From: Sasha Levin Date: Mon, 30 Jan 2023 03:56:01 +0000 (-0500) Subject: Fixes for 6.1 X-Git-Tag: v5.10.166~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=82e77236a9a9e4bd2885c157d04829e34b01d681;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-asus-u.patch b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-asus-u.patch new file mode 100644 index 00000000000..128f41a2f5b --- /dev/null +++ b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-asus-u.patch @@ -0,0 +1,78 @@ +From df9dfabcc42694980c7aae1580e6bf9fc2d1405f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 18:24:41 +0100 +Subject: ACPI: video: Add backlight=native DMI quirk for Asus U46E + +From: Hans de Goede + +[ Upstream commit e6b3086fddc0065a5ffb947d4d29dd0e6efc327b ] + +The Asus U46E backlight tables have a set of interesting problems: + +1. Its ACPI tables do make _OSI ("Windows 2012") checks, so + acpi_osi_is_win8() should return true. + + But the tables have 2 sets of _OSI calls, one from the usual global + _INI method setting a global OSYS variable and a second set of _OSI + calls from a MSOS method and the MSOS method is the only one calling + _OSI ("Windows 2012"). + + The MSOS method only gets called in the following cases: + 1. From some Asus specific WMI methods + 2. From _DOD, which only runs after acpi_video_get_backlight_type() + has already been called by the i915 driver + 3. From other ACPI video bus methods which never run (see below) + 4. From some EC query callbacks + + So when i915 calls acpi_video_get_backlight_type() MSOS has never run + and acpi_osi_is_win8() returns false, so acpi_video_get_backlight_type() + returns acpi_video as the desired backlight type, which causes + the intel_backlight device to not register. + +2. _DOD effectively does this: + + Return (Package (0x01) + { + 0x0400 + }) + + causing acpi_video_device_in_dod() to return false, which causes + the acpi_video backlight device to not register. + +Leaving the user with no backlight device at all. Note that before 6.1.y +the i915 driver would register the intel_backlight device unconditionally +and since that then was the only backlight device userspace would use that. + +Add a backlight=native DMI quirk for this special laptop to restore +the old (and working) behavior of the intel_backlight device registering. + +Fixes: fb1836c91317 ("ACPI: video: Prefer native over vendor") +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 4719978b8aa3..04f3b26e3a75 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -600,6 +600,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "GA503"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* Asus U46E */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "U46E"), ++ }, ++ }, + { + .callback = video_detect_force_native, + /* Asus UX303UB */ +-- +2.39.0 + diff --git a/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-hp-eli.patch b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-hp-eli.patch new file mode 100644 index 00000000000..4c4374ea098 --- /dev/null +++ b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-hp-eli.patch @@ -0,0 +1,55 @@ +From 5bd152b6600bbf13f2e60f46ddb39551f3bfa541 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 17:37:44 +0100 +Subject: ACPI: video: Add backlight=native DMI quirk for HP EliteBook 8460p + +From: Hans de Goede + +[ Upstream commit 9dcb34234b8235144c96103266317da33321077e ] + +The HP EliteBook 8460p predates Windows 8, so it defaults to using +acpi_video# for backlight control. + +Starting with the 6.1.y kernels the native radeon_bl0 backlight is hidden +in this case instead of relying on userspace preferring acpi_video# over +native backlight devices. + +It turns out that for the acpi_video# interface to work on +the HP EliteBook 8460p, the brightness needs to be set at least once +through the native interface, which now no longer is done breaking +backlight control. + +The native interface however always works without problems, so add +a quirk to use native backlight on the EliteBook 8460p to fix this. + +Fixes: fb1836c91317 ("ACPI: video: Prefer native over vendor") +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2161428 +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index c20fc7ddca2f..4719978b8aa3 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -608,6 +608,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "UX303UB"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* HP EliteBook 8460p */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP EliteBook 8460p"), ++ }, ++ }, + { + .callback = video_detect_force_native, + /* HP Pavilion g6-1d80nr / B4U19UA */ +-- +2.39.0 + diff --git a/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-hp-pav.patch b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-hp-pav.patch new file mode 100644 index 00000000000..d9ac7d7a005 --- /dev/null +++ b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-hp-pav.patch @@ -0,0 +1,47 @@ +From 49e103e62290a725b7439496ef61c99478f97629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 17:37:43 +0100 +Subject: ACPI: video: Add backlight=native DMI quirk for HP Pavilion g6-1d80nr + +From: Hans de Goede + +[ Upstream commit d77596d432cc4142520af32b5388d512e52e0edb ] + +The HP Pavilion g6-1d80nr predates Windows 8, so it defaults to using +acpi_video# for backlight control, but this is non functional on +this model. + +Add a DMI quirk to use the native backlight interface which does +work properly. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: 9dcb34234b82 ("ACPI: video: Add backlight=native DMI quirk for HP EliteBook 8460p") +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 1db8e68cd8bc..c20fc7ddca2f 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -608,6 +608,15 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "UX303UB"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* HP Pavilion g6-1d80nr / B4U19UA */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion g6 Notebook PC"), ++ DMI_MATCH(DMI_PRODUCT_SKU, "B4U19UA"), ++ }, ++ }, + { + .callback = video_detect_force_native, + /* Samsung N150P */ +-- +2.39.0 + diff --git a/queue-6.1/acpi-video-fix-apple-gmux-detection.patch b/queue-6.1/acpi-video-fix-apple-gmux-detection.patch new file mode 100644 index 00000000000..3f4cc646f46 --- /dev/null +++ b/queue-6.1/acpi-video-fix-apple-gmux-detection.patch @@ -0,0 +1,109 @@ +From 6b82a732fb7b2105e8460ecc50a8444fbe19aba4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:57:54 +0100 +Subject: ACPI: video: Fix apple gmux detection + +From: Hans de Goede + +[ Upstream commit b0935f110cff5d70da05c5cb1670bee0b07b631c ] + +Some apple laptop models have an ACPI device with a HID of APP000B +and that device has an IO resource (so it does not describe the new +unsupported MMIO based gmux type), but there actually is no gmux +in the laptop at all. + +The gmux_probe() function of the actual apple-gmux driver has code +to detect this, this code has been factored out into a new +apple_gmux_detect() helper in apple-gmux.h. + +Use this new function to fix acpi_video_get_backlight_type() wrongly +returning apple_gmux as type on the following laptops: + +MacBookPro5,4 +https://pastebin.com/8Xjq7RhS + +MacBookPro8,1 +https://linux-hardware.org/?probe=e513cfbadb&log=dmesg + +MacBookPro9,2 +https://bugzilla.kernel.org/attachment.cgi?id=278961 + +MacBookPro10,2 +https://lkml.org/lkml/2014/9/22/657 + +MacBookPro11,2 +https://forums.fedora-fr.org/viewtopic.php?id=70142 + +MacBookPro11,4 +https://raw.githubusercontent.com/im-0/investigate-card-reader-suspend-problem-on-mbp11.4/mast + +Fixes: 21245df307cb ("ACPI: video: Add Apple GMUX brightness control detection") +Link: https://lore.kernel.org/platform-driver-x86/20230123113750.462144-1-hdegoede@redhat.com/ +Reported-by: Emmanouil Kouroupakis +Acked-by: Rafael J. Wysocki +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20230124105754.62167-4-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 24 +++--------------------- + 1 file changed, 3 insertions(+), 21 deletions(-) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 04f3b26e3a75..5c32b318c173 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -110,26 +110,6 @@ static bool nvidia_wmi_ec_supported(void) + } + #endif + +-static bool apple_gmux_backlight_present(void) +-{ +- struct acpi_device *adev; +- struct device *dev; +- +- adev = acpi_dev_get_first_match_dev(GMUX_ACPI_HID, NULL, -1); +- if (!adev) +- return false; +- +- dev = acpi_get_first_physical_node(adev); +- if (!dev) +- return false; +- +- /* +- * drivers/platform/x86/apple-gmux.c only supports old style +- * Apple GMUX with an IO-resource. +- */ +- return pnp_get_resource(to_pnp_dev(dev), IORESOURCE_IO, 0) != NULL; +-} +- + /* Force to use vendor driver when the ACPI device is known to be + * buggy */ + static int video_detect_force_vendor(const struct dmi_system_id *d) +@@ -781,6 +761,7 @@ static enum acpi_backlight_type __acpi_video_get_backlight_type(bool native) + { + static DEFINE_MUTEX(init_mutex); + static bool nvidia_wmi_ec_present; ++ static bool apple_gmux_present; + static bool native_available; + static bool init_done; + static long video_caps; +@@ -794,6 +775,7 @@ static enum acpi_backlight_type __acpi_video_get_backlight_type(bool native) + ACPI_UINT32_MAX, find_video, NULL, + &video_caps, NULL); + nvidia_wmi_ec_present = nvidia_wmi_ec_supported(); ++ apple_gmux_present = apple_gmux_detect(NULL, NULL); + init_done = true; + } + if (native) +@@ -815,7 +797,7 @@ static enum acpi_backlight_type __acpi_video_get_backlight_type(bool native) + if (nvidia_wmi_ec_present) + return acpi_backlight_nvidia_wmi_ec; + +- if (apple_gmux_backlight_present()) ++ if (apple_gmux_present) + return acpi_backlight_apple_gmux; + + /* Use ACPI video if available, except when native should be preferred. */ +-- +2.39.0 + diff --git a/queue-6.1/block-ublk-move-ublk_chr_class-destroying-after-devi.patch b/queue-6.1/block-ublk-move-ublk_chr_class-destroying-after-devi.patch new file mode 100644 index 00000000000..d1263d448b3 --- /dev/null +++ b/queue-6.1/block-ublk-move-ublk_chr_class-destroying-after-devi.patch @@ -0,0 +1,53 @@ +From 7b4dcecc4824ebce677162d3c880a2d507554f29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 19:53:46 +0800 +Subject: block: ublk: move ublk_chr_class destroying after devices are removed + +From: Ming Lei + +[ Upstream commit 8e4ff684762b6503db45e8906e258faee080c336 ] + +The 'ublk_chr_class' is needed when deleting ublk char devices in +ublk_exit(), so move it after devices(idle) are removed. + +Fixes the following warning reported by Harris, James R: + +[ 859.178950] sysfs group 'power' not found for kobject 'ublkc0' +[ 859.178962] WARNING: CPU: 3 PID: 1109 at fs/sysfs/group.c:278 sysfs_remove_group+0x9c/0xb0 + +Reported-by: "Harris, James R" +Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") +Link: https://lore.kernel.org/linux-block/Y9JlFmSgDl3+zy3N@T590/T/#t +Signed-off-by: Ming Lei +Tested-by: Jim Harris +Link: https://lore.kernel.org/r/20230126115346.263344-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index 17b677b5d3b2..e54693204630 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -2092,13 +2092,12 @@ static void __exit ublk_exit(void) + struct ublk_device *ub; + int id; + +- class_destroy(ublk_chr_class); +- +- misc_deregister(&ublk_misc); +- + idr_for_each_entry(&ublk_index_idr, ub, id) + ublk_remove(ub); + ++ class_destroy(ublk_chr_class); ++ misc_deregister(&ublk_misc); ++ + idr_destroy(&ublk_index_idr); + unregister_chrdev_region(ublk_chr_devt, UBLK_MINORS); + } +-- +2.39.0 + diff --git a/queue-6.1/drm-drm_vma_manager-add-drm_vma_node_allow_once.patch b/queue-6.1/drm-drm_vma_manager-add-drm_vma_node_allow_once.patch new file mode 100644 index 00000000000..ecc748eea56 --- /dev/null +++ b/queue-6.1/drm-drm_vma_manager-add-drm_vma_node_allow_once.patch @@ -0,0 +1,153 @@ +From 58b2bfa4778c54c09ed6719104d406d42a783bb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 18:52:35 +0100 +Subject: drm/drm_vma_manager: Add drm_vma_node_allow_once() + +From: Nirmoy Das + +[ Upstream commit 899d3a3c19ac0e5da013ce34833dccb97d19b5e4 ] + +Currently there is no easy way for a drm driver to safely check and allow +drm_vma_offset_node for a drm file just once. Allow drm drivers to call +non-refcounted version of drm_vma_node_allow() so that a driver doesn't +need to keep track of each drm_vma_node_allow() to call subsequent +drm_vma_node_revoke() to prevent memory leak. + +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: Thomas Zimmermann +Cc: David Airlie +Cc: Daniel Vetter +Cc: Tvrtko Ursulin +Cc: Andi Shyti + +Suggested-by: Chris Wilson +Signed-off-by: Nirmoy Das +Reviewed-by: Tvrtko Ursulin +Reviewed-by: Andi Shyti +Link: https://lore.kernel.org/r/20230117175236.22317-1-nirmoy.das@intel.com +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_vma_manager.c | 76 ++++++++++++++++++++++--------- + include/drm/drm_vma_manager.h | 1 + + 2 files changed, 55 insertions(+), 22 deletions(-) + +diff --git a/drivers/gpu/drm/drm_vma_manager.c b/drivers/gpu/drm/drm_vma_manager.c +index 7de37f8c68fd..83229a031af0 100644 +--- a/drivers/gpu/drm/drm_vma_manager.c ++++ b/drivers/gpu/drm/drm_vma_manager.c +@@ -240,27 +240,8 @@ void drm_vma_offset_remove(struct drm_vma_offset_manager *mgr, + } + EXPORT_SYMBOL(drm_vma_offset_remove); + +-/** +- * drm_vma_node_allow - Add open-file to list of allowed users +- * @node: Node to modify +- * @tag: Tag of file to remove +- * +- * Add @tag to the list of allowed open-files for this node. If @tag is +- * already on this list, the ref-count is incremented. +- * +- * The list of allowed-users is preserved across drm_vma_offset_add() and +- * drm_vma_offset_remove() calls. You may even call it if the node is currently +- * not added to any offset-manager. +- * +- * You must remove all open-files the same number of times as you added them +- * before destroying the node. Otherwise, you will leak memory. +- * +- * This is locked against concurrent access internally. +- * +- * RETURNS: +- * 0 on success, negative error code on internal failure (out-of-mem) +- */ +-int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag) ++static int vma_node_allow(struct drm_vma_offset_node *node, ++ struct drm_file *tag, bool ref_counted) + { + struct rb_node **iter; + struct rb_node *parent = NULL; +@@ -282,7 +263,8 @@ int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag) + entry = rb_entry(*iter, struct drm_vma_offset_file, vm_rb); + + if (tag == entry->vm_tag) { +- entry->vm_count++; ++ if (ref_counted) ++ entry->vm_count++; + goto unlock; + } else if (tag > entry->vm_tag) { + iter = &(*iter)->rb_right; +@@ -307,8 +289,58 @@ int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag) + kfree(new); + return ret; + } ++ ++/** ++ * drm_vma_node_allow - Add open-file to list of allowed users ++ * @node: Node to modify ++ * @tag: Tag of file to remove ++ * ++ * Add @tag to the list of allowed open-files for this node. If @tag is ++ * already on this list, the ref-count is incremented. ++ * ++ * The list of allowed-users is preserved across drm_vma_offset_add() and ++ * drm_vma_offset_remove() calls. You may even call it if the node is currently ++ * not added to any offset-manager. ++ * ++ * You must remove all open-files the same number of times as you added them ++ * before destroying the node. Otherwise, you will leak memory. ++ * ++ * This is locked against concurrent access internally. ++ * ++ * RETURNS: ++ * 0 on success, negative error code on internal failure (out-of-mem) ++ */ ++int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag) ++{ ++ return vma_node_allow(node, tag, true); ++} + EXPORT_SYMBOL(drm_vma_node_allow); + ++/** ++ * drm_vma_node_allow_once - Add open-file to list of allowed users ++ * @node: Node to modify ++ * @tag: Tag of file to remove ++ * ++ * Add @tag to the list of allowed open-files for this node. ++ * ++ * The list of allowed-users is preserved across drm_vma_offset_add() and ++ * drm_vma_offset_remove() calls. You may even call it if the node is currently ++ * not added to any offset-manager. ++ * ++ * This is not ref-counted unlike drm_vma_node_allow() hence drm_vma_node_revoke() ++ * should only be called once after this. ++ * ++ * This is locked against concurrent access internally. ++ * ++ * RETURNS: ++ * 0 on success, negative error code on internal failure (out-of-mem) ++ */ ++int drm_vma_node_allow_once(struct drm_vma_offset_node *node, struct drm_file *tag) ++{ ++ return vma_node_allow(node, tag, false); ++} ++EXPORT_SYMBOL(drm_vma_node_allow_once); ++ + /** + * drm_vma_node_revoke - Remove open-file from list of allowed users + * @node: Node to modify +diff --git a/include/drm/drm_vma_manager.h b/include/drm/drm_vma_manager.h +index 4f8c35206f7c..6c2a2f21dbf0 100644 +--- a/include/drm/drm_vma_manager.h ++++ b/include/drm/drm_vma_manager.h +@@ -74,6 +74,7 @@ void drm_vma_offset_remove(struct drm_vma_offset_manager *mgr, + struct drm_vma_offset_node *node); + + int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag); ++int drm_vma_node_allow_once(struct drm_vma_offset_node *node, struct drm_file *tag); + void drm_vma_node_revoke(struct drm_vma_offset_node *node, + struct drm_file *tag); + bool drm_vma_node_is_allowed(struct drm_vma_offset_node *node, +-- +2.39.0 + diff --git a/queue-6.1/drm-i915-fix-a-memory-leak-with-reused-mmap_offset.patch b/queue-6.1/drm-i915-fix-a-memory-leak-with-reused-mmap_offset.patch new file mode 100644 index 00000000000..ba3f858f2c8 --- /dev/null +++ b/queue-6.1/drm-i915-fix-a-memory-leak-with-reused-mmap_offset.patch @@ -0,0 +1,49 @@ +From 521da3152406aed7f94bb089d6128be64a5c8e9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 18:52:36 +0100 +Subject: drm/i915: Fix a memory leak with reused mmap_offset + +From: Nirmoy Das + +[ Upstream commit 0220e4fe178c3390eb0291cdb34912d66972db8a ] + +drm_vma_node_allow() and drm_vma_node_revoke() should be called in +balanced pairs. We call drm_vma_node_allow() once per-file everytime a +user calls mmap_offset, but only call drm_vma_node_revoke once per-file +on each mmap_offset. As the mmap_offset is reused by the client, the +per-file vm_count may remain non-zero and the rbtree leaked. + +Call drm_vma_node_allow_once() instead to prevent that memory leak. + +Cc: Tvrtko Ursulin +Cc: Andi Shyti + +Signed-off-by: Nirmoy Das +Fixes: 786555987207 ("drm/i915/gem: Store mmap_offsets in an rbtree rather than a plain list") +Reported-by: Chuansheng Liu +Reported-by: Mirsad Todorovac +Reviewed-by: Tvrtko Ursulin +Reviewed-by: Andi Shyti +Link: https://lore.kernel.org/r/20230117175236.22317-2-nirmoy.das@intel.com +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gem/i915_gem_mman.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c +index 354c1d6dab84..d445e2d63c9c 100644 +--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c +@@ -697,7 +697,7 @@ mmap_offset_attach(struct drm_i915_gem_object *obj, + GEM_BUG_ON(lookup_mmo(obj, mmap_type) != mmo); + out: + if (file) +- drm_vma_node_allow(&mmo->vma_node, file); ++ drm_vma_node_allow_once(&mmo->vma_node, file); + return mmo; + + err: +-- +2.39.0 + diff --git a/queue-6.1/drm-i915-selftest-fix-intel_selftest_modify_policy-a.patch b/queue-6.1/drm-i915-selftest-fix-intel_selftest_modify_policy-a.patch new file mode 100644 index 00000000000..fcc67c74adb --- /dev/null +++ b/queue-6.1/drm-i915-selftest-fix-intel_selftest_modify_policy-a.patch @@ -0,0 +1,51 @@ +From d5ccb4d5960a63d7f209aa66e0c70bce239a9a5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 17:37:29 +0100 +Subject: drm/i915/selftest: fix intel_selftest_modify_policy argument types + +From: Arnd Bergmann + +[ Upstream commit 2255bbcdc39d5b0311968f86614ae4f25fdd465d ] + +The definition of intel_selftest_modify_policy() does not match the +declaration, as gcc-13 points out: + +drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.c:29:5: error: conflicting types for 'intel_selftest_modify_policy' due to enum/integer mismatch; have 'int(struct intel_engine_cs *, struct intel_selftest_saved_policy *, u32)' {aka 'int(struct intel_engine_cs *, struct intel_selftest_saved_policy *, unsigned int)'} [-Werror=enum-int-mismatch] + 29 | int intel_selftest_modify_policy(struct intel_engine_cs *engine, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.c:11: +drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.h:28:5: note: previous declaration of 'intel_selftest_modify_policy' with type 'int(struct intel_engine_cs *, struct intel_selftest_saved_policy *, enum selftest_scheduler_modify)' + 28 | int intel_selftest_modify_policy(struct intel_engine_cs *engine, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Change the type in the definition to match. + +Fixes: 617e87c05c72 ("drm/i915/selftest: Fix hangcheck self test for GuC submission") +Signed-off-by: Arnd Bergmann +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/20230117163743.1003219-1-arnd@kernel.org +(cherry picked from commit 8d7eb8ed3f83f248e01a4f548d9c500a950a2c2d) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.c b/drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.c +index 310fb83c527e..2990dd4d4a0d 100644 +--- a/drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.c ++++ b/drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.c +@@ -28,8 +28,7 @@ struct intel_engine_cs *intel_selftest_find_any_engine(struct intel_gt *gt) + + int intel_selftest_modify_policy(struct intel_engine_cs *engine, + struct intel_selftest_saved_policy *saved, +- u32 modify_type) +- ++ enum selftest_scheduler_modify modify_type) + { + int err; + +-- +2.39.0 + diff --git a/queue-6.1/fix-up-more-non-executable-files-marked-executable.patch b/queue-6.1/fix-up-more-non-executable-files-marked-executable.patch new file mode 100644 index 00000000000..eda4b402aba --- /dev/null +++ b/queue-6.1/fix-up-more-non-executable-files-marked-executable.patch @@ -0,0 +1,44 @@ +From 15acb60ae391ce77168a5ef5d06647674380aa0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jan 2023 11:17:57 -0800 +Subject: Fix up more non-executable files marked executable + +From: Linus Torvalds + +[ Upstream commit c96618275234ad03d44eafe9f8844305bb44fda4 ] + +Joe found another DT file that shouldn't be executable, and that +frustrated me enough that I went hunting with this script: + + git ls-files -s | + grep '^100755' | + cut -f2 | + xargs grep -L '^#!' + +and that found another file that shouldn't have been marked executable +either, despite being in the scripts directory. + +Maybe these two are the last ones at least for now. But I'm sure we'll +be back in a few years, fixing things up again. + +Fixes: 8c6789f4e2d4 ("ASoC: dt-bindings: Add Everest ES8326 audio CODEC") +Fixes: 4d8e5cd233db ("locking/atomics: Fix scripts/atomic/ script permissions") +Reported-by: Joe Perches +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/sound/everest,es8326.yaml | 0 + scripts/atomic/atomics.tbl | 0 + 2 files changed, 0 insertions(+), 0 deletions(-) + mode change 100755 => 100644 Documentation/devicetree/bindings/sound/everest,es8326.yaml + mode change 100755 => 100644 scripts/atomic/atomics.tbl + +diff --git a/Documentation/devicetree/bindings/sound/everest,es8326.yaml b/Documentation/devicetree/bindings/sound/everest,es8326.yaml +old mode 100755 +new mode 100644 +diff --git a/scripts/atomic/atomics.tbl b/scripts/atomic/atomics.tbl +old mode 100755 +new mode 100644 +-- +2.39.0 + diff --git a/queue-6.1/gpio-ep93xx-fix-port-f-hwirq-numbers-in-handler.patch b/queue-6.1/gpio-ep93xx-fix-port-f-hwirq-numbers-in-handler.patch new file mode 100644 index 00000000000..92b56f62d18 --- /dev/null +++ b/queue-6.1/gpio-ep93xx-fix-port-f-hwirq-numbers-in-handler.patch @@ -0,0 +1,37 @@ +From 9b321ecf473c9a6303b4435937f14f9b1bc39f4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 11:30:24 +0300 +Subject: gpio: ep93xx: Fix port F hwirq numbers in handler + +From: Nikita Shubin + +[ Upstream commit 0f04cdbdb210000a97c773b28b598fa8ac3aafa4 ] + +Fix wrong translation of irq numbers in port F handler, as ep93xx hwirqs +increased by 1, we should simply decrease them by 1 in translation. + +Fixes: 482c27273f52 ("ARM: ep93xx: renumber interrupts") +Signed-off-by: Nikita Shubin +Acked-by: Arnd Bergmann +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-ep93xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-ep93xx.c b/drivers/gpio/gpio-ep93xx.c +index 2e1779709113..7edcdc575080 100644 +--- a/drivers/gpio/gpio-ep93xx.c ++++ b/drivers/gpio/gpio-ep93xx.c +@@ -148,7 +148,7 @@ static void ep93xx_gpio_f_irq_handler(struct irq_desc *desc) + */ + struct irq_chip *irqchip = irq_desc_get_chip(desc); + unsigned int irq = irq_desc_get_irq(desc); +- int port_f_idx = ((irq + 1) & 7) ^ 4; /* {19..22,47..50} -> {0..7} */ ++ int port_f_idx = (irq & 7) ^ 4; /* {20..23,48..51} -> {0..7} */ + int gpio_irq = EP93XX_GPIO_F_IRQ_BASE + port_f_idx; + + chained_irq_enter(irqchip, desc); +-- +2.39.0 + diff --git a/queue-6.1/gpio-mxc-unlock-on-error-path-in-mxc_flip_edge.patch b/queue-6.1/gpio-mxc-unlock-on-error-path-in-mxc_flip_edge.patch new file mode 100644 index 00000000000..cc6e40d2f6b --- /dev/null +++ b/queue-6.1/gpio-mxc-unlock-on-error-path-in-mxc_flip_edge.patch @@ -0,0 +1,41 @@ +From 9531a31d0ebdc7d975a36adf7af44b3f2a5f252e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 18:20:26 +0300 +Subject: gpio: mxc: Unlock on error path in mxc_flip_edge() + +From: Dan Carpenter + +[ Upstream commit 37870358616ca7fdb1e90ad1cdd791655ec54414 ] + +We recently added locking to this function but one error path was +over looked. Drop the lock before returning. + +Fixes: e5464277625c ("gpio: mxc: Protect GPIO irqchip RMW with bgpio spinlock") +Signed-off-by: Dan Carpenter +Acked-by: Marek Vasut +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mxc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-mxc.c b/drivers/gpio/gpio-mxc.c +index dd91908c72f1..853d9aa6b3b1 100644 +--- a/drivers/gpio/gpio-mxc.c ++++ b/drivers/gpio/gpio-mxc.c +@@ -236,10 +236,11 @@ static void mxc_flip_edge(struct mxc_gpio_port *port, u32 gpio) + } else { + pr_err("mxc: invalid configuration for GPIO %d: %x\n", + gpio, edge); +- return; ++ goto unlock; + } + writel(val | (edge << (bit << 1)), reg); + ++unlock: + raw_spin_unlock_irqrestore(&port->gc.bgpio_lock, flags); + } + +-- +2.39.0 + diff --git a/queue-6.1/i2c-designware-fix-unbalanced-suspended-flag.patch b/queue-6.1/i2c-designware-fix-unbalanced-suspended-flag.patch new file mode 100644 index 00000000000..909d60b789c --- /dev/null +++ b/queue-6.1/i2c-designware-fix-unbalanced-suspended-flag.patch @@ -0,0 +1,103 @@ +From 29f2a5a9af97d5ee10a7bcd81b697c2672559fd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Dec 2022 13:01:45 +0000 +Subject: i2c: designware: Fix unbalanced suspended flag + +From: Richard Fitzgerald + +[ Upstream commit 75507a319876aba88932e2c7dab58b6c22d89f6b ] + +Ensure that i2c_mark_adapter_suspended() is always balanced by a call to +i2c_mark_adapter_resumed(). + +dw_i2c_plat_resume() must always be called, so that +i2c_mark_adapter_resumed() is called. This is not compatible with +DPM_FLAG_MAY_SKIP_RESUME, so remove the flag. + +Since the controller is always resumed on system resume the +dw_i2c_plat_complete() callback is redundant and has been removed. + +The unbalanced suspended flag was introduced by commit c57813b8b288 +("i2c: designware: Lock the adapter while setting the suspended flag") + +Before that commit, the system and runtime PM used the same functions. The +DPM_FLAG_MAY_SKIP_RESUME was used to skip the system resume if the driver +had been in runtime-suspend. If system resume was skipped, the suspended +flag would be cleared by the next runtime resume. The check of the +suspended flag was _after_ the call to pm_runtime_get_sync() in +i2c_dw_xfer(). So either a system resume or a runtime resume would clear +the flag before it was checked. + +Having introduced the unbalanced suspended flag with that commit, a further +commit 80704a84a9f8 +("i2c: designware: Use the i2c_mark_adapter_suspended/resumed() helpers") + +changed from using a local suspended flag to using the +i2c_mark_adapter_suspended/resumed() functions. These use a flag that is +checked by I2C core code before issuing the transfer to the bus driver, so +there was no opportunity for the bus driver to runtime resume itself before +the flag check. + +Signed-off-by: Richard Fitzgerald +Fixes: c57813b8b288 ("i2c: designware: Lock the adapter while setting the suspended flag") +Reviewed-by: Hans de Goede +Acked-by: Jarkko Nikula +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-platdrv.c | 20 ++------------------ + 1 file changed, 2 insertions(+), 18 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-designware-platdrv.c b/drivers/i2c/busses/i2c-designware-platdrv.c +index ba043b547393..74182db03a88 100644 +--- a/drivers/i2c/busses/i2c-designware-platdrv.c ++++ b/drivers/i2c/busses/i2c-designware-platdrv.c +@@ -351,13 +351,11 @@ static int dw_i2c_plat_probe(struct platform_device *pdev) + + if (dev->flags & ACCESS_NO_IRQ_SUSPEND) { + dev_pm_set_driver_flags(&pdev->dev, +- DPM_FLAG_SMART_PREPARE | +- DPM_FLAG_MAY_SKIP_RESUME); ++ DPM_FLAG_SMART_PREPARE); + } else { + dev_pm_set_driver_flags(&pdev->dev, + DPM_FLAG_SMART_PREPARE | +- DPM_FLAG_SMART_SUSPEND | +- DPM_FLAG_MAY_SKIP_RESUME); ++ DPM_FLAG_SMART_SUSPEND); + } + + device_enable_async_suspend(&pdev->dev); +@@ -419,21 +417,8 @@ static int dw_i2c_plat_prepare(struct device *dev) + */ + return !has_acpi_companion(dev); + } +- +-static void dw_i2c_plat_complete(struct device *dev) +-{ +- /* +- * The device can only be in runtime suspend at this point if it has not +- * been resumed throughout the ending system suspend/resume cycle, so if +- * the platform firmware might mess up with it, request the runtime PM +- * framework to resume it. +- */ +- if (pm_runtime_suspended(dev) && pm_resume_via_firmware()) +- pm_request_resume(dev); +-} + #else + #define dw_i2c_plat_prepare NULL +-#define dw_i2c_plat_complete NULL + #endif + + #ifdef CONFIG_PM +@@ -483,7 +468,6 @@ static int __maybe_unused dw_i2c_plat_resume(struct device *dev) + + static const struct dev_pm_ops dw_i2c_dev_pm_ops = { + .prepare = dw_i2c_plat_prepare, +- .complete = dw_i2c_plat_complete, + SET_LATE_SYSTEM_SLEEP_PM_OPS(dw_i2c_plat_suspend, dw_i2c_plat_resume) + SET_RUNTIME_PM_OPS(dw_i2c_plat_runtime_suspend, dw_i2c_plat_runtime_resume, NULL) + }; +-- +2.39.0 + diff --git a/queue-6.1/i2c-designware-use-casting-of-u64-in-clock-multiplic.patch b/queue-6.1/i2c-designware-use-casting-of-u64-in-clock-multiplic.patch new file mode 100644 index 00000000000..5109041b578 --- /dev/null +++ b/queue-6.1/i2c-designware-use-casting-of-u64-in-clock-multiplic.patch @@ -0,0 +1,66 @@ +From f290052a4a410f1133f7ad205d1b528fdb982545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Dec 2022 19:59:00 +0000 +Subject: i2c: designware: use casting of u64 in clock multiplication to avoid + overflow + +From: Lareine Khawaly + +[ Upstream commit c8c37bc514514999e62a17e95160ed9ebf75ca8d ] + +In functions i2c_dw_scl_lcnt() and i2c_dw_scl_hcnt() may have overflow +by depending on the values of the given parameters including the ic_clk. +For example in our use case where ic_clk is larger than one million, +multiplication of ic_clk * 4700 will result in 32 bit overflow. + +Add cast of u64 to the calculation to avoid multiplication overflow, and +use the corresponding define for divide. + +Fixes: 2373f6b9744d ("i2c-designware: split of i2c-designware.c into core and bus specific parts") +Signed-off-by: Lareine Khawaly +Signed-off-by: Hanna Hawa +Reviewed-by: Andy Shevchenko +Acked-by: Jarkko Nikula +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-common.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-designware-common.c b/drivers/i2c/busses/i2c-designware-common.c +index c023b691441e..bceaf70f4e23 100644 +--- a/drivers/i2c/busses/i2c-designware-common.c ++++ b/drivers/i2c/busses/i2c-designware-common.c +@@ -351,7 +351,8 @@ u32 i2c_dw_scl_hcnt(u32 ic_clk, u32 tSYMBOL, u32 tf, int cond, int offset) + * + * If your hardware is free from tHD;STA issue, try this one. + */ +- return DIV_ROUND_CLOSEST(ic_clk * tSYMBOL, MICRO) - 8 + offset; ++ return DIV_ROUND_CLOSEST_ULL((u64)ic_clk * tSYMBOL, MICRO) - ++ 8 + offset; + else + /* + * Conditional expression: +@@ -367,7 +368,8 @@ u32 i2c_dw_scl_hcnt(u32 ic_clk, u32 tSYMBOL, u32 tf, int cond, int offset) + * The reason why we need to take into account "tf" here, + * is the same as described in i2c_dw_scl_lcnt(). + */ +- return DIV_ROUND_CLOSEST(ic_clk * (tSYMBOL + tf), MICRO) - 3 + offset; ++ return DIV_ROUND_CLOSEST_ULL((u64)ic_clk * (tSYMBOL + tf), MICRO) - ++ 3 + offset; + } + + u32 i2c_dw_scl_lcnt(u32 ic_clk, u32 tLOW, u32 tf, int offset) +@@ -383,7 +385,8 @@ u32 i2c_dw_scl_lcnt(u32 ic_clk, u32 tLOW, u32 tf, int offset) + * account the fall time of SCL signal (tf). Default tf value + * should be 0.3 us, for safety. + */ +- return DIV_ROUND_CLOSEST(ic_clk * (tLOW + tf), MICRO) - 1 + offset; ++ return DIV_ROUND_CLOSEST_ULL((u64)ic_clk * (tLOW + tf), MICRO) - ++ 1 + offset; + } + + int i2c_dw_set_sda_hold(struct dw_i2c_dev *dev) +-- +2.39.0 + diff --git a/queue-6.1/iavf-fix-temporary-deadlock-and-failure-to-set-mac-a.patch b/queue-6.1/iavf-fix-temporary-deadlock-and-failure-to-set-mac-a.patch new file mode 100644 index 00000000000..009506bb6e2 --- /dev/null +++ b/queue-6.1/iavf-fix-temporary-deadlock-and-failure-to-set-mac-a.patch @@ -0,0 +1,432 @@ +From f5864b4ad5fb647abf343f3543fbf6db3b91fee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 23:50:48 +0100 +Subject: iavf: fix temporary deadlock and failure to set MAC address + +From: Michal Schmidt + +[ Upstream commit 4411a608f7c8df000cb1a9f7881982dd8e10839a ] + +We are seeing an issue where setting the MAC address on iavf fails with +EAGAIN after the 2.5s timeout expires in iavf_set_mac(). + +There is the following deadlock scenario: + +iavf_set_mac(), holding rtnl_lock, waits on: + iavf_watchdog_task (within iavf_wq) to send a message to the PF, + and + iavf_adminq_task (within iavf_wq) to receive a response from the PF. +In this adapter state (>=__IAVF_DOWN), these tasks do not need to take +rtnl_lock, but iavf_wq is a global single-threaded workqueue, so they +may get stuck waiting for another adapter's iavf_watchdog_task to run +iavf_init_config_adapter(), which does take rtnl_lock. + +The deadlock resolves itself by the timeout in iavf_set_mac(), +which results in EAGAIN returned to userspace. + +Let's break the deadlock loop by changing iavf_wq into a per-adapter +workqueue, so that one adapter's tasks are not blocked by another's. + +Fixes: 35a2443d0910 ("iavf: Add waiting for response from PF in set mac") +Co-developed-by: Ivan Vecera +Signed-off-by: Ivan Vecera +Signed-off-by: Michal Schmidt +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 +- + .../net/ethernet/intel/iavf/iavf_ethtool.c | 10 +-- + drivers/net/ethernet/intel/iavf/iavf_main.c | 86 +++++++++---------- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 2 +- + 4 files changed, 49 insertions(+), 51 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index 0d1bab4ac1b0..2a9f1eeeb701 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -249,6 +249,7 @@ struct iavf_cloud_filter { + + /* board specific private data structure */ + struct iavf_adapter { ++ struct workqueue_struct *wq; + struct work_struct reset_task; + struct work_struct adminq_task; + struct delayed_work client_task; +@@ -459,7 +460,6 @@ struct iavf_device { + + /* needed by iavf_ethtool.c */ + extern char iavf_driver_name[]; +-extern struct workqueue_struct *iavf_wq; + + static inline const char *iavf_state_str(enum iavf_state_t state) + { +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index a056e1545615..83cfc54a4706 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -532,7 +532,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) + if (changed_flags & IAVF_FLAG_LEGACY_RX) { + if (netif_running(netdev)) { + adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(iavf_wq, &adapter->reset_task); ++ queue_work(adapter->wq, &adapter->reset_task); + } + } + +@@ -672,7 +672,7 @@ static int iavf_set_ringparam(struct net_device *netdev, + + if (netif_running(netdev)) { + adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(iavf_wq, &adapter->reset_task); ++ queue_work(adapter->wq, &adapter->reset_task); + } + + return 0; +@@ -1433,7 +1433,7 @@ static int iavf_add_fdir_ethtool(struct iavf_adapter *adapter, struct ethtool_rx + adapter->aq_required |= IAVF_FLAG_AQ_ADD_FDIR_FILTER; + spin_unlock_bh(&adapter->fdir_fltr_lock); + +- mod_delayed_work(iavf_wq, &adapter->watchdog_task, 0); ++ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0); + + ret: + if (err && fltr) +@@ -1474,7 +1474,7 @@ static int iavf_del_fdir_ethtool(struct iavf_adapter *adapter, struct ethtool_rx + spin_unlock_bh(&adapter->fdir_fltr_lock); + + if (fltr && fltr->state == IAVF_FDIR_FLTR_DEL_REQUEST) +- mod_delayed_work(iavf_wq, &adapter->watchdog_task, 0); ++ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0); + + return err; + } +@@ -1658,7 +1658,7 @@ iavf_set_adv_rss_hash_opt(struct iavf_adapter *adapter, + spin_unlock_bh(&adapter->adv_rss_lock); + + if (!err) +- mod_delayed_work(iavf_wq, &adapter->watchdog_task, 0); ++ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0); + + mutex_unlock(&adapter->crit_lock); + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 260c55951c28..efc7735ece30 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -49,7 +49,6 @@ MODULE_DESCRIPTION("Intel(R) Ethernet Adaptive Virtual Function Network Driver") + MODULE_LICENSE("GPL v2"); + + static const struct net_device_ops iavf_netdev_ops; +-struct workqueue_struct *iavf_wq; + + int iavf_status_to_errno(enum iavf_status status) + { +@@ -277,7 +276,7 @@ void iavf_schedule_reset(struct iavf_adapter *adapter) + if (!(adapter->flags & + (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { + adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(iavf_wq, &adapter->reset_task); ++ queue_work(adapter->wq, &adapter->reset_task); + } + } + +@@ -291,7 +290,7 @@ void iavf_schedule_reset(struct iavf_adapter *adapter) + void iavf_schedule_request_stats(struct iavf_adapter *adapter) + { + adapter->aq_required |= IAVF_FLAG_AQ_REQUEST_STATS; +- mod_delayed_work(iavf_wq, &adapter->watchdog_task, 0); ++ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0); + } + + /** +@@ -411,7 +410,7 @@ static irqreturn_t iavf_msix_aq(int irq, void *data) + + if (adapter->state != __IAVF_REMOVE) + /* schedule work on the private workqueue */ +- queue_work(iavf_wq, &adapter->adminq_task); ++ queue_work(adapter->wq, &adapter->adminq_task); + + return IRQ_HANDLED; + } +@@ -1034,7 +1033,7 @@ int iavf_replace_primary_mac(struct iavf_adapter *adapter, + + /* schedule the watchdog task to immediately process the request */ + if (f) { +- queue_work(iavf_wq, &adapter->watchdog_task.work); ++ queue_work(adapter->wq, &adapter->watchdog_task.work); + return 0; + } + return -ENOMEM; +@@ -1257,7 +1256,7 @@ static void iavf_up_complete(struct iavf_adapter *adapter) + adapter->aq_required |= IAVF_FLAG_AQ_ENABLE_QUEUES; + if (CLIENT_ENABLED(adapter)) + adapter->flags |= IAVF_FLAG_CLIENT_NEEDS_OPEN; +- mod_delayed_work(iavf_wq, &adapter->watchdog_task, 0); ++ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0); + } + + /** +@@ -1414,7 +1413,7 @@ void iavf_down(struct iavf_adapter *adapter) + adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES; + } + +- mod_delayed_work(iavf_wq, &adapter->watchdog_task, 0); ++ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0); + } + + /** +@@ -2248,7 +2247,7 @@ iavf_set_vlan_offload_features(struct iavf_adapter *adapter, + + if (aq_required) { + adapter->aq_required |= aq_required; +- mod_delayed_work(iavf_wq, &adapter->watchdog_task, 0); ++ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0); + } + } + +@@ -2700,7 +2699,7 @@ static void iavf_watchdog_task(struct work_struct *work) + adapter->aq_required = 0; + adapter->current_op = VIRTCHNL_OP_UNKNOWN; + mutex_unlock(&adapter->crit_lock); +- queue_work(iavf_wq, &adapter->reset_task); ++ queue_work(adapter->wq, &adapter->reset_task); + return; + } + +@@ -2708,31 +2707,31 @@ static void iavf_watchdog_task(struct work_struct *work) + case __IAVF_STARTUP: + iavf_startup(adapter); + mutex_unlock(&adapter->crit_lock); +- queue_delayed_work(iavf_wq, &adapter->watchdog_task, ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, + msecs_to_jiffies(30)); + return; + case __IAVF_INIT_VERSION_CHECK: + iavf_init_version_check(adapter); + mutex_unlock(&adapter->crit_lock); +- queue_delayed_work(iavf_wq, &adapter->watchdog_task, ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, + msecs_to_jiffies(30)); + return; + case __IAVF_INIT_GET_RESOURCES: + iavf_init_get_resources(adapter); + mutex_unlock(&adapter->crit_lock); +- queue_delayed_work(iavf_wq, &adapter->watchdog_task, ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, + msecs_to_jiffies(1)); + return; + case __IAVF_INIT_EXTENDED_CAPS: + iavf_init_process_extended_caps(adapter); + mutex_unlock(&adapter->crit_lock); +- queue_delayed_work(iavf_wq, &adapter->watchdog_task, ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, + msecs_to_jiffies(1)); + return; + case __IAVF_INIT_CONFIG_ADAPTER: + iavf_init_config_adapter(adapter); + mutex_unlock(&adapter->crit_lock); +- queue_delayed_work(iavf_wq, &adapter->watchdog_task, ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, + msecs_to_jiffies(1)); + return; + case __IAVF_INIT_FAILED: +@@ -2751,14 +2750,14 @@ static void iavf_watchdog_task(struct work_struct *work) + adapter->flags |= IAVF_FLAG_PF_COMMS_FAILED; + iavf_shutdown_adminq(hw); + mutex_unlock(&adapter->crit_lock); +- queue_delayed_work(iavf_wq, ++ queue_delayed_work(adapter->wq, + &adapter->watchdog_task, (5 * HZ)); + return; + } + /* Try again from failed step*/ + iavf_change_state(adapter, adapter->last_state); + mutex_unlock(&adapter->crit_lock); +- queue_delayed_work(iavf_wq, &adapter->watchdog_task, HZ); ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, HZ); + return; + case __IAVF_COMM_FAILED: + if (test_bit(__IAVF_IN_REMOVE_TASK, +@@ -2789,13 +2788,14 @@ static void iavf_watchdog_task(struct work_struct *work) + adapter->aq_required = 0; + adapter->current_op = VIRTCHNL_OP_UNKNOWN; + mutex_unlock(&adapter->crit_lock); +- queue_delayed_work(iavf_wq, ++ queue_delayed_work(adapter->wq, + &adapter->watchdog_task, + msecs_to_jiffies(10)); + return; + case __IAVF_RESETTING: + mutex_unlock(&adapter->crit_lock); +- queue_delayed_work(iavf_wq, &adapter->watchdog_task, HZ * 2); ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, ++ HZ * 2); + return; + case __IAVF_DOWN: + case __IAVF_DOWN_PENDING: +@@ -2834,9 +2834,9 @@ static void iavf_watchdog_task(struct work_struct *work) + adapter->aq_required = 0; + adapter->current_op = VIRTCHNL_OP_UNKNOWN; + dev_err(&adapter->pdev->dev, "Hardware reset detected\n"); +- queue_work(iavf_wq, &adapter->reset_task); ++ queue_work(adapter->wq, &adapter->reset_task); + mutex_unlock(&adapter->crit_lock); +- queue_delayed_work(iavf_wq, ++ queue_delayed_work(adapter->wq, + &adapter->watchdog_task, HZ * 2); + return; + } +@@ -2845,12 +2845,13 @@ static void iavf_watchdog_task(struct work_struct *work) + mutex_unlock(&adapter->crit_lock); + restart_watchdog: + if (adapter->state >= __IAVF_DOWN) +- queue_work(iavf_wq, &adapter->adminq_task); ++ queue_work(adapter->wq, &adapter->adminq_task); + if (adapter->aq_required) +- queue_delayed_work(iavf_wq, &adapter->watchdog_task, ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, + msecs_to_jiffies(20)); + else +- queue_delayed_work(iavf_wq, &adapter->watchdog_task, HZ * 2); ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, ++ HZ * 2); + } + + /** +@@ -2952,7 +2953,7 @@ static void iavf_reset_task(struct work_struct *work) + */ + if (!mutex_trylock(&adapter->crit_lock)) { + if (adapter->state != __IAVF_REMOVE) +- queue_work(iavf_wq, &adapter->reset_task); ++ queue_work(adapter->wq, &adapter->reset_task); + + goto reset_finish; + } +@@ -3116,7 +3117,7 @@ static void iavf_reset_task(struct work_struct *work) + bitmap_clear(adapter->vsi.active_cvlans, 0, VLAN_N_VID); + bitmap_clear(adapter->vsi.active_svlans, 0, VLAN_N_VID); + +- mod_delayed_work(iavf_wq, &adapter->watchdog_task, 2); ++ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 2); + + /* We were running when the reset started, so we need to restore some + * state here. +@@ -3208,7 +3209,7 @@ static void iavf_adminq_task(struct work_struct *work) + if (adapter->state == __IAVF_REMOVE) + return; + +- queue_work(iavf_wq, &adapter->adminq_task); ++ queue_work(adapter->wq, &adapter->adminq_task); + goto out; + } + +@@ -4349,7 +4350,7 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu) + + if (netif_running(netdev)) { + adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(iavf_wq, &adapter->reset_task); ++ queue_work(adapter->wq, &adapter->reset_task); + } + + return 0; +@@ -4898,6 +4899,13 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + hw = &adapter->hw; + hw->back = adapter; + ++ adapter->wq = alloc_ordered_workqueue("%s", WQ_MEM_RECLAIM, ++ iavf_driver_name); ++ if (!adapter->wq) { ++ err = -ENOMEM; ++ goto err_alloc_wq; ++ } ++ + adapter->msg_enable = BIT(DEFAULT_DEBUG_LEVEL_SHIFT) - 1; + iavf_change_state(adapter, __IAVF_STARTUP); + +@@ -4942,7 +4950,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + INIT_WORK(&adapter->adminq_task, iavf_adminq_task); + INIT_DELAYED_WORK(&adapter->watchdog_task, iavf_watchdog_task); + INIT_DELAYED_WORK(&adapter->client_task, iavf_client_task); +- queue_delayed_work(iavf_wq, &adapter->watchdog_task, ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, + msecs_to_jiffies(5 * (pdev->devfn & 0x07))); + + /* Setup the wait queue for indicating transition to down status */ +@@ -4954,6 +4962,8 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + return 0; + + err_ioremap: ++ destroy_workqueue(adapter->wq); ++err_alloc_wq: + free_netdev(netdev); + err_alloc_etherdev: + pci_disable_pcie_error_reporting(pdev); +@@ -5023,7 +5033,7 @@ static int __maybe_unused iavf_resume(struct device *dev_d) + return err; + } + +- queue_work(iavf_wq, &adapter->reset_task); ++ queue_work(adapter->wq, &adapter->reset_task); + + netif_device_attach(adapter->netdev); + +@@ -5170,6 +5180,8 @@ static void iavf_remove(struct pci_dev *pdev) + } + spin_unlock_bh(&adapter->adv_rss_lock); + ++ destroy_workqueue(adapter->wq); ++ + free_netdev(netdev); + + pci_disable_pcie_error_reporting(pdev); +@@ -5196,24 +5208,11 @@ static struct pci_driver iavf_driver = { + **/ + static int __init iavf_init_module(void) + { +- int ret; +- + pr_info("iavf: %s\n", iavf_driver_string); + + pr_info("%s\n", iavf_copyright); + +- iavf_wq = alloc_workqueue("%s", WQ_UNBOUND | WQ_MEM_RECLAIM, 1, +- iavf_driver_name); +- if (!iavf_wq) { +- pr_err("%s: Failed to create workqueue\n", iavf_driver_name); +- return -ENOMEM; +- } +- +- ret = pci_register_driver(&iavf_driver); +- if (ret) +- destroy_workqueue(iavf_wq); +- +- return ret; ++ return pci_register_driver(&iavf_driver); + } + + module_init(iavf_init_module); +@@ -5227,7 +5226,6 @@ module_init(iavf_init_module); + static void __exit iavf_exit_module(void) + { + pci_unregister_driver(&iavf_driver); +- destroy_workqueue(iavf_wq); + } + + module_exit(iavf_exit_module); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 24a701fd140e..0752fd67c96e 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -1952,7 +1952,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + if (!(adapter->flags & IAVF_FLAG_RESET_PENDING)) { + adapter->flags |= IAVF_FLAG_RESET_PENDING; + dev_info(&adapter->pdev->dev, "Scheduling reset task\n"); +- queue_work(iavf_wq, &adapter->reset_task); ++ queue_work(adapter->wq, &adapter->reset_task); + } + break; + default: +-- +2.39.0 + diff --git a/queue-6.1/iavf-schedule-watchdog-immediately-when-changing-pri.patch b/queue-6.1/iavf-schedule-watchdog-immediately-when-changing-pri.patch new file mode 100644 index 00000000000..b7c41b3642c --- /dev/null +++ b/queue-6.1/iavf-schedule-watchdog-immediately-when-changing-pri.patch @@ -0,0 +1,44 @@ +From 7a95d659cad842b3b0a3e30951597e578fe80069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 09:00:18 +0100 +Subject: iavf: schedule watchdog immediately when changing primary MAC + +From: Stefan Assmann + +[ Upstream commit e2b53ea5a7c1fb484277ad12cd075f502cf03b04 ] + +iavf_replace_primary_mac() utilizes queue_work() to schedule the +watchdog task but that only ensures that the watchdog task is queued +to run. To make sure the watchdog is executed asap use +mod_delayed_work(). + +Without this patch it may take up to 2s until the watchdog task gets +executed, which may cause long delays when setting the MAC address. + +Fixes: a3e839d539e0 ("iavf: Add usage of new virtchnl format to set default MAC") +Signed-off-by: Stefan Assmann +Reviewed-by: Michal Schmidt +Tested-by: Michal Schmidt +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index efc7735ece30..3dad834b9b8e 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1033,7 +1033,7 @@ int iavf_replace_primary_mac(struct iavf_adapter *adapter, + + /* schedule the watchdog task to immediately process the request */ + if (f) { +- queue_work(adapter->wq, &adapter->watchdog_task.work); ++ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0); + return 0; + } + return -ENOMEM; +-- +2.39.0 + diff --git a/queue-6.1/io_uring-always-prep_async-for-drain-requests.patch b/queue-6.1/io_uring-always-prep_async-for-drain-requests.patch new file mode 100644 index 00000000000..a61b1722621 --- /dev/null +++ b/queue-6.1/io_uring-always-prep_async-for-drain-requests.patch @@ -0,0 +1,85 @@ +From 8a5cdc76006684732443d8849efa6589f58d07b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 02:59:11 -0800 +Subject: io_uring: always prep_async for drain requests + +From: Dylan Yudaken + +[ Upstream commit ef5c600adb1d985513d2b612cc90403a148ff287 ] + +Drain requests all go through io_drain_req, which has a quick exit in case +there is nothing pending (ie the drain is not useful). In that case it can +run the issue the request immediately. + +However for safety it queues it through task work. +The problem is that in this case the request is run asynchronously, but +the async work has not been prepared through io_req_prep_async. + +This has not been a problem up to now, as the task work always would run +before returning to userspace, and so the user would not have a chance to +race with it. + +However - with IORING_SETUP_DEFER_TASKRUN - this is no longer the case and +the work might be defered, giving userspace a chance to change data being +referred to in the request. + +Instead _always_ prep_async for drain requests, which is simpler anyway +and removes this issue. + +Cc: stable@vger.kernel.org +Fixes: c0e0d6ba25f1 ("io_uring: add IORING_SETUP_DEFER_TASKRUN") +Signed-off-by: Dylan Yudaken +Link: https://lore.kernel.org/r/20230127105911.2420061-1-dylany@meta.