAL; + goto out; + } +- lock_sock(sk); + memcpy(sm4_gcm_info->iv, + cctx->iv + TLS_CIPHER_SM4_GCM_SALT_SIZE, + TLS_CIPHER_SM4_GCM_IV_SIZE); + memcpy(sm4_gcm_info->rec_seq, cctx->rec_seq, + TLS_CIPHER_SM4_GCM_REC_SEQ_SIZE); +- release_sock(sk); + if (copy_to_user(optval, sm4_gcm_info, sizeof(*sm4_gcm_info))) + rc = -EFAULT; + break; +@@ -513,13 +503,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, + rc = -EINVAL; + goto out; + } +- lock_sock(sk); + memcpy(sm4_ccm_info->iv, + cctx->iv + TLS_CIPHER_SM4_CCM_SALT_SIZE, + TLS_CIPHER_SM4_CCM_IV_SIZE); + memcpy(sm4_ccm_info->rec_seq, cctx->rec_seq, + TLS_CIPHER_SM4_CCM_REC_SEQ_SIZE); +- release_sock(sk); + if (copy_to_user(optval, sm4_ccm_info, sizeof(*sm4_ccm_info))) + rc = -EFAULT; + break; +@@ -535,13 +523,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, + rc = -EINVAL; + goto out; + } +- lock_sock(sk); + memcpy(crypto_info_aria_gcm_128->iv, + cctx->iv + TLS_CIPHER_ARIA_GCM_128_SALT_SIZE, + TLS_CIPHER_ARIA_GCM_128_IV_SIZE); + memcpy(crypto_info_aria_gcm_128->rec_seq, cctx->rec_seq, + TLS_CIPHER_ARIA_GCM_128_REC_SEQ_SIZE); +- release_sock(sk); + if (copy_to_user(optval, + crypto_info_aria_gcm_128, + sizeof(*crypto_info_aria_gcm_128))) +@@ -559,13 +545,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, + rc = -EINVAL; + goto out; + } +- lock_sock(sk); + memcpy(crypto_info_aria_gcm_256->iv, + cctx->iv + TLS_CIPHER_ARIA_GCM_256_SALT_SIZE, + TLS_CIPHER_ARIA_GCM_256_IV_SIZE); + memcpy(crypto_info_aria_gcm_256->rec_seq, cctx->rec_seq, + TLS_CIPHER_ARIA_GCM_256_REC_SEQ_SIZE); +- release_sock(sk); + if (copy_to_user(optval, + crypto_info_aria_gcm_256, + sizeof(*crypto_info_aria_gcm_256))) +@@ -614,11 +598,9 @@ static int do_tls_getsockopt_no_pad(struct sock *sk, char __user *optval, + if (len < sizeof(value)) + return -EINVAL; + +- lock_sock(sk); + value = -EINVAL; + if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW) + value = ctx->rx_no_pad; +- release_sock(sk); + if (value < 0) + return value; + +@@ -635,6 +617,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname, + { + int rc = 0; + ++ lock_sock(sk); ++ + switch (optname) { + case TLS_TX: + case TLS_RX: +@@ -651,6 +635,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname, + rc = -ENOPROTOOPT; + break; + } ++ ++ release_sock(sk); ++ + return rc; + } + +-- +2.39.2 + diff --git a/queue-6.1/net-use-indirect-calls-helpers-for-sk_exit_memory_pr.patch b/queue-6.1/net-use-indirect-calls-helpers-for-sk_exit_memory_pr.patch new file mode 100644 index 00000000000..b7492669fa8 --- /dev/null +++ b/queue-6.1/net-use-indirect-calls-helpers-for-sk_exit_memory_pr.patch @@ -0,0 +1,70 @@ +From 2cce7b4b4f0a92a0035f45101eb87d29dfe49366 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 13:32:47 +0000 +Subject: net: use indirect calls helpers for sk_exit_memory_pressure() + +From: Brian Vazquez + +[ Upstream commit 5c1ebbfabcd61142a4551bfc0e51840f9bdae7af ] + +Florian reported a regression and sent a patch with the following +changelog: + + + There is a noticeable tcp performance regression (loopback or cross-netns), + seen with iperf3 -Z (sendfile mode) when generic retpolines are needed. + + With SK_RECLAIM_THRESHOLD checks gone number of calls to enter/leave + memory pressure happen much more often. For TCP indirect calls are + used. + + We can't remove the if-set-return short-circuit check in + tcp_enter_memory_pressure because there are callers other than + sk_enter_memory_pressure. Doing a check in the sk wrapper too + reduces the indirect calls enough to recover some performance. + + Before, + 0.00-60.00 sec 322 GBytes 46.1 Gbits/sec receiver + + After: + 0.00-60.04 sec 359 GBytes 51.4 Gbits/sec receiver + + "iperf3 -c $peer -t 60 -Z -f g", connected via veth in another netns. + + +It seems we forgot to upstream this indirect call mitigation we +had for years, lets do this instead. + +[edumazet] - It seems we forgot to upstream this indirect call + mitigation we had for years, let's do this instead. + - Changed to INDIRECT_CALL_INET_1() to avoid bots reports. + +Fixes: 4890b686f408 ("net: keep sk->sk_forward_alloc as small as possible") +Reported-by: Florian Westphal +Link: https://lore.kernel.org/netdev/20230227152741.4a53634b@kernel.org/T/ +Signed-off-by: Brian Vazquez +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230301133247.2346111-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 4dfdcdfd00114..eb0b76acd9df1 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2805,7 +2805,8 @@ static void sk_enter_memory_pressure(struct sock *sk) + static void sk_leave_memory_pressure(struct sock *sk) + { + if (sk->sk_prot->leave_memory_pressure) { +- sk->sk_prot->leave_memory_pressure(sk); ++ INDIRECT_CALL_INET_1(sk->sk_prot->leave_memory_pressure, ++ tcp_leave_memory_pressure, sk); + } else { + unsigned long *memory_pressure = sk->sk_prot->memory_pressure; + +-- +2.39.2 + diff --git a/queue-6.1/netfilter-conntrack-adopt-safer-max-chain-length.patch b/queue-6.1/netfilter-conntrack-adopt-safer-max-chain-length.patch new file mode 100644 index 00000000000..b89526faf02 --- /dev/null +++ b/queue-6.1/netfilter-conntrack-adopt-safer-max-chain-length.patch @@ -0,0 +1,53 @@ +From d4207695fb07d77483d725a8cb313e97e7accdbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 05:22:54 +0000 +Subject: netfilter: conntrack: adopt safer max chain length + +From: Eric Dumazet + +[ Upstream commit c77737b736ceb50fdf150434347dbd81ec76dbb1 ] + +Customers using GKE 1.25 and 1.26 are facing conntrack issues +root caused to commit c9c3b6811f74 ("netfilter: conntrack: make +max chain length random"). + +Even if we assume Uniform Hashing, a bucket often reachs 8 chained +items while the load factor of the hash table is smaller than 0.5 + +With a limit of 16, we reach load factors of 3. +With a limit of 32, we reach load factors of 11. +With a limit of 40, we reach load factors of 15. +With a limit of 50, we reach load factors of 24. + +This patch changes MIN_CHAINLEN to 50, to minimize risks. + +Ideally, we could in the future add a cushion based on expected +load factor (2 * nf_conntrack_max / nf_conntrack_buckets), +because some setups might expect unusual values. + +Fixes: c9c3b6811f74 ("netfilter: conntrack: make max chain length random") +Signed-off-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 7f0f3bcaae031..30ed45b1b57df 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -96,8 +96,8 @@ static DEFINE_MUTEX(nf_conntrack_mutex); + #define GC_SCAN_MAX_DURATION msecs_to_jiffies(10) + #define GC_SCAN_EXPIRED_MAX (64000u / HZ) + +-#define MIN_CHAINLEN 8u +-#define MAX_CHAINLEN (32u - MIN_CHAINLEN) ++#define MIN_CHAINLEN 50u ++#define MAX_CHAINLEN (80u - MIN_CHAINLEN) + + static struct conntrack_gc_work conntrack_gc_work; + +-- +2.39.2 + diff --git a/queue-6.1/netfilter-ctnetlink-revert-to-dumping-mark-regardles.patch b/queue-6.1/netfilter-ctnetlink-revert-to-dumping-mark-regardles.patch new file mode 100644 index 00000000000..c0969d6eccc --- /dev/null +++ b/queue-6.1/netfilter-ctnetlink-revert-to-dumping-mark-regardles.patch @@ -0,0 +1,80 @@ +From 5d0209ba2d749d875800d11d3f02624279515ee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 17:48:31 -0800 +Subject: netfilter: ctnetlink: revert to dumping mark regardless of event type + +From: Ivan Delalande + +[ Upstream commit 9f7dd42f0db1dc6915a52d4a8a96ca18dd8cc34e ] + +It seems that change was unintentional, we have userspace code that +needs the mark while listening for events like REPLY, DESTROY, etc. +Also include 0-marks in requested dumps, as they were before that fix. + +Fixes: 1feeae071507 ("netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark") +Signed-off-by: Ivan Delalande +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 733bb56950c14..d095d3c1ceca6 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -328,11 +328,12 @@ ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct) + } + + #ifdef CONFIG_NF_CONNTRACK_MARK +-static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) ++static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct, ++ bool dump) + { + u32 mark = READ_ONCE(ct->mark); + +- if (!mark) ++ if (!mark && !dump) + return 0; + + if (nla_put_be32(skb, CTA_MARK, htonl(mark))) +@@ -343,7 +344,7 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) + return -1; + } + #else +-#define ctnetlink_dump_mark(a, b) (0) ++#define ctnetlink_dump_mark(a, b, c) (0) + #endif + + #ifdef CONFIG_NF_CONNTRACK_SECMARK +@@ -548,7 +549,7 @@ static int ctnetlink_dump_extinfo(struct sk_buff *skb, + static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct) + { + if (ctnetlink_dump_status(skb, ct) < 0 || +- ctnetlink_dump_mark(skb, ct) < 0 || ++ ctnetlink_dump_mark(skb, ct, true) < 0 || + ctnetlink_dump_secctx(skb, ct) < 0 || + ctnetlink_dump_id(skb, ct) < 0 || + ctnetlink_dump_use(skb, ct) < 0 || +@@ -831,8 +832,7 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item) + } + + #ifdef CONFIG_NF_CONNTRACK_MARK +- if (events & (1 << IPCT_MARK) && +- ctnetlink_dump_mark(skb, ct) < 0) ++ if (ctnetlink_dump_mark(skb, ct, events & (1 << IPCT_MARK))) + goto nla_put_failure; + #endif + nlmsg_end(skb, nlh); +@@ -2735,7 +2735,7 @@ static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct) + goto nla_put_failure; + + #ifdef CONFIG_NF_CONNTRACK_MARK +- if (ctnetlink_dump_mark(skb, ct) < 0) ++ if (ctnetlink_dump_mark(skb, ct, true) < 0) + goto nla_put_failure; + #endif + if (ctnetlink_dump_labels(skb, ct) < 0) +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nft_last-copy-content-when-cloning-express.patch b/queue-6.1/netfilter-nft_last-copy-content-when-cloning-express.patch new file mode 100644 index 00000000000..e1f765406a3 --- /dev/null +++ b/queue-6.1/netfilter-nft_last-copy-content-when-cloning-express.patch @@ -0,0 +1,42 @@ +From e783b408844577a55476cd479a55a91be0e4d9d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Feb 2023 17:09:03 +0100 +Subject: netfilter: nft_last: copy content when cloning expression + +From: Pablo Neira Ayuso + +[ Upstream commit 860e874290fb3be08e966c9c8ffc510c5b0f2bd8 ] + +If the ruleset contains last timestamps, restore them accordingly. +Otherwise, listing after restoration shows never used items. + +Fixes: 33a24de37e81 ("netfilter: nft_last: move stateful fields out of expression data") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_last.