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index 13a60f51b283..862e05e6691d 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1634,17 +1634,12 @@ static __cold void io_drain_req(struct io_kiocb *req) + } + spin_unlock(&ctx->completion_lock); + +- ret = io_req_prep_async(req); +- if (ret) { +-fail: +- io_req_complete_failed(req, ret); +- return; +- } + io_prep_async_link(req); + de = kmalloc(sizeof(*de), GFP_KERNEL); + if (!de) { + ret = -ENOMEM; +- goto fail; ++ io_req_complete_failed(req, ret); ++ return; + } + + spin_lock(&ctx->completion_lock); +@@ -1918,13 +1913,16 @@ static void io_queue_sqe_fallback(struct io_kiocb *req) + req->flags &= ~REQ_F_HARDLINK; + req->flags |= REQ_F_LINK; + io_req_complete_failed(req, req->cqe.res); +- } else if (unlikely(req->ctx->drain_active)) { +- io_drain_req(req); + } else { + int ret = io_req_prep_async(req); + +- if (unlikely(ret)) ++ if (unlikely(ret)) { + io_req_complete_failed(req, ret); ++ return; ++ } ++ ++ if (unlikely(req->ctx->drain_active)) ++ io_drain_req(req); + else + io_queue_iowq(req, NULL); + } +-- +2.39.0 + diff --git a/queue-6.1/io_uring-hold-locks-for-io_req_complete_failed.patch b/queue-6.1/io_uring-hold-locks-for-io_req_complete_failed.patch new file mode 100644 index 00000000000..ee37d52a3b2 --- /dev/null +++ b/queue-6.1/io_uring-hold-locks-for-io_req_complete_failed.patch @@ -0,0 +1,59 @@ +From 761dd8e0fadb91b6002650cadcde2361f615e25f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 11:33:37 +0000 +Subject: io_uring: hold locks for io_req_complete_failed + +From: Pavel Begunkov + +[ Upstream commit e276ae344a770f91912a81c6a338d92efd319be2 ] + +A preparation patch, make sure we always hold uring_lock around +io_req_complete_failed(). The only place deviating from the rule +is io_cancel_defer_files(), queue a tw instead. + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/70760344eadaecf2939287084b9d4ba5c05a6984.1669203009.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Stable-dep-of: ef5c600adb1d ("io_uring: always prep_async for drain requests") +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index 9b1c917c99d9..6b81a0d2d9bc 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -871,9 +871,12 @@ inline void __io_req_complete(struct io_kiocb *req, unsigned issue_flags) + } + + void io_req_complete_failed(struct io_kiocb *req, s32 res) ++ __must_hold(&ctx->uring_lock) + { + const struct io_op_def *def = &io_op_defs[req->opcode]; + ++ lockdep_assert_held(&req->ctx->uring_lock); ++ + req_set_fail(req); + io_req_set_res(req, res, io_put_kbuf(req, IO_URING_F_UNLOCKED)); + if (def->fail) +@@ -1631,6 +1634,7 @@ static u32 io_get_sequence(struct io_kiocb *req) + } + + static __cold void io_drain_req(struct io_kiocb *req) ++ __must_hold(&ctx->uring_lock) + { + struct io_ring_ctx *ctx = req->ctx; + struct io_defer_entry *de; +@@ -2867,7 +2871,7 @@ static __cold bool io_cancel_defer_files(struct io_ring_ctx *ctx, + while (!list_empty(&list)) { + de = list_first_entry(&list, struct io_defer_entry, list); + list_del_init(&de->list); +- io_req_complete_failed(de->req, -ECANCELED); ++ io_req_task_queue_fail(de->req, -ECANCELED); + kfree(de); + } + return true; +-- +2.39.0 + diff --git a/queue-6.1/io_uring-inline-__io_req_complete_post.patch b/queue-6.1/io_uring-inline-__io_req_complete_post.patch new file mode 100644 index 00000000000..3a6a72f070a --- /dev/null +++ b/queue-6.1/io_uring-inline-__io_req_complete_post.patch @@ -0,0 +1,63 @@ +From 55686260bf33ca780c66bbf7ff4cee08baa4ae92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 18:41:06 +0000 +Subject: io_uring: inline __io_req_complete_post() + +From: Pavel Begunkov + +[ Upstream commit f9d567c75ec216447f36da6e855500023504fa04 ] + +There is only one user of __io_req_complete_post(), inline it. + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/ef4c9059950a3da5cf68df00f977f1fd13bd9306.1668597569.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Stable-dep-of: ef5c600adb1d ("io_uring: always prep_async for drain requests") +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 11 +++-------- + io_uring/io_uring.h | 1 - + 2 files changed, 3 insertions(+), 9 deletions(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index b4f9707730b8..9b1c917c99d9 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -854,19 +854,14 @@ static void __io_req_complete_put(struct io_kiocb *req) + } + } + +-void __io_req_complete_post(struct io_kiocb *req) +-{ +- if (!(req->flags & REQ_F_CQE_SKIP)) +- __io_fill_cqe_req(req->ctx, req); +- __io_req_complete_put(req); +-} +- + void io_req_complete_post(struct io_kiocb *req) + { + struct io_ring_ctx *ctx = req->ctx; + + io_cq_lock(ctx); +- __io_req_complete_post(req); ++ if (!(req->flags & REQ_F_CQE_SKIP)) ++ __io_fill_cqe_req(ctx, req); ++ __io_req_complete_put(req); + io_cq_unlock_post(ctx); + } + +diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h +index 56ecc1550476..0cf544ba6656 100644 +--- a/io_uring/io_uring.h ++++ b/io_uring/io_uring.h +@@ -33,7 +33,6 @@ int io_run_local_work(struct io_ring_ctx *ctx); + void io_req_complete_failed(struct io_kiocb *req, s32 res); + void __io_req_complete(struct io_kiocb *req, unsigned issue_flags); + void io_req_complete_post(struct io_kiocb *req); +-void __io_req_complete_post(struct io_kiocb *req); + bool io_post_aux_cqe(struct io_ring_ctx *ctx, u64 user_data, s32 res, u32 cflags, + bool allow_overflow); + bool io_fill_cqe_aux(struct io_ring_ctx *ctx, u64 user_data, s32 res, u32 cflags, +-- +2.39.0 + diff --git a/queue-6.1/io_uring-inline-__io_req_complete_put.patch b/queue-6.1/io_uring-inline-__io_req_complete_put.patch new file mode 100644 index 00000000000..0b0ddeecd22 --- /dev/null +++ b/queue-6.1/io_uring-inline-__io_req_complete_put.patch @@ -0,0 +1,68 @@ +From cc906fdaf1df65bba2aea973182fdb72f86184f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 11:33:40 +0000 +Subject: io_uring: inline __io_req_complete_put() + +From: Pavel Begunkov + +[ Upstream commit fa18fa2272c7469e470dcb7bf838ea50a25494ca ] + +Inline __io_req_complete_put() into io_req_complete_post(), there are no +other users. + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/1923a4dfe80fa877f859a22ed3df2d5fc8ecf02b.1669203009.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Stable-dep-of: ef5c600adb1d ("io_uring: always prep_async for drain requests") +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 20 +++++++------------- + 1 file changed, 7 insertions(+), 13 deletions(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index 50f959ffb55c..13a60f51b283 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -823,15 +823,19 @@ bool io_post_aux_cqe(struct io_ring_ctx *ctx, + return filled; + } + +-static void __io_req_complete_put(struct io_kiocb *req) ++void io_req_complete_post(struct io_kiocb *req) + { ++ struct io_ring_ctx *ctx = req->ctx; ++ ++ io_cq_lock(ctx); ++ if (!(req->flags & REQ_F_CQE_SKIP)) ++ __io_fill_cqe_req(ctx, req); ++ + /* + * If we're the last reference to this request, add to our locked + * free_list cache. + */ + if (req_ref_put_and_test(req)) { +- struct io_ring_ctx *ctx = req->ctx; +- + if (req->flags & IO_REQ_LINK_FLAGS) { + if (req->flags & IO_DISARM_MASK) + io_disarm_next(req); +@@ -852,16 +856,6 @@ static void __io_req_complete_put(struct io_kiocb *req) + wq_list_add_head(&req->comp_list, &ctx->locked_free_list); + ctx->locked_free_nr++; + } +-} +- +-void io_req_complete_post(struct io_kiocb *req) +-{ +- struct io_ring_ctx *ctx = req->ctx; +- +- io_cq_lock(ctx); +- if (!(req->flags & REQ_F_CQE_SKIP)) +- __io_fill_cqe_req(ctx, req); +- __io_req_complete_put(req); + io_cq_unlock_post(ctx); + } + +-- +2.39.0 + diff --git a/queue-6.1/io_uring-inline-io_req_task_work_add.patch b/queue-6.1/io_uring-inline-io_req_task_work_add.patch new file mode 100644 index 00000000000..32d4b8e21e9 --- /dev/null +++ b/queue-6.1/io_uring-inline-io_req_task_work_add.patch @@ -0,0 +1,84 @@ +From 122656ccb50796def87ffbf1a031e644d8ff2c7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 16:54:08 +0000 +Subject: io_uring: inline io_req_task_work_add() + +From: Pavel Begunkov + +[ Upstream commit e52d2e583e4ad1d5d0b804d79c2b8752eb0e5ceb ] + +__io_req_task_work_add() is huge but marked inline, that makes compilers +to generate lots of garbage. Inline the wrapper caller +io_req_task_work_add() instead. + +before and after: + text data bss dec hex filename + 47347 16248 8 63603 f873 io_uring/io_uring.o + text data bss dec hex filename + 45303 16248 8 61559 f077 io_uring/io_uring.o + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/26dc8c28ca0160e3269ef3e55c5a8b917c4d4450.1668162751.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Stable-dep-of: ef5c600adb1d ("io_uring: always prep_async for drain requests") +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 7 +------ + io_uring/io_uring.h | 7 ++++++- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index cea5de98c423..b4f9707730b8 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1133,7 +1133,7 @@ static void io_req_local_work_add(struct io_kiocb *req) + percpu_ref_put(&ctx->refs); + } + +-static inline void __io_req_task_work_add(struct io_kiocb *req, bool allow_local) ++void __io_req_task_work_add(struct io_kiocb *req, bool allow_local) + { + struct io_uring_task *tctx = req->task->io_uring; + struct io_ring_ctx *ctx = req->ctx; +@@ -1165,11 +1165,6 @@ static inline void __io_req_task_work_add(struct io_kiocb *req, bool allow_local + } + } + +-void io_req_task_work_add(struct io_kiocb *req) +-{ +- __io_req_task_work_add(req, true); +-} +- + static void __cold io_move_task_work_from_local(struct io_ring_ctx *ctx) + { + struct llist_node *node; +diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h +index 4334cd30c423..56ecc1550476 100644 +--- a/io_uring/io_uring.h ++++ b/io_uring/io_uring.h +@@ -51,9 +51,9 @@ static inline bool io_req_ffs_set(struct io_kiocb *req) + return req->flags & REQ_F_FIXED_FILE; + } + ++void __io_req_task_work_add(struct io_kiocb *req, bool allow_local); + bool io_is_uring_fops(struct file *file); + bool io_alloc_async_data(struct io_kiocb *req); +-void io_req_task_work_add(struct io_kiocb *req); + void io_req_tw_post_queue(struct io_kiocb *req, s32 res, u32 cflags); + void io_req_task_queue(struct io_kiocb *req); + void io_queue_iowq(struct io_kiocb *req, bool *dont_use); +@@ -83,6 +83,11 @@ bool __io_alloc_req_refill(struct io_ring_ctx *ctx); + bool io_match_task_safe(struct io_kiocb *head, struct task_struct *task, + bool cancel_all); + ++static inline void io_req_task_work_add(struct io_kiocb *req) ++{ ++ __io_req_task_work_add(req, true); ++} ++ + #define io_for_each_link(pos, head) \ + for (pos = (head); pos; pos = pos->link) + +-- +2.39.0 + diff --git a/queue-6.1/io_uring-remove-io_req_tw_post_queue.patch b/queue-6.1/io_uring-remove-io_req_tw_post_queue.patch new file mode 100644 index 00000000000..69a9765f0b7 --- /dev/null +++ b/queue-6.1/io_uring-remove-io_req_tw_post_queue.patch @@ -0,0 +1,104 @@ +From e812e2002a044e876c839e22ab1c406181ea1aaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 11:33:39 +0000 +Subject: io_uring: remove io_req_tw_post_queue + +From: Pavel Begunkov + +[ Upstream commit 833b5dfffc26c81835ce38e2a5df9ac5fa142735 ] + +Remove io_req_tw_post() and io_req_tw_post_queue(), we can use +io_req_task_complete() instead. + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/b9b73c08022c7f1457023ac841f35c0100e70345.1669203009.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Stable-dep-of: ef5c600adb1d ("io_uring: always prep_async for drain requests") +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 12 ------------ + io_uring/io_uring.h | 8 +++++++- + io_uring/timeout.c | 6 +++--- + 3 files changed, 10 insertions(+), 16 deletions(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index 6b81a0d2d9bc..50f959ffb55c 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1236,18 +1236,6 @@ int io_run_local_work(struct io_ring_ctx *ctx) + return ret; + } + +-static void io_req_tw_post(struct io_kiocb *req, bool *locked) +-{ +- io_req_complete_post(req); +-} +- +-void io_req_tw_post_queue(struct io_kiocb *req, s32 res, u32 cflags) +-{ +- io_req_set_res(req, res, cflags); +- req->io_task_work.func = io_req_tw_post; +- io_req_task_work_add(req); +-} +- + static void io_req_task_cancel(struct io_kiocb *req, bool *locked) + { + /* not needed for normal modes, but SQPOLL depends on it */ +diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h +index 0cf544ba6656..90b675c65b84 100644 +--- a/io_uring/io_uring.h ++++ b/io_uring/io_uring.h +@@ -53,7 +53,6 @@ static inline bool io_req_ffs_set(struct io_kiocb *req) + void __io_req_task_work_add(struct io_kiocb *req, bool allow_local); + bool io_is_uring_fops(struct file *file); + bool io_alloc_async_data(struct io_kiocb *req); +-void io_req_tw_post_queue(struct io_kiocb *req, s32 res, u32 cflags); + void io_req_task_queue(struct io_kiocb *req); + void io_queue_iowq(struct io_kiocb *req, bool *dont_use); + void io_req_task_complete(struct io_kiocb *req, bool *locked); +@@ -380,4 +379,11 @@ static inline bool io_allowed_run_tw(struct io_ring_ctx *ctx) + ctx->submitter_task == current); + } + ++static inline void io_req_queue_tw_complete(struct io_kiocb *req, s32 res) ++{ ++ io_req_set_res(req, res, 0); ++ req->io_task_work.func = io_req_task_complete; ++ io_req_task_work_add(req); ++} ++ + #endif +diff --git a/io_uring/timeout.c b/io_uring/timeout.c +index 16b006bbbb11..4c6a5666541c 100644 +--- a/io_uring/timeout.c ++++ b/io_uring/timeout.c +@@ -63,7 +63,7 @@ static bool io_kill_timeout(struct io_kiocb *req, int status) + atomic_set(&req->ctx->cq_timeouts, + atomic_read(&req->ctx->cq_timeouts) + 1); + list_del_init(&timeout->list); +- io_req_tw_post_queue(req, status, 0); ++ io_req_queue_tw_complete(req, status); + return true; + } + return false; +@@ -161,7 +161,7 @@ void io_disarm_next(struct io_kiocb *req) + req->flags &= ~REQ_F_ARM_LTIMEOUT; + if (link && link->opcode == IORING_OP_LINK_TIMEOUT) { + io_remove_next_linked(req); +- io_req_tw_post_queue(link, -ECANCELED, 0); ++ io_req_queue_tw_complete(link, -ECANCELED); + } + } else if (req->flags & REQ_F_LINK_TIMEOUT) { + struct io_ring_ctx *ctx = req->ctx; +@@ -170,7 +170,7 @@ void io_disarm_next(struct io_kiocb *req) + link = io_disarm_linked_timeout(req); + spin_unlock_irq(&ctx->timeout_lock); + if (link) +- io_req_tw_post_queue(link, -ECANCELED, 0); ++ io_req_queue_tw_complete(link, -ECANCELED); + } + if (unlikely((req->flags & REQ_F_FAIL) && + !(req->flags & REQ_F_HARDLINK))) +-- +2.39.0 + diff --git a/queue-6.1/io_uring-use-io_req_task_complete-in-timeout.patch b/queue-6.1/io_uring-use-io_req_task_complete-in-timeout.patch new file mode 100644 index 00000000000..4b3fd2d2241 --- /dev/null +++ b/queue-6.1/io_uring-use-io_req_task_complete-in-timeout.patch @@ -0,0 +1,42 @@ +From bacbb0de50eb243bcf88db754411f5af07c4f1ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 11:33:38 +0000 +Subject: io_uring: use io_req_task_complete() in timeout + +From: Pavel Begunkov + +[ Upstream commit 624fd779fd869bdcb2c0ccca0f09456eed71ed52 ] + +Use a more generic io_req_task_complete() in timeout completion +task_work instead of io_req_complete_post(). + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/bda1710b58c07bf06107421c2a65c529ea9cdcac.1669203009.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Stable-dep-of: ef5c600adb1d ("io_uring: always prep_async for drain requests") +Signed-off-by: Sasha Levin +--- + io_uring/timeout.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/io_uring/timeout.c b/io_uring/timeout.c +index 06200fe73a04..16b006bbbb11 100644 +--- a/io_uring/timeout.c ++++ b/io_uring/timeout.c +@@ -284,11 +284,11 @@ static void io_req_task_link_timeout(struct io_kiocb *req, bool *locked) + ret = io_try_cancel(req->task->io_uring, &cd, issue_flags); + } + io_req_set_res(req, ret ?: -ETIME, 0); +- io_req_complete_post(req); ++ io_req_task_complete(req, locked); + io_put_req(prev); + } else { + io_req_set_res(req, -ETIME, 0); +- io_req_complete_post(req); ++ io_req_task_complete(req, locked); + } + } + +-- +2.39.0 + diff --git a/queue-6.1/ipv4-prevent-potential-spectre-v1-gadget-in-fib_metr.patch b/queue-6.1/ipv4-prevent-potential-spectre-v1-gadget-in-fib_metr.patch new file mode 100644 index 00000000000..36852efbd49 --- /dev/null +++ b/queue-6.1/ipv4-prevent-potential-spectre-v1-gadget-in-fib_metr.patch @@ -0,0 +1,51 @@ +From e20f0629ade7755d891fcec6e49cf0179c0045c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 13:31:40 +0000 +Subject: ipv4: prevent potential spectre v1 gadget in fib_metrics_match() + +From: Eric Dumazet + +[ Upstream commit 5e9398a26a92fc402d82ce1f97cc67d832527da0 ] + +if (!type) + continue; + if (type > RTAX_MAX) + return false; + ... + fi_val = fi->fib_metrics->metrics[type - 1]; + +@type being used as an array index, we need to prevent +cpu speculation or risk leaking kernel memory content. + +Fixes: 5f9ae3d9e7e4 ("ipv4: do metrics match when looking up and deleting a route") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230120133140.3624204-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_semantics.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index ce9ff3c62e84..3bb890a40ed7 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1022,6 +1023,7 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi) + if (type > RTAX_MAX) + return false; + ++ type = array_index_nospec(type, RTAX_MAX + 1); + if (type == RTAX_CC_ALGO) { + char tmp[TCP_CA_NAME_MAX]; + bool ecn_ca = false; +-- +2.39.0 + diff --git a/queue-6.1/ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch b/queue-6.1/ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch new file mode 100644 index 00000000000..62de3d9ef19 --- /dev/null +++ b/queue-6.1/ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch @@ -0,0 +1,50 @@ +From 9621c12bcca3e2159705f8301802faa181af6556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 13:30:40 +0000 +Subject: ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() + +From: Eric Dumazet + +[ Upstream commit 1d1d63b612801b3f0a39b7d4467cad0abd60e5c8 ] + +if (!type) + continue; + if (type > RTAX_MAX) + return -EINVAL; + ... + metrics[type - 1] = val; + +@type being used as an array index, we need to prevent +cpu speculation or risk leaking kernel memory content. + +Fixes: 6cf9dfd3bd62 ("net: fib: move metrics parsing to a helper") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230120133040.3623463-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/metrics.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/metrics.c b/net/ipv4/metrics.c +index 25ea6ac44db9..6a1427916c7d 100644 +--- a/net/ipv4/metrics.c ++++ b/net/ipv4/metrics.c +@@ -1,5 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-only + #include ++#include + #include + #include + #include +@@ -28,6 +29,7 @@ static int ip_metrics_convert(struct net *net, struct nlattr *fc_mx, + return -EINVAL; + } + ++ type = array_index_nospec(type, RTAX_MAX + 1); + if (type == RTAX_CC_ALGO) { + char tmp[TCP_CA_NAME_MAX]; + +-- +2.39.0 + diff --git a/queue-6.1/net-dsa-microchip-fix-probe-of-i2c-connected-ksz8563.patch b/queue-6.1/net-dsa-microchip-fix-probe-of-i2c-connected-ksz8563.patch new file mode 100644 index 00000000000..9c964351340 --- /dev/null +++ b/queue-6.1/net-dsa-microchip-fix-probe-of-i2c-connected-ksz8563.patch @@ -0,0 +1,56 @@ +From f1317d72351fce6867820ddb014d137ac807c9a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 12:09:32 +0100 +Subject: net: dsa: microchip: fix probe of I2C-connected KSZ8563 + +From: Ahmad Fatoum + +[ Upstream commit 360fdc999d92db4a4adbba0db8641396dc9f1b13 ] + +Starting with commit eee16b147121 ("net: dsa: microchip: perform the +compatibility check for dev probed"), the KSZ switch driver now bails +out if it thinks the DT compatible doesn't match the actual chip ID +read back from the hardware: + + ksz9477-switch 1-005f: Device tree specifies chip KSZ9893 but found + KSZ8563, please fix it! + +For the KSZ8563, which used ksz_switch_chips[KSZ9893], this was fine +at first, because it indeed shares the same chip id as the KSZ9893. + +Commit b44908095612 ("net: dsa: microchip: add separate struct +ksz_chip_data for KSZ8563 chip") started differentiating KSZ9893 +compatible chips by consulting the 0x1F register. The resulting breakage +was fixed for the SPI driver in the same commit by introducing the +appropriate ksz_switch_chips[KSZ8563], but not for the I2C driver. + +Fix this for I2C-connected KSZ8563 now to get it probing again. + +Fixes: b44908095612 ("net: dsa: microchip: add separate struct ksz_chip_data for KSZ8563 chip"). +Reviewed-by: Andrew Lunn +Signed-off-by: Ahmad Fatoum +Acked-by: Arun Ramadoss +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230120110933.1151054-1-a.fatoum@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz9477_i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/microchip/ksz9477_i2c.c b/drivers/net/dsa/microchip/ksz9477_i2c.c +index 3763930dc6fc..aae1dadef882 100644 +--- a/drivers/net/dsa/microchip/ksz9477_i2c.c ++++ b/drivers/net/dsa/microchip/ksz9477_i2c.c +@@ -105,7 +105,7 @@ static const struct of_device_id ksz9477_dt_ids[] = { + }, + { + .compatible = "microchip,ksz8563", +- .data = &ksz_switch_chips[KSZ9893] ++ .data = &ksz_switch_chips[KSZ8563] + }, + { + .compatible = "microchip,ksz9567", +-- +2.39.0 + diff --git a/queue-6.1/net-ethernet-adi-adin1110-fix-multicast-offloading.patch b/queue-6.1/net-ethernet-adi-adin1110-fix-multicast-offloading.patch new file mode 100644 index 00000000000..eab6d1f4a02 --- /dev/null +++ b/queue-6.1/net-ethernet-adi-adin1110-fix-multicast-offloading.patch @@ -0,0 +1,40 @@ +From 132efdd6b7599ab2cdc70fa7f41dab5dad67395c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 11:08:46 +0200 +Subject: net: ethernet: adi: adin1110: Fix multicast offloading + +From: Alexandru Tachici + +[ Upstream commit 8a4f6d023221c4b052ddfa1db48b27871bad6e96 ] + +Driver marked broadcast/multicast frames as offloaded incorrectly. +Mark them as offloaded only when HW offloading has been enabled. +This should happen only for ADIN2111 when both ports are bridged +by the software. + +Fixes: bc93e19d088b ("net: ethernet: adi: Add ADIN1110 support") +Signed-off-by: Alexandru Tachici +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230120090846.18172-1-alexandru.tachici@analog.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/adi/adin1110.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c +index 9d8dfe172994..ecce5f7a549f 100644 +--- a/drivers/net/ethernet/adi/adin1110.c ++++ b/drivers/net/ethernet/adi/adin1110.c +@@ -356,7 +356,7 @@ static int adin1110_read_fifo(struct adin1110_port_priv *port_priv) + + if ((port_priv->flags & IFF_ALLMULTI && rxb->pkt_type == PACKET_MULTICAST) || + (port_priv->flags & IFF_BROADCAST && rxb->pkt_type == PACKET_BROADCAST)) +- rxb->offload_fwd_mark = 1; ++ rxb->offload_fwd_mark = port_priv->priv->forwarding; + + netif_rx(rxb); + +-- +2.39.0 + diff --git a/queue-6.1/net-fec-use-page_pool_put_full_page-when-freeing-rx-.patch b/queue-6.1/net-fec-use-page_pool_put_full_page-when-freeing-rx-.patch new file mode 100644 index 00000000000..030a7f060ad --- /dev/null +++ b/queue-6.1/net-fec-use-page_pool_put_full_page-when-freeing-rx-.patch @@ -0,0 +1,193 @@ +From 260c96acebb34f2e8f57bfd6d34001b9b1b6e760 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 12:37:47 +0800 +Subject: net: fec: Use page_pool_put_full_page when freeing rx buffers + +From: Wei Fang + +[ Upstream commit e38553bdc377e3e7a6caa9dd9770d8b644d8dac3 ] + +The page_pool_release_page was used when freeing rx buffers, and this +function just unmaps the page (if mapped) and does not recycle the page. +So after hundreds of down/up the eth0, the system will out of memory. +For more details, please refer to the following reproduce steps and +bug logs. To solve this issue and refer to the doc of page pool, the +page_pool_put_full_page should be used to replace page_pool_release_page. +Because this API will try to recycle the page if the page refcnt equal to +1. After testing 20000 times, the issue can not be reproduced anymore +(about testing 391 times the issue will occur on i.MX8MN-EVK before). + +Reproduce steps: +Create the test script and run the script. The script content is as +follows: +LOOPS=20000 +i=1 +while [ $i -le $LOOPS ] +do + echo "TINFO:ENET $curface up and down test $i times" + org_macaddr=$(cat /sys/class/net/eth0/address) + ifconfig eth0 down + ifconfig eth0 hw ether $org_macaddr up + i=$(expr $i + 1) +done +sleep 5 +if cat /sys/class/net/eth0/operstate | grep 'up';then + echo "TEST PASS" +else + echo "TEST FAIL" +fi + +Bug detail logs: +TINFO:ENET up and down test 391 times +[ 850.471205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL) +[ 853.535318] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready +[ 853.541694] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx +[ 870.590531] page_pool_release_retry() stalled pool shutdown 199 inflight 60 sec +[ 931.006557] page_pool_release_retry() stalled pool shutdown 199 inflight 120 sec +TINFO:ENET up and down test 392 times +[ 991.426544] page_pool_release_retry() stalled pool shutdown 192 inflight 181 sec +[ 1051.838531] page_pool_release_retry() stalled pool shutdown 170 inflight 241 sec +[ 1093.751217] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL) +[ 1096.446520] page_pool_release_retry() stalled pool shutdown 308 inflight 60 sec +[ 1096.831245] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx +[ 1096.839092] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready +[ 1112.254526] page_pool_release_retry() stalled pool shutdown 103 inflight 302 sec +[ 1156.862533] page_pool_release_retry() stalled pool shutdown 308 inflight 120 sec +[ 1172.674516] page_pool_release_retry() stalled pool shutdown 103 inflight 362 sec +[ 1217.278532] page_pool_release_retry() stalled pool shutdown 308 inflight 181 sec +TINFO:ENET up and down test 393 times +[ 1233.086535] page_pool_release_retry() stalled pool shutdown 103 inflight 422 sec +[ 1277.698513] page_pool_release_retry() stalled pool shutdown 308 inflight 241 sec +[ 1293.502525] page_pool_release_retry() stalled pool shutdown 86 inflight 483 sec +[ 1338.110518] page_pool_release_retry() stalled pool shutdown 308 inflight 302 sec +[ 1353.918540] page_pool_release_retry() stalled pool shutdown 32 inflight 543 sec +[ 1361.179205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL) +[ 1364.255298] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx +[ 1364.263189] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready +[ 1371.998532] page_pool_release_retry() stalled pool shutdown 310 inflight 60 sec +[ 1398.530542] page_pool_release_retry() stalled pool shutdown 308 inflight 362 sec +[ 1414.334539] page_pool_release_retry() stalled pool shutdown 16 inflight 604 sec +[ 1432.414520] page_pool_release_retry() stalled pool shutdown 310 inflight 120 sec +[ 1458.942523] page_pool_release_retry() stalled pool shutdown 308 inflight 422 sec +[ 1474.750521] page_pool_release_retry() stalled pool shutdown 16 inflight 664 sec +TINFO:ENET up and down test 394 times +[ 1492.830522] page_pool_release_retry() stalled pool shutdown 310 inflight 181 sec +[ 1519.358519] page_pool_release_retry() stalled pool shutdown 308 inflight 483 sec +[ 1535.166545] page_pool_release_retry() stalled pool shutdown 2 inflight 724 sec +[ 1537.090278] eth_test2.sh invoked oom-killer: gfp_mask=0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), order=0, oom_score_adj=0 +[ 1537.101192] CPU: 3 PID: 2379 Comm: eth_test2.sh Tainted: G C 6.1.1+g56321e101aca #1 +[ 1537.110249] Hardware name: NXP i.MX8MNano EVK board (DT) +[ 1537.115561] Call trace: +[ 1537.118005] dump_backtrace.part.0+0xe0/0xf0 +[ 1537.122289] show_stack+0x18/0x40 +[ 1537.125608] dump_stack_lvl+0x64/0x80 +[ 1537.129276] dump_stack+0x18/0x34 +[ 1537.132592] dump_header+0x44/0x208 +[ 1537.136083] oom_kill_process+0x2b4/0x2c0 +[ 1537.140097] out_of_memory+0xe4/0x594 +[ 1537.143766] __alloc_pages+0xb68/0xd00 +[ 1537.147521] alloc_pages+0xac/0x160 +[ 1537.151013] __get_free_pages+0x14/0x40 +[ 1537.154851] pgd_alloc+0x1c/0x30 +[ 1537.158082] mm_init+0xf8/0x1d0 +[ 1537.161228] mm_alloc+0x48/0x60 +[ 1537.164368] alloc_bprm+0x7c/0x240 +[ 1537.167777] do_execveat_common.isra.0+0x70/0x240 +[ 1537.172486] __arm64_sys_execve+0x40/0x54 +[ 1537.176502] invoke_syscall+0x48/0x114 +[ 1537.180255] el0_svc_common.constprop.0+0xcc/0xec +[ 1537.184964] do_el0_svc+0x2c/0xd0 +[ 1537.188280] el0_svc+0x2c/0x84 +[ 1537.191340] el0t_64_sync_handler+0xf4/0x120 +[ 1537.195613] el0t_64_sync+0x18c/0x190 +[ 1537.199334] Mem-Info: +[ 1537.201620] active_anon:342 inactive_anon:10343 isolated_anon:0 +[ 1537.201620] active_file:54 inactive_file:112 isolated_file:0 +[ 1537.201620] unevictable:0 dirty:0 writeback:0 +[ 1537.201620] slab_reclaimable:2620 slab_unreclaimable:7076 +[ 1537.201620] mapped:1489 shmem:2473 pagetables:466 +[ 1537.201620] sec_pagetables:0 bounce:0 +[ 1537.201620] kernel_misc_reclaimable:0 +[ 1537.201620] free:136672 free_pcp:96 free_cma:129241 +[ 1537.240419] Node 0 active_anon:1368kB inactive_anon:41372kB active_file:216kB inactive_file:5052kB unevictable:0kB isolated(anon):0kB isolated(file):0kB s +[ 1537.271422] Node 0 DMA free:541636kB boost:0kB min:30000kB low:37500kB high:45000kB reserved_highatomic:0KB active_anon:1368kB inactive_anon:41372kB actiB +[ 1537.300219] lowmem_reserve[]: 0 0 0 0 +[ 1537.303929] Node 0 DMA: 1015*4kB (UMEC) 743*8kB (UMEC) 417*16kB (UMEC) 235*32kB (UMEC) 116*64kB (UMEC) 25*128kB (UMEC) 4*256kB (UC) 2*512kB (UC) 0*1024kBB +[ 1537.323938] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=1048576kB +[ 1537.332708] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=32768kB +[ 1537.341292] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB +[ 1537.349776] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=64kB +[ 1537.358087] 2939 total pagecache pages +[ 1537.361876] 0 pages in swap cache +[ 1537.365229] Free swap = 0kB +[ 1537.368147] Total swap = 0kB +[ 1537.371065] 516096 pages RAM +[ 1537.373959] 0 pages HighMem/MovableOnly +[ 1537.377834] 17302 pages reserved +[ 1537.381103] 163840 pages cma reserved +[ 1537.384809] 0 pages hwpoisoned +[ 1537.387902] Tasks state (memory values in pages): +[ 1537.392652] [ pid ] uid tgid total_vm rss pgtables_bytes swapents oom_score_adj name +[ 1537.401356] [ 201] 993 201 1130 72 45056 0 0 rpcbind +[ 1537.409772] [ 202] 0 202 4529 1640 77824 0 -250 systemd-journal +[ 1537.418861] [ 222] 0 222 4691 801 69632 0 -1000 systemd-udevd +[ 1537.427787] [ 248] 994 248 20914 130 65536 0 0 systemd-timesyn +[ 1537.436884] [ 497] 0 497 620 31 49152 0 0 atd +[ 1537.444938] [ 500] 0 500 854 77 53248 0 0 crond +[ 1537.453165] [ 503] 997 503 1470 160 49152 0 -900 dbus-daemon +[ 1537.461908] [ 505] 0 505 633 24 40960 0 0 firmwared +[ 1537.470491] [ 513] 0 513 2507 180 61440 0 0 ofonod +[ 1537.478800] [ 514] 990 514 69640 137 81920 0 0 parsec +[ 1537.487120] [ 533] 0 533 599 39 40960 0 0 syslogd +[ 1537.495518] [ 534] 0 534 4546 148 65536 0 0 systemd-logind +[ 1537.504560] [ 535] 0 535 690 24 45056 0 0 tee-supplicant +[ 1537.513564] [ 540] 996 540 2769 168 61440 0 0 systemd-network +[ 1537.522680] [ 566] 0 566 3878 228 77824 0 0 connmand +[ 1537.531168] [ 645] 998 645 1538 133 57344 0 0 avahi-daemon +[ 1537.540004] [ 646] 998 646 1461 64 57344 0 0 avahi-daemon +[ 1537.548846] [ 648] 992 648 781 41 45056 0 0 rpc.statd +[ 1537.557415] [ 650] 64371 650 590 23 45056 0 0 ninfod +[ 1537.565754] [ 653] 61563 653 555 24 45056 0 0 rdisc +[ 1537.573971] [ 655] 0 655 374569 2999 290816 0 -999 containerd +[ 1537.582621] [ 658] 0 658 1311 20 49152 0 0 agetty +[ 1537.590922] [ 663] 0 663 1529 97 49152 0 0 login +[ 1537.599138] [ 666] 0 666 3430 202 69632 0 0 wpa_supplicant +[ 1537.608147] [ 667] 0 667 2344 96 61440 0 0 systemd-userdbd +[ 1537.617240] [ 677] 0 677 2964 314 65536 0 100 systemd +[ 1537.625651] [ 679] 0 679 3720 646 73728 0 100 (sd-pam) +[ 1537.634138] [ 687] 0 687 1289 403 45056 0 0 sh +[ 1537.642108] [ 789] 0 789 970 93 45056 0 0 eth_test2.sh +[ 1537.650955] [ 2355] 0 2355 2346 94 61440 0 0 systemd-userwor +[ 1537.660046] [ 2356] 0 2356 2346 94 61440 0 0 systemd-userwor +[ 1537.669137] [ 2358] 0 2358 2346 95 57344 0 0 systemd-userwor +[ 1537.678258] [ 2379] 0 2379 970 93 45056 0 0 eth_test2.sh +[ 1537.687098] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/user.slice/user-0.slice/user@0.service,tas0 +[ 1537.703009] Out of memory: Killed process 679 ((sd-pam)) total-vm:14880kB, anon-rss:2584kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:72kB oom_score_ad0 +[ 1553.246526] page_pool_release_retry() stalled pool shutdown 310 inflight 241 sec + +Fixes: 95698ff6177b ("net: fec: using page pool to manage RX buffers") +Signed-off-by: Wei Fang +Reviewed-by: shenwei wang +Reviewed-by: Jesse Brandeburg +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index f250b0df27fb..6f914180f479 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3089,7 +3089,7 @@ static void fec_enet_free_buffers(struct net_device *ndev) + for (q = 0; q < fep->num_rx_queues; q++) { + rxq = fep->rx_queue[q]; + for (i = 0; i < rxq->bd.ring_size; i++) +- page_pool_release_page(rxq->page_pool, rxq->rx_skb_info[i].page); ++ page_pool_put_full_page(rxq->page_pool, rxq->rx_skb_info[i].page, false); + + if (xdp_rxq_info_is_reg(&rxq->xdp_rxq)) + xdp_rxq_info_unreg(&rxq->xdp_rxq); +-- +2.39.0 + diff --git a/queue-6.1/net-fix-uaf-in-netns-ops-registration-error-path.patch b/queue-6.1/net-fix-uaf-in-netns-ops-registration-error-path.patch new file mode 100644 index 00000000000..8bc7090f924 --- /dev/null +++ b/queue-6.1/net-fix-uaf-in-netns-ops-registration-error-path.patch @@ -0,0 +1,84 @@ +From 964a81b4f23aea36f7f0a95f17ca335833df2fb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 19:55:45 +0100 +Subject: net: fix UaF in netns ops registration error path + +From: Paolo Abeni + +[ Upstream commit 71ab9c3e2253619136c31c89dbb2c69305cc89b1 ] + +If net_assign_generic() fails, the current error path in ops_init() tries +to clear the gen pointer slot. Anyway, in such error path, the gen pointer +itself has not been modified yet, and the existing and accessed one is +smaller than the accessed index, causing an out-of-bounds error: + + BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320 + Write of size 8 at addr ffff888109124978 by task modprobe/1018 + + CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014 + Call Trace: + + dump_stack_lvl+0x6a/0x9f + print_address_description.constprop.0+0x86/0x2b5 + print_report+0x11b/0x1fb + kasan_report+0x87/0xc0 + ops_init+0x2de/0x320 + register_pernet_operations+0x2e4/0x750 + register_pernet_subsys+0x24/0x40 + tcf_register_action+0x9f/0x560 + do_one_initcall+0xf9/0x570 + do_init_module+0x190/0x650 + load_module+0x1fa5/0x23c0 + __do_sys_finit_module+0x10d/0x1b0 + do_syscall_64+0x58/0x80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + RIP: 0033:0x7f42518f778d + Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 + 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff + ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48 + RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 + RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d + RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003 + RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 + R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000 + + +This change addresses the issue by skipping the gen pointer +de-reference in the mentioned error-path. + +Found by code inspection and verified with explicit error injection +on a kasan-enabled kernel. + +Fixes: d266935ac43d ("net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed") +Signed-off-by: Paolo Abeni +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/cec4e0f3bb2c77ac03a6154a8508d3930beb5f0f.1674154348.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/net_namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index f64654df71a2..4c1707d0eb9b 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -137,12 +137,12 @@ static int ops_init(const struct pernet_operations *ops, struct net *net) + return 0; + + if (ops->id && ops->size) { +-cleanup: + ng = rcu_dereference_protected(net->gen, + lockdep_is_held(&pernet_ops_rwsem)); + ng->ptr[*ops->id] = NULL; + } + ++cleanup: + kfree(data); + + out: +-- +2.39.0 + diff --git a/queue-6.1/net-mana-fix-irq-name-add-pci-and-queue-number.patch b/queue-6.1/net-mana-fix-irq-name-add-pci-and-queue-number.patch new file mode 100644 index 00000000000..fec12b515dc --- /dev/null +++ b/queue-6.1/net-mana-fix-irq-name-add-pci-and-queue-number.patch @@ -0,0 +1,72 @@ +From eef72925b170a392a8349ced8b0cc9477de12964 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 12:59:10 -0800 +Subject: net: mana: Fix IRQ name - add PCI and queue number + +From: Haiyang Zhang + +[ Upstream commit 20e3028c39a5bf882e91e717da96d14f1acec40e ] + +The PCI and queue number info is missing in IRQ names. + +Add PCI and queue number to IRQ names, to allow CPU affinity +tuning scripts to work. + +Cc: stable@vger.kernel.org +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Signed-off-by: Haiyang Zhang +Reviewed-by: Jesse Brandeburg +Link: https://lore.kernel.org/r/1674161950-19708-1-git-send-email-haiyangz@microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/gdma.h | 3 +++ + drivers/net/ethernet/microsoft/mana/gdma_main.c | 9 ++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/gdma.h b/drivers/net/ethernet/microsoft/mana/gdma.h +index 65c24ee49efd..48b0ab56bdb0 100644 +--- a/drivers/net/ethernet/microsoft/mana/gdma.h ++++ b/drivers/net/ethernet/microsoft/mana/gdma.h +@@ -324,9 +324,12 @@ struct gdma_queue_spec { + }; + }; + ++#define MANA_IRQ_NAME_SZ 32 ++ + struct gdma_irq_context { + void (*handler)(void *arg); + void *arg; ++ char name[MANA_IRQ_NAME_SZ]; + }; + + struct gdma_context { +diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c +index a6f99b4344d9..d674ebda2053 100644 +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1233,13 +1233,20 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev) + gic->handler = NULL; + gic->arg = NULL; + ++ if (!i) ++ snprintf(gic->name, MANA_IRQ_NAME_SZ, "mana_hwc@pci:%s", ++ pci_name(pdev)); ++ else ++ snprintf(gic->name, MANA_IRQ_NAME_SZ, "mana_q%d@pci:%s", ++ i - 1, pci_name(pdev)); ++ + irq = pci_irq_vector(pdev, i); + if (irq < 0) { + err = irq; + goto free_irq; + } + +- err = request_irq(irq, mana_gd_intr, 0, "mana_intr", gic); ++ err = request_irq(irq, mana_gd_intr, 0, gic->name, gic); + if (err) + goto free_irq; + } +-- +2.39.0 + diff --git a/queue-6.1/net-mctp-add-an-explicit-reference-from-a-mctp_sk_ke.patch b/queue-6.1/net-mctp-add-an-explicit-reference-from-a-mctp_sk_ke.patch new file mode 100644 index 00000000000..29c3d3496db --- /dev/null +++ b/queue-6.1/net-mctp-add-an-explicit-reference-from-a-mctp_sk_ke.patch @@ -0,0 +1,70 @@ +From 9ff68b3d6c223b94bd2a69c5f888073d7434ebdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 10:01:03 +0800 +Subject: net: mctp: add an explicit reference from a mctp_sk_key to sock + +From: Jeremy Kerr + +[ Upstream commit de8a6b15d9654c3e4f672d76da9d9df8ee06331d ] + +Currently, we correlate the mctp_sk_key lifetime to the sock lifetime +through the sock hash/unhash operations, but this is pretty tenuous, and +there are cases where we may have a temporary reference to an unhashed +sk. + +This change makes the reference more explicit, by adding a hold on the +sock when it's associated with a mctp_sk_key, released on final key +unref. + +Fixes: 73c618456dc5 ("mctp: locking, lifetime and validity changes for sk_keys") +Signed-off-by: Jeremy Kerr +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index f9a80b82dc51..ce10ba7ae839 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -147,6 +147,7 @@ static struct mctp_sk_key *mctp_key_alloc(struct mctp_sock *msk, + key->valid = true; + spin_lock_init(&key->lock); + refcount_set(&key->refs, 1); ++ sock_hold(key->sk); + + return key; + } +@@ -165,6 +166,7 @@ void mctp_key_unref(struct mctp_sk_key *key) + mctp_dev_release_key(key->dev, key); + spin_unlock_irqrestore(&key->lock, flags); + ++ sock_put(key->sk); + kfree(key); + } + +@@ -419,14 +421,14 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) + * this function. + */ + rc = mctp_key_add(key, msk); +- if (rc) { +- kfree(key); +- } else { ++ if (!rc) + trace_mctp_key_acquire(key); + +- /* we don't need to release key->lock on exit */ +- mctp_key_unref(key); +- } ++ /* we don't need to release key->lock on exit, so ++ * clean up here and suppress the unlock via ++ * setting to NULL ++ */ ++ mctp_key_unref(key); + key = NULL; + + } else { +-- +2.39.0 + diff --git a/queue-6.1/net-mctp-hold-key-reference-when-looking-up-a-genera.patch b/queue-6.1/net-mctp-hold-key-reference-when-looking-up-a-genera.patch new file mode 100644 index 00000000000..4350719cba0 --- /dev/null +++ b/queue-6.1/net-mctp-hold-key-reference-when-looking-up-a-genera.patch @@ -0,0 +1,72 @@ +From 2f4532a0ff059bb344baefb27e9919ef4895edaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 10:01:05 +0800 +Subject: net: mctp: hold key reference when looking up a general key + +From: Paolo Abeni + +[ Upstream commit 6e54ea37e344f145665c2dc3cc534b92529e8de5 ] + +Currently, we have a race where we look up a sock through a "general" +(ie, not directly associated with the (src,dest,tag) tuple) key, then +drop the key reference while still holding the key's sock. + +This change expands the key reference until we've finished using the +sock, and hence the sock reference too. + +Commit message changes from Jeremy Kerr . + +Reported-by: Noam Rathaus +Fixes: 73c618456dc5 ("mctp: locking, lifetime and validity changes for sk_keys") +Signed-off-by: Paolo Abeni +Signed-off-by: Jeremy Kerr +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index ce10ba7ae839..06c0de21984d 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -317,8 +317,8 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb) + + static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) + { ++ struct mctp_sk_key *key, *any_key = NULL; + struct net *net = dev_net(skb->dev); +- struct mctp_sk_key *key; + struct mctp_sock *msk; + struct mctp_hdr *mh; + unsigned long f; +@@ -363,13 +363,11 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) + * key for reassembly - we'll create a more specific + * one for future packets if required (ie, !EOM). + */ +- key = mctp_lookup_key(net, skb, MCTP_ADDR_ANY, &f); +- if (key) { +- msk = container_of(key->sk, ++ any_key = mctp_lookup_key(net, skb, MCTP_ADDR_ANY, &f); ++ if (any_key) { ++ msk = container_of(any_key->sk, + struct mctp_sock, sk); +- spin_unlock_irqrestore(&key->lock, f); +- mctp_key_unref(key); +- key = NULL; ++ spin_unlock_irqrestore(&any_key->lock, f); + } + } + +@@ -475,6 +473,8 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) + spin_unlock_irqrestore(&key->lock, f); + mctp_key_unref(key); + } ++ if (any_key) ++ mctp_key_unref(any_key); + out: + if (rc) + kfree_skb(skb); +-- +2.39.0 + diff --git a/queue-6.1/net-mctp-mark-socks-as-dead-on-unhash-prevent-re-add.patch b/queue-6.1/net-mctp-mark-socks-as-dead-on-unhash-prevent-re-add.patch new file mode 100644 index 00000000000..935b4e07773 --- /dev/null +++ b/queue-6.1/net-mctp-mark-socks-as-dead-on-unhash-prevent-re-add.patch @@ -0,0 +1,66 @@ +From f89bd2af414083464eba0ea996ffe0a4fc699408 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 10:01:06 +0800 +Subject: net: mctp: mark socks as dead on unhash, prevent re-add + +From: Jeremy Kerr + +[ Upstream commit b98e1a04e27fddfdc808bf46fe78eca30db89ab3 ] + +Once a socket has been unhashed, we want to prevent it from being +re-used in a sk_key entry as part of a routing operation. + +This change marks the sk as SOCK_DEAD on unhash, which prevents addition +into the net's key list. + +We need to do this during the key add path, rather than key lookup, as +we release the net keys_lock between those operations. + +Fixes: 4a992bbd3650 ("mctp: Implement message fragmentation & reassembly") +Signed-off-by: Jeremy Kerr +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mctp/af_mctp.c | 1 + + net/mctp/route.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c +index fb6ae3110528..45bbe3e54cc2 100644 +--- a/net/mctp/af_mctp.c ++++ b/net/mctp/af_mctp.c +@@ -577,6 +577,7 @@ static void mctp_sk_unhash(struct sock *sk) + spin_lock_irqsave(&key->lock, fl2); + __mctp_key_remove(key, net, fl2, MCTP_TRACE_KEY_CLOSED); + } ++ sock_set_flag(sk, SOCK_DEAD); + spin_unlock_irqrestore(&net->mctp.keys_lock, flags); + + /* Since there are no more tag allocations (we have removed all of the +diff --git a/net/mctp/route.c b/net/mctp/route.c +index 06c0de21984d..f51a05ec7162 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -179,6 +179,11 @@ static int mctp_key_add(struct mctp_sk_key *key, struct mctp_sock *msk) + + spin_lock_irqsave(&net->mctp.keys_lock, flags); + ++ if (sock_flag(&msk->sk, SOCK_DEAD)) { ++ rc = -EINVAL; ++ goto out_unlock; ++ } ++ + hlist_for_each_entry(tmp, &net->mctp.keys, hlist) { + if (mctp_key_match(tmp, key->local_addr, key->peer_addr, + key->tag)) { +@@ -200,6 +205,7 @@ static int mctp_key_add(struct mctp_sk_key *key, struct mctp_sock *msk) + hlist_add_head(&key->sklist, &msk->keys); + } + ++out_unlock: + spin_unlock_irqrestore(&net->mctp.keys_lock, flags); + + return rc; +-- +2.39.0 + diff --git a/queue-6.1/net-mctp-move-expiry-timer-delete-to-unhash.patch b/queue-6.1/net-mctp-move-expiry-timer-delete-to-unhash.patch new file mode 100644 index 00000000000..bcdce2dd965 --- /dev/null +++ b/queue-6.1/net-mctp-move-expiry-timer-delete-to-unhash.patch @@ -0,0 +1,54 @@ +From 954ef3eed43c433541d33c6ff4cf4b563a0cfbfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 10:01:04 +0800 +Subject: net: mctp: move expiry timer delete to unhash + +From: Jeremy Kerr + +[ Upstream commit 5f41ae6fca9d40ab3cb9b0507931ef7a9b3ea50b ] + +Currently, we delete the key expiry timer (in sk->close) before +unhashing the sk. This means that another thread may find the sk through +its presence on the key list, and re-queue the timer. + +This change moves the timer deletion to the unhash, after we have made +the key no longer observable, so the timer cannot be re-queued. + +Fixes: 7b14e15ae6f4 ("mctp: Implement a timeout for tags") +Signed-off-by: Jeremy Kerr +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mctp/af_mctp.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c +index fc9e728b6333..fb6ae3110528 100644 +--- a/net/mctp/af_mctp.c ++++ b/net/mctp/af_mctp.c +@@ -544,9 +544,6 @@ static int mctp_sk_init(struct sock *sk) + + static void mctp_sk_close(struct sock *sk, long timeout) + { +- struct mctp_sock *msk = container_of(sk, struct mctp_sock, sk); +- +- del_timer_sync(&msk->key_expiry); + sk_common_release(sk); + } + +@@ -581,6 +578,12 @@ static void mctp_sk_unhash(struct sock *sk) + __mctp_key_remove(key, net, fl2, MCTP_TRACE_KEY_CLOSED); + } + spin_unlock_irqrestore(&net->mctp.keys_lock, flags); ++ ++ /* Since there are no more tag allocations (we have removed all of the ++ * keys), stop any pending expiry events. the timer cannot be re-queued ++ * as the sk is no longer observable ++ */ ++ del_timer_sync(&msk->key_expiry); + } + + static struct proto mctp_proto = { +-- +2.39.0 + diff --git a/queue-6.1/net-mdio-mux-meson-g12a-force-internal-phy-off-on-mu.patch b/queue-6.1/net-mdio-mux-meson-g12a-force-internal-phy-off-on-mu.patch new file mode 100644 index 00000000000..9bd92c07609 --- /dev/null +++ b/queue-6.1/net-mdio-mux-meson-g12a-force-internal-phy-off-on-mu.patch @@ -0,0 +1,80 @@ +From 91136a014fad5de37a9a37c37cc93d3795fc12be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:11:57 +0100 +Subject: net: mdio-mux-meson-g12a: force internal PHY off on mux switch + +From: Jerome Brunet + +[ Upstream commit 7083df59abbc2b7500db312cac706493be0273ff ] + +Force the internal PHY off then on when switching to the internal path. +This fixes problems where the PHY ID is not properly set. + +Fixes: 7090425104db ("net: phy: add amlogic g12a mdio mux support") +Suggested-by: Qi Duan +Co-developed-by: Heiner Kallweit +Signed-off-by: Heiner Kallweit +Signed-off-by: Jerome Brunet +Link: https://lore.kernel.org/r/20230124101157.232234-1-jbrunet@baylibre.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-mux-meson-g12a.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/mdio/mdio-mux-meson-g12a.c b/drivers/net/mdio/mdio-mux-meson-g12a.c +index 4a2e94faf57e..c4542ecf5623 100644 +--- a/drivers/net/mdio/mdio-mux-meson-g12a.c ++++ b/drivers/net/mdio/mdio-mux-meson-g12a.c +@@ -4,6 +4,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -150,6 +151,7 @@ static const struct clk_ops g12a_ephy_pll_ops = { + + static int g12a_enable_internal_mdio(struct g12a_mdio_mux *priv) + { ++ u32 value; + int ret; + + /* Enable the phy clock */ +@@ -163,18 +165,25 @@ static int g12a_enable_internal_mdio(struct g12a_mdio_mux *priv) + + /* Initialize ephy control */ + writel(EPHY_G12A_ID, priv->regs + ETH_PHY_CNTL0); +- writel(FIELD_PREP(PHY_CNTL1_ST_MODE, 3) | +- FIELD_PREP(PHY_CNTL1_ST_PHYADD, EPHY_DFLT_ADD) | +- FIELD_PREP(PHY_CNTL1_MII_MODE, EPHY_MODE_RMII) | +- PHY_CNTL1_CLK_EN | +- PHY_CNTL1_CLKFREQ | +- PHY_CNTL1_PHY_ENB, +- priv->regs + ETH_PHY_CNTL1); ++ ++ /* Make sure we get a 0 -> 1 transition on the enable bit */ ++ value = FIELD_PREP(PHY_CNTL1_ST_MODE, 3) | ++ FIELD_PREP(PHY_CNTL1_ST_PHYADD, EPHY_DFLT_ADD) | ++ FIELD_PREP(PHY_CNTL1_MII_MODE, EPHY_MODE_RMII) | ++ PHY_CNTL1_CLK_EN | ++ PHY_CNTL1_CLKFREQ; ++ writel(value, priv->regs + ETH_PHY_CNTL1); + writel(PHY_CNTL2_USE_INTERNAL | + PHY_CNTL2_SMI_SRC_MAC | + PHY_CNTL2_RX_CLK_EPHY, + priv->regs + ETH_PHY_CNTL2); + ++ value |= PHY_CNTL1_PHY_ENB; ++ writel(value, priv->regs + ETH_PHY_CNTL1); ++ ++ /* The phy needs a bit of time to power up */ ++ mdelay(10); ++ + return 0; + } + +-- +2.39.0 + diff --git a/queue-6.1/net-ravb-fix-lack-of-register-setting-after-system-r.patch b/queue-6.1/net-ravb-fix-lack-of-register-setting-after-system-r.patch new file mode 100644 index 00000000000..0f94524b85a --- /dev/null +++ b/queue-6.1/net-ravb-fix-lack-of-register-setting-after-system-r.patch @@ -0,0 +1,51 @@ +From 5ece530b5a2ecdd52e5533b9c9bf89c2a04228e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 09:02:10 +0900 +Subject: net: ravb: Fix lack of register setting after system resumed for Gen3 + +From: Yoshihiro Shimoda + +[ Upstream commit c2b6cdee1d13ffbb24baca3c9b8a572d6b541e4e ] + +After system entered Suspend to RAM, registers setting of this +hardware is reset because the SoC will be turned off. On R-Car Gen3 +(info->ccc_gac), ravb_ptp_init() is called in ravb_probe() only. So, +after system resumed, it lacks of the initial settings for ptp. So, +add ravb_ptp_{init,stop}() into ravb_{resume,suspend}(). + +Fixes: f5d7837f96e5 ("ravb: ptp: Add CONFIG mode support") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Sergey Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index b4e0fc7f65bd..3f61100c02f4 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2973,6 +2973,9 @@ static int __maybe_unused ravb_suspend(struct device *dev) + else + ret = ravb_close(ndev); + ++ if (priv->info->ccc_gac) ++ ravb_ptp_stop(ndev); ++ + return ret; + } + +@@ -3011,6 +3014,9 @@ static int __maybe_unused ravb_resume(struct device *dev) + /* Restore descriptor base address table */ + ravb_write(ndev, priv->desc_bat_dma, DBAT); + ++ if (priv->info->ccc_gac) ++ ravb_ptp_init(ndev, priv->pdev); ++ + if (netif_running(ndev)) { + if (priv->wol_enabled) { + ret = ravb_wol_restore(ndev); +-- +2.39.0 + diff --git a/queue-6.1/net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch b/queue-6.1/net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch new file mode 100644 index 00000000000..f211aae39f4 --- /dev/null +++ b/queue-6.1/net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch @@ -0,0 +1,49 @@ +From 5398a9e0ea3533401855e5ae96eb26f3a3fd766d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 09:02:11 +0900 +Subject: net: ravb: Fix possible hang if RIS2_QFF1 happen + +From: Yoshihiro Shimoda + +[ Upstream commit f3c07758c9007a6bfff5290d9e19d3c41930c897 ] + +Since this driver enables the interrupt by RIC2_QFE1, this driver +should clear the interrupt flag if it happens. Otherwise, the interrupt +causes to hang the system. + +Note that this also fix a minor coding style (a comment indentation) +around the fixed code. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Sergey Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 3f61100c02f4..0f54849a3823 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1101,14 +1101,14 @@ static void ravb_error_interrupt(struct net_device *ndev) + ravb_write(ndev, ~(EIS_QFS | EIS_RESERVED), EIS); + if (eis & EIS_QFS) { + ris2 = ravb_read(ndev, RIS2); +- ravb_write(ndev, ~(RIS2_QFF0 | RIS2_RFFF | RIS2_RESERVED), ++ ravb_write(ndev, ~(RIS2_QFF0 | RIS2_QFF1 | RIS2_RFFF | RIS2_RESERVED), + RIS2); + + /* Receive Descriptor Empty int */ + if (ris2 & RIS2_QFF0) + priv->stats[RAVB_BE].rx_over_errors++; + +- /* Receive Descriptor Empty int */ ++ /* Receive Descriptor Empty int */ + if (ris2 & RIS2_QFF1) + priv->stats[RAVB_NC].rx_over_errors++; + +-- +2.39.0 + diff --git a/queue-6.1/net-sched-sch_taprio-do-not-schedule-in-taprio_reset.patch b/queue-6.1/net-sched-sch_taprio-do-not-schedule-in-taprio_reset.patch new file mode 100644 index 00000000000..b49bd011e4b --- /dev/null +++ b/queue-6.1/net-sched-sch_taprio-do-not-schedule-in-taprio_reset.patch @@ -0,0 +1,89 @@ +From f03a0695383bace6d7af8d44768db75104d1def8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 08:45:52 +0000 +Subject: net/sched: sch_taprio: do not schedule in taprio_reset() + +From: Eric Dumazet + +[ Upstream commit ea4fdbaa2f7798cb25adbe4fd52ffc6356f097bb ] + +As reported by syzbot and hinted by Vinicius, I should not have added +a qdisc_synchronize() call in taprio_reset() + +taprio_reset() can be called with qdisc spinlock held (and BH disabled) +as shown in included syzbot report [1]. + +Only taprio_destroy() needed this synchronization, as explained +in the blamed commit changelog. + +[1] + +BUG: scheduling while atomic: syz-executor150/5091/0x00000202 +2 locks held by syz-executor150/5091: +Modules linked in: +Preemption disabled at: +[<0000000000000000>] 0x0 +Kernel panic - not syncing: scheduling while atomic: panic_on_warn set ... +CPU: 1 PID: 5091 Comm: syz-executor150 Not tainted 6.2.0-rc3-syzkaller-00219-g010a74f52203 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 +Call Trace: + +__dump_stack lib/dump_stack.c:88 [inline] +dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 +panic+0x2cc/0x626 kernel/panic.c:318 +check_panic_on_warn.cold+0x19/0x35 kernel/panic.c:238 +__schedule_bug.cold+0xd5/0xfe kernel/sched/core.c:5836 +schedule_debug kernel/sched/core.c:5865 [inline] +__schedule+0x34e4/0x5450 kernel/sched/core.c:6500 +schedule+0xde/0x1b0 kernel/sched/core.c:6682 +schedule_timeout+0x14e/0x2a0 kernel/time/timer.c:2167 +schedule_timeout_uninterruptible kernel/time/timer.c:2201 [inline] +msleep+0xb6/0x100 kernel/time/timer.c:2322 +qdisc_synchronize include/net/sch_generic.h:1295 [inline] +taprio_reset+0x93/0x270 net/sched/sch_taprio.c:1703 +qdisc_reset+0x10c/0x770 net/sched/sch_generic.c:1022 +dev_reset_queue+0x92/0x130 net/sched/sch_generic.c:1285 +netdev_for_each_tx_queue include/linux/netdevice.h:2464 [inline] +dev_deactivate_many+0x36d/0x9f0 net/sched/sch_generic.c:1351 +dev_deactivate+0xed/0x1b0 net/sched/sch_generic.c:1374 +qdisc_graft+0xe4a/0x1380 net/sched/sch_api.c:1080 +tc_modify_qdisc+0xb6b/0x19a0 net/sched/sch_api.c:1689 +rtnetlink_rcv_msg+0x43e/0xca0 net/core/rtnetlink.c:6141 +netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564 +netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline] +netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356 +netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg+0xd3/0x120 net/socket.c:734 +____sys_sendmsg+0x712/0x8c0 net/socket.c:2476 +___sys_sendmsg+0x110/0x1b0 net/socket.c:2530 +__sys_sendmsg+0xf7/0x1c0 net/socket.c:2559 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] + +Fixes: 3a415d59c1db ("net/sched: sch_taprio: fix possible use-after-free") +Link: https://lore.kernel.org/netdev/167387581653.2747.13878941339893288655.git-patchwork-notify@kernel.org/T/ +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Vinicius Costa Gomes +Link: https://lore.kernel.org/r/20230123084552.574396-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index 9a11a499ea2d..c322a61eaeea 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -1700,7 +1700,6 @@ static void taprio_reset(struct Qdisc *sch) + int i; + + hrtimer_cancel(&q->advance_timer); +- qdisc_synchronize(sch); + + if (q->qdiscs) { + for (i = 0; i < dev->num_tx_queues; i++) +-- +2.39.0 + diff --git a/queue-6.1/net-tg3-resolve-deadlock-in-tg3_reset_task-during-ee.patch b/queue-6.1/net-tg3-resolve-deadlock-in-tg3_reset_task-during-ee.patch new file mode 100644 index 00000000000..bce058a137c --- /dev/null +++ b/queue-6.1/net-tg3-resolve-deadlock-in-tg3_reset_task-during-ee.patch @@ -0,0 +1,119 @@ +From 58f81c2e234e1a8739ea3732604eacbde1c3e2cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 13:53:39 -0500 +Subject: net/tg3: resolve deadlock in tg3_reset_task() during EEH + +From: David Christensen + +[ Upstream commit 6c4ca03bd890566d873e3593b32d034bf2f5a087 ] + +During EEH error injection testing, a deadlock was encountered in the tg3 +driver when tg3_io_error_detected() was attempting to cancel outstanding +reset tasks: + +crash> foreach UN bt +... +PID: 159 TASK: c0000000067c6000 CPU: 8 COMMAND: "eehd" +... + #5 [c00000000681f990] __cancel_work_timer at c00000000019fd18 + #6 [c00000000681fa30] tg3_io_error_detected at c00800000295f098 [tg3] + #7 [c00000000681faf0] eeh_report_error at c00000000004e25c +... + +PID: 290 TASK: c000000036e5f800 CPU: 6 COMMAND: "kworker/6:1" +... + #4 [c00000003721fbc0] rtnl_lock at c000000000c940d8 + #5 [c00000003721fbe0] tg3_reset_task at c008000002969358 [tg3] + #6 [c00000003721fc60] process_one_work at c00000000019e5c4 +... + +PID: 296 TASK: c000000037a65800 CPU: 21 COMMAND: "kworker/21:1" +... + #4 [c000000037247bc0] rtnl_lock at c000000000c940d8 + #5 [c000000037247be0] tg3_reset_task at c008000002969358 [tg3] + #6 [c000000037247c60] process_one_work at c00000000019e5c4 +... + +PID: 655 TASK: c000000036f49000 CPU: 16 COMMAND: "kworker/16:2" +...:1 + + #4 [c0000000373ebbc0] rtnl_lock at c000000000c940d8 + #5 [c0000000373ebbe0] tg3_reset_task at c008000002969358 [tg3] + #6 [c0000000373ebc60] process_one_work at c00000000019e5c4 +... + +Code inspection shows that both tg3_io_error_detected() and +tg3_reset_task() attempt to acquire the RTNL lock at the beginning of +their code blocks. If tg3_reset_task() should happen to execute between +the times when tg3_io_error_deteced() acquires the RTNL lock and +tg3_reset_task_cancel() is called, a deadlock will occur. + +Moving tg3_reset_task_cancel() call earlier within the code block, prior +to acquiring RTNL, prevents this from happening, but also exposes another +deadlock issue where tg3_reset_task() may execute AFTER +tg3_io_error_detected() has executed: + +crash> foreach UN bt +PID: 159 TASK: c0000000067d2000 CPU: 9 COMMAND: "eehd" +... + #4 [c000000006867a60] rtnl_lock at c000000000c940d8 + #5 [c000000006867a80] tg3_io_slot_reset at c0080000026c2ea8 [tg3] + #6 [c000000006867b00] eeh_report_reset at c00000000004de88 +... +PID: 363 TASK: c000000037564000 CPU: 6 COMMAND: "kworker/6:1" +... + #3 [c000000036c1bb70] msleep at c000000000259e6c + #4 [c000000036c1bba0] napi_disable at c000000000c6b848 + #5 [c000000036c1bbe0] tg3_reset_task at c0080000026d942c [tg3] + #6 [c000000036c1bc60] process_one_work at c00000000019e5c4 +... + +This issue can be avoided by aborting tg3_reset_task() if EEH error +recovery is already in progress. + +Fixes: db84bf43ef23 ("tg3: tg3_reset_task() needs to use rtnl_lock to synchronize") +Signed-off-by: David Christensen +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20230124185339.225806-1-drc@linux.vnet.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 4179a12fc881..af9ea5e4371b 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -11174,7 +11174,7 @@ static void tg3_reset_task(struct work_struct *work) + rtnl_lock(); + tg3_full_lock(tp, 0); + +- if (!netif_running(tp->dev)) { ++ if (tp->pcierr_recovery || !netif_running(tp->dev)) { + tg3_flag_clear(tp, RESET_TASK_PENDING); + tg3_full_unlock(tp); + rtnl_unlock(); +@@ -18109,6 +18109,9 @@ static pci_ers_result_t tg3_io_error_detected(struct pci_dev *pdev, + + netdev_info(netdev, "PCI I/O error detected\n"); + ++ /* Want to make sure that the reset task doesn't run */ ++ tg3_reset_task_cancel(tp); ++ + rtnl_lock(); + + /* Could be second call or maybe we don't have netdev yet */ +@@ -18125,9 +18128,6 @@ static pci_ers_result_t tg3_io_error_detected(struct pci_dev *pdev, + + tg3_timer_stop(tp); + +- /* Want to make sure that the reset task doesn't run */ +- tg3_reset_task_cancel(tp); +- + netif_device_detach(netdev); + + /* Clean up software state, even if MMIO is blocked */ +-- +2.39.0 + diff --git a/queue-6.1/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch b/queue-6.1/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch new file mode 100644 index 00000000000..759328650bd --- /dev/null +++ b/queue-6.1/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch @@ -0,0 +1,42 @@ +From 099acc3ff752a5871df012b0698db0d6bfc1c4c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 02:47:19 +0100 +Subject: netfilter: conntrack: fix bug in for_each_sctp_chunk + +From: Sriram Yagnaraman + +[ Upstream commit 98ee0077452527f971567db01386de3c3d97ce13 ] + +skb_header_pointer() will return NULL if offset + sizeof(_sch) exceeds +skb->len, so this offset < skb->len test is redundant. + +if sch->length == 0, this will end up in an infinite loop, add a check +for sch->length > 0 + +Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") +Suggested-by: Florian Westphal +Signed-off-by: Sriram Yagnaraman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_sctp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c +index 3704d1c7d3c2..ee317f9a22e5 100644 +--- a/net/netfilter/nf_conntrack_proto_sctp.c ++++ b/net/netfilter/nf_conntrack_proto_sctp.c +@@ -155,8 +155,8 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) + + #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ + for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ +- (offset) < (skb)->len && \ +- ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ ++ ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) && \ ++ (sch)->length; \ + (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) + + /* Some validity checks to make sure the chunks are fine */ +-- +2.39.0 + diff --git a/queue-6.1/netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch b/queue-6.1/netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch new file mode 100644 index 00000000000..9b9dbba8b61 --- /dev/null +++ b/queue-6.1/netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch @@ -0,0 +1,71 @@ +From ade1966643604beb61fd5d6086feeb9ed2a5adc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 02:47:18 +0100 +Subject: netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE + +From: Sriram Yagnaraman + +[ Upstream commit a9993591fa94246b16b444eea55d84c54608282a ] + +RFC 9260, Sec 8.5.1 states that for ABORT/SHUTDOWN_COMPLETE, the chunk +MUST be accepted if the vtag of the packet matches its own tag and the +T bit is not set OR if it is set to its peer's vtag and the T bit is set +in chunk flags. Otherwise the packet MUST be silently dropped. + +Update vtag verification for ABORT/SHUTDOWN_COMPLETE based on the above +description. + +Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") +Signed-off-by: Sriram Yagnaraman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_sctp.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c +index 5a936334b517..3704d1c7d3c2 100644 +--- a/net/netfilter/nf_conntrack_proto_sctp.c ++++ b/net/netfilter/nf_conntrack_proto_sctp.c +@@ -412,22 +412,29 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct, + for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { + /* Special cases of Verification tag check (Sec 8.5.1) */ + if (sch->type == SCTP_CID_INIT) { +- /* Sec 8.5.1 (A) */ ++ /* (A) vtag MUST be zero */ + if (sh->vtag != 0) + goto out_unlock; + } else if (sch->type == SCTP_CID_ABORT) { +- /* Sec 8.5.1 (B) */ +- if (sh->vtag != ct->proto.sctp.vtag[dir] && +- sh->vtag != ct->proto.sctp.vtag[!dir]) ++ /* (B) vtag MUST match own vtag if T flag is unset OR ++ * MUST match peer's vtag if T flag is set ++ */ ++ if ((!(sch->flags & SCTP_CHUNK_FLAG_T) && ++ sh->vtag != ct->proto.sctp.vtag[dir]) || ++ ((sch->flags & SCTP_CHUNK_FLAG_T) && ++ sh->vtag != ct->proto.sctp.vtag[!dir])) + goto out_unlock; + } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { +- /* Sec 8.5.1 (C) */ +- if (sh->vtag != ct->proto.sctp.vtag[dir] && +- sh->vtag != ct->proto.sctp.vtag[!dir] && +- sch->flags & SCTP_CHUNK_FLAG_T) ++ /* (C) vtag MUST match own vtag if T flag is unset OR ++ * MUST match peer's vtag if T flag is set ++ */ ++ if ((!(sch->flags & SCTP_CHUNK_FLAG_T) && ++ sh->vtag != ct->proto.sctp.vtag[dir]) || ++ ((sch->flags & SCTP_CHUNK_FLAG_T) && ++ sh->vtag != ct->proto.sctp.vtag[!dir])) + goto out_unlock; + } else if (sch->type == SCTP_CID_COOKIE_ECHO) { +- /* Sec 8.5.1 (D) */ ++ /* (D) vtag must be same as init_vtag as found in INIT_ACK */ + if (sh->vtag != ct->proto.sctp.vtag[dir]) + goto out_unlock; + } else if (sch->type == SCTP_CID_HEARTBEAT) { +-- +2.39.0 + diff --git a/queue-6.1/netfilter-nft_set_rbtree-skip-elements-in-transactio.patch b/queue-6.1/netfilter-nft_set_rbtree-skip-elements-in-transactio.patch new file mode 100644 index 00000000000..5bd74774dd6 --- /dev/null +++ b/queue-6.1/netfilter-nft_set_rbtree-skip-elements-in-transactio.patch @@ -0,0 +1,69 @@ +From ea723dc0f0f3aef28f80cf21ecdc7fd207da9da6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 23:49:46 +0100 +Subject: netfilter: nft_set_rbtree: skip elements in transaction from garbage + collection + +From: Pablo Neira Ayuso + +[ Upstream commit 5d235d6ce75c12a7fdee375eb211e4116f7ab01b ] + +Skip interference with an ongoing transaction, do not perform garbage +collection on inactive elements. Reset annotated previous end interval +if the expired element is marked as busy (control plane removed the +element right before expiration). + +Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support") +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_rbtree.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 217225e13faf..19ea4d3c3553 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -563,23 +563,37 @@ static void nft_rbtree_gc(struct work_struct *work) + struct nft_rbtree *priv; + struct rb_node *node; + struct nft_set *set; ++ struct net *net; ++ u8 genmask; + + priv = container_of(work, struct nft_rbtree, gc_work.work); + set = nft_set_container_of(priv); ++ net = read_pnet(&set->net); ++ genmask = nft_genmask_cur(net); + + write_lock_bh(&priv->lock); + write_seqcount_begin(&priv->count); + for (node = rb_first(&priv->root); node != NULL; node = rb_next(node)) { + rbe = rb_entry(node, struct nft_rbtree_elem, node); + ++ if (!nft_set_elem_active(&rbe->ext, genmask)) ++ continue; ++ ++ /* elements are reversed in the rbtree for historical reasons, ++ * from highest to lowest value, that is why end element is ++ * always visited before the start element. ++ */ + if (nft_rbtree_interval_end(rbe)) { + rbe_end = rbe; + continue; + } + if (!nft_set_elem_expired(&rbe->ext)) + continue; +- if (nft_set_elem_mark_busy(&rbe->ext)) ++ ++ if (nft_set_elem_mark_busy(&rbe->ext)) { ++ rbe_end = NULL; + continue; ++ } + + if (rbe_prev) { + rb_erase(&rbe_prev->node, &priv->root); +-- +2.39.0 + diff --git a/queue-6.1/netfilter-nft_set_rbtree-switch-to-node-list-walk-fo.patch b/queue-6.1/netfilter-nft_set_rbtree-switch-to-node-list-walk-fo.patch new file mode 100644 index 00000000000..ac82555ca91 --- /dev/null +++ b/queue-6.1/netfilter-nft_set_rbtree-switch-to-node-list-walk-fo.patch @@ -0,0 +1,428 @@ +From 9f87832504255d7ed7e17505e08c88730cc934ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 23:38:32 +0100 +Subject: netfilter: nft_set_rbtree: Switch to node list walk for overlap + detection + +From: Pablo Neira Ayuso + +[ Upstream commit c9e6978e2725a7d4b6cd23b2facd3f11422c0643 ] + +...instead of a tree descent, which became overly complicated in an +attempt to cover cases where expired or inactive elements would affect +comparisons with the new element being inserted. + +Further, it turned out that it's probably impossible to cover all those +cases, as inactive nodes might entirely hide subtrees consisting of a +complete interval plus a node that makes the current insertion not +overlap. + +To speed up the overlap check, descent the tree to find a greater +element that is closer to the key value to insert. Then walk down the +node list for overlap detection. Starting the overlap check from +rb_first() unconditionally is slow, it takes 10 times longer due to the +full linear traversal of the list. + +Moreover, perform garbage collection of expired elements when walking +down the node list to avoid bogus overlap reports. + +For the insertion operation itself, this essentially reverts back to the +implementation before commit 7c84d41416d8 ("netfilter: nft_set_rbtree: +Detect partial overlaps on insertion"), except that cases of complete +overlap are already handled in the overlap detection phase itself, which +slightly simplifies the loop to find the insertion point. + +Based on initial patch from Stefano Brivio, including text from the +original patch description too. + +Fixes: 7c84d41416d8 ("netfilter: nft_set_rbtree: Detect partial overlaps on insertion") +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_rbtree.c | 316 ++++++++++++++++++++------------- + 1 file changed, 189 insertions(+), 127 deletions(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 7325bee7d144..217225e13faf 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -38,10 +38,12 @@ static bool nft_rbtree_interval_start(const struct nft_rbtree_elem *rbe) + return !nft_rbtree_interval_end(rbe); + } + +-static bool nft_rbtree_equal(const struct nft_set *set, const void *this, +- const struct nft_rbtree_elem *interval) ++static int nft_rbtree_cmp(const struct nft_set *set, ++ const struct nft_rbtree_elem *e1, ++ const struct nft_rbtree_elem *e2) + { +- return memcmp(this, nft_set_ext_key(&interval->ext), set->klen) == 0; ++ return memcmp(nft_set_ext_key(&e1->ext), nft_set_ext_key(&e2->ext), ++ set->klen); + } + + static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set, +@@ -52,7 +54,6 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set + const struct nft_rbtree_elem *rbe, *interval = NULL; + u8 genmask = nft_genmask_cur(net); + const struct rb_node *parent; +- const void *this; + int d; + + parent = rcu_dereference_raw(priv->root.rb_node); +@@ -62,12 +63,11 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set + + rbe = rb_entry(parent, struct nft_rbtree_elem, node); + +- this = nft_set_ext_key(&rbe->ext); +- d = memcmp(this, key, set->klen); ++ d = memcmp(nft_set_ext_key(&rbe->ext), key, set->klen); + if (d < 0) { + parent = rcu_dereference_raw(parent->rb_left); + if (interval && +- nft_rbtree_equal(set, this, interval) && ++ !nft_rbtree_cmp(set, rbe, interval) && + nft_rbtree_interval_end(rbe) && + nft_rbtree_interval_start(interval)) + continue; +@@ -215,154 +215,216 @@ static void *nft_rbtree_get(const struct net *net, const struct nft_set *set, + return rbe; + } + ++static int nft_rbtree_gc_elem(const struct nft_set *__set, ++ struct nft_rbtree *priv, ++ struct nft_rbtree_elem *rbe) ++{ ++ struct nft_set *set = (struct nft_set *)__set; ++ struct rb_node *prev = rb_prev(&rbe->node); ++ struct nft_rbtree_elem *rbe_prev; ++ struct nft_set_gc_batch *gcb; ++ ++ gcb = nft_set_gc_batch_check(set, NULL, GFP_ATOMIC); ++ if (!gcb) ++ return -ENOMEM; ++ ++ /* search for expired end interval coming before this element. */ ++ do { ++ rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node); ++ if (nft_rbtree_interval_end(rbe_prev)) ++ break; ++ ++ prev = rb_prev(prev); ++ } while (prev != NULL); ++ ++ rb_erase(&rbe_prev->node, &priv->root); ++ rb_erase(&rbe->node, &priv->root); ++ atomic_sub(2, &set->nelems); ++ ++ nft_set_gc_batch_add(gcb, rbe); ++ nft_set_gc_batch_complete(gcb); ++ ++ return 0; ++} ++ ++static bool nft_rbtree_update_first(const struct nft_set *set, ++ struct nft_rbtree_elem *rbe, ++ struct rb_node *first) ++{ ++ struct nft_rbtree_elem *first_elem; ++ ++ first_elem = rb_entry(first, struct nft_rbtree_elem, node); ++ /* this element is closest to where the new element is to be inserted: ++ * update the first element for the node list path. ++ */ ++ if (nft_rbtree_cmp(set, rbe, first_elem) < 0) ++ return true; ++ ++ return false; ++} ++ + static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, + struct nft_rbtree_elem *new, + struct nft_set_ext **ext) + { +- bool overlap = false, dup_end_left = false, dup_end_right = false; ++ struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL; ++ struct rb_node *node, *parent, **p, *first = NULL; + struct nft_rbtree *priv = nft_set_priv(set); + u8 genmask = nft_genmask_next(net); +- struct nft_rbtree_elem *rbe; +- struct rb_node *parent, **p; +- int d; ++ int d, err; + +- /* Detect overlaps as we descend the tree. Set the flag in these cases: +- * +- * a1. _ _ __>| ?_ _ __| (insert end before existing end) +- * a2. _ _ ___| ?_ _ _>| (insert end after existing end) +- * a3. _ _ ___? >|_ _ __| (insert start before existing end) +- * +- * and clear it later on, as we eventually reach the points indicated by +- * '?' above, in the cases described below. We'll always meet these +- * later, locally, due to tree ordering, and overlaps for the intervals +- * that are the closest together are always evaluated last. +- * +- * b1. _ _ __>| !_ _ __| (insert end before existing start) +- * b2. _ _ ___| !_ _ _>| (insert end after existing start) +- * b3. _ _ ___! >|_ _ __| (insert start after existing end, as a leaf) +- * '--' no nodes falling in this range +- * b4. >|_ _ ! (insert start before existing start) +- * +- * Case a3. resolves to b3.: +- * - if the inserted start element is the leftmost, because the '0' +- * element in the tree serves as end element +- * - otherwise, if an existing end is found immediately to the left. If +- * there are existing nodes in between, we need to further descend the +- * tree before we can conclude the new start isn't causing an overlap +- * +- * or to b4., which, preceded by a3., means we already traversed one or +- * more existing intervals entirely, from the right. +- * +- * For a new, rightmost pair of elements, we'll hit cases b3. and b2., +- * in that order. +- * +- * The flag is also cleared in two special cases: +- * +- * b5. |__ _ _!|<_ _ _ (insert start right before existing end) +- * b6. |__ _ >|!__ _ _ (insert end right after existing start) +- * +- * which always happen as last step and imply that no further +- * overlapping is possible. +- * +- * Another special case comes from the fact that start elements matching +- * an already existing start element are allowed: insertion is not +- * performed but we return -EEXIST in that case, and the error will be +- * cleared by the caller if NLM_F_EXCL is not present in the request. +- * This way, request for insertion of an exact overlap isn't reported as +- * error to userspace if not desired. +- * +- * However, if the existing start matches a pre-existing start, but the +- * end element doesn't match the corresponding pre-existing end element, +- * we need to report a partial overlap. This is a local condition that +- * can be noticed without need for a tracking flag, by checking for a +- * local duplicated end for a corresponding start, from left and right, +- * separately. ++ /* Descend the tree to search for an existing element greater than the ++ * key value to insert that is greater than the new element. This is the ++ * first element to walk the ordered elements to find possible overlap. + */ +- + parent = NULL; + p = &priv->root.rb_node; + while (*p != NULL) { + parent = *p; + rbe = rb_entry(parent, struct nft_rbtree_elem, node); +- d = memcmp(nft_set_ext_key(&rbe->ext), +- nft_set_ext_key(&new->ext), +- set->klen); ++ d = nft_rbtree_cmp(set, rbe, new); ++ + if (d < 0) { + p = &parent->rb_left; +- +- if (nft_rbtree_interval_start(new)) { +- if (nft_rbtree_interval_end(rbe) && +- nft_set_elem_active(&rbe->ext, genmask) && +- !nft_set_elem_expired(&rbe->ext) && !*p) +- overlap = false; +- } else { +- if (dup_end_left && !*p) +- return -ENOTEMPTY; +- +- overlap = nft_rbtree_interval_end(rbe) && +- nft_set_elem_active(&rbe->ext, +- genmask) && +- !nft_set_elem_expired(&rbe->ext); +- +- if (overlap) { +- dup_end_right = true; +- continue; +- } +- } + } else if (d > 0) { +- p = &parent->rb_right; ++ if (!first || ++ nft_rbtree_update_first(set, rbe, first)) ++ first = &rbe->node; + +- if (nft_rbtree_interval_end(new)) { +- if (dup_end_right && !