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/nft_last.c b/net/netfilter/nft_last.c +index bb15a55dad5c0..eaa54964cf23c 100644 +--- a/net/netfilter/nft_last.c ++++ b/net/netfilter/nft_last.c +@@ -104,11 +104,15 @@ static void nft_last_destroy(const struct nft_ctx *ctx, + static int nft_last_clone(struct nft_expr *dst, const struct nft_expr *src) + { + struct nft_last_priv *priv_dst = nft_expr_priv(dst); ++ struct nft_last_priv *priv_src = nft_expr_priv(src); + + priv_dst->last = kzalloc(sizeof(*priv_dst->last), GFP_ATOMIC); + if (!priv_dst->last) + return -ENOMEM; + ++ priv_dst->last->set = priv_src->last->set; ++ priv_dst->last->jiffies = priv_src->last->jiffies; ++ + return 0; + } + +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nft_quota-copy-content-when-cloning-expres.patch b/queue-6.1/netfilter-nft_quota-copy-content-when-cloning-expres.patch new file mode 100644 index 00000000000..22ee90450a2 --- /dev/null +++ b/queue-6.1/netfilter-nft_quota-copy-content-when-cloning-expres.patch @@ -0,0 +1,46 @@ +From 76f85dbdf24f33d1ee17df73eb62fda5fb315193 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Feb 2023 20:43:02 +0100 +Subject: netfilter: nft_quota: copy content when cloning expression + +From: Pablo Neira Ayuso + +[ Upstream commit aabef97a35160461e9c576848ded737558d89055 ] + +If the ruleset contains consumed quota, restore them accordingly. +Otherwise, listing after restoration shows never used items. + +Restore the user-defined quota and flags too. + +Fixes: ed0a0c60f0e5 ("netfilter: nft_quota: move stateful fields out of expression data") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_quota.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c +index e6b0df68feeaf..410a5fcf88309 100644 +--- a/net/netfilter/nft_quota.c ++++ b/net/netfilter/nft_quota.c +@@ -235,12 +235,16 @@ static void nft_quota_destroy(const struct nft_ctx *ctx, + static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src) + { + struct nft_quota *priv_dst = nft_expr_priv(dst); ++ struct nft_quota *priv_src = nft_expr_priv(src); ++ ++ priv_dst->quota = priv_src->quota; ++ priv_dst->flags = priv_src->flags; + + priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), GFP_ATOMIC); + if (!priv_dst->consumed) + return -ENOMEM; + +- atomic64_set(priv_dst->consumed, 0); ++ *priv_dst->consumed = *priv_src->consumed; + + return 0; + } +-- +2.39.2 + diff --git a/queue-6.1/netfilter-tproxy-fix-deadlock-due-to-missing-bh-disa.patch b/queue-6.1/netfilter-tproxy-fix-deadlock-due-to-missing-bh-disa.patch new file mode 100644 index 00000000000..3e019afb458 --- /dev/null +++ b/queue-6.1/netfilter-tproxy-fix-deadlock-due-to-missing-bh-disa.patch @@ -0,0 +1,83 @@ +From d3a1affa4540ecfabcb6a7a506757861d43f1762 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 10:58:56 +0100 +Subject: netfilter: tproxy: fix deadlock due to missing BH disable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Westphal + +[ Upstream commit 4a02426787bf024dafdb79b362285ee325de3f5e ] + +The xtables packet traverser performs an unconditional local_bh_disable(), +but the nf_tables evaluation loop does not. + +Functions that are called from either xtables or nftables must assume +that they can be called in process context. + +inet_twsk_deschedule_put() assumes that no softirq interrupt can occur. +If tproxy is used from nf_tables its possible that we'll deadlock +trying to aquire a lock already held in process context. + +Add a small helper that takes care of this and use it. + +Link: https://lore.kernel.org/netfilter-devel/401bd6ed-314a-a196-1cdc-e13c720cc8f2@balasys.hu/ +Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support") +Reported-and-tested-by: Major Dávid +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tproxy.h | 7 +++++++ + net/ipv4/netfilter/nf_tproxy_ipv4.c | 2 +- + net/ipv6/netfilter/nf_tproxy_ipv6.c | 2 +- + 3 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/include/net/netfilter/nf_tproxy.h b/include/net/netfilter/nf_tproxy.h +index 82d0e41b76f22..faa108b1ba675 100644 +--- a/include/net/netfilter/nf_tproxy.h ++++ b/include/net/netfilter/nf_tproxy.h +@@ -17,6 +17,13 @@ static inline bool nf_tproxy_sk_is_transparent(struct sock *sk) + return false; + } + ++static inline void nf_tproxy_twsk_deschedule_put(struct inet_timewait_sock *tw) ++{ ++ local_bh_disable(); ++ inet_twsk_deschedule_put(tw); ++ local_bh_enable(); ++} ++ + /* assign a socket to the skb -- consumes sk */ + static inline void nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk) + { +diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c b/net/ipv4/netfilter/nf_tproxy_ipv4.c +index b22b2c745c76c..69e3317996043 100644 +--- a/net/ipv4/netfilter/nf_tproxy_ipv4.c ++++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c +@@ -38,7 +38,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb, + hp->source, lport ? lport : hp->dest, + skb->dev, NF_TPROXY_LOOKUP_LISTENER); + if (sk2) { +- inet_twsk_deschedule_put(inet_twsk(sk)); ++ nf_tproxy_twsk_deschedule_put(inet_twsk(sk)); + sk = sk2; + } + } +diff --git a/net/ipv6/netfilter/nf_tproxy_ipv6.c b/net/ipv6/netfilter/nf_tproxy_ipv6.c +index 929502e51203b..52f828bb5a83d 100644 +--- a/net/ipv6/netfilter/nf_tproxy_ipv6.c ++++ b/net/ipv6/netfilter/nf_tproxy_ipv6.c +@@ -63,7 +63,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff, + lport ? lport : hp->dest, + skb->dev, NF_TPROXY_LOOKUP_LISTENER); + if (sk2) { +- inet_twsk_deschedule_put(inet_twsk(sk)); ++ nf_tproxy_twsk_deschedule_put(inet_twsk(sk)); + sk = sk2; + } + } +-- +2.39.2 + diff --git a/queue-6.1/nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_.patch b/queue-6.1/nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_.patch new file mode 100644 index 00000000000..816271e477e --- /dev/null +++ b/queue-6.1/nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_.patch @@ -0,0 +1,49 @@ +From ffb5596b75a509dcf9336b1a9bf576a0a2d4792f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 17:30:37 +0800 +Subject: nfc: fdp: add null check of devm_kmalloc_array in + fdp_nci_i2c_read_device_properties + +From: Kang Chen + +[ Upstream commit 11f180a5d62a51b484e9648f9b310e1bd50b1a57 ] + +devm_kmalloc_array may fails, *fw_vsc_cfg might be null and cause +out-of-bounds write in device_property_read_u8_array later. + +Fixes: a06347c04c13 ("NFC: Add Intel Fields Peak NFC solution driver") +Signed-off-by: Kang Chen +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230227093037.907654-1-void0red@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/nfc/fdp/i2c.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c +index 2d53e0f88d2f9..1e0f2297f9c66 100644 +--- a/drivers/nfc/fdp/i2c.c ++++ b/drivers/nfc/fdp/i2c.c +@@ -247,6 +247,9 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev, + len, sizeof(**fw_vsc_cfg), + GFP_KERNEL); + ++ if (!*fw_vsc_cfg) ++ goto alloc_err; ++ + r = device_property_read_u8_array(dev, FDP_DP_FW_VSC_CFG_NAME, + *fw_vsc_cfg, len); + +@@ -260,6 +263,7 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev, + *fw_vsc_cfg = NULL; + } + ++alloc_err: + dev_dbg(dev, "Clock type: %d, clock frequency: %d, VSC: %s", + *clock_type, *clock_freq, *fw_vsc_cfg != NULL ? "yes" : "no"); + } +-- +2.39.2 + diff --git a/queue-6.1/nfsd-protect-against-filesystem-freezing.patch b/queue-6.1/nfsd-protect-against-filesystem-freezing.patch new file mode 100644 index 00000000000..f8ef9a42517 --- /dev/null +++ b/queue-6.1/nfsd-protect-against-filesystem-freezing.patch @@ -0,0 +1,42 @@ +From 7a4fd97c533e8f53d7ee04116df69b1c2cbf4bec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 10:43:47 -0500 +Subject: NFSD: Protect against filesystem freezing + +From: Chuck Lever + +[ Upstream commit fd9a2e1d513823e840960cb3bc26d8b7749d4ac2 ] + +Flole observes this WARNING on occasion: + +[1210423.486503] WARNING: CPU: 8 PID: 1524732 at fs/ext4/ext4_jbd2.c:75 ext4_journal_check_start+0x68/0xb0 + +Reported-by: +Suggested-by: Jan Kara +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217123 +Fixes: 73da852e3831 ("nfsd: use vfs_iter_read/write") +Reviewed-by: Jeff Layton +Reviewed-by: Jan Kara +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/vfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c +index 0d49c6bb22eb1..59f9a8cee012a 100644 +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -1037,7 +1037,9 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct nfsd_file *nf, + since = READ_ONCE(file->f_wb_err); + if (verf) + nfsd_copy_write_verifier(verf, nn); ++ file_start_write(file); + host_err = vfs_iter_write(file, &iter, &pos, flags); ++ file_end_write(file); + if (host_err < 0) { + nfsd_reset_write_verifier(nn); + trace_nfsd_writeverf_reset(nn, rqstp, host_err); +-- +2.39.2 + diff --git a/queue-6.1/octeontx2-af-unlock-contexts-in-the-queue-context-ca.patch b/queue-6.1/octeontx2-af-unlock-contexts-in-the-queue-context-ca.patch new file mode 100644 index 00000000000..15baa512179 --- /dev/null +++ b/queue-6.1/octeontx2-af-unlock-contexts-in-the-queue-context-ca.patch @@ -0,0 +1,229 @@ +From c4caebee531663b7ebd324b352391d64caeb119a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 16:19:08 +0530 +Subject: octeontx2-af: Unlock contexts in the queue context cache in case of + fault detection + +From: Suman Ghosh + +[ Upstream commit ea9dd2e5c6d12c8b65ce7514c8359a70eeaa0e70 ] + +NDC caches contexts of frequently used queue's (Rx and Tx queues) +contexts. Due to a HW errata when NDC detects fault/poision while +accessing contexts it could go into an illegal state where a cache +line could get locked forever. To makesure all cache lines in NDC +are available for optimum performance upon fault/lockerror/posion +errors scan through all cache lines in NDC and clear the lock bit. + +Fixes: 4a3581cd5995 ("octeontx2-af: NPA AQ instruction enqueue support") +Signed-off-by: Suman Ghosh +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: Sai Krishna +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeontx2/af/rvu.h | 5 ++ + .../marvell/octeontx2/af/rvu_debugfs.c | 7 +-- + .../ethernet/marvell/octeontx2/af/rvu_nix.c | 16 ++++- + .../ethernet/marvell/octeontx2/af/rvu_npa.c | 58 ++++++++++++++++++- + .../ethernet/marvell/octeontx2/af/rvu_reg.h | 3 + + 5 files changed, 82 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h +index 76474385a6027..b07c6f51b461b 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h +@@ -859,6 +859,9 @@ int rvu_cpt_lf_teardown(struct rvu *rvu, u16 pcifunc, int blkaddr, int lf, + int slot); + int rvu_cpt_ctx_flush(struct rvu *rvu, u16 pcifunc); + ++#define NDC_AF_BANK_MASK GENMASK_ULL(7, 0) ++#define NDC_AF_BANK_LINE_MASK GENMASK_ULL(31, 16) ++ + /* CN10K RVU */ + int rvu_set_channels_base(struct rvu *rvu); + void rvu_program_channels(struct rvu *rvu); +@@ -874,6 +877,8 @@ static inline void rvu_dbg_init(struct rvu *rvu) {} + static inline void rvu_dbg_exit(struct rvu *rvu) {} + #endif + ++int rvu_ndc_fix_locked_cacheline(struct rvu *rvu, int blkaddr); ++ + /* RVU Switch */ + void rvu_switch_enable(struct rvu *rvu); + void rvu_switch_disable(struct rvu *rvu); +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +index f66dde2b0f926..abef0fd4259a3 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +@@ -198,9 +198,6 @@ enum cpt_eng_type { + CPT_IE_TYPE = 3, + }; + +-#define NDC_MAX_BANK(rvu, blk_addr) (rvu_read64(rvu, \ +- blk_addr, NDC_AF_CONST) & 0xFF) +- + #define rvu_dbg_NULL NULL + #define rvu_dbg_open_NULL NULL + +@@ -1448,6 +1445,7 @@ static int ndc_blk_hits_miss_stats(struct seq_file *s, int idx, int blk_addr) + struct nix_hw *nix_hw; + struct rvu *rvu; + int bank, max_bank; ++ u64 ndc_af_const; + + if (blk_addr == BLKADDR_NDC_NPA0) { + rvu = s->private; +@@ -1456,7 +1454,8 @@ static int ndc_blk_hits_miss_stats(struct seq_file *s, int idx, int blk_addr) + rvu = nix_hw->rvu; + } + +- max_bank = NDC_MAX_BANK(rvu, blk_addr); ++ ndc_af_const = rvu_read64(rvu, blk_addr, NDC_AF_CONST); ++ max_bank = FIELD_GET(NDC_AF_BANK_MASK, ndc_af_const); + for (bank = 0; bank < max_bank; bank++) { + seq_printf(s, "BANK:%d\n", bank); + seq_printf(s, "\tHits:\t%lld\n", +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index a62c1b3220120..84f2ba53b8b68 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -790,6 +790,7 @@ static int nix_aq_enqueue_wait(struct rvu *rvu, struct rvu_block *block, + struct nix_aq_res_s *result; + int timeout = 1000; + u64 reg, head; ++ int ret; + + result = (struct nix_aq_res_s *)aq->res->base; + +@@ -813,9 +814,22 @@ static int nix_aq_enqueue_wait(struct rvu *rvu, struct rvu_block *block, + return -EBUSY; + } + +- if (result->compcode != NIX_AQ_COMP_GOOD) ++ if (result->compcode != NIX_AQ_COMP_GOOD) { + /* TODO: Replace this with some error code */ ++ if (result->compcode == NIX_AQ_COMP_CTX_FAULT || ++ result->compcode == NIX_AQ_COMP_LOCKERR || ++ result->compcode == NIX_AQ_COMP_CTX_POISON) { ++ ret = rvu_ndc_fix_locked_cacheline(rvu, BLKADDR_NDC_NIX0_RX); ++ ret |= rvu_ndc_fix_locked_cacheline(rvu, BLKADDR_NDC_NIX0_TX); ++ ret |= rvu_ndc_fix_locked_cacheline(rvu, BLKADDR_NDC_NIX1_RX); ++ ret |= rvu_ndc_fix_locked_cacheline(rvu, BLKADDR_NDC_NIX1_TX); ++ if (ret) ++ dev_err(rvu->dev, ++ "%s: Not able to unlock cachelines\n", __func__); ++ } ++ + return -EBUSY; ++ } + + return 0; + } +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c +index 70bd036ed76e4..4f5ca5ab13a40 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c +@@ -4,7 +4,7 @@ + * Copyright (C) 2018 Marvell. + * + */ +- ++#include + #include + #include + +@@ -42,9 +42,18 @@ static int npa_aq_enqueue_wait(struct rvu *rvu, struct rvu_block *block, + return -EBUSY; + } + +- if (result->compcode != NPA_AQ_COMP_GOOD) ++ if (result->compcode != NPA_AQ_COMP_GOOD) { + /* TODO: Replace this with some error code */ ++ if (result->compcode == NPA_AQ_COMP_CTX_FAULT || ++ result->compcode == NPA_AQ_COMP_LOCKERR || ++ result->compcode == NPA_AQ_COMP_CTX_POISON) { ++ if (rvu_ndc_fix_locked_cacheline(rvu, BLKADDR_NDC_NPA0)) ++ dev_err(rvu->dev, ++ "%s: Not able to unlock cachelines\n", __func__); ++ } ++ + return -EBUSY; ++ } + + return 0; + } +@@ -545,3 +554,48 @@ void rvu_npa_lf_teardown(struct rvu *rvu, u16 pcifunc, int npalf) + + npa_ctx_free(rvu, pfvf); + } ++ ++/* Due to an Hardware errata, in some corner cases, AQ context lock ++ * operations can result in a NDC way getting into an illegal state ++ * of not valid but locked. ++ * ++ * This API solves the problem by clearing the lock bit of the NDC block. ++ * The operation needs to be done for each line of all the NDC banks. ++ */ ++int rvu_ndc_fix_locked_cacheline(struct rvu *rvu, int blkaddr) ++{ ++ int bank, max_bank, line, max_line, err; ++ u64 reg, ndc_af_const; ++ ++ /* Set the ENABLE bit(63) to '0' */ ++ reg = rvu_read64(rvu, blkaddr, NDC_AF_CAMS_RD_INTERVAL); ++ rvu_write64(rvu, blkaddr, NDC_AF_CAMS_RD_INTERVAL, reg & GENMASK_ULL(62, 0)); ++ ++ /* Poll until the BUSY bits(47:32) are set to '0' */ ++ err = rvu_poll_reg(rvu, blkaddr, NDC_AF_CAMS_RD_INTERVAL, GENMASK_ULL(47, 32), true); ++ if (err) { ++ dev_err(rvu->dev, "Timed out while polling for NDC CAM busy bits.\n"); ++ return err; ++ } ++ ++ ndc_af_const = rvu_read64(rvu, blkaddr, NDC_AF_CONST); ++ max_bank = FIELD_GET(NDC_AF_BANK_MASK, ndc_af_const); ++ max_line = FIELD_GET(NDC_AF_BANK_LINE_MASK, ndc_af_const); ++ for (bank = 0; bank < max_bank; bank++) { ++ for (line = 0; line < max_line; line++) { ++ /* Check if 'cache line valid bit(63)' is not set ++ * but 'cache line lock bit(60)' is set and on ++ * success, reset the lock bit(60). ++ */ ++ reg = rvu_read64(rvu, blkaddr, ++ NDC_AF_BANKX_LINEX_METADATA(bank, line)); ++ if (!(reg & BIT_ULL(63)) && (reg & BIT_ULL(60))) { ++ rvu_write64(rvu, blkaddr, ++ NDC_AF_BANKX_LINEX_METADATA(bank, line), ++ reg & ~BIT_ULL(60)); ++ } ++ } ++ } ++ ++ return 0; ++} +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h b/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h +index 0e0d536645ac7..39f7a7cb27558 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h +@@ -690,6 +690,7 @@ + #define NDC_AF_INTR_ENA_W1S (0x00068) + #define NDC_AF_INTR_ENA_W1C (0x00070) + #define NDC_AF_ACTIVE_PC (0x00078) ++#define NDC_AF_CAMS_RD_INTERVAL (0x00080) + #define NDC_AF_BP_TEST_ENABLE (0x001F8) + #define NDC_AF_BP_TEST(a) (0x00200 | (a) << 3) + #define NDC_AF_BLK_RST (0x002F0) +@@ -705,6 +706,8 @@ + (0x00F00 | (a) << 5 | (b) << 4) + #define NDC_AF_BANKX_HIT_PC(a) (0x01000 | (a) << 3) + #define NDC_AF_BANKX_MISS_PC(a) (0x01100 | (a) << 3) ++#define NDC_AF_BANKX_LINEX_METADATA(a, b) \ ++ (0x10000 | (a) << 12 | (b) << 3) + + /* LBK */ + #define LBK_CONST (0x10ull) +-- +2.39.2 + diff --git a/queue-6.1/perf-stat-fix-counting-when-initial-delay-configured.patch b/queue-6.1/perf-stat-fix-counting-when-initial-delay-configured.patch new file mode 100644 index 00000000000..c0a8646eecc --- /dev/null +++ b/queue-6.1/perf-stat-fix-counting-when-initial-delay-configured.patch @@ -0,0 +1,178 @@ +From 086de55f818ebacf207803aff7a09c1b94e8c5c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 11:11:44 +0800 +Subject: perf stat: Fix counting when initial delay configured + +From: Changbin Du + +[ Upstream commit 25f69c69bc3ca8c781a94473f28d443d745768e3 ] + +When creating counters with initial delay configured, the enable_on_exec +field is not set. So we need to enable the counters later. The problem +is, when a workload is specified the target__none() is true. So we also +need to check stat_config.initial_delay. + +In this change, we add a new field 'initial_delay' for struct target +which could be shared by other subcommands. And define +target__enable_on_exec() which returns whether enable_on_exec should be +set on normal cases. + +Before this fix the event is not counted: + + $ ./perf stat -e instructions -D 100 sleep 2 + Events disabled + Events enabled + + Performance counter stats for 'sleep 2': + + instructions + + 1.901661124 seconds time elapsed + + 0.001602000 seconds user + 0.000000000 seconds sys + +After fix it works: + + $ ./perf stat -e instructions -D 100 sleep 2 + Events disabled + Events enabled + + Performance counter stats for 'sleep 2': + + 404,214 instructions + + 1.901743475 seconds time elapsed + + 0.001617000 seconds user + 0.000000000 seconds sys + +Fixes: c587e77e100fa40e ("perf stat: Do not delay the workload with --delay") +Signed-off-by: Changbin Du +Acked-by: Namhyung Kim +Cc: Alexander Shishkin +Cc: Hui Wang +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20230302031146.2801588-2-changbin.du@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-stat.c | 15 +++++---------- + tools/perf/util/stat.c | 6 +----- + tools/perf/util/stat.h | 1 - + tools/perf/util/target.h | 12 ++++++++++++ + 4 files changed, 18 insertions(+), 16 deletions(-) + +diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c +index 978fdc60b4e84..f6427e3a47421 100644 +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -528,12 +528,7 @@ static int enable_counters(void) + return err; + } + +- /* +- * We need to enable counters only if: +- * - we don't have tracee (attaching to task or cpu) +- * - we have initial delay configured +- */ +- if (!target__none(&target)) { ++ if (!target__enable_on_exec(&target)) { + if (!all_counters_use_bpf) + evlist__enable(evsel_list); + } +@@ -906,7 +901,7 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx) + return err; + } + +- if (stat_config.initial_delay) { ++ if (target.initial_delay) { + pr_info(EVLIST_DISABLED_MSG); + } else { + err = enable_counters(); +@@ -918,8 +913,8 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx) + if (forks) + evlist__start_workload(evsel_list); + +- if (stat_config.initial_delay > 0) { +- usleep(stat_config.initial_delay * USEC_PER_MSEC); ++ if (target.initial_delay > 0) { ++ usleep(target.initial_delay * USEC_PER_MSEC); + err = enable_counters(); + if (err) + return -1; +@@ -1243,7 +1238,7 @@ static struct option stat_options[] = { + "aggregate counts per thread", AGGR_THREAD), + OPT_SET_UINT(0, "per-node", &stat_config.aggr_mode, + "aggregate counts per numa node", AGGR_NODE), +- OPT_INTEGER('D', "delay", &stat_config.initial_delay, ++ OPT_INTEGER('D', "delay", &target.initial_delay, + "ms to wait before starting measurement after program start (-1: start with events disabled)"), + OPT_CALLBACK_NOOPT(0, "metric-only", &stat_config.metric_only, NULL, + "Only print computed metrics. No raw values", enable_metric_only), +diff --git a/tools/perf/util/stat.c b/tools/perf/util/stat.c +index 8ec8bb4a99129..b63b3a3129919 100644 +--- a/tools/perf/util/stat.c ++++ b/tools/perf/util/stat.c +@@ -583,11 +583,7 @@ int create_perf_stat_counter(struct evsel *evsel, + if (evsel__is_group_leader(evsel)) { + attr->disabled = 1; + +- /* +- * In case of initial_delay we enable tracee +- * events manually. +- */ +- if (target__none(target) && !config->initial_delay) ++ if (target__enable_on_exec(target)) + attr->enable_on_exec = 1; + } + +diff --git a/tools/perf/util/stat.h b/tools/perf/util/stat.h +index 35c940d7f29cd..05c5125d7f419 100644 +--- a/tools/perf/util/stat.h ++++ b/tools/perf/util/stat.h +@@ -145,7 +145,6 @@ struct perf_stat_config { + FILE *output; + unsigned int interval; + unsigned int timeout; +- int initial_delay; + unsigned int unit_width; + unsigned int metric_only_len; + int times; +diff --git a/tools/perf/util/target.h b/tools/perf/util/target.h +index daec6cba500d4..880f1af7f6ad6 100644 +--- a/tools/perf/util/target.h ++++ b/tools/perf/util/target.h +@@ -18,6 +18,7 @@ struct target { + bool per_thread; + bool use_bpf; + bool hybrid; ++ int initial_delay; + const char *attr_map; + }; + +@@ -72,6 +73,17 @@ static inline bool target__none(struct target *target) + return !target__has_task(target) && !target__has_cpu(target); + } + ++static inline bool target__enable_on_exec(struct target *target) ++{ ++ /* ++ * Normally enable_on_exec should be set if: ++ * 1) The tracee process is forked (not attaching to existed task or cpu). ++ * 2) And initial_delay is not configured. ++ * Otherwise, we enable tracee events manually. ++ */ ++ return target__none(target) && !target->initial_delay; ++} ++ + static inline bool target__has_per_thread(struct target *target) + { + return target->system_wide && target->per_thread; +-- +2.39.2 + diff --git a/queue-6.1/platform-mellanox-select-regmap-instead-of-depending.patch b/queue-6.1/platform-mellanox-select-regmap-instead-of-depending.patch new file mode 100644 index 00000000000..172c43bd551 --- /dev/null +++ b/queue-6.1/platform-mellanox-select-regmap-instead-of-depending.patch @@ -0,0 +1,89 @@ +From c2d957ac66946ffd9b60bb5c63c9ce854bed3396 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Feb 2023 21:39:50 -0800 +Subject: platform: mellanox: select REGMAP instead of depending on it + +From: Randy Dunlap + +[ Upstream commit 03f5eb300ad1241f854269a3e521b119189a4493 ] + +REGMAP is a hidden (not user visible) symbol. Users cannot set it +directly thru "make *config", so drivers should select it instead of +depending on it if they need it. + +Consistently using "select" or "depends on" can also help reduce +Kconfig circular dependency issues. + +Therefore, change the use of "depends on REGMAP" to "select REGMAP". + +For NVSW_SN2201, select REGMAP_I2C instead of depending on it. + +Fixes: c6acad68eb2d ("platform/mellanox: mlxreg-hotplug: Modify to use a regmap interface") +Fixes: 5ec4a8ace06c ("platform/mellanox: Introduce support for Mellanox register access driver") +Fixes: 62f9529b8d5c ("platform/mellanox: mlxreg-lc: Add initial support for Nvidia line card devices") +Fixes: 662f24826f95 ("platform/mellanox: Add support for new SN2201 system") +Signed-off-by: Randy Dunlap +Cc: Darren Hart +Cc: Hans de Goede +Cc: Michael Shych +Cc: Mark Gross +Cc: Vadim Pasternak +Cc: platform-driver-x86@vger.kernel.org +Link: https://lore.kernel.org/r/20230226053953.4681-6-rdunlap@infradead.org +Signed-off-by: Hans de Goede +Reviewed-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/Kconfig | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/mellanox/Kconfig b/drivers/platform/mellanox/Kconfig +index 09c7829e95c4b..382793e73a60a 100644 +--- a/drivers/platform/mellanox/Kconfig ++++ b/drivers/platform/mellanox/Kconfig +@@ -16,17 +16,17 @@ if MELLANOX_PLATFORM + + config MLXREG_HOTPLUG + tristate "Mellanox platform hotplug driver support" +- depends on REGMAP + depends on HWMON + depends on I2C ++ select REGMAP + help + This driver handles hot-plug events for the power suppliers, power + cables and fans on the wide range Mellanox IB and Ethernet systems. + + config MLXREG_IO + tristate "Mellanox platform register access driver support" +- depends on REGMAP + depends on HWMON ++ select REGMAP + help + This driver allows access to Mellanox programmable device register + space through sysfs interface. The sets of registers for sysfs access +@@ -36,9 +36,9 @@ config MLXREG_IO + + config MLXREG_LC + tristate "Mellanox line card platform driver support" +- depends on REGMAP + depends on HWMON + depends on I2C ++ select REGMAP + help + This driver provides support for the Mellanox MSN4800-XX line cards, + which are the part of MSN4800 Ethernet modular switch systems +@@ -80,10 +80,9 @@ config MLXBF_PMC + + config NVSW_SN2201 + tristate "Nvidia SN2201 platform driver support" +- depends on REGMAP + depends on HWMON + depends on I2C +- depends on REGMAP_I2C ++ select REGMAP_I2C + help + This driver provides support for the Nvidia SN2201 platform. + The SN2201 is a highly integrated for one rack unit system with +-- +2.39.2 + diff --git a/queue-6.1/platform-x86-mlx_platform-select-regmap-instead-of-d.patch b/queue-6.1/platform-x86-mlx_platform-select-regmap-instead-of-d.patch new file mode 100644 index 00000000000..96c5fb687f6 --- /dev/null +++ b/queue-6.1/platform-x86-mlx_platform-select-regmap-instead-of-d.patch @@ -0,0 +1,50 @@ +From d1a45b1a1ab31c379b5991e78448fb36b48d9164 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Feb 2023 21:39:51 -0800 +Subject: platform: x86: MLX_PLATFORM: select REGMAP instead of depending on it + +From: Randy Dunlap + +[ Upstream commit 7e7e1541c91615e9950d0b96bcd1806d297e970e ] + +REGMAP is a hidden (not user visible) symbol. Users cannot set it +directly thru "make *config", so drivers should select it instead of +depending on it if they need it. + +Consistently using "select" or "depends on" can also help reduce +Kconfig circular dependency issues. + +Therefore, change the use of "depends on REGMAP" to "select REGMAP". + +Fixes: ef0f62264b2a ("platform/x86: mlx-platform: Add physical bus number auto detection") +Signed-off-by: Randy Dunlap +Cc: Vadim Pasternak +Cc: Darren Hart +Cc: Hans de Goede +Cc: Mark Gross +Cc: platform-driver-x86@vger.kernel.org +Link: https://lore.kernel.org/r/20230226053953.4681-7-rdunlap@infradead.org +Signed-off-by: Hans de Goede +Reviewed-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index f5312f51de19f..b02a8125bc7d5 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -997,7 +997,8 @@ config SERIAL_MULTI_INSTANTIATE + + config MLX_PLATFORM + tristate "Mellanox Technologies platform support" +- depends on I2C && REGMAP ++ depends on I2C ++ select REGMAP + help + This option enables system support for the Mellanox Technologies + platform. The Mellanox systems provide data center networking +-- +2.39.2 + diff --git a/queue-6.1/powerpc-boot-don-t-always-pass-mcpu-powerpc-when-bui.patch b/queue-6.1/powerpc-boot-don-t-always-pass-mcpu-powerpc-when-bui.patch new file mode 100644 index 00000000000..f9a59bce7e0 --- /dev/null +++ b/queue-6.1/powerpc-boot-don-t-always-pass-mcpu-powerpc-when-bui.patch @@ -0,0 +1,68 @@ +From 16653e56716d799166f4e6d8bb2be304ef74ed18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 08:39:00 +0100 +Subject: powerpc/boot: Don't always pass -mcpu=powerpc when building 32-bit + uImage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit ff7c76f66d8bad4e694c264c789249e1d3a8205d ] + +When CONFIG_TARGET_CPU is specified then pass its value to the compiler +-mcpu option. This fixes following build error when building kernel with +powerpc e500 SPE capable cross compilers: + + BOOTAS arch/powerpc/boot/crt0.o + powerpc-linux-gnuspe-gcc: error: unrecognized argument in option ‘-mcpu=powerpc’ + powerpc-linux-gnuspe-gcc: note: valid arguments to ‘-mcpu=’ are: 8540 8548 native + make[1]: *** [arch/powerpc/boot/Makefile:231: arch/powerpc/boot/crt0.o] Error 1 + +Similar change was already introduced for the main powerpc Makefile in +commit 446cda1b21d9 ("powerpc/32: Don't always pass -mcpu=powerpc to the +compiler"). + +Fixes: 40a75584e526 ("powerpc/boot: Build wrapper for an appropriate CPU") +Cc: stable@vger.kernel.org # v5.19+ +Signed-off-by: Pali Rohár +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/2ae3ae5887babfdacc34435bff0944b3f336100a.1674632329.