*p) +- return -ENOTEMPTY; +- +- overlap = nft_rbtree_interval_end(rbe) && +- nft_set_elem_active(&rbe->ext, +- genmask) && +- !nft_set_elem_expired(&rbe->ext); +- +- if (overlap) { +- dup_end_left = true; +- continue; +- } +- } else if (nft_set_elem_active(&rbe->ext, genmask) && +- !nft_set_elem_expired(&rbe->ext)) { +- overlap = nft_rbtree_interval_end(rbe); +- } ++ p = &parent->rb_right; + } else { +- if (nft_rbtree_interval_end(rbe) && +- nft_rbtree_interval_start(new)) { ++ if (nft_rbtree_interval_end(rbe)) + p = &parent->rb_left; +- +- if (nft_set_elem_active(&rbe->ext, genmask) && +- !nft_set_elem_expired(&rbe->ext)) +- overlap = false; +- } else if (nft_rbtree_interval_start(rbe) && +- nft_rbtree_interval_end(new)) { ++ else + p = &parent->rb_right; ++ } ++ } ++ ++ if (!first) ++ first = rb_first(&priv->root); ++ ++ /* Detect overlap by going through the list of valid tree nodes. ++ * Values stored in the tree are in reversed order, starting from ++ * highest to lowest value. ++ */ ++ for (node = first; node != NULL; node = rb_next(node)) { ++ rbe = rb_entry(node, struct nft_rbtree_elem, node); ++ ++ if (!nft_set_elem_active(&rbe->ext, genmask)) ++ continue; + +- if (nft_set_elem_active(&rbe->ext, genmask) && +- !nft_set_elem_expired(&rbe->ext)) +- overlap = false; +- } else if (nft_set_elem_active(&rbe->ext, genmask) && +- !nft_set_elem_expired(&rbe->ext)) { +- *ext = &rbe->ext; +- return -EEXIST; +- } else { +- overlap = false; +- if (nft_rbtree_interval_end(rbe)) +- p = &parent->rb_left; +- else +- p = &parent->rb_right; ++ /* perform garbage collection to avoid bogus overlap reports. */ ++ if (nft_set_elem_expired(&rbe->ext)) { ++ err = nft_rbtree_gc_elem(set, priv, rbe); ++ if (err < 0) ++ return err; ++ ++ continue; ++ } ++ ++ d = nft_rbtree_cmp(set, rbe, new); ++ if (d == 0) { ++ /* Matching end element: no need to look for an ++ * overlapping greater or equal element. ++ */ ++ if (nft_rbtree_interval_end(rbe)) { ++ rbe_le = rbe; ++ break; ++ } ++ ++ /* first element that is greater or equal to key value. */ ++ if (!rbe_ge) { ++ rbe_ge = rbe; ++ continue; ++ } ++ ++ /* this is a closer more or equal element, update it. */ ++ if (nft_rbtree_cmp(set, rbe_ge, new) != 0) { ++ rbe_ge = rbe; ++ continue; + } ++ ++ /* element is equal to key value, make sure flags are ++ * the same, an existing more or equal start element ++ * must not be replaced by more or equal end element. ++ */ ++ if ((nft_rbtree_interval_start(new) && ++ nft_rbtree_interval_start(rbe_ge)) || ++ (nft_rbtree_interval_end(new) && ++ nft_rbtree_interval_end(rbe_ge))) { ++ rbe_ge = rbe; ++ continue; ++ } ++ } else if (d > 0) { ++ /* annotate element greater than the new element. */ ++ rbe_ge = rbe; ++ continue; ++ } else if (d < 0) { ++ /* annotate element less than the new element. */ ++ rbe_le = rbe; ++ break; + } ++ } + +- dup_end_left = dup_end_right = false; ++ /* - new start element matching existing start element: full overlap ++ * reported as -EEXIST, cleared by caller if NLM_F_EXCL is not given. ++ */ ++ if (rbe_ge && !nft_rbtree_cmp(set, new, rbe_ge) && ++ nft_rbtree_interval_start(rbe_ge) == nft_rbtree_interval_start(new)) { ++ *ext = &rbe_ge->ext; ++ return -EEXIST; ++ } ++ ++ /* - new end element matching existing end element: full overlap ++ * reported as -EEXIST, cleared by caller if NLM_F_EXCL is not given. ++ */ ++ if (rbe_le && !nft_rbtree_cmp(set, new, rbe_le) && ++ nft_rbtree_interval_end(rbe_le) == nft_rbtree_interval_end(new)) { ++ *ext = &rbe_le->ext; ++ return -EEXIST; + } + +- if (overlap) ++ /* - new start element with existing closest, less or equal key value ++ * being a start element: partial overlap, reported as -ENOTEMPTY. ++ * Anonymous sets allow for two consecutive start element since they ++ * are constant, skip them to avoid bogus overlap reports. ++ */ ++ if (!nft_set_is_anonymous(set) && rbe_le && ++ nft_rbtree_interval_start(rbe_le) && nft_rbtree_interval_start(new)) ++ return -ENOTEMPTY; ++ ++ /* - new end element with existing closest, less or equal key value ++ * being a end element: partial overlap, reported as -ENOTEMPTY. ++ */ ++ if (rbe_le && ++ nft_rbtree_interval_end(rbe_le) && nft_rbtree_interval_end(new)) + return -ENOTEMPTY; + ++ /* - new end element with existing closest, greater or equal key value ++ * being an end element: partial overlap, reported as -ENOTEMPTY ++ */ ++ if (rbe_ge && ++ nft_rbtree_interval_end(rbe_ge) && nft_rbtree_interval_end(new)) ++ return -ENOTEMPTY; ++ ++ /* Accepted element: pick insertion point depending on key value */ ++ parent = NULL; ++ p = &priv->root.rb_node; ++ while (*p != NULL) { ++ parent = *p; ++ rbe = rb_entry(parent, struct nft_rbtree_elem, node); ++ d = nft_rbtree_cmp(set, rbe, new); ++ ++ if (d < 0) ++ p = &parent->rb_left; ++ else if (d > 0) ++ p = &parent->rb_right; ++ else if (nft_rbtree_interval_end(rbe)) ++ p = &parent->rb_left; ++ else ++ p = &parent->rb_right; ++ } ++ + rb_link_node_rcu(&new->node, parent, p); + rb_insert_color(&new->node, &priv->root); + return 0; +-- +2.39.0 + diff --git a/queue-6.1/netlink-annotate-data-races-around-dst_portid-and-ds.patch b/queue-6.1/netlink-annotate-data-races-around-dst_portid-and-ds.patch new file mode 100644 index 00000000000..0c9656d9154 --- /dev/null +++ b/queue-6.1/netlink-annotate-data-races-around-dst_portid-and-ds.patch @@ -0,0 +1,87 @@ +From e83b0a30db1437e245a40049c12a5f726cee22ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 12:59:54 +0000 +Subject: netlink: annotate data races around dst_portid and dst_group + +From: Eric Dumazet + +[ Upstream commit 004db64d185a5f23dfb891d7701e23713b2420ee ] + +netlink_getname(), netlink_sendmsg() and netlink_getsockbyportid() +can read nlk->dst_portid and nlk->dst_group while another +thread is changing them. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 11a6309f17a3..a597e4dac7fd 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1088,8 +1088,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, + + if (addr->sa_family == AF_UNSPEC) { + sk->sk_state = NETLINK_UNCONNECTED; +- nlk->dst_portid = 0; +- nlk->dst_group = 0; ++ /* dst_portid and dst_group can be read locklessly */ ++ WRITE_ONCE(nlk->dst_portid, 0); ++ WRITE_ONCE(nlk->dst_group, 0); + return 0; + } + if (addr->sa_family != AF_NETLINK) +@@ -1111,8 +1112,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, + + if (err == 0) { + sk->sk_state = NETLINK_CONNECTED; +- nlk->dst_portid = nladdr->nl_pid; +- nlk->dst_group = ffs(nladdr->nl_groups); ++ /* dst_portid and dst_group can be read locklessly */ ++ WRITE_ONCE(nlk->dst_portid, nladdr->nl_pid); ++ WRITE_ONCE(nlk->dst_group, ffs(nladdr->nl_groups)); + } + + return err; +@@ -1129,8 +1131,9 @@ static int netlink_getname(struct socket *sock, struct sockaddr *addr, + nladdr->nl_pad = 0; + + if (peer) { +- nladdr->nl_pid = nlk->dst_portid; +- nladdr->nl_groups = netlink_group_mask(nlk->dst_group); ++ /* Paired with WRITE_ONCE() in netlink_connect() */ ++ nladdr->nl_pid = READ_ONCE(nlk->dst_portid); ++ nladdr->nl_groups = netlink_group_mask(READ_ONCE(nlk->dst_group)); + } else { + /* Paired with WRITE_ONCE() in netlink_insert() */ + nladdr->nl_pid = READ_ONCE(nlk->portid); +@@ -1160,8 +1163,9 @@ static struct sock *netlink_getsockbyportid(struct sock *ssk, u32 portid) + + /* Don't bother queuing skb if kernel socket has no input function */ + nlk = nlk_sk(sock); ++ /* dst_portid can be changed in netlink_connect() */ + if (sock->sk_state == NETLINK_CONNECTED && +- nlk->dst_portid != nlk_sk(ssk)->portid) { ++ READ_ONCE(nlk->dst_portid) != nlk_sk(ssk)->portid) { + sock_put(sock); + return ERR_PTR(-ECONNREFUSED); + } +@@ -1878,8 +1882,9 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + goto out; + netlink_skb_flags |= NETLINK_SKB_DST; + } else { +- dst_portid = nlk->dst_portid; +- dst_group = nlk->dst_group; ++ /* Paired with WRITE_ONCE() in netlink_connect() */ ++ dst_portid = READ_ONCE(nlk->dst_portid); ++ dst_group = READ_ONCE(nlk->dst_group); + } + + /* Paired with WRITE_ONCE() in netlink_insert() */ +-- +2.39.0 + diff --git a/queue-6.1/netlink-annotate-data-races-around-nlk-portid.patch b/queue-6.1/netlink-annotate-data-races-around-nlk-portid.patch new file mode 100644 index 00000000000..c19fb2f9dfc --- /dev/null +++ b/queue-6.1/netlink-annotate-data-races-around-nlk-portid.patch @@ -0,0 +1,87 @@ +From 7e0390d1a57b1d0b52910ed6e93b589616fd5a15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 12:59:53 +0000 +Subject: netlink: annotate data races around nlk->portid + +From: Eric Dumazet + +[ Upstream commit c1bb9484e3b05166880da8574504156ccbd0549e ] + +syzbot reminds us netlink_getname() runs locklessly [1] + +This first patch annotates the race against nlk->portid. + +Following patches take care of the remaining races. + +[1] +BUG: KCSAN: data-race in netlink_getname / netlink_insert + +write to 0xffff88814176d310 of 4 bytes by task 2315 on cpu 1: +netlink_insert+0xf1/0x9a0 net/netlink/af_netlink.c:583 +netlink_autobind+0xae/0x180 net/netlink/af_netlink.c:856 +netlink_sendmsg+0x444/0x760 net/netlink/af_netlink.c:1895 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg net/socket.c:734 [inline] +____sys_sendmsg+0x38f/0x500 net/socket.c:2476 +___sys_sendmsg net/socket.c:2530 [inline] +__sys_sendmsg+0x19a/0x230 net/socket.c:2559 +__do_sys_sendmsg net/socket.c:2568 [inline] +__se_sys_sendmsg net/socket.c:2566 [inline] +__x64_sys_sendmsg+0x42/0x50 net/socket.c:2566 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff88814176d310 of 4 bytes by task 2316 on cpu 0: +netlink_getname+0xcd/0x1a0 net/netlink/af_netlink.c:1144 +__sys_getsockname+0x11d/0x1b0 net/socket.c:2026 +__do_sys_getsockname net/socket.c:2041 [inline] +__se_sys_getsockname net/socket.c:2038 [inline] +__x64_sys_getsockname+0x3e/0x50 net/socket.c:2038 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x00000000 -> 0xc9a49780 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 2316 Comm: syz-executor.2 Not tainted 6.2.0-rc3-syzkaller-00030-ge8f60cd7db24-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index a662e8a5ff84..11a6309f17a3 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -580,7 +580,9 @@ static int netlink_insert(struct sock *sk, u32 portid) + if (nlk_sk(sk)->bound) + goto err; + +- nlk_sk(sk)->portid = portid; ++ /* portid can be read locklessly from netlink_getname(). */ ++ WRITE_ONCE(nlk_sk(sk)->portid, portid); ++ + sock_hold(sk); + + err = __netlink_insert(table, sk); +@@ -1130,7 +1132,8 @@ static int netlink_getname(struct socket *sock, struct sockaddr *addr, + nladdr->nl_pid = nlk->dst_portid; + nladdr->nl_groups = netlink_group_mask(nlk->dst_group); + } else { +- nladdr->nl_pid = nlk->portid; ++ /* Paired with WRITE_ONCE() in netlink_insert() */ ++ nladdr->nl_pid = READ_ONCE(nlk->portid); + netlink_lock_table(); + nladdr->nl_groups = nlk->groups ? nlk->groups[0] : 0; + netlink_unlock_table(); +-- +2.39.0 + diff --git a/queue-6.1/netlink-annotate-data-races-around-sk_state.patch b/queue-6.1/netlink-annotate-data-races-around-sk_state.patch new file mode 100644 index 00000000000..05b8f039323 --- /dev/null +++ b/queue-6.1/netlink-annotate-data-races-around-sk_state.patch @@ -0,0 +1,58 @@ +From d501cade919f4354fdb12be4ddc12d362ac59874 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 12:59:55 +0000 +Subject: netlink: annotate data races around sk_state + +From: Eric Dumazet + +[ Upstream commit 9b663b5cbb15b494ef132a3c937641c90646eb73 ] + +netlink_getsockbyportid() reads sk_state while a concurrent +netlink_connect() can change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index a597e4dac7fd..e50671296791 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1087,7 +1087,8 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, + return -EINVAL; + + if (addr->sa_family == AF_UNSPEC) { +- sk->sk_state = NETLINK_UNCONNECTED; ++ /* paired with READ_ONCE() in netlink_getsockbyportid() */ ++ WRITE_ONCE(sk->sk_state, NETLINK_UNCONNECTED); + /* dst_portid and dst_group can be read locklessly */ + WRITE_ONCE(nlk->dst_portid, 0); + WRITE_ONCE(nlk->dst_group, 0); +@@ -1111,7 +1112,8 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, + err = netlink_autobind(sock); + + if (err == 0) { +- sk->sk_state = NETLINK_CONNECTED; ++ /* paired with READ_ONCE() in netlink_getsockbyportid() */ ++ WRITE_ONCE(sk->sk_state, NETLINK_CONNECTED); + /* dst_portid and dst_group can be read locklessly */ + WRITE_ONCE(nlk->dst_portid, nladdr->nl_pid); + WRITE_ONCE(nlk->dst_group, ffs(nladdr->nl_groups)); +@@ -1163,8 +1165,8 @@ static struct sock *netlink_getsockbyportid(struct sock *ssk, u32 portid) + + /* Don't bother queuing skb if kernel socket has no input function */ + nlk = nlk_sk(sock); +- /* dst_portid can be changed in netlink_connect() */ +- if (sock->sk_state == NETLINK_CONNECTED && ++ /* dst_portid and sk_state can be changed in netlink_connect() */ ++ if (READ_ONCE(sock->sk_state) == NETLINK_CONNECTED && + READ_ONCE(nlk->dst_portid) != nlk_sk(ssk)->portid) { + sock_put(sock); + return ERR_PTR(-ECONNREFUSED); +-- +2.39.0 + diff --git a/queue-6.1/netlink-prevent-potential-spectre-v1-gadgets.patch b/queue-6.1/netlink-prevent-potential-spectre-v1-gadgets.patch new file mode 100644 index 00000000000..fbd6ec66b6f --- /dev/null +++ b/queue-6.1/netlink-prevent-potential-spectre-v1-gadgets.patch @@ -0,0 +1,68 @@ +From 7ee1cea303a4a6765cec03eaf95e2c0fa6adb297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 11:01:50 +0000 +Subject: netlink: prevent potential spectre v1 gadgets + +From: Eric Dumazet + +[ Upstream commit f0950402e8c76e7dcb08563f1b4e8000fbc62455 ] + +Most netlink attributes are parsed and validated from +__nla_validate_parse() or validate_nla() + + u16 type = nla_type(nla); + + if (type == 0 || type > maxtype) { + /* error or continue */ + } + +@type is then used as an array index and can be used +as a Spectre v1 gadget. + +array_index_nospec() can be used to prevent leaking +content of kernel memory to malicious users. + +This should take care of vast majority of netlink uses, +but an audit is needed to take care of others where +validation is not yet centralized in core netlink functions. + +Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230119110150.2678537-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + lib/nlattr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/nlattr.c b/lib/nlattr.c +index b67a53e29b8f..dffd60e4065f 100644 +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -381,6 +382,7 @@ static int validate_nla(const struct nlattr *nla, int maxtype, + if (type <= 0 || type > maxtype) + return 0; + ++ type = array_index_nospec(type, maxtype + 1); + pt = &policy[type]; + + BUG_ON(pt->type > NLA_TYPE_MAX); +@@ -596,6 +598,7 @@ static int __nla_validate_parse(const struct nlattr *head, int len, int maxtype, + } + continue; + } ++ type = array_index_nospec(type, maxtype + 1); + if (policy) { + int err = validate_nla(nla, maxtype, policy, + validate, extack, depth); +-- +2.39.0 + diff --git a/queue-6.1/netrom-fix-use-after-free-of-a-listening-socket.patch b/queue-6.1/netrom-fix-use-after-free-of-a-listening-socket.patch new file mode 100644 index 00000000000..185a86ed229 --- /dev/null +++ b/queue-6.1/netrom-fix-use-after-free-of-a-listening-socket.patch @@ -0,0 +1,161 @@ +From 73eff8ec80c31e4cd55629212f6414423ff0ef6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 15:19:27 -0800 +Subject: netrom: Fix use-after-free of a listening socket. + +From: Kuniyuki Iwashima + +[ Upstream commit 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 ] + +syzbot reported a use-after-free in do_accept(), precisely nr_accept() +as sk_prot_alloc() allocated the memory and sock_put() frees it. [0] + +The issue could happen if the heartbeat timer is fired and +nr_heartbeat_expiry() calls nr_destroy_socket(), where a socket +has SOCK_DESTROY or a listening socket has SOCK_DEAD. + +In this case, the first condition cannot be true. SOCK_DESTROY is +flagged in nr_release() only when the file descriptor is close()d, +but accept() is being called for the listening socket, so the second +condition must be true. + +Usually, the AF_NETROM listener neither starts timers nor sets +SOCK_DEAD. However, the condition is met if connect() fails before +listen(). connect() starts the t1 timer and heartbeat timer, and +t1timer calls nr_disconnect() when timeout happens. Then, SOCK_DEAD +is set, and if we call listen(), the heartbeat timer calls +nr_destroy_socket(). + + nr_connect + nr_establish_data_link(sk) + nr_start_t1timer(sk) + nr_start_heartbeat(sk) + nr_t1timer_expiry + nr_disconnect(sk, ETIMEDOUT) + nr_sk(sk)->state = NR_STATE_0 + sk->sk_state = TCP_CLOSE + sock_set_flag(sk, SOCK_DEAD) +nr_listen + if (sk->sk_state != TCP_LISTEN) + sk->sk_state = TCP_LISTEN + nr_heartbeat_expiry + switch (nr->state) + case NR_STATE_0 + if (sk->sk_state == TCP_LISTEN && + sock_flag(sk, SOCK_DEAD)) + nr_destroy_socket(sk) + +This path seems expected, and nr_destroy_socket() is called to clean +up resources. Initially, there was sock_hold() before nr_destroy_socket() +so that the socket would not be freed, but the commit 517a16b1a88b +("netrom: Decrease sock refcount when sock timers expire") accidentally +removed it. + +To fix use-after-free, let's add sock_hold(). + +[0]: +BUG: KASAN: use-after-free in do_accept+0x483/0x510 net/socket.c:1848 +Read of size 8 at addr ffff88807978d398 by task syz-executor.3/5315 + +CPU: 0 PID: 5315 Comm: syz-executor.3 Not tainted 6.2.0-rc3-syzkaller-00165-gd9fc1511728c #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:306 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:417 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 + do_accept+0x483/0x510 net/socket.c:1848 + __sys_accept4_file net/socket.c:1897 [inline] + __sys_accept4+0x9a/0x120 net/socket.c:1927 + __do_sys_accept net/socket.c:1944 [inline] + __se_sys_accept net/socket.c:1941 [inline] + __x64_sys_accept+0x75/0xb0 net/socket.c:1941 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fa436a8c0c9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fa437784168 EFLAGS: 00000246 ORIG_RAX: 000000000000002b +RAX: ffffffffffffffda RBX: 00007fa436bac050 RCX: 00007fa436a8c0c9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005 +RBP: 00007fa436ae7ae9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffebc6700df R14: 00007fa437784300 R15: 0000000000022000 + + +Allocated by task 5294: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + ____kasan_kmalloc mm/kasan/common.c:330 [inline] + __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:968 [inline] + __kmalloc+0x5a/0xd0 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 + sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 + nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 + __sock_create+0x359/0x790 net/socket.c:1515 + sock_create net/socket.c:1566 [inline] + __sys_socket_create net/socket.c:1603 [inline] + __sys_socket_create net/socket.c:1588 [inline] + __sys_socket+0x133/0x250 net/socket.c:1636 + __do_sys_socket net/socket.c:1649 [inline] + __se_sys_socket net/socket.c:1647 [inline] + __x64_sys_socket+0x73/0xb0 net/socket.c:1647 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 14: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + __cache_free mm/slab.c:3394 [inline] + __do_kmem_cache_free mm/slab.c:3580 [inline] + __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 + sk_prot_free net/core/sock.c:2074 [inline] + __sk_destruct+0x5df/0x750 net/core/sock.c:2166 + sk_destruct net/core/sock.c:2181 [inline] + __sk_free+0x175/0x460 net/core/sock.c:2192 + sk_free+0x7c/0xa0 net/core/sock.c:2203 + sock_put include/net/sock.h:1991 [inline] + nr_heartbeat_expiry+0x1d7/0x460 net/netrom/nr_timer.c:148 + call_timer_fn+0x1da/0x7c0 kernel/time/timer.c:1700 + expire_timers+0x2c6/0x5c0 kernel/time/timer.c:1751 + __run_timers kernel/time/timer.c:2022 [inline] + __run_timers kernel/time/timer.c:1995 [inline] + run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035 + __do_softirq+0x1fb/0xadc kernel/softirq.c:571 + +Fixes: 517a16b1a88b ("netrom: Decrease sock refcount when sock timers expire") +Reported-by: syzbot+5fafd5cfe1fc91f6b352@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230120231927.51711-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/netrom/nr_timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c +index a8da88db7893..4e7c968cde2d 100644 +--- a/net/netrom/nr_timer.c ++++ b/net/netrom/nr_timer.c +@@ -121,6 +121,7 @@ static void nr_heartbeat_expiry(struct timer_list *t) + is accepted() it isn't 'dead' so doesn't get removed. */ + if (sock_flag(sk, SOCK_DESTROY) || + (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { ++ sock_hold(sk); + bh_unlock_sock(sk); + nr_destroy_socket(sk); + goto out; +-- +2.39.0 + diff --git a/queue-6.1/nvme-consolidate-setting-the-tagset-flags.patch b/queue-6.1/nvme-consolidate-setting-the-tagset-flags.patch new file mode 100644 index 00000000000..16061c50292 --- /dev/null +++ b/queue-6.1/nvme-consolidate-setting-the-tagset-flags.patch @@ -0,0 +1,204 @@ +From 2e4301d060acd99bded39e27bcb58e275ebc79be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 17:19:50 +0100 +Subject: nvme: consolidate setting the tagset flags + +From: Christoph Hellwig + +[ Upstream commit db45e1a5ddccc034eb60d62fc5352022d7963ae2 ] + +All nvme transports should be using the same flags for their tagsets, +with the exception for the blocking flag that should only be set for +transports that can block in ->queue_rq. + +Add a NVME_F_BLOCKING flag to nvme_ctrl_ops to control the blocking +behavior and lift setting the flags into nvme_alloc_{admin,io}_tag_set. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Stable-dep-of: 98e3528012cd ("nvme-fc: fix initialization order") +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 15 +++++++++------ + drivers/nvme/host/fc.c | 4 ++-- + drivers/nvme/host/nvme.h | 9 +++++---- + drivers/nvme/host/rdma.c | 3 +-- + drivers/nvme/host/tcp.c | 5 ++--- + drivers/nvme/target/loop.c | 4 ++-- + 6 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index badc6984ff83..9e9ad91618ab 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -4840,8 +4840,7 @@ void nvme_complete_async_event(struct nvme_ctrl *ctrl, __le16 status, + EXPORT_SYMBOL_GPL(nvme_complete_async_event); + + int nvme_alloc_admin_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set, +- const struct blk_mq_ops *ops, unsigned int flags, +- unsigned int cmd_size) ++ const struct blk_mq_ops *ops, unsigned int cmd_size) + { + int ret; + +@@ -4851,7 +4850,9 @@ int nvme_alloc_admin_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set, + if (ctrl->ops->flags & NVME_F_FABRICS) + set->reserved_tags = NVMF_RESERVED_TAGS; + set->numa_node = ctrl->numa_node; +- set->flags = flags; ++ set->flags = BLK_MQ_F_NO_SCHED; ++ if (ctrl->ops->flags & NVME_F_BLOCKING) ++ set->flags |= BLK_MQ_F_BLOCKING; + set->cmd_size = cmd_size; + set->driver_data = ctrl; + set->nr_hw_queues = 1; +@@ -4895,8 +4896,8 @@ void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl) + EXPORT_SYMBOL_GPL(nvme_remove_admin_tag_set); + + int nvme_alloc_io_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set, +- const struct blk_mq_ops *ops, unsigned int flags, +- unsigned int nr_maps, unsigned int cmd_size) ++ const struct blk_mq_ops *ops, unsigned int nr_maps, ++ unsigned int cmd_size) + { + int ret; + +@@ -4905,7 +4906,9 @@ int nvme_alloc_io_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set, + set->queue_depth = ctrl->sqsize + 1; + set->reserved_tags = NVMF_RESERVED_TAGS; + set->numa_node = ctrl->numa_node; +- set->flags = flags; ++ set->flags = BLK_MQ_F_SHOULD_MERGE; ++ if (ctrl->ops->flags & NVME_F_BLOCKING) ++ set->flags |= BLK_MQ_F_BLOCKING; + set->cmd_size = cmd_size, + set->driver_data = ctrl; + set->nr_hw_queues = ctrl->queue_count - 1; +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 20b0c29a9a34..5f07a6b29276 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2903,7 +2903,7 @@ nvme_fc_create_io_queues(struct nvme_fc_ctrl *ctrl) + nvme_fc_init_io_queues(ctrl); + + ret = nvme_alloc_io_tag_set(&ctrl->ctrl, &ctrl->tag_set, +- &nvme_fc_mq_ops, BLK_MQ_F_SHOULD_MERGE, 1, ++ &nvme_fc_mq_ops, 1, + struct_size((struct nvme_fcp_op_w_sgl *)NULL, priv, + ctrl->lport->ops->fcprqst_priv_sz)); + if (ret) +@@ -3509,7 +3509,7 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + nvme_fc_init_queue(ctrl, 0); + + ret = nvme_alloc_admin_tag_set(&ctrl->ctrl, &ctrl->admin_tag_set, +- &nvme_fc_admin_mq_ops, BLK_MQ_F_NO_SCHED, ++ &nvme_fc_admin_mq_ops, + struct_size((struct nvme_fcp_op_w_sgl *)NULL, priv, + ctrl->lport->ops->fcprqst_priv_sz)); + if (ret) +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index aef3693ba5d3..01d90424af53 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -508,6 +508,8 @@ struct nvme_ctrl_ops { + unsigned int flags; + #define NVME_F_FABRICS (1 << 0) + #define NVME_F_METADATA_SUPPORTED (1 << 1) ++#define NVME_F_BLOCKING (1 << 2) ++ + const struct attribute_group **dev_attr_groups; + int (*reg_read32)(struct nvme_ctrl *ctrl, u32 off, u32 *val); + int (*reg_write32)(struct nvme_ctrl *ctrl, u32 off, u32 val); +@@ -739,12 +741,11 @@ void nvme_start_ctrl(struct nvme_ctrl *ctrl); + void nvme_stop_ctrl(struct nvme_ctrl *ctrl); + int nvme_init_ctrl_finish(struct nvme_ctrl *ctrl); + int nvme_alloc_admin_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set, +- const struct blk_mq_ops *ops, unsigned int flags, +- unsigned int cmd_size); ++ const struct blk_mq_ops *ops, unsigned int cmd_size); + void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl); + int nvme_alloc_io_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set, +- const struct blk_mq_ops *ops, unsigned int flags, +- unsigned int nr_maps, unsigned int cmd_size); ++ const struct blk_mq_ops *ops, unsigned int nr_maps, ++ unsigned int cmd_size); + void nvme_remove_io_tag_set(struct nvme_ctrl *ctrl); + + void nvme_remove_namespaces(struct nvme_ctrl *ctrl); +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index a55d3e8b607d..6f918e61b6ae 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -798,7 +798,7 @@ static int nvme_rdma_alloc_tag_set(struct nvme_ctrl *ctrl) + NVME_RDMA_METADATA_SGL_SIZE; + + return nvme_alloc_io_tag_set(ctrl, &to_rdma_ctrl(ctrl)->tag_set, +- &nvme_rdma_mq_ops, BLK_MQ_F_SHOULD_MERGE, ++ &nvme_rdma_mq_ops, + ctrl->opts->nr_poll_queues ? HCTX_MAX_TYPES : 2, + cmd_size); + } +@@ -848,7 +848,6 @@ static int nvme_rdma_configure_admin_queue(struct nvme_rdma_ctrl *ctrl, + if (new) { + error = nvme_alloc_admin_tag_set(&ctrl->ctrl, + &ctrl->admin_tag_set, &nvme_rdma_admin_mq_ops, +- BLK_MQ_F_NO_SCHED, + sizeof(struct nvme_rdma_request) + + NVME_RDMA_DATA_SGL_SIZE); + if (error) +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 83735c52d34a..eacd445b5333 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1867,7 +1867,6 @@ static int nvme_tcp_configure_io_queues(struct nvme_ctrl *ctrl, bool new) + if (new) { + ret = nvme_alloc_io_tag_set(ctrl, &to_tcp_ctrl(ctrl)->tag_set, + &nvme_tcp_mq_ops, +- BLK_MQ_F_SHOULD_MERGE | BLK_MQ_F_BLOCKING, + ctrl->opts->nr_poll_queues ? HCTX_MAX_TYPES : 2, + sizeof(struct nvme_tcp_request)); + if (ret) +@@ -1943,7 +1942,7 @@ static int nvme_tcp_configure_admin_queue(struct nvme_ctrl *ctrl, bool new) + if (new) { + error = nvme_alloc_admin_tag_set(ctrl, + &to_tcp_ctrl(ctrl)->admin_tag_set, +- &nvme_tcp_admin_mq_ops, BLK_MQ_F_BLOCKING, ++ &nvme_tcp_admin_mq_ops, + sizeof(struct nvme_tcp_request)); + if (error) + goto out_free_queue; +@@ -2524,7 +2523,7 @@ static const struct blk_mq_ops nvme_tcp_admin_mq_ops = { + static const struct nvme_ctrl_ops nvme_tcp_ctrl_ops = { + .name = "tcp", + .module = THIS_MODULE, +- .flags = NVME_F_FABRICS, ++ .flags = NVME_F_FABRICS | NVME_F_BLOCKING, + .reg_read32 = nvmf_reg_read32, + .reg_read64 = nvmf_reg_read64, + .reg_write32 = nvmf_reg_write32, +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index 08c583258e90..c864e902e91e 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -353,7 +353,7 @@ static int nvme_loop_configure_admin_queue(struct nvme_loop_ctrl *ctrl) + ctrl->ctrl.queue_count = 1; + + error = nvme_alloc_admin_tag_set(&ctrl->ctrl, &ctrl->admin_tag_set, +- &nvme_loop_admin_mq_ops, BLK_MQ_F_NO_SCHED, ++ &nvme_loop_admin_mq_ops, + sizeof(struct nvme_loop_iod) + + NVME_INLINE_SG_CNT * sizeof(struct scatterlist)); + if (error) +@@ -494,7 +494,7 @@ static int nvme_loop_create_io_queues(struct nvme_loop_ctrl *ctrl) + return ret; + + ret = nvme_alloc_io_tag_set(&ctrl->ctrl, &ctrl->tag_set, +- &nvme_loop_mq_ops, BLK_MQ_F_SHOULD_MERGE, 1, ++ &nvme_loop_mq_ops, 1, + sizeof(struct nvme_loop_iod) + + NVME_INLINE_SG_CNT * sizeof(struct scatterlist)); + if (ret) +-- +2.39.0 + diff --git a/queue-6.1/nvme-fc-fix-initialization-order.patch b/queue-6.1/nvme-fc-fix-initialization-order.patch new file mode 100644 index 00000000000..c550119105f --- /dev/null +++ b/queue-6.1/nvme-fc-fix-initialization-order.patch @@ -0,0 +1,71 @@ +From a7879e8c8c72863baa3387225a573a0a85284af1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 17:43:54 +0000 +Subject: nvme-fc: fix initialization order + +From: Ross Lagerwall + +[ Upstream commit 98e3528012cd571c48bbae7c7c0f868823254b6c ] + +ctrl->ops is used by nvme_alloc_admin_tag_set() but set by +nvme_init_ctrl() so reorder the calls to avoid a NULL pointer +dereference. + +Fixes: 6dfba1c09c10 ("nvme-fc: use the tagset alloc/free helpers") +Signed-off-by: Ross Lagerwall +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/fc.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 5f07a6b29276..6c3d469eed7e 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3508,13 +3508,6 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + + nvme_fc_init_queue(ctrl, 0); + +- ret = nvme_alloc_admin_tag_set(&ctrl->ctrl, &ctrl->admin_tag_set, +- &nvme_fc_admin_mq_ops, +- struct_size((struct nvme_fcp_op_w_sgl *)NULL, priv, +- ctrl->lport->ops->fcprqst_priv_sz)); +- if (ret) +- goto out_free_queues; +- + /* + * Would have been nice to init io queues tag set as well. + * However, we require interaction from the controller +@@ -3524,10 +3517,17 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + + ret = nvme_init_ctrl(&ctrl->ctrl, dev, &nvme_fc_ctrl_ops, 0); + if (ret) +- goto out_cleanup_tagset; ++ goto out_free_queues; + + /* at this point, teardown path changes to ref counting on nvme ctrl */ + ++ ret = nvme_alloc_admin_tag_set(&ctrl->ctrl, &ctrl->admin_tag_set, ++ &nvme_fc_admin_mq_ops, ++ struct_size((struct nvme_fcp_op_w_sgl *)NULL, priv, ++ ctrl->lport->ops->fcprqst_priv_sz)); ++ if (ret) ++ goto fail_ctrl; ++ + spin_lock_irqsave(&rport->lock, flags); + list_add_tail(&ctrl->ctrl_list, &rport->ctrl_list); + spin_unlock_irqrestore(&rport->lock, flags); +@@ -3579,8 +3579,6 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + + return ERR_PTR(-EIO); + +-out_cleanup_tagset: +- nvme_remove_admin_tag_set(&ctrl->ctrl); + out_free_queues: + kfree(ctrl->queues); + out_free_ida: +-- +2.39.0 + diff --git a/queue-6.1/nvme-fix-passthrough-csi-check.patch b/queue-6.1/nvme-fix-passthrough-csi-check.patch new file mode 100644 index 00000000000..5da795c47c0 --- /dev/null +++ b/queue-6.1/nvme-fix-passthrough-csi-check.patch @@ -0,0 +1,36 @@ +From d26e9510a14eb1caeca6e2de36c359d3ba4b71d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 13:29:14 -0800 +Subject: nvme: fix passthrough csi check + +From: Keith Busch + +[ Upstream commit 85eee6341abb81ac6a35062ffd5c3029eb53be6b ] + +The namespace head saves the Command Set Indicator enum, so use that +instead of the Command Set Selected. The two values are not the same. + +Fixes: 831ed60c2aca2d ("nvme: also return I/O command effects from nvme_command_effects") +Signed-off-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 9e9ad91618ab..25ade4ce8e0a 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1088,7 +1088,7 @@ u32 nvme_command_effects(struct nvme_ctrl *ctrl, struct nvme_ns *ns, u8 opcode) + if (ns) { + if (ns->head->effects) + effects = le32_to_cpu(ns->head->effects->iocs[opcode]); +- if (ns->head->ids.csi == NVME_CAP_CSS_NVM) ++ if (ns->head->ids.csi == NVME_CSI_NVM) + effects |= nvme_known_nvm_effects(opcode); + if (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC)) + dev_warn_once(ctrl->device, +-- +2.39.0 + diff --git a/queue-6.1/nvme-simplify-transport-specific-device-attribute-ha.patch b/queue-6.1/nvme-simplify-transport-specific-device-attribute-ha.patch new file mode 100644 index 00000000000..1f41ec05b8c --- /dev/null +++ b/queue-6.1/nvme-simplify-transport-specific-device-attribute-ha.patch @@ -0,0 +1,151 @@ +From 73ce4d0ac1c400573a839703cd8259568bf6866a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 02:34:13 -0700 +Subject: nvme: simplify transport specific device attribute handling + +From: Christoph Hellwig + +[ Upstream commit 86adbf0cdb9ec6533234696c3e243184d4d0d040 ] + +Allow the transport driver to override the attribute groups for the +control device, so that the PCIe driver doesn't manually have to add a +group after device creation and keep track of it. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Tested-by Gerd Bayer +Stable-dep-of: 98e3528012cd ("nvme-fc: fix initialization order") +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 8 ++++++-- + drivers/nvme/host/nvme.h | 2 ++ + drivers/nvme/host/pci.c | 23 ++++++++--------------- + 3 files changed, 16 insertions(+), 17 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 1ded96d1bfd2..badc6984ff83 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3903,10 +3903,11 @@ static umode_t nvme_dev_attrs_are_visible(struct kobject *kobj, + return a->mode; + } + +-static const struct attribute_group nvme_dev_attrs_group = { ++const struct attribute_group nvme_dev_attrs_group = { + .attrs = nvme_dev_attrs, + .is_visible = nvme_dev_attrs_are_visible, + }; ++EXPORT_SYMBOL_GPL(nvme_dev_attrs_group); + + static const struct attribute_group *nvme_dev_attr_groups[] = { + &nvme_dev_attrs_group, +@@ -5080,7 +5081,10 @@ int nvme_init_ctrl(struct nvme_ctrl *ctrl, struct device *dev, + ctrl->instance); + ctrl->device->class = nvme_class; + ctrl->device->parent = ctrl->dev; +- ctrl->device->groups = nvme_dev_attr_groups; ++ if (ops->dev_attr_groups) ++ ctrl->device->groups = ops->dev_attr_groups; ++ else ++ ctrl->device->groups = nvme_dev_attr_groups; + ctrl->device->release = nvme_free_ctrl; + dev_set_drvdata(ctrl->device, ctrl); + ret = dev_set_name(ctrl->device, "nvme%d", ctrl->instance); +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index cbda8a19409b..aef3693ba5d3 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -508,6 +508,7 @@ struct nvme_ctrl_ops { + unsigned int flags; + #define NVME_F_FABRICS (1 << 0) + #define NVME_F_METADATA_SUPPORTED (1 << 1) ++ const struct attribute_group **dev_attr_groups; + int (*reg_read32)(struct nvme_ctrl *ctrl, u32 off, u32 *val); + int (*reg_write32)(struct nvme_ctrl *ctrl, u32 off, u32 val); + int (*reg_read64)(struct nvme_ctrl *ctrl, u32 off, u64 *val); +@@ -857,6 +858,7 @@ int nvme_dev_uring_cmd(struct io_uring_cmd *ioucmd, unsigned int issue_flags); + extern const struct attribute_group *nvme_ns_id_attr_groups[]; + extern const struct pr_ops nvme_pr_ops; + extern const struct block_device_operations nvme_ns_head_ops; ++extern const struct attribute_group nvme_dev_attrs_group; + + struct nvme_ns *nvme_find_path(struct nvme_ns_head *head); + #ifdef CONFIG_NVME_MULTIPATH +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index e2de5d0de5d9..d839689af17c 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -158,8 +158,6 @@ struct nvme_dev { + unsigned int nr_allocated_queues; + unsigned int nr_write_queues; + unsigned int nr_poll_queues; +- +- bool attrs_added; + }; + + static int io_queue_depth_set(const char *val, const struct kernel_param *kp) +@@ -2241,11 +2239,17 @@ static struct attribute *nvme_pci_attrs[] = { + NULL, + }; + +-static const struct attribute_group nvme_pci_attr_group = { ++static const struct attribute_group nvme_pci_dev_attrs_group = { + .attrs = nvme_pci_attrs, + .is_visible = nvme_pci_attrs_are_visible, + }; + ++static const struct attribute_group *nvme_pci_dev_attr_groups[] = { ++ &nvme_dev_attrs_group, ++ &nvme_pci_dev_attrs_group, ++ NULL, ++}; ++ + /* + * nirqs is the number of interrupts available for write and read + * queues. The core already reserved an interrupt for the admin queue. +@@ -2935,10 +2939,6 @@ static void nvme_reset_work(struct work_struct *work) + goto out; + } + +- if (!dev->attrs_added && !sysfs_create_group(&dev->ctrl.device->kobj, +- &nvme_pci_attr_group)) +- dev->attrs_added = true; +- + nvme_start_ctrl(&dev->ctrl); + return; + +@@ -3011,6 +3011,7 @@ static const struct nvme_ctrl_ops nvme_pci_ctrl_ops = { + .name = "pcie", + .module = THIS_MODULE, + .flags = NVME_F_METADATA_SUPPORTED, ++ .dev_attr_groups = nvme_pci_dev_attr_groups, + .reg_read32 = nvme_pci_reg_read32, + .reg_write32 = nvme_pci_reg_write32, + .reg_read64 = nvme_pci_reg_read64, +@@ -3209,13 +3210,6 @@ static void nvme_shutdown(struct pci_dev *pdev) + nvme_disable_prepare_reset(dev, true); + } + +-static void nvme_remove_attrs(struct nvme_dev *dev) +-{ +- if (dev->attrs_added) +- sysfs_remove_group(&dev->ctrl.device->kobj, +- &nvme_pci_attr_group); +-} +- + /* + * The driver's remove may be called on a device in a partially initialized + * state. This function must not have any dependencies on the device state in +@@ -3237,7 +3231,6 @@ static void nvme_remove(struct pci_dev *pdev) + nvme_stop_ctrl(&dev->ctrl); + nvme_remove_namespaces(&dev->ctrl); + nvme_dev_disable(dev, true); +- nvme_remove_attrs(dev); + nvme_free_host_mem(dev); + nvme_dev_remove_admin(dev); + nvme_free_queues(dev, 0); +-- +2.39.0 + diff --git a/queue-6.1/partially-revert-perf-arm-cmn-optimise-dtc-counter-a.patch b/queue-6.1/partially-revert-perf-arm-cmn-optimise-dtc-counter-a.patch new file mode 100644 index 00000000000..cc113ede3d1 --- /dev/null +++ b/queue-6.1/partially-revert-perf-arm-cmn-optimise-dtc-counter-a.patch @@ -0,0 +1,61 @@ +From a257f5b31e7db0a6a7ae51e3d07a651b2e71653b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 18:30:38 +0000 +Subject: Partially revert "perf/arm-cmn: Optimise DTC counter accesses" + +From: Robin Murphy + +[ Upstream commit a428eb4b99ab80454f06ad256b25e930fe8a4954 ] + +It turns out the optimisation implemented by commit 4f2c3872dde5 is +totally broken, since all the places that consume hw->dtcs_used for +events other than cycle count are still not expecting it to be sparsely +populated, and fail to read all the relevant DTC counters correctly if +so. + +If implemented correctly, the optimisation potentially saves up to 3 +register reads per event update, which is reasonably significant for +events targeting a single node, but still not worth a massive amount of +additional code complexity overall. Getting it right within the current +design looks a fair bit more involved than it was ever intended to be, +so let's just make a functional revert which restores the old behaviour +while still backporting easily. + +Fixes: 4f2c3872dde5 ("perf/arm-cmn: Optimise DTC counter accesses") +Reported-by: Ilkka Koskinen +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/b41bb4ed7283c3d8400ce5cf5e6ec94915e6750f.1674498637.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-cmn.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c +index b80a9b74662b..1deb61b22bc7 100644 +--- a/drivers/perf/arm-cmn.c ++++ b/drivers/perf/arm-cmn.c +@@ -1576,7 +1576,6 @@ static int arm_cmn_event_init(struct perf_event *event) + hw->dn++; + continue; + } +- hw->dtcs_used |= arm_cmn_node_to_xp(cmn, dn)->dtc; + hw->num_dns++; + if (bynodeid) + break; +@@ -1589,6 +1588,12 @@ static int arm_cmn_event_init(struct perf_event *event) + nodeid, nid.x, nid.y, nid.port, nid.dev, type); + return -EINVAL; + } ++ /* ++ * Keep assuming non-cycles events count in all DTC domains; turns out ++ * it's hard to make a worthwhile optimisation around this, short of ++ * going all-in with domain-local counter allocation as well. ++ */ ++ hw->dtcs_used = (1U << cmn->num_dtcs) - 1; + + return arm_cmn_validate_group(cmn, event); + } +-- +2.39.0 + diff --git a/queue-6.1/platform-x86-apple-gmux-add-apple_gmux_detect-helper.patch b/queue-6.1/platform-x86-apple-gmux-add-apple_gmux_detect-helper.patch new file mode 100644 index 00000000000..ac07b09cad9 --- /dev/null +++ b/queue-6.1/platform-x86-apple-gmux-add-apple_gmux_detect-helper.patch @@ -0,0 +1,283 @@ +From 5fed114d13dfd0a0b2e467c8522ff76a7f80f579 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:57:53 +0100 +Subject: platform/x86: apple-gmux: Add apple_gmux_detect() helper + +From: Hans de Goede + +[ Upstream commit d143908f80f3e5d164ac3342f73d6b9f536e8b4d ] + +Add a new (static inline) apple_gmux_detect() helper to apple-gmux.h +which can be used for gmux detection instead of apple_gmux_present(). + +The latter is not really reliable since an ACPI device with a HID +of APP000B is present on some devices without a gmux at all, as well +as on devices with a newer (unsupported) MMIO based gmux model. + +This causes apple_gmux_present() to return false-positives on +a number of different Apple laptop models. + +This new helper uses the same probing as the actual apple-gmux +driver, so that it does not return false positives. + +To avoid code duplication the gmux_probe() function of the actual +driver is also moved over to using the new apple_gmux_detect() helper. + +This avoids false positives (vs _HID + IO region detection) on: + +MacBookPro5,4 +https://pastebin.com/8Xjq7RhS + +MacBookPro8,1 +https://linux-hardware.org/?probe=e513cfbadb&log=dmesg + +MacBookPro9,2 +https://bugzilla.kernel.org/attachment.cgi?id=278961 + +MacBookPro10,2 +https://lkml.org/lkml/2014/9/22/657 + +MacBookPro11,2 +https://forums.fedora-fr.org/viewtopic.php?id=70142 + +MacBookPro11,4 +https://raw.githubusercontent.com/im-0/investigate-card-reader-suspend-problem-on-mbp11.4/master/test-16/dmesg + +Fixes: 21245df307cb ("ACPI: video: Add Apple GMUX brightness control detection") +Link: https://lore.kernel.org/platform-driver-x86/20230123113750.462144-1-hdegoede@redhat.com/ +Reported-by: Emmanouil Kouroupakis +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20230124105754.62167-3-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/apple-gmux.c | 70 +++++++------------------ + include/linux/apple-gmux.h | 86 ++++++++++++++++++++++++++++++- + 2 files changed, 102 insertions(+), 54 deletions(-) + +diff --git a/drivers/platform/x86/apple-gmux.c b/drivers/platform/x86/apple-gmux.c +index a0af01f6a0fd..9333f82cfa8a 100644 +--- a/drivers/platform/x86/apple-gmux.c ++++ b/drivers/platform/x86/apple-gmux.c +@@ -226,23 +226,6 @@ static void gmux_write32(struct apple_gmux_data *gmux_data, int port, + gmux_pio_write32(gmux_data, port, val); + } + +-static bool gmux_is_indexed(struct apple_gmux_data *gmux_data) +-{ +- u16 val; +- +- outb(0xaa, gmux_data->iostart + 0xcc); +- outb(0x55, gmux_data->iostart + 0xcd); +- outb(0x00, gmux_data->iostart + 0xce); +- +- val = inb(gmux_data->iostart + 0xcc) | +- (inb(gmux_data->iostart + 0xcd) << 8); +- +- if (val == 0x55aa) +- return true; +- +- return false; +-} +- + /** + * DOC: Backlight control + * +@@ -582,60 +565,43 @@ static int gmux_probe(struct pnp_dev *pnp, const struct pnp_device_id *id) + int ret = -ENXIO; + acpi_status status; + unsigned long long gpe; ++ bool indexed = false; ++ u32 version; + + if (apple_gmux_data) + return -EBUSY; + ++ if (!apple_gmux_detect(pnp, &indexed)) { ++ pr_info("gmux device not present\n"); ++ return -ENODEV; ++ } ++ + gmux_data = kzalloc(sizeof(*gmux_data), GFP_KERNEL); + if (!gmux_data) + return -ENOMEM; + pnp_set_drvdata(pnp, gmux_data); + + res = pnp_get_resource(pnp, IORESOURCE_IO, 0); +- if (!res) { +- pr_err("Failed to find gmux I/O resource\n"); +- goto err_free; +- } +- + gmux_data->iostart = res->start; + gmux_data->iolen = resource_size(res); + +- if (gmux_data->iolen < GMUX_MIN_IO_LEN) { +- pr_err("gmux I/O region too small (%lu < %u)\n", +- gmux_data->iolen, GMUX_MIN_IO_LEN); +- goto err_free; +- } +- + if (!request_region(gmux_data->iostart, gmux_data->iolen, + "Apple gmux")) { + pr_err("gmux I/O already in use\n"); + goto err_free; + } + +- /* +- * Invalid version information may indicate either that the gmux +- * device isn't present or that it's a new one that uses indexed +- * io +- */ +- +- ver_major = gmux_read8(gmux_data, GMUX_PORT_VERSION_MAJOR); +- ver_minor = gmux_read8(gmux_data, GMUX_PORT_VERSION_MINOR); +- ver_release = gmux_read8(gmux_data, GMUX_PORT_VERSION_RELEASE); +- if (ver_major == 0xff && ver_minor == 0xff && ver_release == 0xff) { +- if (gmux_is_indexed(gmux_data)) { +- u32 version; +- mutex_init(&gmux_data->index_lock); +- gmux_data->indexed = true; +- version = gmux_read32(gmux_data, +- GMUX_PORT_VERSION_MAJOR); +- ver_major = (version >> 24) & 0xff; +- ver_minor = (version >> 16) & 0xff; +- ver_release = (version >> 8) & 0xff; +- } else { +- pr_info("gmux device not present\n"); +- ret = -ENODEV; +- goto err_release; +- } ++ if (indexed) { ++ mutex_init(&gmux_data->index_lock); ++ gmux_data->indexed = true; ++ version = gmux_read32(gmux_data, GMUX_PORT_VERSION_MAJOR); ++ ver_major = (version >> 24) & 0xff; ++ ver_minor = (version >> 16) & 0xff; ++ ver_release = (version >> 8) & 0xff; ++ } else { ++ ver_major = gmux_read8(gmux_data, GMUX_PORT_VERSION_MAJOR); ++ ver_minor = gmux_read8(gmux_data, GMUX_PORT_VERSION_MINOR); ++ ver_release = gmux_read8(gmux_data, GMUX_PORT_VERSION_RELEASE); + } + pr_info("Found gmux version %d.%d.%d [%s]\n", ver_major, ver_minor, + ver_release, (gmux_data->indexed ? "indexed" : "classic")); +diff --git a/include/linux/apple-gmux.h b/include/linux/apple-gmux.h +index 80efaaf89e07..1f68b49bcd68 100644 +--- a/include/linux/apple-gmux.h ++++ b/include/linux/apple-gmux.h +@@ -8,6 +8,8 @@ + #define LINUX_APPLE_GMUX_H + + #include ++#include ++#include + + #define GMUX_ACPI_HID "APP000B" + +@@ -35,14 +37,89 @@ + #define GMUX_MIN_IO_LEN (GMUX_PORT_BRIGHTNESS + 4) + + #if IS_ENABLED(CONFIG_APPLE_GMUX) ++static inline bool apple_gmux_is_indexed(unsigned long iostart) ++{ ++ u16 val; ++ ++ outb(0xaa, iostart + 0xcc); ++ outb(0x55, iostart + 0xcd); ++ outb(0x00, iostart + 0xce); ++ ++ val = inb(iostart + 0xcc) | (inb(iostart + 0xcd) << 8); ++ if (val == 0x55aa) ++ return true; ++ ++ return false; ++} + + /** +- * apple_gmux_present() - detect if gmux is built into the machine ++ * apple_gmux_detect() - detect if gmux is built into the machine ++ * ++ * @pnp_dev: Device to probe or NULL to use the first matching device ++ * @indexed_ret: Returns (by reference) if the gmux is indexed or not ++ * ++ * Detect if a supported gmux device is present by actually probing it. ++ * This avoids the false positives returned on some models by ++ * apple_gmux_present(). ++ * ++ * Return: %true if a supported gmux ACPI device is detected and the kernel ++ * was configured with CONFIG_APPLE_GMUX, %false otherwise. ++ */ ++static inline bool apple_gmux_detect(struct pnp_dev *pnp_dev, bool *indexed_ret) ++{ ++ u8 ver_major, ver_minor, ver_release; ++ struct device *dev = NULL; ++ struct acpi_device *adev; ++ struct resource *res; ++ bool indexed = false; ++ bool ret = false; ++ ++ if (!pnp_dev) { ++ adev = acpi_dev_get_first_match_dev(GMUX_ACPI_HID, NULL, -1); ++ if (!adev) ++ return false; ++ ++ dev = get_device(acpi_get_first_physical_node(adev)); ++ acpi_dev_put(adev); ++ if (!dev) ++ return false; ++ ++ pnp_dev = to_pnp_dev(dev); ++ } ++ ++ res = pnp_get_resource(pnp_dev, IORESOURCE_IO, 0); ++ if (!res || resource_size(res) < GMUX_MIN_IO_LEN) ++ goto out; ++ ++ /* ++ * Invalid version information may indicate either that the gmux ++ * device isn't present or that it's a new one that uses indexed io. ++ */ ++ ver_major = inb(res->start + GMUX_PORT_VERSION_MAJOR); ++ ver_minor = inb(res->start + GMUX_PORT_VERSION_MINOR); ++ ver_release = inb(res->start + GMUX_PORT_VERSION_RELEASE); ++ if (ver_major == 0xff && ver_minor == 0xff && ver_release == 0xff) { ++ indexed = apple_gmux_is_indexed(res->start); ++ if (!indexed) ++ goto out; ++ } ++ ++ if (indexed_ret) ++ *indexed_ret = indexed; ++ ++ ret = true; ++out: ++ put_device(dev); ++ return ret; ++} ++ ++/** ++ * apple_gmux_present() - check if gmux ACPI device is present + * + * Drivers may use this to activate quirks specific to dual GPU MacBook Pros + * and Mac Pros, e.g. for deferred probing, runtime pm and backlight. + * +- * Return: %true if gmux is present and the kernel was configured ++ * Return: %true if gmux ACPI device is present and the kernel was configured + * with CONFIG_APPLE_GMUX, %false otherwise. + */ + static inline bool apple_gmux_present(void) +@@ -57,6 +134,11 @@ static inline bool apple_gmux_present(void) + return false; + } + ++static inline bool apple_gmux_detect(struct pnp_dev *pnp_dev, bool *indexed_ret) ++{ ++ return false; ++} ++ + #endif /* !CONFIG_APPLE_GMUX */ + + #endif /* LINUX_APPLE_GMUX_H */ +-- +2.39.0 + diff --git a/queue-6.1/platform-x86-apple-gmux-move-port-defines-to-apple-g.patch b/queue-6.1/platform-x86-apple-gmux-move-port-defines-to-apple-g.patch new file mode 100644 index 00000000000..448e6788dd1 --- /dev/null +++ b/queue-6.1/platform-x86-apple-gmux-move-port-defines-to-apple-g.patch @@ -0,0 +1,96 @@ +From 7628286b2f5bbdfa30c7fe6b887a7ac1c9314fbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:57:52 +0100 +Subject: platform/x86: apple-gmux: Move port defines to apple-gmux.h + +From: Hans de Goede + +[ Upstream commit 39f5a81f7ad80eb3fbcbfd817c6552db9de5504d ] + +This is a preparation patch for adding a new static inline +apple_gmux_detect() helper which actually checks a supported +gmux is present, rather then only checking an ACPI device with +the HID is there as apple_gmux_present() does. + +Fixes: 21245df307cb ("ACPI: video: Add Apple GMUX brightness control detection") +Link: https://lore.kernel.org/platform-driver-x86/20230123113750.462144-1-hdegoede@redhat.com/ +Reported-by: Emmanouil Kouroupakis +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20230124105754.62167-2-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/apple-gmux.c | 23 ----------------------- + include/linux/apple-gmux.h | 23 +++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 23 deletions(-) + +diff --git a/drivers/platform/x86/apple-gmux.c b/drivers/platform/x86/apple-gmux.c +index ca33df7ea550..a0af01f6a0fd 100644 +--- a/drivers/platform/x86/apple-gmux.c ++++ b/drivers/platform/x86/apple-gmux.c +@@ -64,29 +64,6 @@ struct apple_gmux_data { + + static struct apple_gmux_data *apple_gmux_data; + +-/* +- * gmux port offsets. Many of these are not yet used, but may be in the +- * future, and it's useful to have them documented here anyhow. +- */ +-#define GMUX_PORT_VERSION_MAJOR 0x04 +-#define GMUX_PORT_VERSION_MINOR 0x05 +-#define GMUX_PORT_VERSION_RELEASE 0x06 +-#define GMUX_PORT_SWITCH_DISPLAY 0x10 +-#define GMUX_PORT_SWITCH_GET_DISPLAY 0x11 +-#define GMUX_PORT_INTERRUPT_ENABLE 0x14 +-#define GMUX_PORT_INTERRUPT_STATUS 0x16 +-#define GMUX_PORT_SWITCH_DDC 0x28 +-#define GMUX_PORT_SWITCH_EXTERNAL 0x40 +-#define GMUX_PORT_SWITCH_GET_EXTERNAL 0x41 +-#define GMUX_PORT_DISCRETE_POWER 0x50 +-#define GMUX_PORT_MAX_BRIGHTNESS 0x70 +-#define GMUX_PORT_BRIGHTNESS 0x74 +-#define GMUX_PORT_VALUE 0xc2 +-#define GMUX_PORT_READ 0xd0 +-#define GMUX_PORT_WRITE 0xd4 +- +-#define GMUX_MIN_IO_LEN (GMUX_PORT_BRIGHTNESS + 4) +- + #define GMUX_INTERRUPT_ENABLE 0xff + #define GMUX_INTERRUPT_DISABLE 0x00 + +diff --git a/include/linux/apple-gmux.h b/include/linux/apple-gmux.h +index ddb10aa67b14..80efaaf89e07 100644 +--- a/include/linux/apple-gmux.h ++++ b/include/linux/apple-gmux.h +@@ -11,6 +11,29 @@ + + #define GMUX_ACPI_HID "APP000B" + ++/* ++ * gmux port offsets. Many of these are not yet used, but may be in the ++ * future, and it's useful to have them documented here anyhow. ++ */ ++#define GMUX_PORT_VERSION_MAJOR 0x04 ++#define GMUX_PORT_VERSION_MINOR 0x05 ++#define GMUX_PORT_VERSION_RELEASE 0x06 ++#define GMUX_PORT_SWITCH_DISPLAY 0x10 ++#define GMUX_PORT_SWITCH_GET_DISPLAY 0x11 ++#define GMUX_PORT_INTERRUPT_ENABLE 0x14 ++#define GMUX_PORT_INTERRUPT_STATUS 0x16 ++#define GMUX_PORT_SWITCH_DDC 0x28 ++#define GMUX_PORT_SWITCH_EXTERNAL 0x40 ++#define GMUX_PORT_SWITCH_GET_EXTERNAL 0x41 ++#define GMUX_PORT_DISCRETE_POWER 0x50 ++#define GMUX_PORT_MAX_BRIGHTNESS 0x70 ++#define GMUX_PORT_BRIGHTNESS 0x74 ++#define GMUX_PORT_VALUE 0xc2 ++#define GMUX_PORT_READ 0xd0 ++#define GMUX_PORT_WRITE 0xd4 ++ ++#define GMUX_MIN_IO_LEN (GMUX_PORT_BRIGHTNESS + 4) ++ + #if IS_ENABLED(CONFIG_APPLE_GMUX) + + /** +-- +2.39.0 + diff --git a/queue-6.1/platform-x86-asus-wmi-fix-kbd_dock_devid-tablet-swit.patch b/queue-6.1/platform-x86-asus-wmi-fix-kbd_dock_devid-tablet-swit.patch new file mode 100644 index 00000000000..d051b7aa2b0 --- /dev/null +++ b/queue-6.1/platform-x86-asus-wmi-fix-kbd_dock_devid-tablet-swit.patch @@ -0,0 +1,87 @@ +From aa074e99caecef6de727f2c036f3062328107ab9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 15:34:41 +0100 +Subject: platform/x86: asus-wmi: Fix kbd_dock_devid tablet-switch reporting + +From: Hans de Goede + +[ Upstream commit fdcc0602d64f22185f61c70747214b630049cc33 ] + +Commit 1ea0d3b46798 ("platform/x86: asus-wmi: Simplify tablet-mode-switch +handling") unified the asus-wmi tablet-switch handling, but it did not take +into account that