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/Makefile | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile +index d32d95aea5d6f..295f76df13b55 100644 +--- a/arch/powerpc/boot/Makefile ++++ b/arch/powerpc/boot/Makefile +@@ -39,13 +39,19 @@ BOOTCFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \ + $(LINUXINCLUDE) + + ifdef CONFIG_PPC64_BOOT_WRAPPER +-ifdef CONFIG_CPU_LITTLE_ENDIAN +-BOOTCFLAGS += -m64 -mcpu=powerpc64le ++BOOTCFLAGS += -m64 + else +-BOOTCFLAGS += -m64 -mcpu=powerpc64 ++BOOTCFLAGS += -m32 + endif ++ ++ifdef CONFIG_TARGET_CPU_BOOL ++BOOTCFLAGS += -mcpu=$(CONFIG_TARGET_CPU) ++else ifdef CONFIG_PPC64_BOOT_WRAPPER ++ifdef CONFIG_CPU_LITTLE_ENDIAN ++BOOTCFLAGS += -mcpu=powerpc64le + else +-BOOTCFLAGS += -m32 -mcpu=powerpc ++BOOTCFLAGS += -mcpu=powerpc64 ++endif + endif + + BOOTCFLAGS += -isystem $(shell $(BOOTCC) -print-file-name=include) +-- +2.39.2 + diff --git a/queue-6.1/powerpc-dts-t1040rdb-fix-compatible-string-for-rev-a.patch b/queue-6.1/powerpc-dts-t1040rdb-fix-compatible-string-for-rev-a.patch new file mode 100644 index 00000000000..114d7e1fcb8 --- /dev/null +++ b/queue-6.1/powerpc-dts-t1040rdb-fix-compatible-string-for-rev-a.patch @@ -0,0 +1,36 @@ +From 4e9f763224ed18ac24b398f1923bef6c4f546ab5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Feb 2023 17:59:39 +0200 +Subject: powerpc: dts: t1040rdb: fix compatible string for Rev A boards + +From: Vladimir Oltean + +[ Upstream commit ae44f1c9d1fc54aeceb335fedb1e73b2c3ee4561 ] + +It looks like U-Boot fails to start the kernel properly when the +compatible string of the board isn't fsl,T1040RDB, so stop overriding it +from the rev-a.dts. + +Fixes: 5ebb74749202 ("powerpc: dts: t1040rdb: fix ports names for Seville Ethernet switch") +Signed-off-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts b/arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts +index 73f8c998c64df..d4f5f159d6f23 100644 +--- a/arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts ++++ b/arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts +@@ -10,7 +10,6 @@ + + / { + model = "fsl,T1040RDB-REV-A"; +- compatible = "fsl,T1040RDB-REV-A"; + }; + + &seville_port0 { +-- +2.39.2 + diff --git a/queue-6.1/risc-v-don-t-check-text_mutex-during-stop_machine.patch b/queue-6.1/risc-v-don-t-check-text_mutex-during-stop_machine.patch new file mode 100644 index 00000000000..5aea526311d --- /dev/null +++ b/queue-6.1/risc-v-don-t-check-text_mutex-during-stop_machine.patch @@ -0,0 +1,161 @@ +From 58362747ffe4611eae1b034623fb9710ff0fba02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 14:37:55 +0000 +Subject: RISC-V: Don't check text_mutex during stop_machine + +From: Conor Dooley + +[ Upstream commit 2a8db5ec4a28a0fce822d10224db9471a44b6925 ] + +We're currently using stop_machine() to update ftrace & kprobes, which +means that the thread that takes text_mutex during may not be the same +as the thread that eventually patches the code. This isn't actually a +race because the lock is still held (preventing any other concurrent +accesses) and there is only one thread running during stop_machine(), +but it does trigger a lockdep failure. + +This patch just elides the lockdep check during stop_machine. + +Fixes: c15ac4fd60d5 ("riscv/ftrace: Add dynamic function tracer support") +Suggested-by: Steven Rostedt +Reported-by: Changbin Du +Signed-off-by: Palmer Dabbelt +Signed-off-by: Conor Dooley +Link: https://lore.kernel.org/r/20230303143754.4005217-1-conor.dooley@microchip.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/ftrace.h | 2 +- + arch/riscv/include/asm/patch.h | 2 ++ + arch/riscv/kernel/ftrace.c | 13 +++++++++++-- + arch/riscv/kernel/patch.c | 28 +++++++++++++++++++++++++--- + 4 files changed, 39 insertions(+), 6 deletions(-) + +diff --git a/arch/riscv/include/asm/ftrace.h b/arch/riscv/include/asm/ftrace.h +index 9e73922e1e2e5..d47d87c2d7e3d 100644 +--- a/arch/riscv/include/asm/ftrace.h ++++ b/arch/riscv/include/asm/ftrace.h +@@ -109,6 +109,6 @@ int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec); + #define ftrace_init_nop ftrace_init_nop + #endif + +-#endif ++#endif /* CONFIG_DYNAMIC_FTRACE */ + + #endif /* _ASM_RISCV_FTRACE_H */ +diff --git a/arch/riscv/include/asm/patch.h b/arch/riscv/include/asm/patch.h +index 9a7d7346001ee..98d9de07cba17 100644 +--- a/arch/riscv/include/asm/patch.h ++++ b/arch/riscv/include/asm/patch.h +@@ -9,4 +9,6 @@ + int patch_text_nosync(void *addr, const void *insns, size_t len); + int patch_text(void *addr, u32 insn); + ++extern int riscv_patch_in_stop_machine; ++ + #endif /* _ASM_RISCV_PATCH_H */ +diff --git a/arch/riscv/kernel/ftrace.c b/arch/riscv/kernel/ftrace.c +index 5bff37af4770b..03a6434a8cdd0 100644 +--- a/arch/riscv/kernel/ftrace.c ++++ b/arch/riscv/kernel/ftrace.c +@@ -15,10 +15,19 @@ + void ftrace_arch_code_modify_prepare(void) __acquires(&text_mutex) + { + mutex_lock(&text_mutex); ++ ++ /* ++ * The code sequences we use for ftrace can't be patched while the ++ * kernel is running, so we need to use stop_machine() to modify them ++ * for now. This doesn't play nice with text_mutex, we use this flag ++ * to elide the check. ++ */ ++ riscv_patch_in_stop_machine = true; + } + + void ftrace_arch_code_modify_post_process(void) __releases(&text_mutex) + { ++ riscv_patch_in_stop_machine = false; + mutex_unlock(&text_mutex); + } + +@@ -107,9 +116,9 @@ int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec) + { + int out; + +- ftrace_arch_code_modify_prepare(); ++ mutex_lock(&text_mutex); + out = ftrace_make_nop(mod, rec, MCOUNT_ADDR); +- ftrace_arch_code_modify_post_process(); ++ mutex_unlock(&text_mutex); + + return out; + } +diff --git a/arch/riscv/kernel/patch.c b/arch/riscv/kernel/patch.c +index 765004b605132..e099961453cca 100644 +--- a/arch/riscv/kernel/patch.c ++++ b/arch/riscv/kernel/patch.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + + struct patch_insn { +@@ -19,6 +20,8 @@ struct patch_insn { + atomic_t cpu_count; + }; + ++int riscv_patch_in_stop_machine = false; ++ + #ifdef CONFIG_MMU + /* + * The fix_to_virt(, idx) needs a const value (not a dynamic variable of +@@ -59,8 +62,15 @@ static int patch_insn_write(void *addr, const void *insn, size_t len) + * Before reaching here, it was expected to lock the text_mutex + * already, so we don't need to give another lock here and could + * ensure that it was safe between each cores. ++ * ++ * We're currently using stop_machine() for ftrace & kprobes, and while ++ * that ensures text_mutex is held before installing the mappings it ++ * does not ensure text_mutex is held by the calling thread. That's ++ * safe but triggers a lockdep failure, so just elide it for that ++ * specific case. + */ +- lockdep_assert_held(&text_mutex); ++ if (!riscv_patch_in_stop_machine) ++ lockdep_assert_held(&text_mutex); + + if (across_pages) + patch_map(addr + len, FIX_TEXT_POKE1); +@@ -121,13 +131,25 @@ NOKPROBE_SYMBOL(patch_text_cb); + + int patch_text(void *addr, u32 insn) + { ++ int ret; + struct patch_insn patch = { + .addr = addr, + .insn = insn, + .cpu_count = ATOMIC_INIT(0), + }; + +- return stop_machine_cpuslocked(patch_text_cb, +- &patch, cpu_online_mask); ++ /* ++ * kprobes takes text_mutex, before calling patch_text(), but as we call ++ * calls stop_machine(), the lockdep assertion in patch_insn_write() ++ * gets confused by the context in which the lock is taken. ++ * Instead, ensure the lock is held before calling stop_machine(), and ++ * set riscv_patch_in_stop_machine to skip the check in ++ * patch_insn_write(). ++ */ ++ lockdep_assert_held(&text_mutex); ++ riscv_patch_in_stop_machine = true; ++ ret = stop_machine_cpuslocked(patch_text_cb, &patch, cpu_online_mask); ++ riscv_patch_in_stop_machine = false; ++ return ret; + } + NOKPROBE_SYMBOL(patch_text); +-- +2.39.2 + diff --git a/queue-6.1/riscv-add-header-include-guards-to-insn.h.patch b/queue-6.1/riscv-add-header-include-guards-to-insn.h.patch new file mode 100644 index 00000000000..bf4e8f8215a --- /dev/null +++ b/queue-6.1/riscv-add-header-include-guards-to-insn.h.patch @@ -0,0 +1,48 @@ +From 67a71e390c6ea75688cddbc79e2832d7d46eefe8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Jan 2023 17:42:42 +0800 +Subject: riscv: Add header include guards to insn.h + +From: Liao Chang + +[ Upstream commit 8ac6e619d9d51b3eb5bae817db8aa94e780a0db4 ] + +Add header include guards to insn.h to prevent repeating declaration of +any identifiers in insn.h. + +Fixes: edde5584c7ab ("riscv: Add SW single-step support for KDB") +Signed-off-by: Liao Chang +Reviewed-by: Andrew Jones +Fixes: c9c1af3f186a ("RISC-V: rename parse_asm.h to insn.h") +Reviewed-by: Conor Dooley +Link: https://lore.kernel.org/r/20230129094242.282620-1-liaochang1@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/parse_asm.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/riscv/include/asm/parse_asm.h b/arch/riscv/include/asm/parse_asm.h +index f36368de839f5..3cd00332d70f5 100644 +--- a/arch/riscv/include/asm/parse_asm.h ++++ b/arch/riscv/include/asm/parse_asm.h +@@ -3,6 +3,9 @@ + * Copyright (C) 2020 SiFive + */ + ++#ifndef _ASM_RISCV_INSN_H ++#define _ASM_RISCV_INSN_H ++ + #include + + /* The bit field of immediate value in I-type instruction */ +@@ -217,3 +220,5 @@ static inline bool is_ ## INSN_NAME ## _insn(long insn) \ + (RVC_X(x_, RVC_B_IMM_5_OPOFF, RVC_B_IMM_5_MASK) << RVC_B_IMM_5_OFF) | \ + (RVC_X(x_, RVC_B_IMM_7_6_OPOFF, RVC_B_IMM_7_6_MASK) << RVC_B_IMM_7_6_OFF) | \ + (RVC_IMM_SIGN(x_) << RVC_B_IMM_SIGN_OFF); }) ++ ++#endif /* _ASM_RISCV_INSN_H */ +-- +2.39.2 + diff --git a/queue-6.1/riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch b/queue-6.1/riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch new file mode 100644 index 00000000000..d0bb10d5284 --- /dev/null +++ b/queue-6.1/riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch @@ -0,0 +1,99 @@ +From 319949b256112f4117a902f4dae42699716a0b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 10:16:39 +0100 +Subject: riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode + +From: Alexandre Ghiti + +[ Upstream commit 76950340cf03b149412fe0d5f0810e52ac1df8cb ] + +When CONFIG_FRAME_POINTER is unset, the stack unwinding function +walk_stackframe randomly reads the stack and then, when KASAN is enabled, +it can lead to the following backtrace: + +[ 0.000000] ================================================================== +[ 0.000000] BUG: KASAN: stack-out-of-bounds in walk_stackframe+0xa6/0x11a +[ 0.000000] Read of size 8 at addr ffffffff81807c40 by task swapper/0 +[ 0.000000] +[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-12919-g24203e6db61f #43 +[ 0.000000] Hardware name: riscv-virtio,qemu (DT) +[ 0.000000] Call Trace: +[ 0.000000] [] walk_stackframe+0x0/0x11a +[ 0.000000] [] init_param_lock+0x26/0x2a +[ 0.000000] [] walk_stackframe+0xa2/0x11a +[ 0.000000] [] dump_stack_lvl+0x22/0x36 +[ 0.000000] [] print_report+0x198/0x4a8 +[ 0.000000] [] init_param_lock+0x26/0x2a +[ 0.000000] [] walk_stackframe+0xa2/0x11a +[ 0.000000] [] kasan_report+0x9a/0xc8 +[ 0.000000] [] walk_stackframe+0xa2/0x11a +[ 0.000000] [] walk_stackframe+0xa2/0x11a +[ 0.000000] [] desc_make_final+0x80/0x84 +[ 0.000000] [] stack_trace_save+0x88/0xa6 +[ 0.000000] [] filter_irq_stacks+0x72/0x76 +[ 0.000000] [] devkmsg_read+0x32a/0x32e +[ 0.000000] [] kasan_save_stack+0x28/0x52 +[ 0.000000] [] desc_make_final+0x7c/0x84 +[ 0.000000] [] stack_trace_save+0x84/0xa6 +[ 0.000000] [] kasan_set_track+0x12/0x20 +[ 0.000000] [] __kasan_slab_alloc+0x58/0x5e +[ 0.000000] [] __kmem_cache_create+0x21e/0x39a +[ 0.000000] [] create_boot_cache+0x70/0x9c +[ 0.000000] [] kmem_cache_init+0x6c/0x11e +[ 0.000000] [] mm_init+0xd8/0xfe +[ 0.000000] [] start_kernel+0x190/0x3ca +[ 0.000000] +[ 0.000000] The buggy address belongs to stack of task swapper/0 +[ 0.000000] and is located at offset 0 in frame: +[ 0.000000] stack_trace_save+0x0/0xa6 +[ 0.000000] +[ 0.000000] This frame has 1 object: +[ 0.000000] [32, 56) 'c' +[ 0.000000] +[ 0.000000] The buggy address belongs to the physical page: +[ 0.000000] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81a07 +[ 0.000000] flags: 0x1000(reserved|zone=0) +[ 0.000000] raw: 0000000000001000 ff600003f1e3d150 ff600003f1e3d150 0000000000000000 +[ 0.000000] raw: 0000000000000000 0000000000000000 00000001ffffffff +[ 0.000000] page dumped because: kasan: bad access detected +[ 0.000000] +[ 0.000000] Memory state around the buggy address: +[ 0.000000] ffffffff81807b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 0.000000] ffffffff81807b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 0.000000] >ffffffff81807c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 +[ 0.000000] ^ +[ 0.000000] ffffffff81807c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 +[ 0.000000] ffffffff81807d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 0.000000] ================================================================== + +Fix that by using READ_ONCE_NOCHECK when reading the stack in imprecise +mode. + +Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") +Reported-by: Chathura Rajapaksha +Link: https://lore.kernel.org/all/CAD7mqryDQCYyJ1gAmtMm8SASMWAQ4i103ptTb0f6Oda=tPY2=A@mail.gmail.com/ +Suggested-by: Dmitry Vyukov +Signed-off-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20230308091639.602024-1-alexghiti@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/stacktrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c +index 85cd5442d2f81..17d7383f201a5 100644 +--- a/arch/riscv/kernel/stacktrace.c ++++ b/arch/riscv/kernel/stacktrace.c +@@ -92,7 +92,7 @@ void notrace walk_stackframe(struct task_struct *task, + while (!kstack_end(ksp)) { + if (__kernel_text_address(pc) && unlikely(!fn(arg, pc))) + break; +- pc = (*ksp++) - 0x4; ++ pc = READ_ONCE_NOCHECK(*ksp++) - 0x4; + } + } + +-- +2.39.2 + diff --git a/queue-6.1/scsi-core-remove-the-proc-scsi-proc_name-directory-e.patch b/queue-6.1/scsi-core-remove-the-proc-scsi-proc_name-directory-e.patch new file mode 100644 index 00000000000..f42388e747e --- /dev/null +++ b/queue-6.1/scsi-core-remove-the-proc-scsi-proc_name-directory-e.patch @@ -0,0 +1,79 @@ +From fe033a057ce3fc9b60e7cbe8285eea4a1ecce88f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 12:52:00 -0800 +Subject: scsi: core: Remove the /proc/scsi/${proc_name} directory earlier + +From: Bart Van Assche + +[ Upstream commit fc663711b94468f4e1427ebe289c9f05669699c9 ] + +Remove the /proc/scsi/${proc_name} directory earlier to fix a race +condition between unloading and reloading kernel modules. This fixes a bug +introduced in 2009 by commit 77c019768f06 ("[SCSI] fix /proc memory leak in +the SCSI core"). + +Fix the following kernel warning: + +proc_dir_entry 'scsi/scsi_debug' already registered +WARNING: CPU: 19 PID: 27986 at fs/proc/generic.c:376 proc_register+0x27d/0x2e0 +Call Trace: + proc_mkdir+0xb5/0xe0 + scsi_proc_hostdir_add+0xb5/0x170 + scsi_host_alloc+0x683/0x6c0 + sdebug_driver_probe+0x6b/0x2d0 [scsi_debug] + really_probe+0x159/0x540 + __driver_probe_device+0xdc/0x230 + driver_probe_device+0x4f/0x120 + __device_attach_driver+0xef/0x180 + bus_for_each_drv+0xe5/0x130 + __device_attach+0x127/0x290 + device_initial_probe+0x17/0x20 + bus_probe_device+0x110/0x130 + device_add+0x673/0xc80 + device_register+0x1e/0x30 + sdebug_add_host_helper+0x1a7/0x3b0 [scsi_debug] + scsi_debug_init+0x64f/0x1000 [scsi_debug] + do_one_initcall+0xd7/0x470 + do_init_module+0xe7/0x330 + load_module+0x122a/0x12c0 + __do_sys_finit_module+0x124/0x1a0 + __x64_sys_finit_module+0x46/0x50 + do_syscall_64+0x38/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Link: https://lore.kernel.org/r/20230210205200.36973-3-bvanassche@acm.org +Cc: Alan Stern +Cc: Yi Zhang +Cc: stable@vger.kernel.org +Fixes: 77c019768f06 ("[SCSI] fix /proc memory leak in the SCSI core") +Reported-by: Yi Zhang +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hosts.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index 9857dba09c951..85e66574ec414 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -181,6 +181,7 @@ void scsi_remove_host(struct Scsi_Host *shost) + scsi_forget_host(shost); + mutex_unlock(&shost->scan_mutex); + scsi_proc_host_rm(shost); ++ scsi_proc_hostdir_rm(shost->hostt); + + /* + * New SCSI devices cannot be attached anymore because of the SCSI host +@@ -340,6 +341,7 @@ static void scsi_host_dev_release(struct device *dev) + struct Scsi_Host *shost = dev_to_shost(dev); + struct device *parent = dev->parent; + ++ /* In case scsi_remove_host() has not been called. */ + scsi_proc_hostdir_rm(shost->hostt); + + /* Wait for functions invoked through call_rcu(&scmd->rcu, ...) */ +-- +2.39.2 + diff --git a/queue-6.1/scsi-megaraid_sas-update-max-supported-ld-ids-to-240.patch b/queue-6.1/scsi-megaraid_sas-update-max-supported-ld-ids-to-240.patch new file mode 100644 index 00000000000..43708b5a776 --- /dev/null +++ b/queue-6.1/scsi-megaraid_sas-update-max-supported-ld-ids-to-240.patch @@ -0,0 +1,60 @@ +From 673917e413f121c5bd09c769d1195eefb6182bfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 16:23:40 +0530 +Subject: scsi: megaraid_sas: Update max supported LD IDs to 240 + +From: Chandrakanth Patil + +[ Upstream commit bfa659177dcba48cf13f2bd88c1972f12a60bf1c ] + +The firmware only supports Logical Disk IDs up to 240 and LD ID 255 (0xFF) +is reserved for deleted LDs. However, in some cases, firmware was assigning +LD ID 254 (0xFE) to deleted LDs and this was causing the driver to mark the +wrong disk as deleted. This in turn caused the wrong disk device to be +taken offline by the SCSI midlayer. + +To address this issue, limit the LD ID range from 255 to 240. This ensures +the deleted LD ID is properly identified and removed by the driver without +accidently deleting any valid LDs. + +Fixes: ae6874ba4b43 ("scsi: megaraid_sas: Early detection of VD deletion through RaidMap update") +Reported-by: Martin K. Petersen +Signed-off-by: Chandrakanth Patil +Signed-off-by: Sumit Saxena +Link: https://lore.kernel.org/r/20230302105342.34933-2-chandrakanth.patil@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas.h | 2 ++ + drivers/scsi/megaraid/megaraid_sas_fp.