the value returned for the kbd_dock_devid WMI method is +inverted where as the other ones are not inverted. + +This causes asus-wmi to report an inverted tablet-switch state for devices +which use the kbd_dock_devid, which causes libinput to ignore touchpad +events while the affected T10x model 2-in-1s are docked. + +Add inverting of the return value in the kbd_dock_devid case to fix this. + +Fixes: 1ea0d3b46798 ("platform/x86: asus-wmi: Simplify tablet-mode-switch handling") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20230120143441.527334-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 8e317d57ecc3..02bf28692418 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -225,6 +225,7 @@ struct asus_wmi { + + int tablet_switch_event_code; + u32 tablet_switch_dev_id; ++ bool tablet_switch_inverted; + + enum fan_type fan_type; + enum fan_type gpu_fan_type; +@@ -493,6 +494,13 @@ static bool asus_wmi_dev_is_present(struct asus_wmi *asus, u32 dev_id) + } + + /* Input **********************************************************************/ ++static void asus_wmi_tablet_sw_report(struct asus_wmi *asus, bool value) ++{ ++ input_report_switch(asus->inputdev, SW_TABLET_MODE, ++ asus->tablet_switch_inverted ? !value : value); ++ input_sync(asus->inputdev); ++} ++ + static void asus_wmi_tablet_sw_init(struct asus_wmi *asus, u32 dev_id, int event_code) + { + struct device *dev = &asus->platform_device->dev; +@@ -501,7 +509,7 @@ static void asus_wmi_tablet_sw_init(struct asus_wmi *asus, u32 dev_id, int event + result = asus_wmi_get_devstate_simple(asus, dev_id); + if (result >= 0) { + input_set_capability(asus->inputdev, EV_SW, SW_TABLET_MODE); +- input_report_switch(asus->inputdev, SW_TABLET_MODE, result); ++ asus_wmi_tablet_sw_report(asus, result); + asus->tablet_switch_dev_id = dev_id; + asus->tablet_switch_event_code = event_code; + } else if (result == -ENODEV) { +@@ -534,6 +542,7 @@ static int asus_wmi_input_init(struct asus_wmi *asus) + case asus_wmi_no_tablet_switch: + break; + case asus_wmi_kbd_dock_devid: ++ asus->tablet_switch_inverted = true; + asus_wmi_tablet_sw_init(asus, ASUS_WMI_DEVID_KBD_DOCK, NOTIFY_KBD_DOCK_CHANGE); + break; + case asus_wmi_lid_flip_devid: +@@ -573,10 +582,8 @@ static void asus_wmi_tablet_mode_get_state(struct asus_wmi *asus) + return; + + result = asus_wmi_get_devstate_simple(asus, asus->tablet_switch_dev_id); +- if (result >= 0) { +- input_report_switch(asus->inputdev, SW_TABLET_MODE, result); +- input_sync(asus->inputdev); +- } ++ if (result >= 0) ++ asus_wmi_tablet_sw_report(asus, result); + } + + /* dGPU ********************************************************************/ +-- +2.39.0 + diff --git a/queue-6.1/riscv-kprobe-fix-instruction-simulation-of-jalr.patch b/queue-6.1/riscv-kprobe-fix-instruction-simulation-of-jalr.patch new file mode 100644 index 00000000000..f6cc398cee4 --- /dev/null +++ b/queue-6.1/riscv-kprobe-fix-instruction-simulation-of-jalr.patch @@ -0,0 +1,71 @@ +From a3f87d0970de1727c8c527eeaddefaa38b3a0e15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 14:43:42 +0800 +Subject: riscv/kprobe: Fix instruction simulation of JALR + +From: Liao Chang + +[ Upstream commit ca0254998be4d74cf6add70ccfab0d2dbd362a10 ] + +Set kprobe at 'jalr 1140(ra)' of vfs_write results in the following +crash: + +[ 32.092235] Unable to handle kernel access to user memory without uaccess routines at virtual address 00aaaaaad77b1170 +[ 32.093115] Oops [#1] +[ 32.093251] Modules linked in: +[ 32.093626] CPU: 0 PID: 135 Comm: ftracetest Not tainted 6.2.0-rc2-00013-gb0aa5e5df0cb-dirty #16 +[ 32.093985] Hardware name: riscv-virtio,qemu (DT) +[ 32.094280] epc : ksys_read+0x88/0xd6 +[ 32.094855] ra : ksys_read+0xc0/0xd6 +[ 32.095016] epc : ffffffff801cda80 ra : ffffffff801cdab8 sp : ff20000000d7bdc0 +[ 32.095227] gp : ffffffff80f14000 tp : ff60000080f9cb40 t0 : ffffffff80f13e80 +[ 32.095500] t1 : ffffffff8000c29c t2 : ffffffff800dbc54 s0 : ff20000000d7be60 +[ 32.095716] s1 : 0000000000000000 a0 : ffffffff805a64ae a1 : ffffffff80a83708 +[ 32.095921] a2 : ffffffff80f160a0 a3 : 0000000000000000 a4 : f229b0afdb165300 +[ 32.096171] a5 : f229b0afdb165300 a6 : ffffffff80eeebd0 a7 : 00000000000003ff +[ 32.096411] s2 : ff6000007ff76800 s3 : fffffffffffffff7 s4 : 00aaaaaad77b1170 +[ 32.096638] s5 : ffffffff80f160a0 s6 : ff6000007ff76800 s7 : 0000000000000030 +[ 32.096865] s8 : 00ffffffc3d97be0 s9 : 0000000000000007 s10: 00aaaaaad77c9410 +[ 32.097092] s11: 0000000000000000 t3 : ffffffff80f13e48 t4 : ffffffff8000c29c +[ 32.097317] t5 : ffffffff8000c29c t6 : ffffffff800dbc54 +[ 32.097505] status: 0000000200000120 badaddr: 00aaaaaad77b1170 cause: 000000000000000d +[ 32.098011] [] ksys_write+0x6c/0xd6 +[ 32.098222] [] sys_write+0x2a/0x38 +[ 32.098405] [] ret_from_syscall+0x0/0x2 + +Since the rs1 and rd might be the same one, such as 'jalr 1140(ra)', +hence it requires obtaining the target address from rs1 followed by +updating rd. + +Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported") +Signed-off-by: Liao Chang +Reviewed-by: Guo Ren +Link: https://lore.kernel.org/r/20230116064342.2092136-1-liaochang1@huawei.com +[Palmer: Pick Guo's cleanup] +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/probes/simulate-insn.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kernel/probes/simulate-insn.c b/arch/riscv/kernel/probes/simulate-insn.c +index d73e96f6ed7c..a20568bd1f1a 100644 +--- a/arch/riscv/kernel/probes/simulate-insn.c ++++ b/arch/riscv/kernel/probes/simulate-insn.c +@@ -71,11 +71,11 @@ bool __kprobes simulate_jalr(u32 opcode, unsigned long addr, struct pt_regs *reg + u32 rd_index = (opcode >> 7) & 0x1f; + u32 rs1_index = (opcode >> 15) & 0x1f; + +- ret = rv_insn_reg_set_val(regs, rd_index, addr + 4); ++ ret = rv_insn_reg_get_val(regs, rs1_index, &base_addr); + if (!ret) + return ret; + +- ret = rv_insn_reg_get_val(regs, rs1_index, &base_addr); ++ ret = rv_insn_reg_set_val(regs, rd_index, addr + 4); + if (!ret) + return ret; + +-- +2.39.0 + diff --git a/queue-6.1/riscv-move-call-to-init_cpu_topology-to-later-initia.patch b/queue-6.1/riscv-move-call-to-init_cpu_topology-to-later-initia.patch new file mode 100644 index 00000000000..ef293e82822 --- /dev/null +++ b/queue-6.1/riscv-move-call-to-init_cpu_topology-to-later-initia.patch @@ -0,0 +1,60 @@ +From b47702535ae5aa41faac16ff54e38d053d0fe78b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jan 2023 11:37:05 +0800 +Subject: riscv: Move call to init_cpu_topology() to later initialization stage + +From: Ley Foon Tan + +[ Upstream commit c1d6105869464635d8a2bcf87a43c05f4c0cfca4 ] + +If "capacity-dmips-mhz" is present in a CPU DT node, +topology_parse_cpu_capacity() will fail to allocate memory. arm64, with +which this code path is shared, does not call +topology_parse_cpu_capacity() until later in boot where memory +allocation is available. While "capacity-dmips-mhz" is not yet a valid +property on RISC-V, invalid properties should be ignored rather than +cause issues. Move init_cpu_topology(), which calls +topology_parse_cpu_capacity(), to a later initialization stage, to match +arm64. + +As a side effect of this change, RISC-V is "protected" from changes to +core topology code that would work on arm64 where memory allocation is +safe but on RISC-V isn't. + +Fixes: 03f11f03dbfe ("RISC-V: Parse cpu topology during boot.") +Reviewed-by: Conor Dooley +Reviewed-by: Andrew Jones +Signed-off-by: Ley Foon Tan +Link: https://lore.kernel.org/r/20230105033705.3946130-1-leyfoon.tan@starfivetech.com +[Palmer: use Conor's commit text] +Link: https://lore.kernel.org/linux-riscv/20230104183033.755668-1-pierre.gondois@arm.com/T/#me592d4c8b9508642954839f0077288a353b0b9b2 +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/smpboot.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/smpboot.c b/arch/riscv/kernel/smpboot.c +index 3373df413c88..ddb2afba6d25 100644 +--- a/arch/riscv/kernel/smpboot.c ++++ b/arch/riscv/kernel/smpboot.c +@@ -39,7 +39,6 @@ static DECLARE_COMPLETION(cpu_running); + + void __init smp_prepare_boot_cpu(void) + { +- init_cpu_topology(); + } + + void __init smp_prepare_cpus(unsigned int max_cpus) +@@ -48,6 +47,8 @@ void __init smp_prepare_cpus(unsigned int max_cpus) + int ret; + unsigned int curr_cpuid; + ++ init_cpu_topology(); ++ + curr_cpuid = smp_processor_id(); + store_cpu_topology(curr_cpuid); + numa_store_cpu_info(curr_cpuid); +-- +2.39.0 + diff --git a/queue-6.1/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch b/queue-6.1/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch new file mode 100644 index 00000000000..747b1e72af1 --- /dev/null +++ b/queue-6.1/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch @@ -0,0 +1,68 @@ +From 6842cdc1dcc72b9f13a5803367ae0a86672dbf77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 14:59:33 -0300 +Subject: sctp: fail if no bound addresses can be used for a given scope + +From: Marcelo Ricardo Leitner + +[ Upstream commit 458e279f861d3f61796894cd158b780765a1569f ] + +Currently, if you bind the socket to something like: + servaddr.sin6_family = AF_INET6; + servaddr.sin6_port = htons(0); + servaddr.sin6_scope_id = 0; + inet_pton(AF_INET6, "::1", &servaddr.sin6_addr); + +And then request a connect to: + connaddr.sin6_family = AF_INET6; + connaddr.sin6_port = htons(20000); + connaddr.sin6_scope_id = if_nametoindex("lo"); + inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr); + +What the stack does is: + - bind the socket + - create a new asoc + - to handle the connect + - copy the addresses that can be used for the given scope + - try to connect + +But the copy returns 0 addresses, and the effect is that it ends up +trying to connect as if the socket wasn't bound, which is not the +desired behavior. This unexpected behavior also allows KASLR leaks +through SCTP diag interface. + +The fix here then is, if when trying to copy the addresses that can +be used for the scope used in connect() it returns 0 addresses, bail +out. This is what TCP does with a similar reproducer. + +Reported-by: Pietro Borrello +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Marcelo Ricardo Leitner +Reviewed-by: Xin Long +Link: https://lore.kernel.org/r/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/bind_addr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c +index 59e653b528b1..6b95d3ba8fe1 100644 +--- a/net/sctp/bind_addr.c ++++ b/net/sctp/bind_addr.c +@@ -73,6 +73,12 @@ int sctp_bind_addr_copy(struct net *net, struct sctp_bind_addr *dest, + } + } + ++ /* If somehow no addresses were found that can be used with this ++ * scope, it's an error. ++ */ ++ if (list_empty(&dest->address_list)) ++ error = -ENETUNREACH; ++ + out: + if (error) + sctp_bind_addr_clean(dest); +-- +2.39.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 29f73fe26e8..99eb6c98fc3 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -237,3 +237,66 @@ drm-amdgpu-remove-unconditional-trap-enable-on-add-gfx11-queues.patch drm-amdgpu-display-mst-fix-mst_state-pbn_div-and-slot-count-assignments.patch drm-amdgpu-display-mst-limit-payload-to-be-updated-one-by-one.patch drm-amdgpu-display-mst-update-mst_mgr-relevant-variable-when-long-hpd.patch +io_uring-inline-io_req_task_work_add.patch +io_uring-inline-__io_req_complete_post.patch +io_uring-hold-locks-for-io_req_complete_failed.patch +io_uring-use-io_req_task_complete-in-timeout.patch +io_uring-remove-io_req_tw_post_queue.patch +io_uring-inline-__io_req_complete_put.patch +net-mana-fix-irq-name-add-pci-and-queue-number.patch +io_uring-always-prep_async-for-drain-requests.patch +i2c-designware-use-casting-of-u64-in-clock-multiplic.patch +i2c-designware-fix-unbalanced-suspended-flag.patch +drm-drm_vma_manager-add-drm_vma_node_allow_once.patch +drm-i915-fix-a-memory-leak-with-reused-mmap_offset.patch +iavf-fix-temporary-deadlock-and-failure-to-set-mac-a.patch +iavf-schedule-watchdog-immediately-when-changing-pri.patch +netlink-prevent-potential-spectre-v1-gadgets.patch +net-fix-uaf-in-netns-ops-registration-error-path.patch +net-fec-use-page_pool_put_full_page-when-freeing-rx-.patch +nvme-simplify-transport-specific-device-attribute-ha.patch +nvme-consolidate-setting-the-tagset-flags.patch +nvme-fc-fix-initialization-order.patch +drm-i915-selftest-fix-intel_selftest_modify_policy-a.patch +acpi-video-add-backlight-native-dmi-quirk-for-hp-pav.patch +acpi-video-add-backlight-native-dmi-quirk-for-hp-eli.patch +acpi-video-add-backlight-native-dmi-quirk-for-asus-u.patch +netfilter-nft_set_rbtree-switch-to-node-list-walk-fo.patch +netfilter-nft_set_rbtree-skip-elements-in-transactio.patch +netlink-annotate-data-races-around-nlk-portid.patch +netlink-annotate-data-races-around-dst_portid-and-ds.patch +netlink-annotate-data-races-around-sk_state.patch +ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch +ipv4-prevent-potential-spectre-v1-gadget-in-fib_metr.patch +net-dsa-microchip-fix-probe-of-i2c-connected-ksz8563.patch +net-ethernet-adi-adin1110-fix-multicast-offloading.patch +netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch +netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch +netrom-fix-use-after-free-of-a-listening-socket.patch +platform-x86-asus-wmi-fix-kbd_dock_devid-tablet-swit.patch +platform-x86-apple-gmux-move-port-defines-to-apple-g.patch +platform-x86-apple-gmux-add-apple_gmux_detect-helper.patch +acpi-video-fix-apple-gmux-detection.patch +tracing-osnoise-use-built-in-rcu-list-checking.patch +net-sched-sch_taprio-do-not-schedule-in-taprio_reset.patch +sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch +riscv-kprobe-fix-instruction-simulation-of-jalr.patch +nvme-fix-passthrough-csi-check.patch +gpio-mxc-unlock-on-error-path-in-mxc_flip_edge.patch +gpio-ep93xx-fix-port-f-hwirq-numbers-in-handler.patch +net-ravb-fix-lack-of-register-setting-after-system-r.patch +net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch +net-mctp-add-an-explicit-reference-from-a-mctp_sk_ke.patch +net-mctp-move-expiry-timer-delete-to-unhash.patch +net-mctp-hold-key-reference-when-looking-up-a-genera.patch +net-mctp-mark-socks-as-dead-on-unhash-prevent-re-add.patch +thermal-intel-int340x-add-locking-to-int340x_thermal.patch +riscv-move-call-to-init_cpu_topology-to-later-initia.patch +net-tg3-resolve-deadlock-in-tg3_reset_task-during-ee.patch +tsnep-fix-tx-queue-stop-wake-for-multiple-queues.patch +net-mdio-mux-meson-g12a-force-internal-phy-off-on-mu.patch +partially-revert-perf-arm-cmn-optimise-dtc-counter-a.patch +block-ublk-move-ublk_chr_class-destroying-after-devi.patch +treewide-fix-up-files-incorrectly-marked-executable.patch +tools-gpio-fix-c-option-of-gpio-event-mon.patch +fix-up-more-non-executable-files-marked-executable.patch diff --git a/queue-6.1/thermal-intel-int340x-add-locking-to-int340x_thermal.patch b/queue-6.1/thermal-intel-int340x-add-locking-to-int340x_thermal.patch new file mode 100644 index 00000000000..5c3621fe061 --- /dev/null +++ b/queue-6.1/thermal-intel-int340x-add-locking-to-int340x_thermal.patch @@ -0,0 +1,58 @@ +From 4eb9cf6b174eb2854049b8e90987e6dfde04403d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 13:17:42 +0100 +Subject: thermal: intel: int340x: Add locking to + int340x_thermal_get_trip_type() + +From: Rafael J. Wysocki + +[ Upstream commit acd7e9ee57c880b99671dd99680cb707b7b5b0ee ] + +In order to prevent int340x_thermal_get_trip_type() from possibly +racing with int340x_thermal_read_trips() invoked by int3403_notify() +add locking to it in analogy with int340x_thermal_get_trip_temp(). + +Fixes: 6757a7abe47b ("thermal: intel: int340x: Protect trip temperature from concurrent updates") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + .../intel/int340x_thermal/int340x_thermal_zone.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.c b/drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.c +index 852f6c579af5..0a4eaa307156 100644 +--- a/drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.c ++++ b/drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.c +@@ -81,11 +81,13 @@ static int int340x_thermal_get_trip_type(struct thermal_zone_device *zone, + enum thermal_trip_type *type) + { + struct int34x_thermal_zone *d = zone->devdata; +- int i; ++ int i, ret = 0; + + if (d->override_ops && d->override_ops->get_trip_type) + return d->override_ops->get_trip_type(zone, trip, type); + ++ mutex_lock(&d->trip_mutex); ++ + if (trip < d->aux_trip_nr) + *type = THERMAL_TRIP_PASSIVE; + else if (trip == d->crt_trip_id) +@@ -103,10 +105,12 @@ static int int340x_thermal_get_trip_type(struct thermal_zone_device *zone, + } + } + if (i == INT340X_THERMAL_MAX_ACT_TRIP_COUNT) +- return -EINVAL; ++ ret = -EINVAL; + } + +- return 0; ++ mutex_unlock(&d->trip_mutex); ++ ++ return ret; + } + + static int int340x_thermal_set_trip_temp(struct thermal_zone_device *zone, +-- +2.39.0 + diff --git a/queue-6.1/tools-gpio-fix-c-option-of-gpio-event-mon.patch b/queue-6.1/tools-gpio-fix-c-option-of-gpio-event-mon.patch new file mode 100644 index 00000000000..abcec0e9b43 --- /dev/null +++ b/queue-6.1/tools-gpio-fix-c-option-of-gpio-event-mon.patch @@ -0,0 +1,58 @@ +From cb7410e44c54667fdae52bdbeb924d622e767812 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 15:10:33 +0200 +Subject: tools: gpio: fix -c option of gpio-event-mon + +From: Ivo Borisov Shopov + +[ Upstream commit 677d85e1a1ee69fa05ccea83847309484be3781c ] + +Following line should listen for a rising edge and exit after the first +one since '-c 1' is provided. + + # gpio-event-mon -n gpiochip1 -o 0 -r -c 1 + +It works with kernel 4.19 but it doesn't work with 5.10. In 5.10 the +above command doesn't exit after the first rising edge it keep listening +for an event forever. The '-c 1' is not taken into an account. +The problem is in commit 62757c32d5db ("tools: gpio: add multi-line +monitoring to gpio-event-mon"). +Before this commit the iterator 'i' in monitor_device() is used for +counting of the events (loops). In the case of the above command (-c 1) +we should start from 0 and increment 'i' only ones and hit the 'break' +statement and exit the process. But after the above commit counting +doesn't start from 0, it start from 1 when we listen on one line. +It is because 'i' is used from one more purpose, counting of lines +(num_lines) and it isn't restore to 0 after following code + + for (i = 0; i < num_lines; i++) + gpiotools_set_bit(&values.mask, i); + +Restore the initial value of the iterator to 0 in order to allow counting +of loops to work for any cases. + +Fixes: 62757c32d5db ("tools: gpio: add multi-line monitoring to gpio-event-mon") +Signed-off-by: Ivo Borisov Shopov +Reviewed-by: Andy Shevchenko +[Bartosz: tweak the commit message] +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + tools/gpio/gpio-event-mon.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/gpio/gpio-event-mon.c b/tools/gpio/gpio-event-mon.c +index 6c122952c589..5dee2b98ab60 100644 +--- a/tools/gpio/gpio-event-mon.c ++++ b/tools/gpio/gpio-event-mon.c +@@ -86,6 +86,7 @@ int monitor_device(const char *device_name, + gpiotools_test_bit(values.bits, i)); + } + ++ i = 0; + while (1) { + struct gpio_v2_line_event event; + +-- +2.39.0 + diff --git a/queue-6.1/tracing-osnoise-use-built-in-rcu-list-checking.patch b/queue-6.1/tracing-osnoise-use-built-in-rcu-list-checking.patch new file mode 100644 index 00000000000..5994bbdeffa --- /dev/null +++ b/queue-6.1/tracing-osnoise-use-built-in-rcu-list-checking.patch @@ -0,0 +1,56 @@ +From a4ef8cfece510b7254754cb888d9d356dc873642 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Dec 2022 10:30:36 +0800 +Subject: tracing/osnoise: Use built-in RCU list checking + +From: Chuang Wang + +[ Upstream commit 685b64e4d6da4be8b4595654a57db663b3d1dfc2 ] + +list_for_each_entry_rcu() has built-in RCU and lock checking. + +Pass cond argument to list_for_each_entry_rcu() to silence false lockdep +warning when CONFIG_PROVE_RCU_LIST is enabled. + +Execute as follow: + + [tracing]# echo osnoise > current_tracer + [tracing]# echo 1 > tracing_on + [tracing]# echo 0 > tracing_on + +The trace_types_lock is held when osnoise_tracer_stop() or +timerlat_tracer_stop() are called in the non-RCU read side section. +So, pass lockdep_is_held(&trace_types_lock) to silence false lockdep +warning. + +Link: https://lkml.kernel.org/r/20221227023036.784337-1-nashuiliang@gmail.com + +Cc: Masami Hiramatsu +Fixes: dae181349f1e ("tracing/osnoise: Support a list of trace_array *tr") +Acked-by: Daniel Bristot de Oliveira +Signed-off-by: Chuang Wang +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_osnoise.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c +index 4300c5dc4e5d..1c07efcb3d46 100644 +--- a/kernel/trace/trace_osnoise.c ++++ b/kernel/trace/trace_osnoise.c +@@ -125,9 +125,8 @@ static void osnoise_unregister_instance(struct trace_array *tr) + * register/unregister serialization is provided by trace's + * trace_types_lock. + */ +- lockdep_assert_held(&trace_types_lock); +- +- list_for_each_entry_rcu(inst, &osnoise_instances, list) { ++ list_for_each_entry_rcu(inst, &osnoise_instances, list, ++ lockdep_is_held(&trace_types_lock)) { + if (inst->tr == tr) { + list_del_rcu(&inst->list); + found = 1; +-- +2.39.0 + diff --git a/queue-6.1/treewide-fix-up-files-incorrectly-marked-executable.patch b/queue-6.1/treewide-fix-up-files-incorrectly-marked-executable.patch new file mode 100644 index 00000000000..70568a5daa1 --- /dev/null +++ b/queue-6.1/treewide-fix-up-files-incorrectly-marked-executable.patch @@ -0,0 +1,46 @@ +From af95e60c38e6d27c4d4bfc503a7afc39001e364c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 10:05:39 -0800 +Subject: treewide: fix up files incorrectly marked executable + +From: Linus Torvalds + +[ Upstream commit 262b42e02d1e0b5ad1b33e9b9842e178c16231de ] + +I'm not exactly clear on what strange workflow causes people to do it, +but clearly occasionally some files end up being committed as executable +even though they clearly aren't. + +This is a reprise of commit 90fda63fa115 ("treewide: fix up files +incorrectly marked executable"), just with a different set of files (but +with the same trivial shell scripting). + +So apparently we need to re-do this every five years or so, and Joe +needs to just keep reminding me to do so ;) + +Reported-by: Joe Perches +Fixes: 523375c943e5 ("drm/vmwgfx: Port vmwgfx to arm64") +Fixes: 5c439937775d ("ASoC: codecs: add support for ES8326") +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_msg_arm64.h | 0 + sound/soc/codecs/es8326.c | 0 + sound/soc/codecs/es8326.h | 0 + 3 files changed, 0 insertions(+), 0 deletions(-) + mode change 100755 => 100644 drivers/gpu/drm/vmwgfx/vmwgfx_msg_arm64.h + mode change 100755 => 100644 sound/soc/codecs/es8326.c + mode change 100755 => 100644 sound/soc/codecs/es8326.h + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg_arm64.h b/drivers/gpu/drm/vmwgfx/vmwgfx_msg_arm64.h +old mode 100755 +new mode 100644 +diff --git a/sound/soc/codecs/es8326.c b/sound/soc/codecs/es8326.c +old mode 100755 +new mode 100644 +diff --git a/sound/soc/codecs/es8326.h b/sound/soc/codecs/es8326.h +old mode 100755 +new mode 100644 +-- +2.39.0 + diff --git a/queue-6.1/tsnep-fix-tx-queue-stop-wake-for-multiple-queues.patch b/queue-6.1/tsnep-fix-tx-queue-stop-wake-for-multiple-queues.patch new file mode 100644 index 00000000000..c834bed2ebd --- /dev/null +++ b/queue-6.1/tsnep-fix-tx-queue-stop-wake-for-multiple-queues.patch @@ -0,0 +1,79 @@ +From 0bd0a3577641b24250a58a89f8fd357026803a42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 20:14:40 +0100 +Subject: tsnep: Fix TX queue stop/wake for multiple queues + +From: Gerhard Engleder + +[ Upstream commit 3d53aaef4332245044b2f3688ac0ea10436c719c ] + +netif_stop_queue() and netif_wake_queue() act on TX queue 0. This is ok +as long as only a single TX queue is supported. But support for multiple +TX queues was introduced with 762031375d5c and I missed to adapt stop +and wake of TX queues. + +Use netif_stop_subqueue() and netif_tx_wake_queue() to act on specific +TX queue. + +Fixes: 762031375d5c ("tsnep: Support multiple TX/RX queue pairs") +Signed-off-by: Gerhard Engleder +Link: https://lore.kernel.org/r/20230124191440.56887-1-gerhard@engleder-embedded.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/engleder/tsnep_main.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/engleder/tsnep_main.c b/drivers/net/ethernet/engleder/tsnep_main.c +index 13d5ff4e0e02..6bf3cc11d212 100644 +--- a/drivers/net/ethernet/engleder/tsnep_main.c ++++ b/drivers/net/ethernet/engleder/tsnep_main.c +@@ -419,7 +419,7 @@ static netdev_tx_t tsnep_xmit_frame_ring(struct sk_buff *skb, + /* ring full, shall not happen because queue is stopped if full + * below + */ +- netif_stop_queue(tx->adapter->netdev); ++ netif_stop_subqueue(tx->adapter->netdev, tx->queue_index); + + spin_unlock_irqrestore(&tx->lock, flags); + +@@ -462,7 +462,7 @@ static netdev_tx_t tsnep_xmit_frame_ring(struct sk_buff *skb, + + if (tsnep_tx_desc_available(tx) < (MAX_SKB_FRAGS + 1)) { + /* ring can get full with next frame */ +- netif_stop_queue(tx->adapter->netdev); ++ netif_stop_subqueue(tx->adapter->netdev, tx->queue_index); + } + + spin_unlock_irqrestore(&tx->lock, flags); +@@ -472,11 +472,14 @@ static netdev_tx_t tsnep_xmit_frame_ring(struct sk_buff *skb, + + static bool tsnep_tx_poll(struct tsnep_tx *tx, int napi_budget) + { ++ struct tsnep_tx_entry *entry; ++ struct netdev_queue *nq; + unsigned long flags; + int budget = 128; +- struct tsnep_tx_entry *entry; +- int count; + int length; ++ int count; ++ ++ nq = netdev_get_tx_queue(tx->adapter->netdev, tx->queue_index); + + spin_lock_irqsave(&tx->lock, flags); + +@@ -533,8 +536,8 @@ static bool tsnep_tx_poll(struct tsnep_tx *tx, int napi_budget) + } while (likely(budget)); + + if ((tsnep_tx_desc_available(tx) >= ((MAX_SKB_FRAGS + 1) * 2)) && +- netif_queue_stopped(tx->adapter->netdev)) { +- netif_wake_queue(tx->adapter->netdev); ++ netif_tx_queue_stopped(nq)) { ++ netif_tx_wake_queue(nq); + } + + spin_unlock_irqrestore(&tx->lock, flags); +-- +2.39.0 +