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h +index 4919ea54b8277..2ef9d41fc6f42 100644 +--- a/drivers/scsi/megaraid/megaraid_sas.h ++++ b/drivers/scsi/megaraid/megaraid_sas.h +@@ -1519,6 +1519,8 @@ struct megasas_ctrl_info { + #define MEGASAS_MAX_LD_IDS (MEGASAS_MAX_LD_CHANNELS * \ + MEGASAS_MAX_DEV_PER_CHANNEL) + ++#define MEGASAS_MAX_SUPPORTED_LD_IDS 240 ++ + #define MEGASAS_MAX_SECTORS (2*1024) + #define MEGASAS_MAX_SECTORS_IEEE (2*128) + #define MEGASAS_DBG_LVL 1 +diff --git a/drivers/scsi/megaraid/megaraid_sas_fp.c b/drivers/scsi/megaraid/megaraid_sas_fp.c +index da1cad1ee1238..4463a538102ad 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_fp.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fp.c +@@ -358,7 +358,7 @@ u8 MR_ValidateMapInfo(struct megasas_instance *instance, u64 map_id) + ld = MR_TargetIdToLdGet(i, drv_map); + + /* For non existing VDs, iterate to next VD*/ +- if (ld >= (MAX_LOGICAL_DRIVES_EXT - 1)) ++ if (ld >= MEGASAS_MAX_SUPPORTED_LD_IDS) + continue; + + raid = MR_LdRaidGet(ld, drv_map); +-- +2.39.2 + diff --git a/queue-6.1/scsi-sd-fix-wrong-zone_write_granularity-value-durin.patch b/queue-6.1/scsi-sd-fix-wrong-zone_write_granularity-value-durin.patch new file mode 100644 index 00000000000..6fe954081df --- /dev/null +++ b/queue-6.1/scsi-sd-fix-wrong-zone_write_granularity-value-durin.patch @@ -0,0 +1,77 @@ +From 68010ef60bc62baf9fd99e4d1da7f6458910c425 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 15:30:24 +0900 +Subject: scsi: sd: Fix wrong zone_write_granularity value during revalidate + +From: Shin'ichiro Kawasaki + +[ Upstream commit 288b3271d920c9ba949c3bab0f749f4cecc70e09 ] + +When the sd driver revalidates host-managed SMR disks, it calls +disk_set_zoned() which changes the zone_write_granularity attribute value +to the logical block size regardless of the device type. After that, the sd +driver overwrites the value in sd_zbc_read_zone() with the physical block +size, since ZBC/ZAC requires this for host-managed disks. Between the calls +to disk_set_zoned() and sd_zbc_read_zone(), there exists a window where the +attribute shows the logical block size as the zone_write_granularity value, +which is wrong for host-managed disks. The duration of the window is from +20ms to 200ms, depending on report zone command execution time. + +To avoid the wrong zone_write_granularity value between disk_set_zoned() +and sd_zbc_read_zone(), modify the value not in sd_zbc_read_zone() but +just after disk_set_zoned() call. + +Fixes: a805a4fa4fa3 ("block: introduce zone_write_granularity limit") +Signed-off-by: Shin'ichiro Kawasaki +Link: https://lore.kernel.org/r/20230306063024.3376959-1-shinichiro.kawasaki@wdc.com +Reviewed-by: Damien Le Moal +Reviewed-by: Johannes Thumshirn +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sd.c | 7 ++++++- + drivers/scsi/sd_zbc.c | 8 -------- + 2 files changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index eb76ba0550216..e934779bf05c8 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2933,8 +2933,13 @@ static void sd_read_block_characteristics(struct scsi_disk *sdkp) + } + + if (sdkp->device->type == TYPE_ZBC) { +- /* Host-managed */ ++ /* ++ * Host-managed: Per ZBC and ZAC specifications, writes in ++ * sequential write required zones of host-managed devices must ++ * be aligned to the device physical block size. ++ */ + disk_set_zoned(sdkp->disk, BLK_ZONED_HM); ++ blk_queue_zone_write_granularity(q, sdkp->physical_block_size); + } else { + sdkp->zoned = zoned; + if (sdkp->zoned == 1) { +diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c +index bd15624c63228..4c35b4a916355 100644 +--- a/drivers/scsi/sd_zbc.c ++++ b/drivers/scsi/sd_zbc.c +@@ -956,14 +956,6 @@ int sd_zbc_read_zones(struct scsi_disk *sdkp, u8 buf[SD_BUF_SIZE]) + disk_set_max_active_zones(disk, 0); + nr_zones = round_up(sdkp->capacity, zone_blocks) >> ilog2(zone_blocks); + +- /* +- * Per ZBC and ZAC specifications, writes in sequential write required +- * zones of host-managed devices must be aligned to the device physical +- * block size. +- */ +- if (blk_queue_zoned_model(q) == BLK_ZONED_HM) +- blk_queue_zone_write_granularity(q, sdkp->physical_block_size); +- + sdkp->early_zone_info.nr_zones = nr_zones; + sdkp->early_zone_info.zone_blocks = zone_blocks; + +-- +2.39.2 + diff --git a/queue-6.1/selftests-nft_nat-ensuring-the-listening-side-is-up-.patch b/queue-6.1/selftests-nft_nat-ensuring-the-listening-side-is-up-.patch new file mode 100644 index 00000000000..b0f6e322bd9 --- /dev/null +++ b/queue-6.1/selftests-nft_nat-ensuring-the-listening-side-is-up-.patch @@ -0,0 +1,58 @@ +From 30ca55d774f56288ae20d6e70debfc3b1b4deaec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 17:36:46 +0800 +Subject: selftests: nft_nat: ensuring the listening side is up before starting + the client + +From: Hangbin Liu + +[ Upstream commit 2067e7a00aa604b94de31d64f29b8893b1696f26 ] + +The test_local_dnat_portonly() function initiates the client-side as +soon as it sets the listening side to the background. This could lead to +a race condition where the server may not be ready to listen. To ensure +that the server-side is up and running before initiating the +client-side, a delay is introduced to the test_local_dnat_portonly() +function. + +Before the fix: + # ./nft_nat.sh + PASS: netns routing/connectivity: ns0-rthlYrBU can reach ns1-rthlYrBU and ns2-rthlYrBU + PASS: ping to ns1-rthlYrBU was ip NATted to ns2-rthlYrBU + PASS: ping to ns1-rthlYrBU OK after ip nat output chain flush + PASS: ipv6 ping to ns1-rthlYrBU was ip6 NATted to ns2-rthlYrBU + 2023/02/27 04:11:03 socat[6055] E connect(5, AF=2 10.0.1.99:2000, 16): Connection refused + ERROR: inet port rewrite + +After the fix: + # ./nft_nat.sh + PASS: netns routing/connectivity: ns0-9sPJV6JJ can reach ns1-9sPJV6JJ and ns2-9sPJV6JJ + PASS: ping to ns1-9sPJV6JJ was ip NATted to ns2-9sPJV6JJ + PASS: ping to ns1-9sPJV6JJ OK after ip nat output chain flush + PASS: ipv6 ping to ns1-9sPJV6JJ was ip6 NATted to ns2-9sPJV6JJ + PASS: inet port rewrite without l3 address + +Fixes: 282e5f8fe907 ("netfilter: nat: really support inet nat without l3 address") +Signed-off-by: Hangbin Liu +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/netfilter/nft_nat.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh +index 924ecb3f1f737..dd40d9f6f2599 100755 +--- a/tools/testing/selftests/netfilter/nft_nat.sh ++++ b/tools/testing/selftests/netfilter/nft_nat.sh +@@ -404,6 +404,8 @@ EOF + echo SERVER-$family | ip netns exec "$ns1" timeout 5 socat -u STDIN TCP-LISTEN:2000 & + sc_s=$! + ++ sleep 1 ++ + result=$(ip netns exec "$ns0" timeout 1 socat TCP:$daddr:2000 STDOUT) + + if [ "$result" = "SERVER-inet" ];then +-- +2.39.2 + diff --git a/queue-6.1/series b/queue-6.1/series index a09cecf1eda..7841e0cd852 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -23,3 +23,92 @@ ext4-zero-i_disksize-when-initializing-the-bootloader-inode.patch hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch nfc-change-order-inside-nfc_se_io-error-path.patch +kvm-vmx-reset-evmcs-controls-in-vp-assist-page-durin.patch +kvm-vmx-don-t-bother-disabling-evmcs-static-key-on-m.patch +kvm-x86-move-guts-of-kvm_arch_init-to-standalone-hel.patch +kvm-vmx-do-_all_-initialization-before-exposing-dev-.patch +fs-dlm-fix-log-of-lowcomms-vs-midcomms.patch +fs-dlm-add-midcomms-init-start-functions.patch +fs-dlm-start-midcomms-before-scand.patch +fs-dlm-remove-send-repeat-remove-handling.patch +fs-dlm-use-packet-in-dlm_mhandle.patch +fd-dlm-trace-send-recv-of-dlm-message-and-rcom.patch +fs-dlm-fix-use-after-free-in-midcomms-commit.patch +fs-dlm-use-warn_on_once-instead-of-warn_on.patch +fs-dlm-be-sure-to-call-dlm_send_queue_flush.patch +fs-dlm-fix-race-setting-stop-tx-flag.patch +udf-fix-off-by-one-error-when-discarding-preallocati.patch +bus-mhi-ep-power-up-down-mhi-stack-during-mhi-reset.patch +bus-mhi-ep-change-state_lock-to-mutex.patch +powerpc-boot-don-t-always-pass-mcpu-powerpc-when-bui.patch +input-exc3000-properly-stop-timer-on-shutdown.patch +ipmi-ssif-remove-rtc_us_timer.patch +ipmi-ssif-increase-the-message-retry-time.patch +ipmi-ssif-add-a-timer-between-request-retries.patch +spi-intel-check-number-of-chip-selects-after-reading.patch +drm-i915-introduce-intel_panel_init_alloc.patch +drm-i915-do-panel-vbt-init-early-if-the-vbt-declares.patch +drm-i915-populate-encoder-devdata-for-dsi-on-icl.patch +block-revert-block-do-not-reread-partition-table-on-.patch +block-fix-scan-partition-for-exclusively-open-device.patch +riscv-add-header-include-guards-to-insn.h.patch +scsi-core-remove-the-proc-scsi-proc_name-directory-e.patch +ext4-fix-possible-corruption-when-moving-a-directory.patch +cifs-improve-checking-of-dfs-links-over-status_objec.patch +drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch +drm-msm-fix-potential-invalid-ptr-free.patch +drm-msm-a5xx-fix-setting-of-the-cp_preempt_enable_lo.patch +drm-msm-a5xx-fix-highest-bank-bit-for-a530.patch +drm-msm-a5xx-fix-the-emptyness-check-in-the-preempt-.patch +drm-msm-a5xx-fix-context-faults-during-ring-switch.patch +bgmac-fix-initial-chip-reset-to-support-bcm5358.patch +nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_.patch +powerpc-dts-t1040rdb-fix-compatible-string-for-rev-a.patch +tls-rx-fix-return-value-for-async-crypto.patch +drm-msm-dpu-disable-features-unsupported-by-qcm2290.patch +ila-do-not-generate-empty-messages-in-ila_xlat_nl_cm.patch +net-lan966x-fix-port-police-support-using-tc-matchal.patch +selftests-nft_nat-ensuring-the-listening-side-is-up-.patch +netfilter-nft_last-copy-content-when-cloning-express.patch +netfilter-nft_quota-copy-content-when-cloning-expres.patch +net-tls-fix-possible-race-condition-between-do_tls_g.patch +net-use-indirect-calls-helpers-for-sk_exit_memory_pr.patch +perf-stat-fix-counting-when-initial-delay-configured.patch +net-lan78xx-fix-accessing-the-lan7800-s-internal-phy.patch +net-caif-fix-use-after-free-in-cfusbl_device_notify.patch +ice-copy-last-block-omitted-in-ice_get_module_eeprom.patch +bpf-sockmap-fix-an-infinite-loop-error-when-len-is-0.patch +drm-msm-dpu-fix-len-of-sc7180-ctl-blocks.patch +drm-msm-dpu-drop-dpu_dim_layer-from-mixer_msm8998_ma.patch +drm-msm-dpu-fix-clocks-settings-for-msm8998-sspp-blo.patch +drm-msm-dpu-clear-dspp-reservations-in-rm-release.patch +net-stmmac-add-to-set-device-wake-up-flag-when-stmma.patch +net-phylib-get-rid-of-unnecessary-locking.patch +bnxt_en-avoid-order-5-memory-allocation-for-tpa-data.patch +netfilter-ctnetlink-revert-to-dumping-mark-regardles.patch +netfilter-tproxy-fix-deadlock-due-to-missing-bh-disa.patch +m68k-mm-move-initrd-phys_to_virt-handling-after-pagi.patch +btrfs-fix-extent-map-logging-bit-not-cleared-for-spl.patch +bpf-test_run-fix-xdp_frame-misplacement-for-live_fra.patch +btf-fix-resolving-btf_kind_var-after-array-struct-un.patch +net-phy-smsc-fix-link-up-detection-in-forced-irq-mod.patch +net-ethernet-mtk_eth_soc-fix-rx-data-corruption-issu.patch +net-tls-fix-device-offloaded-sendpage-straddling-rec.patch +scsi-megaraid_sas-update-max-supported-ld-ids-to-240.patch +scsi-sd-fix-wrong-zone_write_granularity-value-durin.patch +netfilter-conntrack-adopt-safer-max-chain-length.patch +platform-mellanox-select-regmap-instead-of-depending.patch +platform-x86-mlx_platform-select-regmap-instead-of-d.patch +block-fix-wrong-mode-for-blkdev_put-from-disk_scan_p.patch +nfsd-protect-against-filesystem-freezing.patch +ice-fix-dscp-pfc-tlv-creation.patch +ethernet-ice-avoid-gcc-9-integer-overflow-warning.patch +net-smc-fix-fallback-failed-while-sendmsg-with-fasto.patch +octeontx2-af-unlock-contexts-in-the-queue-context-ca.patch +sunrpc-fix-a-server-shutdown-leak.patch +net-dsa-mt7530-permit-port-5-to-work-without-port-6-.patch +af_unix-fix-struct-pid-leaks-in-oob-support.patch +erofs-revert-erofs-fix-kvcalloc-misuse-with-__gfp_no.patch +riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch +risc-v-don-t-check-text_mutex-during-stop_machine.patch +drm-amdgpu-fix-return-value-check-in-kfd.patch diff --git a/queue-6.1/spi-intel-check-number-of-chip-selects-after-reading.patch b/queue-6.1/spi-intel-check-number-of-chip-selects-after-reading.patch new file mode 100644 index 00000000000..b43b70fb57a --- /dev/null +++ b/queue-6.1/spi-intel-check-number-of-chip-selects-after-reading.patch @@ -0,0 +1,51 @@ +From 7f83600dc1a649047ccabd55c9eab0ef8f8abf0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 13:00:40 +0200 +Subject: spi: intel: Check number of chip selects after reading the descriptor + +From: Mika Westerberg + +[ Upstream commit 574fbb95cd9d88bdc9c9c4c64223a38a61d7de9a ] + +The flash decriptor contains the number of flash components that we use +to figure out how many flash chips there are connected. Therefore we +need to read it first before deciding how many chip selects the +controller has. + +Reported-by: Marcin Witkowski +Fixes: 3f03c618bebb ("spi: intel: Add support for second flash chip") +Cc: stable@vger.kernel.org +Signed-off-by: Mika Westerberg +Link: https://lore.kernel.org/r/20230215110040.42186-1-mika.westerberg@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-intel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-intel.c b/drivers/spi/spi-intel.c +index 3ac73691fbb54..54fc226e1cdf6 100644 +--- a/drivers/spi/spi-intel.c ++++ b/drivers/spi/spi-intel.c +@@ -1366,14 +1366,14 @@ static int intel_spi_populate_chip(struct intel_spi *ispi) + if (!spi_new_device(ispi->master, &chip)) + return -ENODEV; + +- /* Add the second chip if present */ +- if (ispi->master->num_chipselect < 2) +- return 0; +- + ret = intel_spi_read_desc(ispi); + if (ret) + return ret; + ++ /* Add the second chip if present */ ++ if (ispi->master->num_chipselect < 2) ++ return 0; ++ + chip.platform_data = NULL; + chip.chip_select = 1; + +-- +2.39.2 + diff --git a/queue-6.1/sunrpc-fix-a-server-shutdown-leak.patch b/queue-6.1/sunrpc-fix-a-server-shutdown-leak.patch new file mode 100644 index 00000000000..2017f8c897f --- /dev/null +++ b/queue-6.1/sunrpc-fix-a-server-shutdown-leak.patch @@ -0,0 +1,48 @@ +From cb529ff70a8ed8ed56149d9c0cd340f67e6598bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 16:08:32 -0500 +Subject: SUNRPC: Fix a server shutdown leak + +From: Benjamin Coddington + +[ Upstream commit 9ca6705d9d609441d34f8b853e1e4a6369b3b171 ] + +Fix a race where kthread_stop() may prevent the threadfn from ever getting +called. If that happens the svc_rqst will not be cleaned up. + +Fixes: ed6473ddc704 ("NFSv4: Fix callback server shutdown") +Signed-off-by: Benjamin Coddington +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c +index 24577d1b99079..9ee32e06f877e 100644 +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -787,6 +787,7 @@ svc_start_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs) + static int + svc_stop_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs) + { ++ struct svc_rqst *rqstp; + struct task_struct *task; + unsigned int state = serv->sv_nrthreads-1; + +@@ -795,7 +796,10 @@ svc_stop_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs) + task = choose_victim(serv, pool, &state); + if (task == NULL) + break; +- kthread_stop(task); ++ rqstp = kthread_data(task); ++ /* Did we lose a race to svo_function threadfn? */ ++ if (kthread_stop(task) == -EINTR) ++ svc_exit_thread(rqstp); + nrservs++; + } while (nrservs < 0); + return 0; +-- +2.39.2 + diff --git a/queue-6.1/tls-rx-fix-return-value-for-async-crypto.patch b/queue-6.1/tls-rx-fix-return-value-for-async-crypto.patch new file mode 100644 index 00000000000..58714c090b5 --- /dev/null +++ b/queue-6.1/tls-rx-fix-return-value-for-async-crypto.patch @@ -0,0 +1,46 @@ +From 5dc0e57d356f34fbac13d87893e0b65444631ec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 10:12:01 -0800 +Subject: tls: rx: fix return value for async crypto + +From: Jakub Kicinski + +[ Upstream commit 4d42cd6bc2ac1b9be50ade13771daec90c9d18b1 ] + +Gaurav reports that TLS Rx is broken with async crypto +accelerators. The commit under fixes missed updating +the retval byte counting logic when updating how records +are stored. Even tho both before and after the change +'decrypted' was updated inside the main loop, it was +completely overwritten when processing the async +completions. Now that the rx_list only holds +non-zero-copy records we need to add, not overwrite. + +Reported-and-bisected-by: Gaurav Jain +Fixes: cbbdee9918a2 ("tls: rx: async: don't put async zc on the list") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217064 +Tested-by: Gaurav Jain +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230227181201.1793772-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 38dcd9b401027..992092aeebad9 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2114,7 +2114,7 @@ int tls_sw_recvmsg(struct sock *sk, + else + err = process_rx_list(ctx, msg, &control, 0, + async_copy_bytes, is_peek); +- decrypted = max(err, 0); ++ decrypted += max(err, 0); + } + + copied += decrypted; +-- +2.39.2 + diff --git a/queue-6.1/udf-fix-off-by-one-error-when-discarding-preallocati.patch b/queue-6.1/udf-fix-off-by-one-error-when-discarding-preallocati.patch new file mode 100644 index 00000000000..1e03aab2a7a --- /dev/null +++ b/queue-6.1/udf-fix-off-by-one-error-when-discarding-preallocati.patch @@ -0,0 +1,38 @@ +From 36c08ae353bc14dd1301a213cfb2ba489203bb6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 14:29:15 +0100 +Subject: udf: Fix off-by-one error when discarding preallocation + +From: Jan Kara + +[ Upstream commit f54aa97fb7e5329a373f9df4e5e213ced4fc8759 ] + +The condition determining whether the preallocation can be used had +an off-by-one error so we didn't discard preallocation when new +allocation was just following it. This can then confuse code in +inode_getblk(). + +CC: stable@vger.kernel.org +Fixes: 16d055656814 ("udf: Discard preallocation before extending file with a hole") +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 259152a08852b..a4e875b61f895 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -443,7 +443,7 @@ static int udf_get_block(struct inode *inode, sector_t block, + * Block beyond EOF and prealloc extents? Just discard preallocation + * as it is not useful and complicates things. + */ +- if (((loff_t)block) << inode->i_blkbits > iinfo->i_lenExtents) ++ if (((loff_t)block) << inode->i_blkbits >= iinfo->i_lenExtents) + udf_discard_prealloc(inode); + udf_clear_extent_cache(inode); + phys = inode_getblk(inode, block, &err, &new); +-- +2.39.2 +