From: Sasha Levin Date: Sat, 29 Jun 2024 11:49:58 +0000 (-0400) Subject: Fixes for 6.9 X-Git-Tag: v4.19.317~132 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f0d60b49fff588738ae392a7ccaf47e688ec458;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.9 Signed-off-by: Sasha Levin --- diff --git a/queue-6.9/af_unix-don-t-stop-recv-at-consumed-ex-oob-skb.patch b/queue-6.9/af_unix-don-t-stop-recv-at-consumed-ex-oob-skb.patch new file mode 100644 index 00000000000..ce408ac6664 --- /dev/null +++ b/queue-6.9/af_unix-don-t-stop-recv-at-consumed-ex-oob-skb.patch 
@@ -0,0 +1,71 @@ +From 16344483e0461c164e98cac18f4e6b3e9719facf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 18:36:40 -0700 +Subject: af_unix: Don't stop recv() at consumed ex-OOB skb. + +From: Kuniyuki Iwashima + +[ Upstream commit 36893ef0b661671ee64eb37bf5f345f33d2cabb7 ] + +Currently, recv() is stopped at a consumed OOB skb even if a new +OOB skb is queued and we can ignore the old OOB skb. + + >>> from socket import * + >>> c1, c2 = socket(AF_UNIX, SOCK_STREAM) + >>> c1.send(b'hellowor', MSG_OOB) + 8 + >>> c2.recv(1, MSG_OOB) # consume OOB data stays at middle of recvq. + b'r' + >>> c1.send(b'ld', MSG_OOB) + 2 + >>> c2.recv(10) # recv() stops at the old consumed OOB + b'hellowo' # should be 'hellowol' + +manage_oob() should not stop recv() at the old consumed OOB skb if +there is a new OOB data queued. + +Note that TCP behaviour is apparently wrong in this test case because +we can recv() the same OOB data twice. + +Without fix: + + # RUN msg_oob.no_peek.ex_oob_ahead_break ... + # msg_oob.c:138:ex_oob_ahead_break:AF_UNIX :hellowo + # msg_oob.c:139:ex_oob_ahead_break:Expected:hellowol + # msg_oob.c:141:ex_oob_ahead_break:Expected ret[0] (7) == expected_len (8) + # ex_oob_ahead_break: Test terminated by assertion + # FAIL msg_oob.no_peek.ex_oob_ahead_break + not ok 11 msg_oob.no_peek.ex_oob_ahead_break + +With fix: + + # RUN msg_oob.no_peek.ex_oob_ahead_break ... 
+ # msg_oob.c:146:ex_oob_ahead_break:AF_UNIX :hellowol + # msg_oob.c:147:ex_oob_ahead_break:TCP :helloworl + # OK msg_oob.no_peek.ex_oob_ahead_break + ok 11 msg_oob.no_peek.ex_oob_ahead_break + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 645ac77e4dda3..e0fea73317de8 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2665,7 +2665,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk, + + spin_lock(&sk->sk_receive_queue.lock); + +- if (copied) { ++ if (copied && (!u->oob_skb || skb == u->oob_skb)) { + skb = NULL; + } else if (flags & MSG_PEEK) { + skb = skb_peek_next(skb, &sk->sk_receive_queue); +-- +2.43.0 + diff --git a/queue-6.9/af_unix-don-t-stop-recv-msg_dontwait-if-consumed-oob.patch b/queue-6.9/af_unix-don-t-stop-recv-msg_dontwait-if-consumed-oob.patch new file mode 100644 index 00000000000..5484f305dd8 --- /dev/null +++ b/queue-6.9/af_unix-don-t-stop-recv-msg_dontwait-if-consumed-oob.patch 
@@ -0,0 +1,111 @@ +From 4dd8fcab9527dcb2e90530feeff507257c53ce23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 18:36:38 -0700 +Subject: af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the + head. + +From: Kuniyuki Iwashima + +[ Upstream commit 93c99f21db360957d49853e5666b5c147f593bda ] + +Let's say a socket send()s "hello" with MSG_OOB and "world" without flags, + + >>> from socket import * + >>> c1, c2 = socketpair(AF_UNIX) + >>> c1.send(b'hello', MSG_OOB) + 5 + >>> c1.send(b'world') + 5 + +and its peer recv()s "hell" and "o". + + >>> c2.recv(10) + b'hell' + >>> c2.recv(1, MSG_OOB) + b'o' + +Now the consumed OOB skb stays at the head of recvq to return a correct +value for ioctl(SIOCATMARK), which is broken now and fixed by a later +patch. + +Then, if peer issues recv() with MSG_DONTWAIT, manage_oob() returns NULL, +so recv() ends up with -EAGAIN. + + >>> c2.setblocking(False) # This causes -EAGAIN even with available data + >>> c2.recv(5) + Traceback (most recent call last): + File "", line 1, in + BlockingIOError: [Errno 11] Resource temporarily unavailable + +However, next recv() will return the following available data, "world". + + >>> c2.recv(5) + b'world' + +When the consumed OOB skb is at the head of the queue, we need to fetch +the next skb to fix the weird behaviour. + +Note that the issue does not happen without MSG_DONTWAIT because we can +retry after manage_oob(). + +This patch also adds a test case that covers the issue. + +Without fix: + + # RUN msg_oob.no_peek.ex_oob_break ... + # msg_oob.c:134:ex_oob_break:AF_UNIX :Resource temporarily unavailable + # msg_oob.c:135:ex_oob_break:Expected:ld + # msg_oob.c:137:ex_oob_break:Expected ret[0] (-1) == expected_len (2) + # ex_oob_break: Test terminated by assertion + # FAIL msg_oob.no_peek.ex_oob_break + not ok 8 msg_oob.no_peek.ex_oob_break + +With fix: + + # RUN msg_oob.no_peek.ex_oob_break ... 
+ # OK msg_oob.no_peek.ex_oob_break + ok 8 msg_oob.no_peek.ex_oob_break + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index d687670e84990..645ac77e4dda3 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2661,12 +2661,23 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk, + struct unix_sock *u = unix_sk(sk); + + if (!unix_skb_len(skb)) { +- if (!(flags & MSG_PEEK)) { +- skb_unlink(skb, &sk->sk_receive_queue); +- consume_skb(skb); ++ struct sk_buff *unlinked_skb = NULL; ++ ++ spin_lock(&sk->sk_receive_queue.lock); ++ ++ if (copied) { ++ skb = NULL; ++ } else if (flags & MSG_PEEK) { ++ skb = skb_peek_next(skb, &sk->sk_receive_queue); ++ } else { ++ unlinked_skb = skb; ++ skb = skb_peek_next(skb, &sk->sk_receive_queue); ++ __skb_unlink(unlinked_skb, &sk->sk_receive_queue); + } + +- skb = NULL; ++ spin_unlock(&sk->sk_receive_queue.lock); ++ ++ consume_skb(unlinked_skb); + } else { + struct sk_buff *unlinked_skb = NULL; + +-- +2.43.0 + diff --git a/queue-6.9/af_unix-fix-wrong-ioctl-siocatmark-when-consumed-oob.patch b/queue-6.9/af_unix-fix-wrong-ioctl-siocatmark-when-consumed-oob.patch new file mode 100644 index 00000000000..87b4b5c8e3c --- /dev/null +++ b/queue-6.9/af_unix-fix-wrong-ioctl-siocatmark-when-consumed-oob.patch 
@@ -0,0 +1,68 @@ +From 2f3ef1c681be686de19c983d43596450e0c6665e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 18:36:44 -0700 +Subject: af_unix: Fix wrong ioctl(SIOCATMARK) when consumed OOB skb is at the + head. + +From: Kuniyuki Iwashima + +[ Upstream commit e400cfa38bb0419cf1313e5494ea2b7d114e86d7 ] + +Even if OOB data is recv()ed, ioctl(SIOCATMARK) must return 1 when the +OOB skb is at the head of the receive queue and no new OOB data is queued. + +Without fix: + + # RUN msg_oob.no_peek.oob ... + # msg_oob.c:305:oob:Expected answ[0] (0) == oob_head (1) + # oob: Test terminated by assertion + # FAIL msg_oob.no_peek.oob + not ok 2 msg_oob.no_peek.oob + +With fix: + + # RUN msg_oob.no_peek.oob ... + # OK msg_oob.no_peek.oob + ok 2 msg_oob.no_peek.oob + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index e0fea73317de8..24286ce0ef3ee 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -3154,12 +3154,23 @@ static int unix_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + #if IS_ENABLED(CONFIG_AF_UNIX_OOB) + case SIOCATMARK: + { ++ struct unix_sock *u = unix_sk(sk); + struct sk_buff *skb; + int answ = 0; + ++ mutex_lock(&u->iolock); ++ + skb = skb_peek(&sk->sk_receive_queue); +- if (skb && skb == READ_ONCE(unix_sk(sk)->oob_skb)) +- answ = 1; ++ if (skb) { ++ struct sk_buff *oob_skb = READ_ONCE(u->oob_skb); ++ ++ if (skb == oob_skb || ++ (!oob_skb && !unix_skb_len(skb))) ++ answ = 1; ++ } ++ ++ mutex_unlock(&u->iolock); ++ + err = put_user(answ, (int __user *)arg); + } + break; +-- +2.43.0 + 
diff --git a/queue-6.9/af_unix-stop-recv-msg_peek-at-consumed-oob-skb.patch b/queue-6.9/af_unix-stop-recv-msg_peek-at-consumed-oob-skb.patch new file mode 100644 index 00000000000..544940033a2 --- /dev/null +++ b/queue-6.9/af_unix-stop-recv-msg_peek-at-consumed-oob-skb.patch 
@@ -0,0 +1,78 @@ +From ffffae0b7d7368d64c6b8110af30a4f466c9f1c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 18:36:37 -0700 +Subject: af_unix: Stop recv(MSG_PEEK) at consumed OOB skb. + +From: Kuniyuki Iwashima + +[ Upstream commit b94038d841a91d0e3f59cfe4d073e210910366ee ] + +After consuming OOB data, recv() reading the preceding data must break at +the OOB skb regardless of MSG_PEEK. + +Currently, MSG_PEEK does not stop recv() for AF_UNIX, and the behaviour is +not compliant with TCP. + + >>> from socket import * + >>> c1, c2 = socketpair(AF_UNIX) + >>> c1.send(b'hello', MSG_OOB) + 5 + >>> c1.send(b'world') + 5 + >>> c2.recv(1, MSG_OOB) + b'o' + >>> c2.recv(9, MSG_PEEK) # This should return b'hell' + b'hellworld' # even with enough buffer. + +Let's fix it by returning NULL for consumed skb and unlinking it only if +MSG_PEEK is not specified. + +This patch also adds test cases that add recv(MSG_PEEK) before each recv(). + +Without fix: + + # RUN msg_oob.peek.oob_ahead_break ... + # msg_oob.c:134:oob_ahead_break:AF_UNIX :hellworld + # msg_oob.c:135:oob_ahead_break:Expected:hell + # msg_oob.c:137:oob_ahead_break:Expected ret[0] (9) == expected_len (4) + # oob_ahead_break: Test terminated by assertion + # FAIL msg_oob.peek.oob_ahead_break + not ok 13 msg_oob.peek.oob_ahead_break + +With fix: + + # RUN msg_oob.peek.oob_ahead_break ... 
+ # OK msg_oob.peek.oob_ahead_break + ok 13 msg_oob.peek.oob_ahead_break + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 68a58bc07cf23..d687670e84990 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2660,9 +2660,12 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk, + { + struct unix_sock *u = unix_sk(sk); + +- if (!unix_skb_len(skb) && !(flags & MSG_PEEK)) { +- skb_unlink(skb, &sk->sk_receive_queue); +- consume_skb(skb); ++ if (!unix_skb_len(skb)) { ++ if (!(flags & MSG_PEEK)) { ++ skb_unlink(skb, &sk->sk_receive_queue); ++ consume_skb(skb); ++ } ++ + skb = NULL; + } else { + struct sk_buff *unlinked_skb = NULL; +-- +2.43.0 + diff --git a/queue-6.9/alsa-seq-fix-missing-channel-at-encoding-rpn-nrpn-mi.patch b/queue-6.9/alsa-seq-fix-missing-channel-at-encoding-rpn-nrpn-mi.patch new file mode 100644 index 00000000000..47adbe2a419 --- /dev/null +++ b/queue-6.9/alsa-seq-fix-missing-channel-at-encoding-rpn-nrpn-mi.patch 
@@ -0,0 +1,64 @@ +From 6414ffe5d5cc9b6992de2218e2cc82a586cd3d43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 11:51:58 +0200 +Subject: ALSA: seq: Fix missing channel at encoding RPN/NRPN MIDI2 messages + +From: Takashi Iwai + +[ Upstream commit c5ab94ea280a9b4108723eecf0a636e22a5bb137 ] + +The conversion from the legacy event to MIDI2 UMP for RPN and NRPN +missed the setup of the channel number, resulting in always the +channel 0. Fix it. + +Fixes: e9e02819a98a ("ALSA: seq: Automatic conversion of UMP events") +Link: https://patch.msgid.link/20240625095200.25745-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_ump_convert.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/sound/core/seq/seq_ump_convert.c b/sound/core/seq/seq_ump_convert.c +index d81f776a4c3dd..6687efdceea13 100644 +--- a/sound/core/seq/seq_ump_convert.c ++++ b/sound/core/seq/seq_ump_convert.c +@@ -791,7 +791,8 @@ static int paf_ev_to_ump_midi2(const struct snd_seq_event *event, + + /* set up the MIDI2 RPN/NRPN packet data from the parsed info */ + static void fill_rpn(struct snd_seq_ump_midi2_bank *cc, +- union snd_ump_midi2_msg *data) ++ union snd_ump_midi2_msg *data, ++ unsigned char channel) + { + if (cc->rpn_set) { + data->rpn.status = UMP_MSG_STATUS_RPN; +@@ -808,6 +809,7 @@ static void fill_rpn(struct snd_seq_ump_midi2_bank *cc, + } + data->rpn.data = upscale_14_to_32bit((cc->cc_data_msb << 7) | + cc->cc_data_lsb); ++ data->rpn.channel = channel; + cc->cc_data_msb = cc->cc_data_lsb = 0; + } + +@@ -855,7 +857,7 @@ static int cc_ev_to_ump_midi2(const struct snd_seq_event *event, + cc->cc_data_lsb = val; + if (!(cc->rpn_set || cc->nrpn_set)) + return 0; // skip +- fill_rpn(cc, data); ++ fill_rpn(cc, data, channel); + return 1; + } + +@@ -957,7 +959,7 @@ static int ctrl14_ev_to_ump_midi2(const struct snd_seq_event *event, + cc->cc_data_lsb = lsb; + if (!(cc->rpn_set || cc->nrpn_set)) + return 0; 
// skip +- fill_rpn(cc, data); ++ fill_rpn(cc, data, channel); + return 1; + } + +-- +2.43.0 + diff --git a/queue-6.9/alsa-seq-fix-missing-msb-in-midi2-spp-conversion.patch b/queue-6.9/alsa-seq-fix-missing-msb-in-midi2-spp-conversion.patch new file mode 100644 index 00000000000..21bdab98399 --- /dev/null +++ b/queue-6.9/alsa-seq-fix-missing-msb-in-midi2-spp-conversion.patch @@ -0,0 +1,37 @@ +From b32b9a139e8311084fb064f738bc8efd7d73f773 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 16:51:13 +0200 +Subject: ALSA: seq: Fix missing MSB in MIDI2 SPP conversion + +From: Takashi Iwai + +[ Upstream commit 9d65ab6050d25f17c13f4195aa8e160c6ac638f6 ] + +The conversion of SPP to MIDI2 UMP called a wrong function, and the +secondary argument wasn't taken. As a result, MSB of SPP was always +zero. Fix to call the right function. + +Fixes: e9e02819a98a ("ALSA: seq: Automatic conversion of UMP events") +Link: https://patch.msgid.link/20240626145141.16648-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_ump_convert.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/core/seq/seq_ump_convert.c b/sound/core/seq/seq_ump_convert.c +index 6687efdceea13..e90b27a135e6f 100644 +--- a/sound/core/seq/seq_ump_convert.c ++++ b/sound/core/seq/seq_ump_convert.c +@@ -1020,7 +1020,7 @@ static int system_2p_ev_to_ump_midi2(const struct snd_seq_event *event, + union snd_ump_midi2_msg *data, + unsigned char status) + { +- return system_1p_ev_to_ump_midi1(event, dest_port, ++ return system_2p_ev_to_ump_midi1(event, dest_port, + (union snd_ump_midi1_msg *)data, + status); + } +-- +2.43.0 + diff --git a/queue-6.9/asoc-amd-acp-add-a-null-check-for-chip_pdev-structur.patch b/queue-6.9/asoc-amd-acp-add-a-null-check-for-chip_pdev-structur.patch new file mode 100644 index 00000000000..20f21775ae4 --- /dev/null +++ b/queue-6.9/asoc-amd-acp-add-a-null-check-for-chip_pdev-structur.patch 
@@ -0,0 +1,46 @@ +From 16d62eb396802c6be13ee9396857b8f2e57dacf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 12:58:34 +0530 +Subject: ASoC: amd: acp: add a null check for chip_pdev structure + +From: Vijendar Mukunda + +[ Upstream commit 98d919dfee1cc402ca29d45da642852d7c9a2301 ] + +When acp platform device creation is skipped, chip->chip_pdev value will +remain NULL. Add NULL check for chip->chip_pdev structure in +snd_acp_resume() function to avoid null pointer dereference. + +Fixes: 088a40980efb ("ASoC: amd: acp: add pm ops support for acp pci driver") +Signed-off-by: Vijendar Mukunda +Link: https://msgid.link/r/20240617072844.871468-1-Vijendar.Mukunda@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-pci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/amd/acp/acp-pci.c b/sound/soc/amd/acp/acp-pci.c +index ad320b29e87dc..aa3e72d134518 100644 +--- a/sound/soc/amd/acp/acp-pci.c ++++ b/sound/soc/amd/acp/acp-pci.c +@@ -199,10 +199,12 @@ static int __maybe_unused snd_acp_resume(struct device *dev) + ret = acp_init(chip); + if (ret) + dev_err(dev, "ACP init failed\n"); +- child = chip->chip_pdev->dev; +- adata = dev_get_drvdata(&child); +- if (adata) +- acp_enable_interrupts(adata); ++ if (chip->chip_pdev) { ++ child = chip->chip_pdev->dev; ++ adata = dev_get_drvdata(&child); ++ if (adata) ++ acp_enable_interrupts(adata); ++ } + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.9/asoc-amd-acp-move-chip-flag-variable-assignment.patch b/queue-6.9/asoc-amd-acp-move-chip-flag-variable-assignment.patch new file mode 100644 index 00000000000..9bfc8de91b1 --- /dev/null +++ b/queue-6.9/asoc-amd-acp-move-chip-flag-variable-assignment.patch 
@@ -0,0 +1,47 @@ +From 0cf9e51f58e5e15b6621fbd7041442e193fe7467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 12:58:36 +0530 +Subject: ASoC: amd: acp: move chip->flag variable assignment + +From: Vijendar Mukunda + +[ Upstream commit 379bcd2c9197bf2c429434e8a01cea0ee1852316 ] + +chip->flag variable assignment will be skipped when acp platform device +creation is skipped. In this case chip>flag value will not be set. +chip->flag variable should be assigned along with other structure +variables for 'chip' structure. Move chip->flag variable assignment +prior to acp platform device creation. + +Fixes: 3a94c8ad0aae ("ASoC: amd: acp: add code for scanning acp pdm controller") +Signed-off-by: Vijendar Mukunda +Link: https://msgid.link/r/20240617072844.871468-3-Vijendar.Mukunda@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/amd/acp/acp-pci.c b/sound/soc/amd/acp/acp-pci.c +index aa3e72d134518..777b5a78d8a9e 100644 +--- a/sound/soc/amd/acp/acp-pci.c ++++ b/sound/soc/amd/acp/acp-pci.c +@@ -100,6 +100,7 @@ static int acp_pci_probe(struct pci_dev *pci, const struct pci_device_id *pci_id + ret = -EINVAL; + goto release_regions; + } ++ chip->flag = flag; + dmic_dev = platform_device_register_data(dev, "dmic-codec", PLATFORM_DEVID_NONE, NULL, 0); + if (IS_ERR(dmic_dev)) { + dev_err(dev, "failed to create DMIC device\n"); +@@ -139,7 +140,6 @@ static int acp_pci_probe(struct pci_dev *pci, const struct pci_device_id *pci_id + } + } + +- chip->flag = flag; + memset(&pdevinfo, 0, sizeof(pdevinfo)); + + pdevinfo.name = chip->name; +-- +2.43.0 + diff --git a/queue-6.9/asoc-amd-acp-remove-i2s-configuration-check-in-acp_i.patch b/queue-6.9/asoc-amd-acp-remove-i2s-configuration-check-in-acp_i.patch new file mode 100644 index 00000000000..7e9b2361264 --- /dev/null +++ b/queue-6.9/asoc-amd-acp-remove-i2s-configuration-check-in-acp_i.patch 
@@ -0,0 +1,53 @@ +From 044dacebaab0785fd0bf39386ebd4354f241b1f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 12:58:35 +0530 +Subject: ASoC: amd: acp: remove i2s configuration check in acp_i2s_probe() + +From: Vijendar Mukunda + +[ Upstream commit 70fa3900c3ed92158628710e81d274e5cb52f92b ] + +ACP supports different pin configurations for I2S IO. Checking ACP pin +configuration value against specific value breaks the functionality for +other I2S pin configurations. This check is no longer required in i2s dai +driver probe call as i2s configuration check will be verified during acp +platform device creation sequence. +Remove i2s_mode check in acp_i2s_probe() function. + +Fixes: b24484c18b10 ("ASoC: amd: acp: ACP code generic to support newer platforms") +Signed-off-by: Vijendar Mukunda +Link: https://msgid.link/r/20240617072844.871468-2-Vijendar.Mukunda@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-i2s.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/sound/soc/amd/acp/acp-i2s.c b/sound/soc/amd/acp/acp-i2s.c +index 60cbc881be6e1..ef12f97ddc69e 100644 +--- a/sound/soc/amd/acp/acp-i2s.c ++++ b/sound/soc/amd/acp/acp-i2s.c +@@ -588,20 +588,12 @@ static int acp_i2s_probe(struct snd_soc_dai *dai) + { + struct device *dev = dai->component->dev; + struct acp_dev_data *adata = dev_get_drvdata(dev); +- struct acp_resource *rsrc = adata->rsrc; +- unsigned int val; + + if (!adata->acp_base) { + dev_err(dev, "I2S base is NULL\n"); + return -EINVAL; + } + +- val = readl(adata->acp_base + rsrc->i2s_pin_cfg_offset); +- if (val != rsrc->i2s_mode) { +- dev_err(dev, "I2S Mode not supported val %x\n", val); +- return -EINVAL; +- } +- + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.9/asoc-atmel-atmel-classd-re-add-dai_link-platform-to-.patch b/queue-6.9/asoc-atmel-atmel-classd-re-add-dai_link-platform-to-.patch new file mode 100644 index 00000000000..b955617a76d --- /dev/null 
+++ b/queue-6.9/asoc-atmel-atmel-classd-re-add-dai_link-platform-to-.patch 
@@ -0,0 +1,79 @@ +From 1237fd41b5d950d5324ab34549b039af0aeccf9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 13:10:30 +0300 +Subject: ASoC: atmel: atmel-classd: Re-add dai_link->platform to fix card init + +From: Andrei Simion + +[ Upstream commit 2ed22161b19b11239aa742804549f63edd7c91e3 ] + +The removed dai_link->platform component cause a fail which +is exposed at runtime. (ex: when a sound tool is used) +This patch re-adds the dai_link->platform component to have +a full card registered. + +Before this patch: +:~$ aplay -l +**** List of PLAYBACK Hardware Devices **** +card 0: CLASSD [CLASSD], device 0: CLASSD PCM snd-soc-dummy-dai-0 [] + Subdevices: 1/1 + Subdevice #0: subdevice #0 + +:~$ speaker-test -t sine +speaker-test 1.2.6 +Playback device is default +Stream parameters are 48000Hz, S16_LE, 1 channels +Sine wave rate is 440.0000Hz +Playback open error: -22,Invalid argument + +After this patch which restores the platform component: +:~$ aplay -l +**** List of PLAYBACK Hardware Devices **** +card 0: CLASSD [CLASSD], device 0: CLASSD PCM snd-soc-dummy-dai-0 + [CLASSD PCM snd-soc-dummy-dai-0] + Subdevices: 1/1 + Subdevice #0: subdevice #0 +-> Resolve the playback error. 
+ +Fixes: 2f650f87c03c ("ASoC: atmel: remove unnecessary dai_link->platform") +Signed-off-by: Andrei Simion +Acked-by: Kuninori Morimoto +Link: https://msgid.link/r/20240604101030.237792-1-andrei.simion@microchip.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/atmel-classd.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/atmel/atmel-classd.c b/sound/soc/atmel/atmel-classd.c +index 6aed1ee443b44..ba314b2799190 100644 +--- a/sound/soc/atmel/atmel-classd.c ++++ b/sound/soc/atmel/atmel-classd.c +@@ -473,19 +473,22 @@ static int atmel_classd_asoc_card_init(struct device *dev, + if (!dai_link) + return -ENOMEM; + +- comp = devm_kzalloc(dev, sizeof(*comp), GFP_KERNEL); ++ comp = devm_kzalloc(dev, 2 * sizeof(*comp), GFP_KERNEL); + if (!comp) + return -ENOMEM; + +- dai_link->cpus = comp; ++ dai_link->cpus = &comp[0]; + dai_link->codecs = &snd_soc_dummy_dlc; ++ dai_link->platforms = &comp[1]; + + dai_link->num_cpus = 1; + dai_link->num_codecs = 1; ++ dai_link->num_platforms = 1; + + dai_link->name = "CLASSD"; + dai_link->stream_name = "CLASSD PCM"; + dai_link->cpus->dai_name = dev_name(dev); ++ dai_link->platforms->name = dev_name(dev); + + card->dai_link = dai_link; + card->num_links = 1; +-- +2.43.0 + diff --git a/queue-6.9/asoc-cs42l43-increase-default-type-detect-time-and-b.patch b/queue-6.9/asoc-cs42l43-increase-default-type-detect-time-and-b.patch new file mode 100644 index 00000000000..93f6a424f7c --- /dev/null +++ b/queue-6.9/asoc-cs42l43-increase-default-type-detect-time-and-b.patch 
@@ -0,0 +1,49 @@ +From 4626bed6a7479a1e226e37b7730cbed515a5a3ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 14:28:43 +0100 +Subject: ASoC: cs42l43: Increase default type detect time and button delay + +From: Maciej Strozek + +[ Upstream commit afe377286ad49e0b69071d2a767e2c6553f4094b ] + +Some problematic headsets have been discovered, to help with correctly +identifying these, the detect time must be increased. Also improve the +reliability of the impedance value from the button detect by slightly +increasing the button detect delay. + +Fixes: 686b8f711b99 ("ASoC: cs42l43: Lower default type detect time") +Signed-off-by: Maciej Strozek +Signed-off-by: Charles Keepax +Link: https://msgid.link/r/20240604132843.3309114-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l43-jack.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/cs42l43-jack.c b/sound/soc/codecs/cs42l43-jack.c +index 901b9dbcf5854..d9ab003e166bf 100644 +--- a/sound/soc/codecs/cs42l43-jack.c ++++ b/sound/soc/codecs/cs42l43-jack.c +@@ -121,7 +121,7 @@ int cs42l43_set_jack(struct snd_soc_component *component, + priv->buttons[3] = 735; + } + +- ret = cs42l43_find_index(priv, "cirrus,detect-us", 1000, &priv->detect_us, ++ ret = cs42l43_find_index(priv, "cirrus,detect-us", 50000, &priv->detect_us, + cs42l43_accdet_us, ARRAY_SIZE(cs42l43_accdet_us)); + if (ret < 0) + goto error; +@@ -433,7 +433,7 @@ irqreturn_t cs42l43_button_press(int irq, void *data) + + // Wait for 2 full cycles of comb filter to ensure good reading + queue_delayed_work(system_wq, &priv->button_press_work, +- msecs_to_jiffies(10)); ++ msecs_to_jiffies(20)); + + return IRQ_HANDLED; + } +-- +2.43.0 + diff --git a/queue-6.9/asoc-fsl-asoc-card-set-priv-pdev-before-using-it.patch b/queue-6.9/asoc-fsl-asoc-card-set-priv-pdev-before-using-it.patch new file mode 100644 index 00000000000..f8a93f2d899 --- /dev/null 
+++ b/queue-6.9/asoc-fsl-asoc-card-set-priv-pdev-before-using-it.patch 
@@ -0,0 +1,54 @@ +From 624bdb198946f677966995088d5e3e043ddc042e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 15:25:03 +0200 +Subject: ASoC: fsl-asoc-card: set priv->pdev before using it + +From: Elinor Montmasson + +[ Upstream commit 90f3feb24172185f1832636264943e8b5e289245 ] + +priv->pdev pointer was set after being used in +fsl_asoc_card_audmux_init(). +Move this assignment at the start of the probe function, so +sub-functions can correctly use pdev through priv. + +fsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the +dev struct, used with dev_err macros. +As priv is zero-initialised, there would be a NULL pointer dereference. +Note that if priv->dev is dereferenced before assignment but never used, +for example if there is no error to be printed, the driver won't crash +probably due to compiler optimisations. + +Fixes: 708b4351f08c ("ASoC: fsl: Add Freescale Generic ASoC Sound Card with ASRC support") +Signed-off-by: Elinor Montmasson +Link: https://patch.msgid.link/20240620132511.4291-2-elinor.montmasson@savoirfairelinux.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl-asoc-card.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c +index bc07f26ba303f..e5ba256b3de22 100644 +--- a/sound/soc/fsl/fsl-asoc-card.c ++++ b/sound/soc/fsl/fsl-asoc-card.c +@@ -558,6 +558,8 @@ static int fsl_asoc_card_probe(struct platform_device *pdev) + if (!priv) + return -ENOMEM; + ++ priv->pdev = pdev; ++ + cpu_np = of_parse_phandle(np, "audio-cpu", 0); + /* Give a chance to old DT binding */ + if (!cpu_np) +@@ -780,7 +782,6 @@ static int fsl_asoc_card_probe(struct platform_device *pdev) + } + + /* Initialize sound card */ +- priv->pdev = pdev; + priv->card.dev = &pdev->dev; + priv->card.owner = THIS_MODULE; + ret = snd_soc_of_parse_card_name(&priv->card, "model"); +-- +2.43.0 + 
diff --git a/queue-6.9/asoc-mediatek-mt8183-da7219-max98357-fix-kcontrol-na.patch b/queue-6.9/asoc-mediatek-mt8183-da7219-max98357-fix-kcontrol-na.patch new file mode 100644 index 00000000000..92a5c431faa --- /dev/null +++ b/queue-6.9/asoc-mediatek-mt8183-da7219-max98357-fix-kcontrol-na.patch 
@@ -0,0 +1,77 @@ +From f9ed307b834d5ae5847d3147ea3b99fe6aa1e5b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 08:37:54 +0000 +Subject: ASoC: mediatek: mt8183-da7219-max98357: Fix kcontrol name collision + +From: Hsin-Te Yuan + +[ Upstream commit 97d8613679eb53bd0c07d0fbd3d8471e46ba46c1 ] + +Since "Headphone Switch" kcontrol name has already been used by da7219, +rename the control name from "Headphone" to "Headphones" to prevent the +colision. Also, this change makes kcontrol name align with the one in +mt8186-mt6366-da7219-max98357.c. + +Fixes: 9c7388baa2053 ("ASoC: mediatek: mt8183-da7219-max98357: Map missing jack kcontrols") +Change-Id: I9ae69a4673cd04786b247cc514fdd20f878ef009 +Signed-off-by: Hsin-Te Yuan +Reviewed-by: Chen-Yu Tsai +Link: https://msgid.link/r/20240531-da7219-v1-1-ac3343f3ae6a@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c b/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c +index acaf81fd6c9b5..f848e14b091a1 100644 +--- a/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c ++++ b/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c +@@ -31,7 +31,7 @@ struct mt8183_da7219_max98357_priv { + + static struct snd_soc_jack_pin mt8183_da7219_max98357_jack_pins[] = { + { +- .pin = "Headphone", ++ .pin = "Headphones", + .mask = SND_JACK_HEADPHONE, + }, + { +@@ -626,7 +626,7 @@ static struct snd_soc_codec_conf mt6358_codec_conf[] = { + }; + + static const struct snd_kcontrol_new mt8183_da7219_max98357_snd_controls[] = { +- SOC_DAPM_PIN_SWITCH("Headphone"), ++ SOC_DAPM_PIN_SWITCH("Headphones"), + SOC_DAPM_PIN_SWITCH("Headset Mic"), + SOC_DAPM_PIN_SWITCH("Speakers"), + SOC_DAPM_PIN_SWITCH("Line Out"), +@@ -634,7 +634,7 @@ static const struct snd_kcontrol_new mt8183_da7219_max98357_snd_controls[] = { + + static const + struct 
snd_soc_dapm_widget mt8183_da7219_max98357_dapm_widgets[] = { +- SND_SOC_DAPM_HP("Headphone", NULL), ++ SND_SOC_DAPM_HP("Headphones", NULL), + SND_SOC_DAPM_MIC("Headset Mic", NULL), + SND_SOC_DAPM_SPK("Speakers", NULL), + SND_SOC_DAPM_SPK("Line Out", NULL), +@@ -680,7 +680,7 @@ static struct snd_soc_codec_conf mt8183_da7219_rt1015_codec_conf[] = { + }; + + static const struct snd_kcontrol_new mt8183_da7219_rt1015_snd_controls[] = { +- SOC_DAPM_PIN_SWITCH("Headphone"), ++ SOC_DAPM_PIN_SWITCH("Headphones"), + SOC_DAPM_PIN_SWITCH("Headset Mic"), + SOC_DAPM_PIN_SWITCH("Left Spk"), + SOC_DAPM_PIN_SWITCH("Right Spk"), +@@ -689,7 +689,7 @@ static const struct snd_kcontrol_new mt8183_da7219_rt1015_snd_controls[] = { + + static const + struct snd_soc_dapm_widget mt8183_da7219_rt1015_dapm_widgets[] = { +- SND_SOC_DAPM_HP("Headphone", NULL), ++ SND_SOC_DAPM_HP("Headphones", NULL), + SND_SOC_DAPM_MIC("Headset Mic", NULL), + SND_SOC_DAPM_SPK("Left Spk", NULL), + SND_SOC_DAPM_SPK("Right Spk", NULL), +-- +2.43.0 + diff --git a/queue-6.9/asoc-mediatek-mt8195-add-platform-entry-for-etdm1_ou.patch b/queue-6.9/asoc-mediatek-mt8195-add-platform-entry-for-etdm1_ou.patch new file mode 100644 index 00000000000..53617623439 --- /dev/null +++ b/queue-6.9/asoc-mediatek-mt8195-add-platform-entry-for-etdm1_ou.patch 
@@ -0,0 +1,56 @@ +From a5345bd4718717ac90e8a8a3113b0a6c68dff1a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 14:12:56 +0800 +Subject: ASoC: mediatek: mt8195: Add platform entry for ETDM1_OUT_BE dai link + +From: Chen-Yu Tsai + +[ Upstream commit 282a4482e198e03781c152c88aac8aa382ef9a55 ] + +Commit e70b8dd26711 ("ASoC: mediatek: mt8195: Remove afe-dai component +and rework codec link") removed the codec entry for the ETDM1_OUT_BE +dai link entirely instead of replacing it with COMP_EMPTY(). This worked +by accident as the remaining COMP_EMPTY() platform entry became the codec +entry, and the platform entry became completely empty, effectively the +same as COMP_DUMMY() since snd_soc_fill_dummy_dai() doesn't do anything +for platform entries. + +This causes a KASAN out-of-bounds warning in mtk_soundcard_common_probe() +in sound/soc/mediatek/common/mtk-soundcard-driver.c: + + for_each_card_prelinks(card, i, dai_link) { + if (adsp_node && !strncmp(dai_link->name, "AFE_SOF", strlen("AFE_SOF"))) + dai_link->platforms->of_node = adsp_node; + else if (!dai_link->platforms->name && !dai_link->platforms->of_node) + dai_link->platforms->of_node = platform_node; + } + +where the code expects the platforms array to have space for at least one entry. + +Add an COMP_EMPTY() entry so that dai_link->platforms has space. 
+ +Fixes: e70b8dd26711 ("ASoC: mediatek: mt8195: Remove afe-dai component and rework codec link") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Link: https://patch.msgid.link/20240624061257.3115467-1-wenst@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8195/mt8195-mt6359.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/mediatek/mt8195/mt8195-mt6359.c b/sound/soc/mediatek/mt8195/mt8195-mt6359.c +index 53fd8a897b9d2..c25a526c90d25 100644 +--- a/sound/soc/mediatek/mt8195/mt8195-mt6359.c ++++ b/sound/soc/mediatek/mt8195/mt8195-mt6359.c +@@ -939,6 +939,7 @@ SND_SOC_DAILINK_DEFS(ETDM2_IN_BE, + + SND_SOC_DAILINK_DEFS(ETDM1_OUT_BE, + DAILINK_COMP_ARRAY(COMP_CPU("ETDM1_OUT")), ++ DAILINK_COMP_ARRAY(COMP_EMPTY()), + DAILINK_COMP_ARRAY(COMP_EMPTY())); + + SND_SOC_DAILINK_DEFS(ETDM2_OUT_BE, +-- +2.43.0 + diff --git a/queue-6.9/asoc-q6apm-lpass-dai-close-graph-on-prepare-errors.patch b/queue-6.9/asoc-q6apm-lpass-dai-close-graph-on-prepare-errors.patch new file mode 100644 index 00000000000..7689aa25e0d --- /dev/null +++ b/queue-6.9/asoc-q6apm-lpass-dai-close-graph-on-prepare-errors.patch 
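Review bot: the probe loop quoted in the commit message of the ETDM1_OUT_BE patch above (mtk_soundcard_common_probe()) still dereferences dai_link->platforms->name and dai_link->platforms->of_node for every link without checking that the link has a platform entry, so the added DAILINK_COMP_ARRAY(COMP_EMPTY()) in mt8195-mt6359.c repairs this one link only. Consider also skipping links whose dai_link->num_platforms is 0 in that loop, so the next SND_SOC_DAILINK_DEFS() that is missing its third array is handled in the common code instead of surfacing as another KASAN report. A short comment at the ETDM1_OUT_BE definition saying which COMP_EMPTY() is the codec and which is the platform would help too, since the positional arguments are what went wrong in e70b8dd26711.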
@@ -0,0 +1,109 @@ +From d10a574d06078872edede8042bd1d741493bfae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 13:13:05 +0100 +Subject: ASoC: q6apm-lpass-dai: close graph on prepare errors + +From: Srinivas Kandagatla + +[ Upstream commit be1fae62cf253a5b67526cee9fbc07689b97c125 ] + +There is an issue around with error handling and graph management with +the exising code, none of the error paths close the graph, which result in +leaving the loaded graph in dsp, however the driver thinks otherwise. + +This can have a nasty side effect specially when we try to load the same +graph to dsp, dsp returns error which leaves the board with no sound and +requires restart. + +Fix this by properly closing the graph when we hit errors between +open and close. + +Fixes: 30ad723b93ad ("ASoC: qdsp6: audioreach: add q6apm lpass dai support") +Signed-off-by: Srinivas Kandagatla +Reviewed-by: Dmitry Baryshkov +Tested-by: Dmitry Baryshkov # X13s +Link: https://lore.kernel.org/r/20240613-q6apm-fixes-v1-1-d88953675ab3@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 32 +++++++++++++++---------- + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c +index 68a38f63a2dbf..66b911b49e3f4 100644 +--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c ++++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c +@@ -141,14 +141,17 @@ static void q6apm_lpass_dai_shutdown(struct snd_pcm_substream *substream, struct + struct q6apm_lpass_dai_data *dai_data = dev_get_drvdata(dai->dev); + int rc; + +- if (!dai_data->is_port_started[dai->id]) +- return; +- rc = q6apm_graph_stop(dai_data->graph[dai->id]); +- if (rc < 0) +- dev_err(dai->dev, "fail to close APM port (%d)\n", rc); ++ if (dai_data->is_port_started[dai->id]) { ++ rc = q6apm_graph_stop(dai_data->graph[dai->id]); ++ dai_data->is_port_started[dai->id] = false; ++ if (rc < 0) ++ 
dev_err(dai->dev, "fail to close APM port (%d)\n", rc); ++ } + +- q6apm_graph_close(dai_data->graph[dai->id]); +- dai_data->is_port_started[dai->id] = false; ++ if (dai_data->graph[dai->id]) { ++ q6apm_graph_close(dai_data->graph[dai->id]); ++ dai_data->graph[dai->id] = NULL; ++ } + } + + static int q6apm_lpass_dai_prepare(struct snd_pcm_substream *substream, struct snd_soc_dai *dai) +@@ -163,8 +166,10 @@ static int q6apm_lpass_dai_prepare(struct snd_pcm_substream *substream, struct s + q6apm_graph_stop(dai_data->graph[dai->id]); + dai_data->is_port_started[dai->id] = false; + +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { + q6apm_graph_close(dai_data->graph[dai->id]); ++ dai_data->graph[dai->id] = NULL; ++ } + } + + /** +@@ -183,26 +188,29 @@ static int q6apm_lpass_dai_prepare(struct snd_pcm_substream *substream, struct s + + cfg->direction = substream->stream; + rc = q6apm_graph_media_format_pcm(dai_data->graph[dai->id], cfg); +- + if (rc) { + dev_err(dai->dev, "Failed to set media format %d\n", rc); +- return rc; ++ goto err; + } + + rc = q6apm_graph_prepare(dai_data->graph[dai->id]); + if (rc) { + dev_err(dai->dev, "Failed to prepare Graph %d\n", rc); +- return rc; ++ goto err; + } + + rc = q6apm_graph_start(dai_data->graph[dai->id]); + if (rc < 0) { + dev_err(dai->dev, "fail to start APM port %x\n", dai->id); +- return rc; ++ goto err; + } + dai_data->is_port_started[dai->id] = true; + + return 0; ++err: ++ q6apm_graph_close(dai_data->graph[dai->id]); ++ dai_data->graph[dai->id] = NULL; ++ return rc; + } + + static int q6apm_lpass_dai_startup(struct snd_pcm_substream *substream, struct snd_soc_dai *dai) +-- +2.43.0 + diff --git a/queue-6.9/asoc-rockchip-i2s-tdm-fix-trcm-mode-by-setting-clock.patch b/queue-6.9/asoc-rockchip-i2s-tdm-fix-trcm-mode-by-setting-clock.patch new file mode 100644 index 00000000000..dbb199097e4 --- /dev/null 
+++ b/queue-6.9/asoc-rockchip-i2s-tdm-fix-trcm-mode-by-setting-clock.patch 
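Review bot: in the q6apm-lpass-dais.c patch above, the new err: label in q6apm_lpass_dai_prepare() calls q6apm_graph_close(dai_data->graph[dai->id]) unconditionally, while the reworked q6apm_lpass_dai_shutdown() guards the same call with if (dai_data->graph[dai->id]). The visible top of prepare only closes the graph for SNDRV_PCM_STREAM_PLAYBACK, but the err path closes it and sets the pointer to NULL for both directions, so a capture stream that fails prepare and is prepared again would reach q6apm_graph_media_format_pcm() with a NULL graph unless code outside these hunks reopens it. Please either check the pointer on entry to prepare and return an error, or state in a comment where the capture graph is reopened. Minor: the dev_err() after q6apm_graph_stop() in shutdown still says "fail to close APM port" although the call that failed is the stop.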
@@ -0,0 +1,56 @@ +From ec0fe4c41983feaa70c73ab37b2d8fd6eca61f16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 21:47:52 +0300 +Subject: ASoC: rockchip: i2s-tdm: Fix trcm mode by setting clock on right mclk + +From: Alibek Omarov + +[ Upstream commit ccd8d753f0fe8f16745fa2b6be5946349731d901 ] + +When TRCM mode is enabled, I2S RX and TX clocks are synchronized through +selected clock source. Without this fix BCLK and LRCK might get parented +to an uninitialized MCLK and the DAI will receive data at wrong pace. + +However, unlike in original i2s-tdm driver, there is no need to manually +synchronize mclk_rx and mclk_tx, as only one gets used anyway. + +Tested on a board with RK3568 SoC and Silergy SY24145S codec with enabled and +disabled TRCM mode. + +Fixes: 9e2ab4b18ebd ("ASoC: rockchip: i2s-tdm: Fix inaccurate sampling rates") +Signed-off-by: Alibek Omarov +Reviewed-by: Luca Ceresoli +Link: https://msgid.link/r/20240604184752.697313-1-a1ba.omarov@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/rockchip/rockchip_i2s_tdm.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/rockchip/rockchip_i2s_tdm.c b/sound/soc/rockchip/rockchip_i2s_tdm.c +index 9fa020ef7eab9..ee517d7b5b7bb 100644 +--- a/sound/soc/rockchip/rockchip_i2s_tdm.c ++++ b/sound/soc/rockchip/rockchip_i2s_tdm.c +@@ -655,8 +655,17 @@ static int rockchip_i2s_tdm_hw_params(struct snd_pcm_substream *substream, + int err; + + if (i2s_tdm->is_master_mode) { +- struct clk *mclk = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ? 
+- i2s_tdm->mclk_tx : i2s_tdm->mclk_rx; ++ struct clk *mclk; ++ ++ if (i2s_tdm->clk_trcm == TRCM_TX) { ++ mclk = i2s_tdm->mclk_tx; ++ } else if (i2s_tdm->clk_trcm == TRCM_RX) { ++ mclk = i2s_tdm->mclk_rx; ++ } else if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { ++ mclk = i2s_tdm->mclk_tx; ++ } else { ++ mclk = i2s_tdm->mclk_rx; ++ } + + err = clk_set_rate(mclk, DEFAULT_MCLK_FS * params_rate(params)); + if (err) +-- +2.43.0 + diff --git a/queue-6.9/bonding-fix-incorrect-software-timestamping-report.patch b/queue-6.9/bonding-fix-incorrect-software-timestamping-report.patch new file mode 100644 index 00000000000..8ba8a87f588 --- /dev/null +++ b/queue-6.9/bonding-fix-incorrect-software-timestamping-report.patch 
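Review bot: in rockchip_i2s_tdm_hw_params() (rockchip_i2s_tdm.c patch above), the new four-way mclk selection has no comment saying that clk_trcm takes precedence over the stream direction, and that rule is the whole fix. A one-line comment above the chain, for example that in TRCM mode both directions are clocked from the selected side so the rate must be set on that MCLK, would keep a later cleanup from folding it back into the old ternary. Style: each branch is a single statement, so kernel coding style drops the braces; a switch (i2s_tdm->clk_trcm) with the direction test in the default case would also read more clearly than the if/else chain.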
@@ -0,0 +1,54 @@ +From dda8c7d30d7f1c0bc0b75c595097bf3ea698cb01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 16:56:26 +0800 +Subject: bonding: fix incorrect software timestamping report + +From: Hangbin Liu + +[ Upstream commit a95b031c6796bf9972da2d4b4b524a57734f3a0a ] + +The __ethtool_get_ts_info function returns directly if the device has a +get_ts_info() method. For bonding with an active slave, this works correctly +as we simply return the real device's timestamping information. However, +when there is no active slave, we only check the slave's TX software +timestamp information. We still need to set the phc index and RX timestamp +information manually. Otherwise, the result will be look like: + + Time stamping parameters for bond0: + Capabilities: + software-transmit + PTP Hardware Clock: 0 + Hardware Transmit Timestamp Modes: none + Hardware Receive Filter Modes: none + +This issue does not affect VLAN or MACVLAN devices, as they only have one +downlink and can directly use the downlink's timestamping information. + +Fixes: b8768dc40777 ("net: ethtool: Refactor identical get_ts_info implementations.") +Reported-by: Liang Li +Closes: https://issues.redhat.com/browse/RHEL-42409 +Signed-off-by: Hangbin Liu +Acked-by: Kory Maincent +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index bceda85f0dcf6..cb66310c8d76b 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -5773,6 +5773,9 @@ static int bond_ethtool_get_ts_info(struct net_device *bond_dev, + if (real_dev) { + ret = ethtool_get_ts_info_by_layer(real_dev, info); + } else { ++ info->phc_index = -1; ++ info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE | ++ SOF_TIMESTAMPING_SOFTWARE; + /* Check if all slaves support software tx timestamping */ + rcu_read_lock(); + bond_for_each_slave_rcu(bond, slave, iter) { +-- +2.43.0 + diff --git a/queue-6.9/bpf-add-missed-var_off-setting-in-coerce_subreg_to_s.patch b/queue-6.9/bpf-add-missed-var_off-setting-in-coerce_subreg_to_s.patch new file mode 100644 index 00000000000..db88730a3e3 --- /dev/null +++ b/queue-6.9/bpf-add-missed-var_off-setting-in-coerce_subreg_to_s.patch 
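Review bot: in bond_ethtool_get_ts_info() (bond_main.c patch above), the three added lines are placed directly above the existing comment "Check if all slaves support software tx timestamping", so that comment now appears to describe them as well. Give the new assignments their own comment saying these are the values reported when there is no active slave: phc_index = -1 for "no PTP hardware clock", plus software RX timestamping, with the TX capability decided by the loop that follows. The commit message shows only the wrong ethtool output (PTP Hardware Clock: 0); adding the expected output after the fix would make the change easier to verify on a backport.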
@@ -0,0 +1,55 @@ +From c0ed5718e229cfa75496e3d3433d64eabf241c9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 10:46:32 -0700 +Subject: bpf: Add missed var_off setting in coerce_subreg_to_size_sx() + +From: Yonghong Song + +[ Upstream commit 44b7f7151dfc2e0947f39ed4b9bc4b0c2ccd46fc ] + +In coerce_subreg_to_size_sx(), for the case where upper +sign extension bits are the same for smax32 and smin32 +values, we missed to setup properly. This is especially +problematic if both smax32 and smin32's sign extension +bits are 1. + +The following is a simple example illustrating the inconsistent +verifier states due to missed var_off: + + 0: (85) call bpf_get_prandom_u32#7 ; R0_w=scalar() + 1: (bf) r3 = r0 ; R0_w=scalar(id=1) R3_w=scalar(id=1) + 2: (57) r3 &= 15 ; R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=15,var_off=(0x0; 0xf)) + 3: (47) r3 |= 128 ; R3_w=scalar(smin=umin=smin32=umin32=128,smax=umax=smax32=umax32=143,var_off=(0x80; 0xf)) + 4: (bc) w7 = (s8)w3 + REG INVARIANTS VIOLATION (alu): range bounds violation u64=[0xffffff80, 0x8f] s64=[0xffffff80, 0x8f] + u32=[0xffffff80, 0x8f] s32=[0x80, 0xffffff8f] var_off=(0x80, 0xf) + +The var_off=(0x80, 0xf) is not correct, and the correct one should +be var_off=(0xffffff80; 0xf) since from insn 3, we know that at +insn 4, the sign extension bits will be 1. This patch fixed this +issue by setting var_off properly. 
+ +Fixes: 8100928c8814 ("bpf: Support new sign-extension mov insns") +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20240615174632.3995278-1-yonghong.song@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 4ad77ed8059e4..add5ccbe87523 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -6268,6 +6268,7 @@ static void coerce_subreg_to_size_sx(struct bpf_reg_state *reg, int size) + reg->s32_max_value = s32_max; + reg->u32_min_value = (u32)s32_min; + reg->u32_max_value = (u32)s32_max; ++ reg->var_off = tnum_subreg(tnum_range(s32_min, s32_max)); + return; + } + +-- +2.43.0 + diff --git a/queue-6.9/bpf-add-missed-var_off-setting-in-set_sext32_default.patch b/queue-6.9/bpf-add-missed-var_off-setting-in-set_sext32_default.patch new file mode 100644 index 00000000000..924c71eebd6 --- /dev/null +++ b/queue-6.9/bpf-add-missed-var_off-setting-in-set_sext32_default.patch 
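Review bot: in coerce_subreg_to_size_sx() (verifier.c patch above), the new reg->var_off = tnum_subreg(tnum_range(s32_min, s32_max)) hands the signed s32_min/s32_max values to tnum_range(), which takes u64 bounds, and the result is as tight as intended only because this branch is reached when both values carry the same sign-extension bits, so the converted bounds keep min <= max. That invariant is stated in the commit message but not in the code. Please add a comment on the new line saying that both bounds share the sign here and that tnum_subreg() then drops the upper 32 bits, so the line is not copied into a path where the signs can differ.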
@@ -0,0 +1,67 @@ +From 03ad9b4ab03f7734c3665427cecec4c4cd93555c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 10:46:26 -0700 +Subject: bpf: Add missed var_off setting in set_sext32_default_val() + +From: Yonghong Song + +[ Upstream commit 380d5f89a4815ff88461a45de2fb6f28533df708 ] + +Zac reported a verification failure and Alexei reproduced the issue +with a simple reproducer ([1]). The verification failure is due to missed +setting for var_off. + +The following is the reproducer in [1]: + 0: R1=ctx() R10=fp0 + 0: (71) r3 = *(u8 *)(r10 -387) ; + R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) R10=fp0 + 1: (bc) w7 = (s8)w3 ; + R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) + R7_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=127,var_off=(0x0; 0x7f)) + 2: (36) if w7 >= 0x2533823b goto pc-3 + mark_precise: frame0: last_idx 2 first_idx 0 subseq_idx -1 + mark_precise: frame0: regs=r7 stack= before 1: (bc) w7 = (s8)w3 + mark_precise: frame0: regs=r3 stack= before 0: (71) r3 = *(u8 *)(r10 -387) + 2: R7_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=127,var_off=(0x0; 0x7f)) + 3: (b4) w0 = 0 ; R0_w=0 + 4: (95) exit + +Note that after insn 1, the var_off for R7 is (0x0; 0x7f). This is not correct +since upper 24 bits of w7 could be 0 or 1. So correct var_off should be +(0x0; 0xffffffff). Missing var_off setting in set_sext32_default_val() caused later +incorrect analysis in zext_32_to_64(dst_reg) and reg_bounds_sync(dst_reg). + +To fix the issue, set var_off correctly in set_sext32_default_val(). The correct +reg state after insn 1 becomes: + 1: (bc) w7 = (s8)w3 ; + R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) + R7_w=scalar(smin=0,smax=umax=0xffffffff,smin32=-128,smax32=127,var_off=(0x0; 0xffffffff)) +and at insn 2, the verifier correctly determines either branch is possible. 
+ + [1] https://lore.kernel.org/bpf/CAADnVQLPU0Shz7dWV4bn2BgtGdxN3uFHPeobGBA72tpg5Xoykw@mail.gmail.com/ + +Fixes: 8100928c8814 ("bpf: Support new sign-extension mov insns") +Reported-by: Zac Ecob +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20240615174626.3994813-1-yonghong.song@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 0ef18ae40bc5a..4ad77ed8059e4 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -6223,6 +6223,7 @@ static void set_sext32_default_val(struct bpf_reg_state *reg, int size) + } + reg->u32_min_value = 0; + reg->u32_max_value = U32_MAX; ++ reg->var_off = tnum_subreg(tnum_unknown); + } + + static void coerce_subreg_to_size_sx(struct bpf_reg_state *reg, int size) +-- +2.43.0 + diff --git a/queue-6.9/bpf-fix-may_goto-with-negative-offset.patch b/queue-6.9/bpf-fix-may_goto-with-negative-offset.patch new file mode 100644 index 00000000000..a1a5d4bda9c --- /dev/null +++ b/queue-6.9/bpf-fix-may_goto-with-negative-offset.patch 
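Review bot: the set_sext32_default_val() patch above touches only kernel/bpf/verifier.c according to its diffstat, although the commit message already contains a five-instruction reproducer and the exact register state expected after the fix. Turning that into a verifier selftest that asserts R7 has var_off=(0x0; 0xffffffff) after insn 1 would pin the behaviour down; the coerce_subreg_to_size_sx() patch queued next to it fixes the same kind of omission with the same Fixes: tag, which suggests that the bounds and var_off of the sign-extension helpers are not covered by a test today.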
@@ -0,0 +1,68 @@ +From 87af6ba0076d14429c70e4507b9939497852242e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jun 2024 16:53:54 -0700 +Subject: bpf: Fix may_goto with negative offset. + +From: Alexei Starovoitov + +[ Upstream commit 2b2efe1937ca9f8815884bd4dcd5b32733025103 ] + +Zac's syzbot crafted a bpf prog that exposed two bugs in may_goto. +The 1st bug is the way may_goto is patched. When offset is negative +it should be patched differently. +The 2nd bug is in the verifier: +when current state may_goto_depth is equal to visited state may_goto_depth +it means there is an actual infinite loop. It's not correct to prune +exploration of the program at this point. +Note, that this check doesn't limit the program to only one may_goto insn, +since 2nd and any further may_goto will increment may_goto_depth only +in the queued state pushed for future exploration. The current state +will have may_goto_depth == 0 regardless of number of may_goto insns +and the verifier has to explore the program until bpf_exit. 
+ +Fixes: 011832b97b31 ("bpf: Introduce may_goto instruction") +Reported-by: Zac Ecob +Signed-off-by: Alexei Starovoitov +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Eduard Zingerman +Closes: https://lore.kernel.org/bpf/CAADnVQL-15aNp04-cyHRn47Yv61NXfYyhopyZtUyxNojUZUXpA@mail.gmail.com/ +Link: https://lore.kernel.org/bpf/20240619235355.85031-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 2233bf50a9012..ab558eea1c9ee 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -17308,11 +17308,11 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) + goto skip_inf_loop_check; + } + if (is_may_goto_insn_at(env, insn_idx)) { +- if (states_equal(env, &sl->state, cur, RANGE_WITHIN)) { ++ if (sl->state.may_goto_depth != cur->may_goto_depth && ++ states_equal(env, &sl->state, cur, RANGE_WITHIN)) { + update_loop_entry(cur, &sl->state); + goto hit; + } +- goto skip_inf_loop_check; + } + if (calls_callback(env, insn_idx)) { + if (states_equal(env, &sl->state, cur, RANGE_WITHIN)) +@@ -19853,7 +19853,10 @@ static int do_misc_fixups(struct bpf_verifier_env *env) + + stack_depth_extra = 8; + insn_buf[0] = BPF_LDX_MEM(BPF_DW, BPF_REG_AX, BPF_REG_10, stack_off); +- insn_buf[1] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_AX, 0, insn->off + 2); ++ if (insn->off >= 0) ++ insn_buf[1] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_AX, 0, insn->off + 2); ++ else ++ insn_buf[1] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_AX, 0, insn->off - 1); + insn_buf[2] = BPF_ALU64_IMM(BPF_SUB, BPF_REG_AX, 1); + insn_buf[3] = BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_AX, stack_off); + cnt = 4; +-- +2.43.0 + diff --git a/queue-6.9/bpf-fix-overrunning-reservations-in-ringbuf.patch b/queue-6.9/bpf-fix-overrunning-reservations-in-ringbuf.patch new file mode 100644 index 00000000000..75ec4ff43e0 --- /dev/null 
+++ b/queue-6.9/bpf-fix-overrunning-reservations-in-ringbuf.patch 
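Review bot: in do_misc_fixups() (may_goto negative-offset patch above), insn->off + 2 and insn->off - 1 are stored into the 16-bit off field of the patched BPF_JEQ with no range check and no comment deriving the two constants. If insn->off sits at either end of the s16 range the adjusted value no longer fits, so please reject that case or show why it cannot occur. A short comment would also help: the JEQ sits one slot after the original may_goto, forward targets move by the three extra instructions (hence +2), and backward targets do not move (hence -1). In the is_state_visited() hunk, removing goto skip_inf_loop_check changes which checks a may_goto state falls through to, and the reason for the new may_goto_depth comparison is only in the commit message; a code comment there would make the pruning rule reviewable in place.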
@@ -0,0 +1,152 @@ +From 5d93d20ce0bdd00121e3102c27776b32ba60ed86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 16:08:27 +0200 +Subject: bpf: Fix overrunning reservations in ringbuf + +From: Daniel Borkmann + +[ Upstream commit cfa1a2329a691ffd991fcf7248a57d752e712881 ] + +The BPF ring buffer internally is implemented as a power-of-2 sized circular +buffer, with two logical and ever-increasing counters: consumer_pos is the +consumer counter to show which logical position the consumer consumed the +data, and producer_pos which is the producer counter denoting the amount of +data reserved by all producers. + +Each time a record is reserved, the producer that "owns" the record will +successfully advance producer counter. In user space each time a record is +read, the consumer of the data advanced the consumer counter once it finished +processing. Both counters are stored in separate pages so that from user +space, the producer counter is read-only and the consumer counter is read-write. + +One aspect that simplifies and thus speeds up the implementation of both +producers and consumers is how the data area is mapped twice contiguously +back-to-back in the virtual memory, allowing to not take any special measures +for samples that have to wrap around at the end of the circular buffer data +area, because the next page after the last data page would be first data page +again, and thus the sample will still appear completely contiguous in virtual +memory. + +Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for +book-keeping the length and offset, and is inaccessible to the BPF program. +Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` +for the BPF program to use. Bing-Jhong and Muhammad reported that it is however +possible to make a second allocated memory chunk overlapping with the first +chunk and as a result, the BPF program is now able to edit first chunk's +header. 
+ +For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size +of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to +bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in +[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets +allocate a chunk B with size 0x3000. This will succeed because consumer_pos +was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` +check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able +to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned +earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data +pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. +bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then +locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk +B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong +page and could cause a crash. + +Fix it by calculating the oldest pending_pos and check whether the range +from the oldest outstanding record to the newest would span beyond the ring +buffer size. If that is the case, then reject the request. We've tested with +the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) +before/after the fix and while it seems a bit slower on some benchmarks, it +is still not significantly enough to matter. 
+ +Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") +Reported-by: Bing-Jhong Billy Jheng +Reported-by: Muhammad Ramdhan +Co-developed-by: Bing-Jhong Billy Jheng +Co-developed-by: Andrii Nakryiko +Signed-off-by: Bing-Jhong Billy Jheng +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240621140828.18238-1-daniel@iogearbox.net +Signed-off-by: Sasha Levin +--- + kernel/bpf/ringbuf.c | 31 +++++++++++++++++++++++++------ + 1 file changed, 25 insertions(+), 6 deletions(-) + +diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c +index 0ee653a936ea0..e20b90c361316 100644 +--- a/kernel/bpf/ringbuf.c ++++ b/kernel/bpf/ringbuf.c +@@ -51,7 +51,8 @@ struct bpf_ringbuf { + * This prevents a user-space application from modifying the + * position and ruining in-kernel tracking. The permissions of the + * pages depend on who is producing samples: user-space or the +- * kernel. ++ * kernel. Note that the pending counter is placed in the same ++ * page as the producer, so that it shares the same cache line. 
+ * + * Kernel-producer + * --------------- +@@ -70,6 +71,7 @@ struct bpf_ringbuf { + */ + unsigned long consumer_pos __aligned(PAGE_SIZE); + unsigned long producer_pos __aligned(PAGE_SIZE); ++ unsigned long pending_pos; + char data[] __aligned(PAGE_SIZE); + }; + +@@ -179,6 +181,7 @@ static struct bpf_ringbuf *bpf_ringbuf_alloc(size_t data_sz, int numa_node) + rb->mask = data_sz - 1; + rb->consumer_pos = 0; + rb->producer_pos = 0; ++ rb->pending_pos = 0; + + return rb; + } +@@ -404,9 +407,9 @@ bpf_ringbuf_restore_from_rec(struct bpf_ringbuf_hdr *hdr) + + static void *__bpf_ringbuf_reserve(struct bpf_ringbuf *rb, u64 size) + { +- unsigned long cons_pos, prod_pos, new_prod_pos, flags; +- u32 len, pg_off; ++ unsigned long cons_pos, prod_pos, new_prod_pos, pend_pos, flags; + struct bpf_ringbuf_hdr *hdr; ++ u32 len, pg_off, tmp_size, hdr_len; + + if (unlikely(size > RINGBUF_MAX_RECORD_SZ)) + return NULL; +@@ -424,13 +427,29 @@ static void *__bpf_ringbuf_reserve(struct bpf_ringbuf *rb, u64 size) + spin_lock_irqsave(&rb->spinlock, flags); + } + ++ pend_pos = rb->pending_pos; + prod_pos = rb->producer_pos; + new_prod_pos = prod_pos + len; + +- /* check for out of ringbuf space by ensuring producer position +- * doesn't advance more than (ringbuf_size - 1) ahead ++ while (pend_pos < prod_pos) { ++ hdr = (void *)rb->data + (pend_pos & rb->mask); ++ hdr_len = READ_ONCE(hdr->len); ++ if (hdr_len & BPF_RINGBUF_BUSY_BIT) ++ break; ++ tmp_size = hdr_len & ~BPF_RINGBUF_DISCARD_BIT; ++ tmp_size = round_up(tmp_size + BPF_RINGBUF_HDR_SZ, 8); ++ pend_pos += tmp_size; ++ } ++ rb->pending_pos = pend_pos; ++ ++ /* check for out of ringbuf space: ++ * - by ensuring producer position doesn't advance more than ++ * (ringbuf_size - 1) ahead ++ * - by ensuring oldest not yet committed record until newest ++ * record does not span more than (ringbuf_size - 1) + */ +- if (new_prod_pos - cons_pos > rb->mask) { ++ if (new_prod_pos - cons_pos > rb->mask || ++ new_prod_pos - pend_pos > rb->mask) { 
+ spin_unlock_irqrestore(&rb->spinlock, flags); + return NULL; + } +-- +2.43.0 + diff --git a/queue-6.9/bpf-fix-remap-of-arena.patch b/queue-6.9/bpf-fix-remap-of-arena.patch new file mode 100644 index 00000000000..c700da79687 --- /dev/null +++ b/queue-6.9/bpf-fix-remap-of-arena.patch 
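Review bot: in __bpf_ringbuf_reserve() (ringbuf.c patch above), the new loop condition while (pend_pos < prod_pos) compares two free-running unsigned long counters directly, whereas both space checks below it use the wrap-safe subtraction form (new_prod_pos - cons_pos > rb->mask and new_prod_pos - pend_pos > rb->mask). Either express the loop condition as a difference as well, or add a comment explaining why the counters cannot wrap on 32-bit builds. The loop also runs with rb->spinlock held and interrupts disabled, and its length depends on how many committed records have accumulated since pending_pos last advanced; the commit message mentions the slowdown, and a sentence in the code comment about that bound would document the cost where the next reader will look.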
@@ -0,0 +1,81 @@ +From 90fe38b673c6391dcedcb8d71e244c55cbc1783b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 10:18:12 -0700 +Subject: bpf: Fix remap of arena. + +From: Alexei Starovoitov + +[ Upstream commit b90d77e5fd784ada62ddd714d15ee2400c28e1cf ] + +The bpf arena logic didn't account for mremap operation. Add a refcnt for +multiple mmap events to prevent use-after-free in arena_vm_close. + +Fixes: 317460317a02 ("bpf: Introduce bpf_arena.") +Reported-by: Pengfei Xu +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Reviewed-by: Barret Rhoden +Tested-by: Pengfei Xu +Closes: https://lore.kernel.org/bpf/Zmuw29IhgyPNKnIM@xpf.sh.intel.com +Link: https://lore.kernel.org/bpf/20240617171812.76634-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/arena.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c +index 343c3456c8ddf..a59ae9c582253 100644 +--- a/kernel/bpf/arena.c ++++ b/kernel/bpf/arena.c +@@ -212,6 +212,7 @@ static u64 arena_map_mem_usage(const struct bpf_map *map) + struct vma_list { + struct vm_area_struct *vma; + struct list_head head; ++ atomic_t mmap_count; + }; + + static int remember_vma(struct bpf_arena *arena, struct vm_area_struct *vma) +@@ -221,20 +222,30 @@ static int remember_vma(struct bpf_arena *arena, struct vm_area_struct *vma) + vml = kmalloc(sizeof(*vml), GFP_KERNEL); + if (!vml) + return -ENOMEM; ++ atomic_set(&vml->mmap_count, 1); + vma->vm_private_data = vml; + vml->vma = vma; + list_add(&vml->head, &arena->vma_list); + return 0; + } + ++static void arena_vm_open(struct vm_area_struct *vma) ++{ ++ struct vma_list *vml = vma->vm_private_data; ++ ++ atomic_inc(&vml->mmap_count); ++} ++ + static void arena_vm_close(struct vm_area_struct *vma) + { + struct bpf_map *map = vma->vm_file->private_data; + struct bpf_arena *arena = container_of(map, struct bpf_arena, map); +- struct vma_list *vml; ++ struct 
vma_list *vml = vma->vm_private_data; + ++ if (!atomic_dec_and_test(&vml->mmap_count)) ++ return; + guard(mutex)(&arena->lock); +- vml = vma->vm_private_data; ++ /* update link list under lock */ + list_del(&vml->head); + vma->vm_private_data = NULL; + kfree(vml); +@@ -287,6 +298,7 @@ static vm_fault_t arena_vm_fault(struct vm_fault *vmf) + } + + static const struct vm_operations_struct arena_vm_ops = { ++ .open = arena_vm_open, + .close = arena_vm_close, + .fault = arena_vm_fault, + }; +-- +2.43.0 + diff --git a/queue-6.9/bpf-fix-the-corner-case-with-may_goto-and-jump-to-th.patch b/queue-6.9/bpf-fix-the-corner-case-with-may_goto-and-jump-to-th.patch new file mode 100644 index 00000000000..5f7cd0e8c98 --- /dev/null +++ b/queue-6.9/bpf-fix-the-corner-case-with-may_goto-and-jump-to-th.patch 
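Review bot: in arena.c (remap patch above), arena_vm_open() only increments vml->mmap_count, so vml->vma keeps pointing at the vma recorded by remember_vma() even when that vma is the first one closed and another vma sharing the same vm_private_data is still mapped. Since the entry then stays on arena->vma_list until the count reaches zero, please confirm that nothing walking that list dereferences vml->vma in this window, or update the pointer when the recorded vma goes away. Two smaller points: refcount_t would fit better than atomic_t for mmap_count, as it warns on underflow and saturates instead of wrapping, and the added comment "update link list under lock" should read "linked list".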
@@ -0,0 +1,158 @@ +From 621cecbfe1991c23da45e062e914e38d727adef2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 18:18:58 -0700 +Subject: bpf: Fix the corner case with may_goto and jump to the 1st insn. + +From: Alexei Starovoitov + +[ Upstream commit 5337ac4c9b807bc46baa0713121a0afa8beacd70 ] + +When the following program is processed by the verifier: +L1: may_goto L2 + goto L1 +L2: w0 = 0 + exit + +the may_goto insn is first converted to: +L1: r11 = *(u64 *)(r10 -8) + if r11 == 0x0 goto L2 + r11 -= 1 + *(u64 *)(r10 -8) = r11 + goto L1 +L2: w0 = 0 + exit + +then later as the last step the verifier inserts: + *(u64 *)(r10 -8) = BPF_MAX_LOOPS +as the first insn of the program to initialize loop count. + +When the first insn happens to be a branch target of some jmp the +bpf_patch_insn_data() logic will produce: +L1: *(u64 *)(r10 -8) = BPF_MAX_LOOPS + r11 = *(u64 *)(r10 -8) + if r11 == 0x0 goto L2 + r11 -= 1 + *(u64 *)(r10 -8) = r11 + goto L1 +L2: w0 = 0 + exit + +because instruction patching adjusts all jmps and calls, but for this +particular corner case it's incorrect and the L1 label should be one +instruction down, like: + *(u64 *)(r10 -8) = BPF_MAX_LOOPS +L1: r11 = *(u64 *)(r10 -8) + if r11 == 0x0 goto L2 + r11 -= 1 + *(u64 *)(r10 -8) = r11 + goto L1 +L2: w0 = 0 + exit + +and that's what this patch is fixing. +After bpf_patch_insn_data() call adjust_jmp_off() to adjust all jmps +that point to newly insert BPF_ST insn to point to insn after. + +Note that bpf_patch_insn_data() cannot easily be changed to accommodate +this logic, since jumps that point before or after a sequence of patched +instructions have to be adjusted with the full length of the patch. + +Conceptually it's somewhat similar to "insert" of instructions between other +instructions with weird semantics. 
Like "insert" before 1st insn would require +adjustment of CALL insns to point to newly inserted 1st insn, but not an +adjustment JMP insns that point to 1st, yet still adjusting JMP insns that +cross over 1st insn (point to insn before or insn after), hence use simple +adjust_jmp_off() logic to fix this corner case. Ideally bpf_patch_insn_data() +would have an auxiliary info to say where 'the start of newly inserted patch +is', but it would be too complex for backport. + +Fixes: 011832b97b31 ("bpf: Introduce may_goto instruction") +Reported-by: Zac Ecob +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Acked-by: Eduard Zingerman +Closes: https://lore.kernel.org/bpf/CAADnVQJ_WWx8w4b=6Gc2EpzAjgv+6A0ridnMz2TvS2egj4r3Gw@mail.gmail.com/ +Link: https://lore.kernel.org/bpf/20240619011859.79334-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 50 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 50 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index add5ccbe87523..2233bf50a9012 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -12546,6 +12546,16 @@ static bool signed_add32_overflows(s32 a, s32 b) + return res < a; + } + ++static bool signed_add16_overflows(s16 a, s16 b) ++{ ++ /* Do the add in u16, where overflow is well-defined */ ++ s16 res = (s16)((u16)a + (u16)b); ++ ++ if (b < 0) ++ return res > a; ++ return res < a; ++} ++ + static bool signed_sub_overflows(s64 a, s64 b) + { + /* Do the sub in u64, where overflow is well-defined */ +@@ -18564,6 +18574,39 @@ static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 of + return new_prog; + } + ++/* ++ * For all jmp insns in a given 'prog' that point to 'tgt_idx' insn adjust the ++ * jump offset by 'delta'. 
++ */ ++static int adjust_jmp_off(struct bpf_prog *prog, u32 tgt_idx, u32 delta) ++{ ++ struct bpf_insn *insn = prog->insnsi; ++ u32 insn_cnt = prog->len, i; ++ ++ for (i = 0; i < insn_cnt; i++, insn++) { ++ u8 code = insn->code; ++ ++ if ((BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32) || ++ BPF_OP(code) == BPF_CALL || BPF_OP(code) == BPF_EXIT) ++ continue; ++ ++ if (insn->code == (BPF_JMP32 | BPF_JA)) { ++ if (i + 1 + insn->imm != tgt_idx) ++ continue; ++ if (signed_add32_overflows(insn->imm, delta)) ++ return -ERANGE; ++ insn->imm += delta; ++ } else { ++ if (i + 1 + insn->off != tgt_idx) ++ continue; ++ if (signed_add16_overflows(insn->imm, delta)) ++ return -ERANGE; ++ insn->off += delta; ++ } ++ } ++ return 0; ++} ++ + static int adjust_subprog_starts_after_remove(struct bpf_verifier_env *env, + u32 off, u32 cnt) + { +@@ -20268,6 +20311,13 @@ static int do_misc_fixups(struct bpf_verifier_env *env) + if (!new_prog) + return -ENOMEM; + env->prog = prog = new_prog; ++ /* ++ * If may_goto is a first insn of a prog there could be a jmp ++ * insn that points to it, hence adjust all such jmps to point ++ * to insn after BPF_ST that inits may_goto count. ++ * Adjustment will succeed because bpf_patch_insn_data() didn't fail. ++ */ ++ WARN_ON(adjust_jmp_off(env->prog, subprog_start, 1)); + } + + /* Since poke tab is now finalized, publish aux to tracker. */ +-- +2.43.0 + diff --git a/queue-6.9/btrfs-use-nofs-context-when-getting-inodes-during-lo.patch b/queue-6.9/btrfs-use-nofs-context-when-getting-inodes-during-lo.patch new file mode 100644 index 00000000000..9262a010184 --- /dev/null +++ b/queue-6.9/btrfs-use-nofs-context-when-getting-inodes-during-lo.patch 
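Review bot: in adjust_jmp_off() (may_goto first-insn patch above), the branch for jumps other than BPF_JMP32 | BPF_JA checks signed_add16_overflows(insn->imm, delta) but then updates insn->off, so the overflow test looks at the wrong field; it should be signed_add16_overflows(insn->off, delta). As written, a jump whose off is close to the s16 limit can be adjusted without the overflow being detected, and an unrelated large imm can make the function return -ERANGE for a jump that is fine. delta is declared u32 and passed to helpers that take s16 and s32; an int parameter would avoid the implicit narrowing. In do_misc_fixups() the result is only wrapped in WARN_ON(), so on failure the program continues with the jump left pointing at the inserted BPF_ST; propagating the error would be safer than relying on the comment that the adjustment will succeed.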
@@ -0,0 +1,418 @@ +From 9a68c0e0103d092e54987442ecfc7a554c0e9b8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 11:16:19 +0100 +Subject: btrfs: use NOFS context when getting inodes during logging and log + replay + +From: Filipe Manana + +[ Upstream commit d1825752e3074b5ff8d7f6016160e2b7c5c367ca ] + +During inode logging (and log replay too), we are holding a transaction +handle and we often need to call btrfs_iget(), which will read an inode +from its subvolume btree if it's not loaded in memory and that results in +allocating an inode with GFP_KERNEL semantics at the btrfs_alloc_inode() +callback - and this may recurse into the filesystem in case we are under +memory pressure and attempt to commit the current transaction, resulting +in a deadlock since the logging (or log replay) task is holding a +transaction handle open. + +Syzbot reported this with the following stack traces: + + WARNING: possible circular locking dependency detected + 6.10.0-rc2-syzkaller-00361-g061d1af7b030 #0 Not tainted + ------------------------------------------------------ + syz-executor.1/9919 is trying to acquire lock: + ffffffff8dd3aac0 (fs_reclaim){+.+.}-{0:0}, at: might_alloc include/linux/sched/mm.h:334 [inline] + ffffffff8dd3aac0 (fs_reclaim){+.+.}-{0:0}, at: slab_pre_alloc_hook mm/slub.c:3891 [inline] + ffffffff8dd3aac0 (fs_reclaim){+.+.}-{0:0}, at: slab_alloc_node mm/slub.c:3981 [inline] + ffffffff8dd3aac0 (fs_reclaim){+.+.}-{0:0}, at: kmem_cache_alloc_lru_noprof+0x58/0x2f0 mm/slub.c:4020 + + but task is already holding lock: + ffff88804b569358 (&ei->log_mutex){+.+.}-{3:3}, at: btrfs_log_inode+0x39c/0x4660 fs/btrfs/tree-log.c:6481 + + which lock already depends on the new lock. 
+ + the existing dependency chain (in reverse order) is: + + -> #3 (&ei->log_mutex){+.+.}-{3:3}: + __mutex_lock_common kernel/locking/mutex.c:608 [inline] + __mutex_lock+0x175/0x9c0 kernel/locking/mutex.c:752 + btrfs_log_inode+0x39c/0x4660 fs/btrfs/tree-log.c:6481 + btrfs_log_inode_parent+0x8cb/0x2a90 fs/btrfs/tree-log.c:7079 + btrfs_log_dentry_safe+0x59/0x80 fs/btrfs/tree-log.c:7180 + btrfs_sync_file+0x9c1/0xe10 fs/btrfs/file.c:1959 + vfs_fsync_range+0x141/0x230 fs/sync.c:188 + generic_write_sync include/linux/fs.h:2794 [inline] + btrfs_do_write_iter+0x584/0x10c0 fs/btrfs/file.c:1705 + new_sync_write fs/read_write.c:497 [inline] + vfs_write+0x6b6/0x1140 fs/read_write.c:590 + ksys_write+0x12f/0x260 fs/read_write.c:643 + do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] + __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 + do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + + -> #2 (btrfs_trans_num_extwriters){++++}-{0:0}: + join_transaction+0x164/0xf40 fs/btrfs/transaction.c:315 + start_transaction+0x427/0x1a70 fs/btrfs/transaction.c:700 + btrfs_commit_super+0xa1/0x110 fs/btrfs/disk-io.c:4170 + close_ctree+0xcb0/0xf90 fs/btrfs/disk-io.c:4324 + generic_shutdown_super+0x159/0x3d0 fs/super.c:642 + kill_anon_super+0x3a/0x60 fs/super.c:1226 + btrfs_kill_super+0x3b/0x50 fs/btrfs/super.c:2096 + deactivate_locked_super+0xbe/0x1a0 fs/super.c:473 + deactivate_super+0xde/0x100 fs/super.c:506 + cleanup_mnt+0x222/0x450 fs/namespace.c:1267 + task_work_run+0x14e/0x250 kernel/task_work.c:180 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop kernel/entry/common.c:114 [inline] + exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] + __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] + syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218 + __do_fast_syscall_32+0x80/0x120 arch/x86/entry/common.c:389 + 
do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + + -> #1 (btrfs_trans_num_writers){++++}-{0:0}: + __lock_release kernel/locking/lockdep.c:5468 [inline] + lock_release+0x33e/0x6c0 kernel/locking/lockdep.c:5774 + percpu_up_read include/linux/percpu-rwsem.h:99 [inline] + __sb_end_write include/linux/fs.h:1650 [inline] + sb_end_intwrite include/linux/fs.h:1767 [inline] + __btrfs_end_transaction+0x5ca/0x920 fs/btrfs/transaction.c:1071 + btrfs_commit_inode_delayed_inode+0x228/0x330 fs/btrfs/delayed-inode.c:1301 + btrfs_evict_inode+0x960/0xe80 fs/btrfs/inode.c:5291 + evict+0x2ed/0x6c0 fs/inode.c:667 + iput_final fs/inode.c:1741 [inline] + iput.part.0+0x5a8/0x7f0 fs/inode.c:1767 + iput+0x5c/0x80 fs/inode.c:1757 + dentry_unlink_inode+0x295/0x480 fs/dcache.c:400 + __dentry_kill+0x1d0/0x600 fs/dcache.c:603 + dput.part.0+0x4b1/0x9b0 fs/dcache.c:845 + dput+0x1f/0x30 fs/dcache.c:835 + ovl_stack_put+0x60/0x90 fs/overlayfs/util.c:132 + ovl_destroy_inode+0xc6/0x190 fs/overlayfs/super.c:182 + destroy_inode+0xc4/0x1b0 fs/inode.c:311 + iput_final fs/inode.c:1741 [inline] + iput.part.0+0x5a8/0x7f0 fs/inode.c:1767 + iput+0x5c/0x80 fs/inode.c:1757 + dentry_unlink_inode+0x295/0x480 fs/dcache.c:400 + __dentry_kill+0x1d0/0x600 fs/dcache.c:603 + shrink_kill fs/dcache.c:1048 [inline] + shrink_dentry_list+0x140/0x5d0 fs/dcache.c:1075 + prune_dcache_sb+0xeb/0x150 fs/dcache.c:1156 + super_cache_scan+0x32a/0x550 fs/super.c:221 + do_shrink_slab+0x44f/0x11c0 mm/shrinker.c:435 + shrink_slab_memcg mm/shrinker.c:548 [inline] + shrink_slab+0xa87/0x1310 mm/shrinker.c:626 + shrink_one+0x493/0x7c0 mm/vmscan.c:4790 + shrink_many mm/vmscan.c:4851 [inline] + lru_gen_shrink_node+0x89f/0x1750 mm/vmscan.c:4951 + shrink_node mm/vmscan.c:5910 [inline] + kswapd_shrink_node mm/vmscan.c:6720 [inline] + balance_pgdat+0x1105/0x1970 mm/vmscan.c:6911 + kswapd+0x5ea/0xbf0 mm/vmscan.c:7180 + kthread+0x2c1/0x3a0 kernel/kthread.c:389 + ret_from_fork+0x45/0x80 
arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + -> #0 (fs_reclaim){+.+.}-{0:0}: + check_prev_add kernel/locking/lockdep.c:3134 [inline] + check_prevs_add kernel/locking/lockdep.c:3253 [inline] + validate_chain kernel/locking/lockdep.c:3869 [inline] + __lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137 + lock_acquire kernel/locking/lockdep.c:5754 [inline] + lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 + __fs_reclaim_acquire mm/page_alloc.c:3801 [inline] + fs_reclaim_acquire+0x102/0x160 mm/page_alloc.c:3815 + might_alloc include/linux/sched/mm.h:334 [inline] + slab_pre_alloc_hook mm/slub.c:3891 [inline] + slab_alloc_node mm/slub.c:3981 [inline] + kmem_cache_alloc_lru_noprof+0x58/0x2f0 mm/slub.c:4020 + btrfs_alloc_inode+0x118/0xb20 fs/btrfs/inode.c:8411 + alloc_inode+0x5d/0x230 fs/inode.c:261 + iget5_locked fs/inode.c:1235 [inline] + iget5_locked+0x1c9/0x2c0 fs/inode.c:1228 + btrfs_iget_locked fs/btrfs/inode.c:5590 [inline] + btrfs_iget_path fs/btrfs/inode.c:5607 [inline] + btrfs_iget+0xfb/0x230 fs/btrfs/inode.c:5636 + add_conflicting_inode fs/btrfs/tree-log.c:5657 [inline] + copy_inode_items_to_log+0x1039/0x1e30 fs/btrfs/tree-log.c:5928 + btrfs_log_inode+0xa48/0x4660 fs/btrfs/tree-log.c:6592 + log_new_delayed_dentries fs/btrfs/tree-log.c:6363 [inline] + btrfs_log_inode+0x27dd/0x4660 fs/btrfs/tree-log.c:6718 + btrfs_log_all_parents fs/btrfs/tree-log.c:6833 [inline] + btrfs_log_inode_parent+0x22ba/0x2a90 fs/btrfs/tree-log.c:7141 + btrfs_log_dentry_safe+0x59/0x80 fs/btrfs/tree-log.c:7180 + btrfs_sync_file+0x9c1/0xe10 fs/btrfs/file.c:1959 + vfs_fsync_range+0x141/0x230 fs/sync.c:188 + generic_write_sync include/linux/fs.h:2794 [inline] + btrfs_do_write_iter+0x584/0x10c0 fs/btrfs/file.c:1705 + do_iter_readv_writev+0x504/0x780 fs/read_write.c:741 + vfs_writev+0x36f/0xde0 fs/read_write.c:971 + do_pwritev+0x1b2/0x260 fs/read_write.c:1072 + __do_compat_sys_pwritev2 fs/read_write.c:1218 [inline] + 
__se_compat_sys_pwritev2 fs/read_write.c:1210 [inline] + __ia32_compat_sys_pwritev2+0x121/0x1b0 fs/read_write.c:1210 + do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] + __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 + do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + + other info that might help us debug this: + + Chain exists of: + fs_reclaim --> btrfs_trans_num_extwriters --> &ei->log_mutex + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&ei->log_mutex); + lock(btrfs_trans_num_extwriters); + lock(&ei->log_mutex); + lock(fs_reclaim); + + *** DEADLOCK *** + + 7 locks held by syz-executor.1/9919: + #0: ffff88802be20420 (sb_writers#23){.+.+}-{0:0}, at: do_pwritev+0x1b2/0x260 fs/read_write.c:1072 + #1: ffff888065c0f8f0 (&sb->s_type->i_mutex_key#33){++++}-{3:3}, at: inode_lock include/linux/fs.h:791 [inline] + #1: ffff888065c0f8f0 (&sb->s_type->i_mutex_key#33){++++}-{3:3}, at: btrfs_inode_lock+0xc8/0x110 fs/btrfs/inode.c:385 + #2: ffff888065c0f778 (&ei->i_mmap_lock){++++}-{3:3}, at: btrfs_inode_lock+0xee/0x110 fs/btrfs/inode.c:388 + #3: ffff88802be20610 (sb_internal#4){.+.+}-{0:0}, at: btrfs_sync_file+0x95b/0xe10 fs/btrfs/file.c:1952 + #4: ffff8880546323f0 (btrfs_trans_num_writers){++++}-{0:0}, at: join_transaction+0x430/0xf40 fs/btrfs/transaction.c:290 + #5: ffff888054632418 (btrfs_trans_num_extwriters){++++}-{0:0}, at: join_transaction+0x430/0xf40 fs/btrfs/transaction.c:290 + #6: ffff88804b569358 (&ei->log_mutex){+.+.}-{3:3}, at: btrfs_log_inode+0x39c/0x4660 fs/btrfs/tree-log.c:6481 + + stack backtrace: + CPU: 2 PID: 9919 Comm: syz-executor.1 Not tainted 6.10.0-rc2-syzkaller-00361-g061d1af7b030 #0 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 + check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2187 + 
check_prev_add kernel/locking/lockdep.c:3134 [inline] + check_prevs_add kernel/locking/lockdep.c:3253 [inline] + validate_chain kernel/locking/lockdep.c:3869 [inline] + __lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137 + lock_acquire kernel/locking/lockdep.c:5754 [inline] + lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 + __fs_reclaim_acquire mm/page_alloc.c:3801 [inline] + fs_reclaim_acquire+0x102/0x160 mm/page_alloc.c:3815 + might_alloc include/linux/sched/mm.h:334 [inline] + slab_pre_alloc_hook mm/slub.c:3891 [inline] + slab_alloc_node mm/slub.c:3981 [inline] + kmem_cache_alloc_lru_noprof+0x58/0x2f0 mm/slub.c:4020 + btrfs_alloc_inode+0x118/0xb20 fs/btrfs/inode.c:8411 + alloc_inode+0x5d/0x230 fs/inode.c:261 + iget5_locked fs/inode.c:1235 [inline] + iget5_locked+0x1c9/0x2c0 fs/inode.c:1228 + btrfs_iget_locked fs/btrfs/inode.c:5590 [inline] + btrfs_iget_path fs/btrfs/inode.c:5607 [inline] + btrfs_iget+0xfb/0x230 fs/btrfs/inode.c:5636 + add_conflicting_inode fs/btrfs/tree-log.c:5657 [inline] + copy_inode_items_to_log+0x1039/0x1e30 fs/btrfs/tree-log.c:5928 + btrfs_log_inode+0xa48/0x4660 fs/btrfs/tree-log.c:6592 + log_new_delayed_dentries fs/btrfs/tree-log.c:6363 [inline] + btrfs_log_inode+0x27dd/0x4660 fs/btrfs/tree-log.c:6718 + btrfs_log_all_parents fs/btrfs/tree-log.c:6833 [inline] + btrfs_log_inode_parent+0x22ba/0x2a90 fs/btrfs/tree-log.c:7141 + btrfs_log_dentry_safe+0x59/0x80 fs/btrfs/tree-log.c:7180 + btrfs_sync_file+0x9c1/0xe10 fs/btrfs/file.c:1959 + vfs_fsync_range+0x141/0x230 fs/sync.c:188 + generic_write_sync include/linux/fs.h:2794 [inline] + btrfs_do_write_iter+0x584/0x10c0 fs/btrfs/file.c:1705 + do_iter_readv_writev+0x504/0x780 fs/read_write.c:741 + vfs_writev+0x36f/0xde0 fs/read_write.c:971 + do_pwritev+0x1b2/0x260 fs/read_write.c:1072 + __do_compat_sys_pwritev2 fs/read_write.c:1218 [inline] + __se_compat_sys_pwritev2 fs/read_write.c:1210 [inline] + __ia32_compat_sys_pwritev2+0x121/0x1b0 fs/read_write.c:1210 + do_syscall_32_irqs_on 
arch/x86/entry/common.c:165 [inline] + __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 + do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + RIP: 0023:0xf7334579 + Code: b8 01 10 06 03 (...) + RSP: 002b:00000000f5f265ac EFLAGS: 00000292 ORIG_RAX: 000000000000017b + RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000200002c0 + RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Fix this by ensuring we are under a NOFS scope whenever we call +btrfs_iget() during inode logging and log replay. + +Reported-by: syzbot+8576cfa84070dce4d59b@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/000000000000274a3a061abbd928@google.com/ +Fixes: 712e36c5f2a7 ("btrfs: use GFP_KERNEL in btrfs_alloc_inode") +Reviewed-by: Johannes Thumshirn +Reviewed-by: Josef Bacik +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 43 ++++++++++++++++++++++++++++--------------- + 1 file changed, 28 insertions(+), 15 deletions(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index d4fc5fedd8ee5..9d156aa8f20d1 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -138,6 +138,25 @@ static void wait_log_commit(struct btrfs_root *root, int transid); + * and once to do all the other items. 
+ */ + ++static struct inode *btrfs_iget_logging(u64 objectid, struct btrfs_root *root) ++{ ++ unsigned int nofs_flag; ++ struct inode *inode; ++ ++ /* ++ * We're holding a transaction handle whether we are logging or ++ * replaying a log tree, so we must make sure NOFS semantics apply ++ * because btrfs_alloc_inode() may be triggered and it uses GFP_KERNEL ++ * to allocate an inode, which can recurse back into the filesystem and ++ * attempt a transaction commit, resulting in a deadlock. ++ */ ++ nofs_flag = memalloc_nofs_save(); ++ inode = btrfs_iget(root->fs_info->sb, objectid, root); ++ memalloc_nofs_restore(nofs_flag); ++ ++ return inode; ++} ++ + /* + * start a sub transaction and setup the log tree + * this increments the log tree writer count to make the people +@@ -600,7 +619,7 @@ static noinline struct inode *read_one_inode(struct btrfs_root *root, + { + struct inode *inode; + +- inode = btrfs_iget(root->fs_info->sb, objectid, root); ++ inode = btrfs_iget_logging(objectid, root); + if (IS_ERR(inode)) + inode = NULL; + return inode; +@@ -5434,7 +5453,6 @@ static int log_new_dir_dentries(struct btrfs_trans_handle *trans, + struct btrfs_log_ctx *ctx) + { + struct btrfs_root *root = start_inode->root; +- struct btrfs_fs_info *fs_info = root->fs_info; + struct btrfs_path *path; + LIST_HEAD(dir_list); + struct btrfs_dir_list *dir_elem; +@@ -5495,7 +5513,7 @@ static int log_new_dir_dentries(struct btrfs_trans_handle *trans, + continue; + + btrfs_release_path(path); +- di_inode = btrfs_iget(fs_info->sb, di_key.objectid, root); ++ di_inode = btrfs_iget_logging(di_key.objectid, root); + if (IS_ERR(di_inode)) { + ret = PTR_ERR(di_inode); + goto out; +@@ -5555,7 +5573,7 @@ static int log_new_dir_dentries(struct btrfs_trans_handle *trans, + btrfs_add_delayed_iput(curr_inode); + curr_inode = NULL; + +- vfs_inode = btrfs_iget(fs_info->sb, ino, root); ++ vfs_inode = btrfs_iget_logging(ino, root); + if (IS_ERR(vfs_inode)) { + ret = PTR_ERR(vfs_inode); + break; +@@ -5650,7 
+5668,7 @@ static int add_conflicting_inode(struct btrfs_trans_handle *trans, + if (ctx->num_conflict_inodes >= MAX_CONFLICT_INODES) + return BTRFS_LOG_FORCE_COMMIT; + +- inode = btrfs_iget(root->fs_info->sb, ino, root); ++ inode = btrfs_iget_logging(ino, root); + /* + * If the other inode that had a conflicting dir entry was deleted in + * the current transaction then we either: +@@ -5751,7 +5769,6 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + struct btrfs_log_ctx *ctx) + { +- struct btrfs_fs_info *fs_info = root->fs_info; + int ret = 0; + + /* +@@ -5782,7 +5799,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + list_del(&curr->list); + kfree(curr); + +- inode = btrfs_iget(fs_info->sb, ino, root); ++ inode = btrfs_iget_logging(ino, root); + /* + * If the other inode that had a conflicting dir entry was + * deleted in the current transaction, we need to log its parent +@@ -5793,7 +5810,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + if (ret != -ENOENT) + break; + +- inode = btrfs_iget(fs_info->sb, parent, root); ++ inode = btrfs_iget_logging(parent, root); + if (IS_ERR(inode)) { + ret = PTR_ERR(inode); + break; +@@ -6315,7 +6332,6 @@ static int log_new_delayed_dentries(struct btrfs_trans_handle *trans, + struct btrfs_log_ctx *ctx) + { + const bool orig_log_new_dentries = ctx->log_new_dentries; +- struct btrfs_fs_info *fs_info = trans->fs_info; + struct btrfs_delayed_item *item; + int ret = 0; + +@@ -6341,7 +6357,7 @@ static int log_new_delayed_dentries(struct btrfs_trans_handle *trans, + if (key.type == BTRFS_ROOT_ITEM_KEY) + continue; + +- di_inode = btrfs_iget(fs_info->sb, key.objectid, inode->root); ++ di_inode = btrfs_iget_logging(key.objectid, inode->root); + if (IS_ERR(di_inode)) { + ret = PTR_ERR(di_inode); + break; +@@ -6725,7 +6741,6 @@ static int btrfs_log_all_parents(struct btrfs_trans_handle *trans, + struct btrfs_inode *inode, + struct btrfs_log_ctx 
*ctx) + { +- struct btrfs_fs_info *fs_info = trans->fs_info; + int ret; + struct btrfs_path *path; + struct btrfs_key key; +@@ -6790,8 +6805,7 @@ static int btrfs_log_all_parents(struct btrfs_trans_handle *trans, + cur_offset = item_size; + } + +- dir_inode = btrfs_iget(fs_info->sb, inode_key.objectid, +- root); ++ dir_inode = btrfs_iget_logging(inode_key.objectid, root); + /* + * If the parent inode was deleted, return an error to + * fallback to a transaction commit. This is to prevent +@@ -6853,7 +6867,6 @@ static int log_new_ancestors(struct btrfs_trans_handle *trans, + btrfs_item_key_to_cpu(path->nodes[0], &found_key, path->slots[0]); + + while (true) { +- struct btrfs_fs_info *fs_info = root->fs_info; + struct extent_buffer *leaf; + int slot; + struct btrfs_key search_key; +@@ -6868,7 +6881,7 @@ static int log_new_ancestors(struct btrfs_trans_handle *trans, + search_key.objectid = found_key.offset; + search_key.type = BTRFS_INODE_ITEM_KEY; + search_key.offset = 0; +- inode = btrfs_iget(fs_info->sb, ino, root); ++ inode = btrfs_iget_logging(ino, root); + if (IS_ERR(inode)) + return PTR_ERR(inode); + +-- +2.43.0 + diff --git a/queue-6.9/fix-race-for-duplicate-reqsk-on-identical-syn.patch b/queue-6.9/fix-race-for-duplicate-reqsk-on-identical-syn.patch new file mode 100644 index 00000000000..9954cb38565 --- /dev/null +++ b/queue-6.9/fix-race-for-duplicate-reqsk-on-identical-syn.patch 
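Review bot: the rule later changes need to follow, that inode lookups in tree-log.c go through btrfs_iget_logging() and not btrfs_iget(), is only implied by the comment inside the helper body. A short comment above btrfs_iget_logging() saying so would make it harder for a new call site to reintroduce the GFP_KERNEL allocation while a transaction handle is held. The conversion in the visible hunks is mechanical (read_one_inode(), log_new_dir_dentries(), add_conflicting_inode(), log_conflicting_inodes(), log_new_delayed_dentries(), btrfs_log_all_parents(), log_new_ancestors()), with the now-unused fs_info locals dropped. It is worth confirming that no direct btrfs_iget() call remains elsewhere in the file.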
@@ -0,0 +1,195 @@ +From 1019b623d96a22afbf34f44665b4fa6570153525 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 09:39:29 +0800 +Subject: Fix race for duplicate reqsk on identical SYN + +From: luoxuanqiang + +[ Upstream commit ff46e3b4421923937b7f6e44ffcd3549a074f321 ] + +When bonding is configured in BOND_MODE_BROADCAST mode, if two identical +SYN packets are received at the same time and processed on different CPUs, +it can potentially create the same sk (sock) but two different reqsk +(request_sock) in tcp_conn_request(). + +These two different reqsk will respond with two SYNACK packets, and since +the generation of the seq (ISN) incorporates a timestamp, the final two +SYNACK packets will have different seq values. + +The consequence is that when the Client receives and replies with an ACK +to the earlier SYNACK packet, we will reset(RST) it. + +======================================================================== + +This behavior is consistently reproducible in my local setup, +which comprises: + + | NETA1 ------ NETB1 | +PC_A --- bond --- | | --- bond --- PC_B + | NETA2 ------ NETB2 | + +- PC_A is the Server and has two network cards, NETA1 and NETA2. I have + bonded these two cards using BOND_MODE_BROADCAST mode and configured + them to be handled by different CPU. + +- PC_B is the Client, also equipped with two network cards, NETB1 and + NETB2, which are also bonded and configured in BOND_MODE_BROADCAST mode. + +If the client attempts a TCP connection to the server, it might encounter +a failure. 
Capturing packets from the server side reveals: + +10.10.10.10.45182 > localhost: Flags [S], seq 320236027, +10.10.10.10.45182 > localhost: Flags [S], seq 320236027, +localhost > 10.10.10.10.45182: Flags [S.], seq 2967855116, +localhost > 10.10.10.10.45182: Flags [S.], seq 2967855123, <== +10.10.10.10.45182 > localhost: Flags [.], ack 4294967290, +10.10.10.10.45182 > localhost: Flags [.], ack 4294967290, +localhost > 10.10.10.10.45182: Flags [R], seq 2967855117, <== +localhost > 10.10.10.10.45182: Flags [R], seq 2967855117, + +Two SYNACKs with different seq numbers are sent by localhost, +resulting in an anomaly. + +======================================================================== + +The attempted solution is as follows: +Add a return value to inet_csk_reqsk_queue_hash_add() to confirm if the +ehash insertion is successful (Up to now, the reason for unsuccessful +insertion is that a reqsk for the same connection has already been +inserted). If the insertion fails, release the reqsk. + +Due to the refcnt, Kuniyuki suggests also adding a return value check +for the DCCP module; if ehash insertion fails, indicating a successful +insertion of the same connection, simply release the reqsk as well. + +Simultaneously, In the reqsk_queue_hash_req(), the start of the +req->rsk_timer is adjusted to be after successful insertion. 
+ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: luoxuanqiang +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240621013929.1386815-1-luoxuanqiang@kylinos.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 2 +- + net/dccp/ipv4.c | 7 +++++-- + net/dccp/ipv6.c | 7 +++++-- + net/ipv4/inet_connection_sock.c | 17 +++++++++++++---- + net/ipv4/tcp_input.c | 7 ++++++- + 5 files changed, 30 insertions(+), 10 deletions(-) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index ccf171f7eb60d..146ece8563cae 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -266,7 +266,7 @@ struct dst_entry *inet_csk_route_child_sock(const struct sock *sk, + struct sock *inet_csk_reqsk_queue_add(struct sock *sk, + struct request_sock *req, + struct sock *child); +-void inet_csk_reqsk_queue_hash_add(struct sock *sk, struct request_sock *req, ++bool inet_csk_reqsk_queue_hash_add(struct sock *sk, struct request_sock *req, + unsigned long timeout); + struct sock *inet_csk_complete_hashdance(struct sock *sk, struct sock *child, + struct request_sock *req, +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index 44b033fe1ef68..f94d30b171992 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -655,8 +655,11 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) + if (dccp_v4_send_response(sk, req)) + goto drop_and_free; + +- inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); +- reqsk_put(req); ++ if (unlikely(!inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT))) ++ reqsk_free(req); ++ else ++ reqsk_put(req); ++ + return 0; + + drop_and_free: +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index ded07e09f8135..ddbd490b3531b 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -398,8 +398,11 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) + if 
(dccp_v6_send_response(sk, req)) + goto drop_and_free; + +- inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); +- reqsk_put(req); ++ if (unlikely(!inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT))) ++ reqsk_free(req); ++ else ++ reqsk_put(req); ++ + return 0; + + drop_and_free: +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 3b38610958ee4..39e9070fe3cdf 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -1121,25 +1121,34 @@ static void reqsk_timer_handler(struct timer_list *t) + inet_csk_reqsk_queue_drop_and_put(oreq->rsk_listener, oreq); + } + +-static void reqsk_queue_hash_req(struct request_sock *req, ++static bool reqsk_queue_hash_req(struct request_sock *req, + unsigned long timeout) + { ++ bool found_dup_sk = false; ++ ++ if (!inet_ehash_insert(req_to_sk(req), NULL, &found_dup_sk)) ++ return false; ++ ++ /* The timer needs to be setup after a successful insertion. */ + timer_setup(&req->rsk_timer, reqsk_timer_handler, TIMER_PINNED); + mod_timer(&req->rsk_timer, jiffies + timeout); + +- inet_ehash_insert(req_to_sk(req), NULL, NULL); + /* before letting lookups find us, make sure all req fields + * are committed to memory and refcnt initialized. 
+ */ + smp_wmb(); + refcount_set(&req->rsk_refcnt, 2 + 1); ++ return true; + } + +-void inet_csk_reqsk_queue_hash_add(struct sock *sk, struct request_sock *req, ++bool inet_csk_reqsk_queue_hash_add(struct sock *sk, struct request_sock *req, + unsigned long timeout) + { +- reqsk_queue_hash_req(req, timeout); ++ if (!reqsk_queue_hash_req(req, timeout)) ++ return false; ++ + inet_csk_reqsk_queue_added(sk); ++ return true; + } + EXPORT_SYMBOL_GPL(inet_csk_reqsk_queue_hash_add); + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 1054a440332d3..d37b45b90a61c 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -7243,7 +7243,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, + tcp_rsk(req)->tfo_listener = false; + if (!want_cookie) { + req->timeout = tcp_timeout_init((struct sock *)req); +- inet_csk_reqsk_queue_hash_add(sk, req, req->timeout); ++ if (unlikely(!inet_csk_reqsk_queue_hash_add(sk, req, ++ req->timeout))) { ++ reqsk_free(req); ++ return 0; ++ } ++ + } + af_ops->send_synack(sk, dst, &fl, req, &foc, + !want_cookie ? TCP_SYNACK_NORMAL : +-- +2.43.0 + diff --git a/queue-6.9/ibmvnic-free-any-outstanding-tx-skbs-during-scrq-res.patch b/queue-6.9/ibmvnic-free-any-outstanding-tx-skbs-during-scrq-res.patch new file mode 100644 index 00000000000..281209775ae --- /dev/null +++ b/queue-6.9/ibmvnic-free-any-outstanding-tx-skbs-during-scrq-res.patch 
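Review bot: in the tcp_conn_request() hunk, the new failure branch does `reqsk_free(req); return 0;` and leaves `dst` untouched, although dst is what the send_synack() call right after it takes. Please confirm no reference on dst is held at this point, or release it before returning. The same hunk also leaves a stray blank line before the closing brace of the `if (!want_cookie)` block. In reqsk_queue_hash_req(), found_dup_sk is passed to inet_ehash_insert() but never read afterwards, while the old call passed NULL in that position. A one-line comment on why the out-parameter is needed even though only the return value is used would help the next reader.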
@@ -0,0 +1,60 @@ +From fed262da7111678b0f605fb96c41de2e623e8ffb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 10:23:12 -0500 +Subject: ibmvnic: Free any outstanding tx skbs during scrq reset + +From: Nick Child + +[ Upstream commit 49bbeb5719c2f56907d3a9623b47c6c15c2c431d ] + +There are 2 types of outstanding tx skb's: +Type 1: Packets that are sitting in the drivers ind_buff that are +waiting to be batch sent to the NIC. During a device reset, these are +freed with a call to ibmvnic_tx_scrq_clean_buffer() +Type 2: Packets that have been sent to the NIC and are awaiting a TX +completion IRQ. These are free'd during a reset with a call to +clean_tx_pools() + +During any reset which requires us to free the tx irq, ensure that the +Type 2 skb references are freed. Since the irq is released, it is +impossible for the NIC to inform of any completions. + +Furthermore, later in the reset process is a call to init_tx_pools() +which marks every entry in the tx pool as free (ie not outstanding). +So if the driver is to make a call to init_tx_pools(), it must first +be sure that the tx pool is empty of skb references. + +This issue was discovered by observing the following in the logs during +EEH testing: + TX free map points to untracked skb (tso_pool 0 idx=4) + TX free map points to untracked skb (tso_pool 0 idx=5) + TX free map points to untracked skb (tso_pool 1 idx=36) + +Fixes: 65d6470d139a ("ibmvnic: clean pending indirect buffs during reset") +Signed-off-by: Nick Child +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 30c47b8470ade..722bb724361c2 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -4057,6 +4057,12 @@ static void release_sub_crqs(struct ibmvnic_adapter *adapter, bool do_h_free) + adapter->num_active_tx_scrqs = 0; + } + ++ /* Clean any remaining outstanding SKBs ++ * we freed the irq so we won't be hearing ++ * from them ++ */ ++ clean_tx_pools(adapter); ++ + if (adapter->rx_scrq) { + for (i = 0; i < adapter->num_active_rx_scrqs; i++) { + if (!adapter->rx_scrq[i]) +-- +2.43.0 + diff --git a/queue-6.9/ice-rebuild-tc-queues-on-vsi-queue-reconfiguration.patch b/queue-6.9/ice-rebuild-tc-queues-on-vsi-queue-reconfiguration.patch new file mode 100644 index 00000000000..5f295f2aec3 --- /dev/null +++ b/queue-6.9/ice-rebuild-tc-queues-on-vsi-queue-reconfiguration.patch 
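Review bot: in release_sub_crqs(), clean_tx_pools(adapter) is called unconditionally, after the closing brace of the preceding tx block and regardless of do_h_free, while the added comment justifies it with "we freed the irq". Please confirm clean_tx_pools() is safe when the tx pools were never set up or were already released, and either tie the call to the path that actually frees the irq or reword the comment to match when it runs. The commit message's explanation, that init_tx_pools() later marks every entry free and so the pool must hold no skb references first, is the stronger argument and would be worth carrying into the code comment.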
@@ -0,0 +1,57 @@ +From ca438d45c4d7132a2c91d137cc3b684f30a04da4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 10:54:19 -0700 +Subject: ice: Rebuild TC queues on VSI queue reconfiguration + +From: Jan Sokolowski + +[ Upstream commit f4b91c1d17c676b8ad4c6bd674da874f3f7d5701 ] + +TC queues needs to be correctly updated when the number of queues on +a VSI is reconfigured, so netdev's queue and TC settings will be +dynamically adjusted and could accurately represent the underlying +hardware state after changes to the VSI queue counts. + +Fixes: 0754d65bd4be ("ice: Add infrastructure for mqprio support via ndo_setup_tc") +Reviewed-by: Wojciech Drewek +Signed-off-by: Jan Sokolowski +Signed-off-by: Karen Ostrowska +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 61eef3259cbaa..88d4675cc3428 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -4102,7 +4102,7 @@ bool ice_is_wol_supported(struct ice_hw *hw) + int ice_vsi_recfg_qs(struct ice_vsi *vsi, int new_rx, int new_tx, bool locked) + { + struct ice_pf *pf = vsi->back; +- int err = 0, timeout = 50; ++ int i, err = 0, timeout = 50; + + if (!new_rx && !new_tx) + return -EINVAL; +@@ -4128,6 +4128,14 @@ int ice_vsi_recfg_qs(struct ice_vsi *vsi, int new_rx, int new_tx, bool locked) + + ice_vsi_close(vsi); + ice_vsi_rebuild(vsi, ICE_VSI_FLAG_NO_INIT); ++ ++ ice_for_each_traffic_class(i) { ++ if (vsi->tc_cfg.ena_tc & BIT(i)) ++ netdev_set_tc_queue(vsi->netdev, ++ vsi->tc_cfg.tc_info[i].netdev_tc, ++ vsi->tc_cfg.tc_info[i].qcount_tx, ++ vsi->tc_cfg.tc_info[i].qoffset); ++ } + ice_pf_dcb_recfg(pf, locked); + ice_vsi_open(vsi); + 
done: +-- +2.43.0 + diff --git a/queue-6.9/ionic-fix-kernel-panic-due-to-multi-buffer-handling.patch b/queue-6.9/ionic-fix-kernel-panic-due-to-multi-buffer-handling.patch new file mode 100644 index 00000000000..09cf2e05577 --- /dev/null +++ b/queue-6.9/ionic-fix-kernel-panic-due-to-multi-buffer-handling.patch 
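Review bot: in ice_vsi_recfg_qs(), the return value of netdev_set_tc_queue() is dropped inside the new ice_for_each_traffic_class() loop, even though the function already carries `err` and has a `done:` label. A failed update would leave the netdev TC mapping out of step with the rebuilt VSI, which is the state this change is meant to prevent, so assign the result to err and bail out or at least log it. Style: the `if (vsi->tc_cfg.ena_tc & BIT(i))` body spans four lines and should have braces.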
@@ -0,0 +1,137 @@ +From a7e9959a8e564f516849e7012e50a806aada0a38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 10:58:08 +0000 +Subject: ionic: fix kernel panic due to multi-buffer handling + +From: Taehee Yoo + +[ Upstream commit e3f02f32a05009a688a87f5799e049ed6b55bab5 ] + +Currently, the ionic_run_xdp() doesn't handle multi-buffer packets +properly for XDP_TX and XDP_REDIRECT. +When a jumbo frame is received, the ionic_run_xdp() first makes xdp +frame with all necessary pages in the rx descriptor. +And if the action is either XDP_TX or XDP_REDIRECT, it should unmap +dma-mapping and reset page pointer to NULL for all pages, not only the +first page. +But it doesn't for SG pages. So, SG pages unexpectedly will be reused. +It eventually causes kernel panic. + +Oops: general protection fault, probably for non-canonical address 0x504f4e4dbebc64ff: 0000 [#1] PREEMPT SMP NOPTI +CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.10.0-rc3+ #25 +RIP: 0010:xdp_return_frame+0x42/0x90 +Code: 01 75 12 5b 4c 89 e6 5d 31 c9 41 5c 31 d2 41 5d e9 73 fd ff ff 44 8b 6b 20 0f b7 43 0a 49 81 ed 68 01 00 00 49 29 c5 49 01 fd <41> 80 7d0 +RSP: 0018:ffff99d00122ce08 EFLAGS: 00010202 +RAX: 0000000000005453 RBX: ffff8d325f904000 RCX: 0000000000000001 +RDX: 00000000670e1000 RSI: 000000011f90d000 RDI: 504f4e4d4c4b4a49 +RBP: ffff99d003907740 R08: 0000000000000000 R09: 0000000000000000 +R10: 000000011f90d000 R11: 0000000000000000 R12: ffff8d325f904010 +R13: 504f4e4dbebc64fd R14: ffff8d3242b070c8 R15: ffff99d0039077c0 +FS: 0000000000000000(0000) GS:ffff8d399f780000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f41f6c85e38 CR3: 000000037ac30000 CR4: 00000000007506f0 +PKRU: 55555554 +Call Trace: + + ? die_addr+0x33/0x90 + ? exc_general_protection+0x251/0x2f0 + ? asm_exc_general_protection+0x22/0x30 + ? 
xdp_return_frame+0x42/0x90 + ionic_tx_clean+0x211/0x280 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] + ionic_tx_cq_service+0xd3/0x210 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] + ionic_txrx_napi+0x41/0x1b0 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] + __napi_poll.constprop.0+0x29/0x1b0 + net_rx_action+0x2c4/0x350 + handle_softirqs+0xf4/0x320 + irq_exit_rcu+0x78/0xa0 + common_interrupt+0x77/0x90 + +Fixes: 5377805dc1c0 ("ionic: implement xdp frags support") +Signed-off-by: Taehee Yoo +Reviewed-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/pensando/ionic/ionic_txrx.c | 27 ++++++++++++------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index 2427610f4306d..aed7d9cbce038 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -480,6 +480,20 @@ int ionic_xdp_xmit(struct net_device *netdev, int n, + return nxmit; + } + ++static void ionic_xdp_rx_put_bufs(struct ionic_queue *q, ++ struct ionic_buf_info *buf_info, ++ int nbufs) ++{ ++ int i; ++ ++ for (i = 0; i < nbufs; i++) { ++ dma_unmap_page(q->dev, buf_info->dma_addr, ++ IONIC_PAGE_SIZE, DMA_FROM_DEVICE); ++ buf_info->page = NULL; ++ buf_info++; ++ } ++} ++ + static bool ionic_run_xdp(struct ionic_rx_stats *stats, + struct net_device *netdev, + struct bpf_prog *xdp_prog, +@@ -493,6 +507,7 @@ static bool ionic_run_xdp(struct ionic_rx_stats *stats, + struct netdev_queue *nq; + struct xdp_frame *xdpf; + int remain_len; ++ int nbufs = 1; + int frag_len; + int err = 0; + +@@ -542,6 +557,7 @@ static bool ionic_run_xdp(struct ionic_rx_stats *stats, + if (page_is_pfmemalloc(bi->page)) + xdp_buff_set_frag_pfmemalloc(&xdp_buf); + } while (remain_len > 0); ++ nbufs += sinfo->nr_frags; + } + + xdp_action = bpf_prog_run_xdp(xdp_prog, &xdp_buf); +@@ -574,9 +590,6 @@ static 
bool ionic_run_xdp(struct ionic_rx_stats *stats, + goto out_xdp_abort; + } + +- dma_unmap_page(rxq->dev, buf_info->dma_addr, +- IONIC_PAGE_SIZE, DMA_FROM_DEVICE); +- + err = ionic_xdp_post_frame(txq, xdpf, XDP_TX, + buf_info->page, + buf_info->page_offset, +@@ -586,23 +599,19 @@ static bool ionic_run_xdp(struct ionic_rx_stats *stats, + netdev_dbg(netdev, "tx ionic_xdp_post_frame err %d\n", err); + goto out_xdp_abort; + } +- buf_info->page = NULL; ++ ionic_xdp_rx_put_bufs(rxq, buf_info, nbufs); + stats->xdp_tx++; + + /* the Tx completion will free the buffers */ + break; + + case XDP_REDIRECT: +- /* unmap the pages before handing them to a different device */ +- dma_unmap_page(rxq->dev, buf_info->dma_addr, +- IONIC_PAGE_SIZE, DMA_FROM_DEVICE); +- + err = xdp_do_redirect(netdev, &xdp_buf, xdp_prog); + if (err) { + netdev_dbg(netdev, "xdp_do_redirect err %d\n", err); + goto out_xdp_abort; + } +- buf_info->page = NULL; ++ ionic_xdp_rx_put_bufs(rxq, buf_info, nbufs); + rxq->xdp_flush = true; + stats->xdp_redirect++; + break; +-- +2.43.0 + diff --git a/queue-6.9/ionic-use-dev_consume_skb_any-outside-of-napi.patch b/queue-6.9/ionic-use-dev_consume_skb_any-outside-of-napi.patch new file mode 100644 index 00000000000..39fce5b19ee --- /dev/null +++ b/queue-6.9/ionic-use-dev_consume_skb_any-outside-of-napi.patch 
@@ -0,0 +1,196 @@ +From 42a5fc7c763a238b173ac884be37e23b93461108 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 10:50:15 -0700 +Subject: ionic: use dev_consume_skb_any outside of napi + +From: Shannon Nelson + +[ Upstream commit 84b767f9e34fdb143c09e66a2a20722fc2921821 ] + +If we're not in a NAPI softirq context, we need to be careful +about how we call napi_consume_skb(), specifically we need to +call it with budget==0 to signal to it that we're not in a +safe context. + +This was found while running some configuration stress testing +of traffic and a change queue config loop running, and this +curious note popped out: + +[ 4371.402645] BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/20545 +[ 4371.402897] caller is napi_skb_cache_put+0x16/0x80 +[ 4371.403120] CPU: 25 PID: 20545 Comm: ethtool Kdump: loaded Tainted: G OE 6.10.0-rc3-netnext+ #8 +[ 4371.403302] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 01/23/2021 +[ 4371.403460] Call Trace: +[ 4371.403613] +[ 4371.403758] dump_stack_lvl+0x4f/0x70 +[ 4371.403904] check_preemption_disabled+0xc1/0xe0 +[ 4371.404051] napi_skb_cache_put+0x16/0x80 +[ 4371.404199] ionic_tx_clean+0x18a/0x240 [ionic] +[ 4371.404354] ionic_tx_cq_service+0xc4/0x200 [ionic] +[ 4371.404505] ionic_tx_flush+0x15/0x70 [ionic] +[ 4371.404653] ? ionic_lif_qcq_deinit.isra.23+0x5b/0x70 [ionic] +[ 4371.404805] ionic_txrx_deinit+0x71/0x190 [ionic] +[ 4371.404956] ionic_reconfigure_queues+0x5f5/0xff0 [ionic] +[ 4371.405111] ionic_set_ringparam+0x2e8/0x3e0 [ionic] +[ 4371.405265] ethnl_set_rings+0x1f1/0x300 +[ 4371.405418] ethnl_default_set_doit+0xbb/0x160 +[ 4371.405571] genl_family_rcv_msg_doit+0xff/0x130 + [...] 
+ +I found that ionic_tx_clean() calls napi_consume_skb() which calls +napi_skb_cache_put(), but before that last call is the note + /* Zero budget indicate non-NAPI context called us, like netpoll */ +and + DEBUG_NET_WARN_ON_ONCE(!in_softirq()); + +Those are pretty big hints that we're doing it wrong. We can pass a +context hint down through the calls to let ionic_tx_clean() know what +we're doing so it can call napi_consume_skb() correctly. + +Fixes: 386e69865311 ("ionic: Make use napi_consume_skb") +Signed-off-by: Shannon Nelson +Link: https://patch.msgid.link/20240624175015.4520-1-shannon.nelson@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/pensando/ionic/ionic_dev.h | 4 ++- + .../net/ethernet/pensando/ionic/ionic_lif.c | 2 +- + .../net/ethernet/pensando/ionic/ionic_txrx.c | 28 +++++++++++-------- + 3 files changed, 21 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.h b/drivers/net/ethernet/pensando/ionic/ionic_dev.h +index f30eee4a5a80e..b6c01a88098dc 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.h ++++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.h +@@ -375,7 +375,9 @@ typedef void (*ionic_cq_done_cb)(void *done_arg); + unsigned int ionic_cq_service(struct ionic_cq *cq, unsigned int work_to_do, + ionic_cq_cb cb, ionic_cq_done_cb done_cb, + void *done_arg); +-unsigned int ionic_tx_cq_service(struct ionic_cq *cq, unsigned int work_to_do); ++unsigned int ionic_tx_cq_service(struct ionic_cq *cq, ++ unsigned int work_to_do, ++ bool in_napi); + + int ionic_q_init(struct ionic_lif *lif, struct ionic_dev *idev, + struct ionic_queue *q, unsigned int index, const char *name, +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 0cd819bc4ae35..1dec4ebd708f2 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -1189,7 +1189,7 @@ static 
int ionic_adminq_napi(struct napi_struct *napi, int budget) + ionic_rx_service, NULL, NULL); + + if (lif->hwstamp_txq) +- tx_work = ionic_tx_cq_service(&lif->hwstamp_txq->cq, budget); ++ tx_work = ionic_tx_cq_service(&lif->hwstamp_txq->cq, budget, !!budget); + + work_done = max(max(n_work, a_work), max(rx_work, tx_work)); + if (work_done < budget && napi_complete_done(napi, work_done)) { +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index aed7d9cbce038..9fdd7cd3ef19d 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -23,7 +23,8 @@ static void ionic_tx_desc_unmap_bufs(struct ionic_queue *q, + + static void ionic_tx_clean(struct ionic_queue *q, + struct ionic_tx_desc_info *desc_info, +- struct ionic_txq_comp *comp); ++ struct ionic_txq_comp *comp, ++ bool in_napi); + + static inline void ionic_txq_post(struct ionic_queue *q, bool ring_dbell) + { +@@ -944,7 +945,7 @@ int ionic_tx_napi(struct napi_struct *napi, int budget) + u32 work_done = 0; + u32 flags = 0; + +- work_done = ionic_tx_cq_service(cq, budget); ++ work_done = ionic_tx_cq_service(cq, budget, !!budget); + + if (unlikely(!budget)) + return budget; +@@ -1028,7 +1029,7 @@ int ionic_txrx_napi(struct napi_struct *napi, int budget) + txqcq = lif->txqcqs[qi]; + txcq = &lif->txqcqs[qi]->cq; + +- tx_work_done = ionic_tx_cq_service(txcq, IONIC_TX_BUDGET_DEFAULT); ++ tx_work_done = ionic_tx_cq_service(txcq, IONIC_TX_BUDGET_DEFAULT, !!budget); + + if (unlikely(!budget)) + return budget; +@@ -1161,7 +1162,8 @@ static void ionic_tx_desc_unmap_bufs(struct ionic_queue *q, + + static void ionic_tx_clean(struct ionic_queue *q, + struct ionic_tx_desc_info *desc_info, +- struct ionic_txq_comp *comp) ++ struct ionic_txq_comp *comp, ++ bool in_napi) + { + struct ionic_tx_stats *stats = q_to_tx_stats(q); + struct ionic_qcq *qcq = q_to_qcq(q); +@@ -1213,11 +1215,13 @@ static void 
ionic_tx_clean(struct ionic_queue *q, + desc_info->bytes = skb->len; + stats->clean++; + +- napi_consume_skb(skb, 1); ++ napi_consume_skb(skb, likely(in_napi) ? 1 : 0); + } + + static bool ionic_tx_service(struct ionic_cq *cq, +- unsigned int *total_pkts, unsigned int *total_bytes) ++ unsigned int *total_pkts, ++ unsigned int *total_bytes, ++ bool in_napi) + { + struct ionic_tx_desc_info *desc_info; + struct ionic_queue *q = cq->bound_q; +@@ -1239,7 +1243,7 @@ static bool ionic_tx_service(struct ionic_cq *cq, + desc_info->bytes = 0; + index = q->tail_idx; + q->tail_idx = (q->tail_idx + 1) & (q->num_descs - 1); +- ionic_tx_clean(q, desc_info, comp); ++ ionic_tx_clean(q, desc_info, comp, in_napi); + if (desc_info->skb) { + pkts++; + bytes += desc_info->bytes; +@@ -1253,7 +1257,9 @@ static bool ionic_tx_service(struct ionic_cq *cq, + return true; + } + +-unsigned int ionic_tx_cq_service(struct ionic_cq *cq, unsigned int work_to_do) ++unsigned int ionic_tx_cq_service(struct ionic_cq *cq, ++ unsigned int work_to_do, ++ bool in_napi) + { + unsigned int work_done = 0; + unsigned int bytes = 0; +@@ -1262,7 +1268,7 @@ unsigned int ionic_tx_cq_service(struct ionic_cq *cq, unsigned int work_to_do) + if (work_to_do == 0) + return 0; + +- while (ionic_tx_service(cq, &pkts, &bytes)) { ++ while (ionic_tx_service(cq, &pkts, &bytes, in_napi)) { + if (cq->tail_idx == cq->num_descs - 1) + cq->done_color = !cq->done_color; + cq->tail_idx = (cq->tail_idx + 1) & (cq->num_descs - 1); +@@ -1288,7 +1294,7 @@ void ionic_tx_flush(struct ionic_cq *cq) + { + u32 work_done; + +- work_done = ionic_tx_cq_service(cq, cq->num_descs); ++ work_done = ionic_tx_cq_service(cq, cq->num_descs, false); + if (work_done) + ionic_intr_credits(cq->idev->intr_ctrl, cq->bound_intr->index, + work_done, IONIC_INTR_CRED_RESET_COALESCE); +@@ -1305,7 +1311,7 @@ void ionic_tx_empty(struct ionic_queue *q) + desc_info = &q->tx_info[q->tail_idx]; + desc_info->bytes = 0; + q->tail_idx = (q->tail_idx + 1) & (q->num_descs - 
1); +- ionic_tx_clean(q, desc_info, NULL); ++ ionic_tx_clean(q, desc_info, NULL, false); + if (desc_info->skb) { + pkts++; + bytes += desc_info->bytes; +-- +2.43.0 + diff --git a/queue-6.9/mlxsw-pci-fix-driver-initialization-with-spectrum-4.patch b/queue-6.9/mlxsw-pci-fix-driver-initialization-with-spectrum-4.patch new file mode 100644 index 00000000000..b67a1deb8fe --- /dev/null +++ b/queue-6.9/mlxsw-pci-fix-driver-initialization-with-spectrum-4.patch 
@@ -0,0 +1,134 @@ +From abb6aab810e5484cfcaca9ae6b792591c2fbed56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 09:19:13 +0200 +Subject: mlxsw: pci: Fix driver initialization with Spectrum-4 + +From: Ido Schimmel + +[ Upstream commit 0602697d6f4d72b0bc5edbc76afabf6aaa029a69 ] + +Cited commit added support for a new reset flow ("all reset") which is +deeper than the existing reset flow ("software reset") and allows the +device's PCI firmware to be upgraded. + +In the new flow the driver first tells the firmware that "all reset" is +required by issuing a new reset command (i.e., MRSR.command=6) and then +triggers the reset by having the PCI core issue a secondary bus reset +(SBR). + +However, due to a race condition in the device's firmware the device is +not always able to recover from this reset, resulting in initialization +failures [1]. + +New firmware versions include a fix for the bug and advertise it using a +new capability bit in the Management Capabilities Mask (MCAM) register. + +Avoid initialization failures by reading the new capability bit and +triggering the new reset flow only if the bit is set. If the bit is not +set, trigger a normal PCI hot reset by skipping the call to the +Management Reset and Shutdown Register (MRSR). + +Normal PCI hot reset is weaker than "all reset", but it results in a +fully operational driver and allows users to flash a new firmware, if +they want to. 
+ +[1] +mlxsw_spectrum4 0000:01:00.0: not ready 1023ms after bus reset; waiting +mlxsw_spectrum4 0000:01:00.0: not ready 2047ms after bus reset; waiting +mlxsw_spectrum4 0000:01:00.0: not ready 4095ms after bus reset; waiting +mlxsw_spectrum4 0000:01:00.0: not ready 8191ms after bus reset; waiting +mlxsw_spectrum4 0000:01:00.0: not ready 16383ms after bus reset; waiting +mlxsw_spectrum4 0000:01:00.0: not ready 32767ms after bus reset; waiting +mlxsw_spectrum4 0000:01:00.0: not ready 65535ms after bus reset; giving up +mlxsw_spectrum4 0000:01:00.0: PCI function reset failed with -25 +mlxsw_spectrum4 0000:01:00.0: cannot register bus device +mlxsw_spectrum4: probe of 0000:01:00.0 failed with error -25 + +Fixes: f257c73e5356 ("mlxsw: pci: Add support for new reset flow") +Reported-by: Maksym Yaremchuk +Signed-off-by: Ido Schimmel +Tested-by: Maksym Yaremchuk +Reviewed-by: Simon Horman +Signed-off-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/pci.c | 18 +++++++++++++++--- + drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 ++ + 2 files changed, 17 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c +index f42a1b1c93687..653a47dd43862 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c +@@ -1490,18 +1490,25 @@ static int mlxsw_pci_sys_ready_wait(struct mlxsw_pci *mlxsw_pci, + return -EBUSY; + } + +-static int mlxsw_pci_reset_at_pci_disable(struct mlxsw_pci *mlxsw_pci) ++static int mlxsw_pci_reset_at_pci_disable(struct mlxsw_pci *mlxsw_pci, ++ bool pci_reset_sbr_supported) + { + struct pci_dev *pdev = mlxsw_pci->pdev; + char mrsr_pl[MLXSW_REG_MRSR_LEN]; + int err; + ++ if (!pci_reset_sbr_supported) { ++ pci_dbg(pdev, "Performing PCI hot reset instead of \"all reset\"\n"); ++ goto sbr; ++ } ++ + mlxsw_reg_mrsr_pack(mrsr_pl, + MLXSW_REG_MRSR_COMMAND_RESET_AT_PCI_DISABLE); + 
err = mlxsw_reg_write(mlxsw_pci->core, MLXSW_REG(mrsr), mrsr_pl); + if (err) + return err; + ++sbr: + device_lock_assert(&pdev->dev); + + pci_cfg_access_lock(pdev); +@@ -1529,6 +1536,7 @@ static int + mlxsw_pci_reset(struct mlxsw_pci *mlxsw_pci, const struct pci_device_id *id) + { + struct pci_dev *pdev = mlxsw_pci->pdev; ++ bool pci_reset_sbr_supported = false; + char mcam_pl[MLXSW_REG_MCAM_LEN]; + bool pci_reset_supported = false; + u32 sys_status; +@@ -1548,13 +1556,17 @@ mlxsw_pci_reset(struct mlxsw_pci *mlxsw_pci, const struct pci_device_id *id) + mlxsw_reg_mcam_pack(mcam_pl, + MLXSW_REG_MCAM_FEATURE_GROUP_ENHANCED_FEATURES); + err = mlxsw_reg_query(mlxsw_pci->core, MLXSW_REG(mcam), mcam_pl); +- if (!err) ++ if (!err) { + mlxsw_reg_mcam_unpack(mcam_pl, MLXSW_REG_MCAM_PCI_RESET, + &pci_reset_supported); ++ mlxsw_reg_mcam_unpack(mcam_pl, MLXSW_REG_MCAM_PCI_RESET_SBR, ++ &pci_reset_sbr_supported); ++ } + + if (pci_reset_supported) { + pci_dbg(pdev, "Starting PCI reset flow\n"); +- err = mlxsw_pci_reset_at_pci_disable(mlxsw_pci); ++ err = mlxsw_pci_reset_at_pci_disable(mlxsw_pci, ++ pci_reset_sbr_supported); + } else { + pci_dbg(pdev, "Starting software reset flow\n"); + err = mlxsw_pci_reset_sw(mlxsw_pci); +diff --git a/drivers/net/ethernet/mellanox/mlxsw/reg.h b/drivers/net/ethernet/mellanox/mlxsw/reg.h +index 8892654c685f3..010eecab5147a 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h +@@ -10668,6 +10668,8 @@ enum mlxsw_reg_mcam_mng_feature_cap_mask_bits { + MLXSW_REG_MCAM_MCIA_128B = 34, + /* If set, MRSR.command=6 is supported. */ + MLXSW_REG_MCAM_PCI_RESET = 48, ++ /* If set, MRSR.command=6 is supported with Secondary Bus Reset. */ ++ MLXSW_REG_MCAM_PCI_RESET_SBR = 67, + }; + + #define MLXSW_REG_BYTES_PER_DWORD 0x4 +-- +2.43.0 + 
diff --git a/queue-6.9/mlxsw-spectrum_buffers-fix-memory-corruptions-on-spe.patch b/queue-6.9/mlxsw-spectrum_buffers-fix-memory-corruptions-on-spe.patch new file mode 100644 index 00000000000..edd9d55be76 --- /dev/null +++ b/queue-6.9/mlxsw-spectrum_buffers-fix-memory-corruptions-on-spe.patch 
@@ -0,0 +1,161 @@ +From 4bb8da97a05b091a5b09eb2c095acebc3f877611 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 09:19:14 +0200 +Subject: mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems + +From: Ido Schimmel + +[ Upstream commit c28947de2bed40217cf256c5d0d16880054fcf13 ] + +The following two shared buffer operations make use of the Shared Buffer +Status Register (SBSR): + + # devlink sb occupancy snapshot pci/0000:01:00.0 + # devlink sb occupancy clearmax pci/0000:01:00.0 + +The register has two masks of 256 bits to denote on which ingress / +egress ports the register should operate on. Spectrum-4 has more than +256 ports, so the register was extended by cited commit with a new +'port_page' field. + +However, when filling the register's payload, the driver specifies the +ports as absolute numbers and not relative to the first port of the port +page, resulting in memory corruptions [1]. + +Fix by specifying the ports relative to the first port of the port page. + +[1] +BUG: KASAN: slab-use-after-free in mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 +Read of size 1 at addr ffff8881068cb00f by task devlink/1566 +[...] +Call Trace: + + dump_stack_lvl+0xc6/0x120 + print_report+0xce/0x670 + kasan_report+0xd7/0x110 + mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 + mlxsw_devlink_sb_occ_snapshot+0x75/0xb0 + devlink_nl_sb_occ_snapshot_doit+0x1f9/0x2a0 + genl_family_rcv_msg_doit+0x20c/0x300 + genl_rcv_msg+0x567/0x800 + netlink_rcv_skb+0x170/0x450 + genl_rcv+0x2d/0x40 + netlink_unicast+0x547/0x830 + netlink_sendmsg+0x8d4/0xdb0 + __sys_sendto+0x49b/0x510 + __x64_sys_sendto+0xe5/0x1c0 + do_syscall_64+0xc1/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +[...] 
+Allocated by task 1: + kasan_save_stack+0x33/0x60 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x8f/0xa0 + copy_verifier_state+0xbc2/0xfb0 + do_check_common+0x2c51/0xc7e0 + bpf_check+0x5107/0x9960 + bpf_prog_load+0xf0e/0x2690 + __sys_bpf+0x1a61/0x49d0 + __x64_sys_bpf+0x7d/0xc0 + do_syscall_64+0xc1/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 1: + kasan_save_stack+0x33/0x60 + kasan_save_track+0x14/0x30 + kasan_save_free_info+0x3b/0x60 + poison_slab_object+0x109/0x170 + __kasan_slab_free+0x14/0x30 + kfree+0xca/0x2b0 + free_verifier_state+0xce/0x270 + do_check_common+0x4828/0xc7e0 + bpf_check+0x5107/0x9960 + bpf_prog_load+0xf0e/0x2690 + __sys_bpf+0x1a61/0x49d0 + __x64_sys_bpf+0x7d/0xc0 + do_syscall_64+0xc1/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: f8538aec88b4 ("mlxsw: Add support for more than 256 ports in SBSR register") +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Reviewed-by: Simon Horman +Signed-off-by: Petr Machata +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + .../mellanox/mlxsw/spectrum_buffers.c | 20 +++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c +index c9f1c79f3f9d0..ba090262e27ef 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c +@@ -1607,8 +1607,8 @@ static void mlxsw_sp_sb_sr_occ_query_cb(struct mlxsw_core *mlxsw_core, + int mlxsw_sp_sb_occ_snapshot(struct mlxsw_core *mlxsw_core, + unsigned int sb_index) + { ++ u16 local_port, local_port_1, first_local_port, last_local_port; + struct mlxsw_sp *mlxsw_sp = mlxsw_core_driver_priv(mlxsw_core); +- u16 local_port, local_port_1, last_local_port; + struct mlxsw_sp_sb_sr_occ_query_cb_ctx cb_ctx; + u8 masked_count, current_page = 0; + unsigned long cb_priv = 0; +@@ -1628,6 +1628,7 @@ int mlxsw_sp_sb_occ_snapshot(struct mlxsw_core *mlxsw_core, + masked_count = 0; + mlxsw_reg_sbsr_pack(sbsr_pl, false); + mlxsw_reg_sbsr_port_page_set(sbsr_pl, current_page); ++ first_local_port = current_page * MLXSW_REG_SBSR_NUM_PORTS_IN_PAGE; + last_local_port = current_page * MLXSW_REG_SBSR_NUM_PORTS_IN_PAGE + + MLXSW_REG_SBSR_NUM_PORTS_IN_PAGE - 1; + +@@ -1645,9 +1646,12 @@ int mlxsw_sp_sb_occ_snapshot(struct mlxsw_core *mlxsw_core, + if (local_port != MLXSW_PORT_CPU_PORT) { + /* Ingress quotas are not supported for the CPU port */ + mlxsw_reg_sbsr_ingress_port_mask_set(sbsr_pl, +- local_port, 1); ++ local_port - first_local_port, ++ 1); + } +- mlxsw_reg_sbsr_egress_port_mask_set(sbsr_pl, local_port, 1); ++ mlxsw_reg_sbsr_egress_port_mask_set(sbsr_pl, ++ local_port - first_local_port, ++ 1); + for (i = 0; i < mlxsw_sp->sb_vals->pool_count; i++) { + err = mlxsw_sp_sb_pm_occ_query(mlxsw_sp, local_port, i, + &bulk_list); +@@ -1684,7 +1688,7 @@ int mlxsw_sp_sb_occ_max_clear(struct mlxsw_core *mlxsw_core, + unsigned int 
sb_index) + { + struct mlxsw_sp *mlxsw_sp = mlxsw_core_driver_priv(mlxsw_core); +- u16 local_port, last_local_port; ++ u16 local_port, first_local_port, last_local_port; + LIST_HEAD(bulk_list); + unsigned int masked_count; + u8 current_page = 0; +@@ -1702,6 +1706,7 @@ int mlxsw_sp_sb_occ_max_clear(struct mlxsw_core *mlxsw_core, + masked_count = 0; + mlxsw_reg_sbsr_pack(sbsr_pl, true); + mlxsw_reg_sbsr_port_page_set(sbsr_pl, current_page); ++ first_local_port = current_page * MLXSW_REG_SBSR_NUM_PORTS_IN_PAGE; + last_local_port = current_page * MLXSW_REG_SBSR_NUM_PORTS_IN_PAGE + + MLXSW_REG_SBSR_NUM_PORTS_IN_PAGE - 1; + +@@ -1719,9 +1724,12 @@ int mlxsw_sp_sb_occ_max_clear(struct mlxsw_core *mlxsw_core, + if (local_port != MLXSW_PORT_CPU_PORT) { + /* Ingress quotas are not supported for the CPU port */ + mlxsw_reg_sbsr_ingress_port_mask_set(sbsr_pl, +- local_port, 1); ++ local_port - first_local_port, ++ 1); + } +- mlxsw_reg_sbsr_egress_port_mask_set(sbsr_pl, local_port, 1); ++ mlxsw_reg_sbsr_egress_port_mask_set(sbsr_pl, ++ local_port - first_local_port, ++ 1); + for (i = 0; i < mlxsw_sp->sb_vals->pool_count; i++) { + err = mlxsw_sp_sb_pm_occ_clear(mlxsw_sp, local_port, i, + &bulk_list); +-- +2.43.0 + diff --git a/queue-6.9/net-dsa-microchip-fix-initial-port-flush-problem.patch b/queue-6.9/net-dsa-microchip-fix-initial-port-flush-problem.patch new file mode 100644 index 00000000000..1b773d9cf66 --- /dev/null +++ b/queue-6.9/net-dsa-microchip-fix-initial-port-flush-problem.patch 
@@ -0,0 +1,49 @@ +From d4ea9efb19151cdfcf722373b7e60bca36b45f15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 17:16:42 -0700 +Subject: net: dsa: microchip: fix initial port flush problem + +From: Tristram Ha + +[ Upstream commit ad53f5f54f351e967128edbc431f0f26427172cf ] + +The very first flush in any port will flush all learned addresses in all +ports. This can be observed by unplugging the cable from one port while +additional ports are connected and dumping the fdb entries. + +This problem is caused by the initially wrong value programmed to the +REG_SW_LUE_CTRL_1 register. Setting SW_FLUSH_STP_TABLE and +SW_FLUSH_MSTP_TABLE bits does not have an immediate effect. It is when +ksz9477_flush_dyn_mac_table() is called then the SW_FLUSH_STP_TABLE bit +takes effect and flushes all learned entries. After that call both bits +are reset and so the next port flush will not cause such problem again. + +Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477") +Signed-off-by: Tristram Ha +Link: https://patch.msgid.link/1718756202-2731-1-git-send-email-Tristram.Ha@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz9477.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c +index 7f745628c84d1..05767d3025f77 100644 +--- a/drivers/net/dsa/microchip/ksz9477.c ++++ b/drivers/net/dsa/microchip/ksz9477.c +@@ -355,10 +355,8 @@ int ksz9477_reset_switch(struct ksz_device *dev) + SPI_AUTO_EDGE_DETECTION, 0); + + /* default configuration */ +- ksz_read8(dev, REG_SW_LUE_CTRL_1, &data8); +- data8 = SW_AGING_ENABLE | SW_LINK_AUTO_AGING | +- SW_SRC_ADDR_FILTER | SW_FLUSH_STP_TABLE | SW_FLUSH_MSTP_TABLE; +- ksz_write8(dev, REG_SW_LUE_CTRL_1, data8); ++ ksz_write8(dev, REG_SW_LUE_CTRL_1, ++ SW_AGING_ENABLE | SW_LINK_AUTO_AGING | SW_SRC_ADDR_FILTER); + + /* disable interrupts */ + ksz_write32(dev, 
REG_SW_INT_MASK__4, SWITCH_INT_MASK); +-- +2.43.0 + diff --git a/queue-6.9/net-dsa-microchip-fix-wrong-register-write-when-mask.patch b/queue-6.9/net-dsa-microchip-fix-wrong-register-write-when-mask.patch new file mode 100644 index 00000000000..2541d79062b --- /dev/null +++ b/queue-6.9/net-dsa-microchip-fix-wrong-register-write-when-mask.patch 
@@ -0,0 +1,53 @@ +From f0d36f945fe99d587709efa114525707e3265349 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 15:34:22 -0700 +Subject: net: dsa: microchip: fix wrong register write when masking interrupt + +From: Tristram Ha + +[ Upstream commit b1c4b4d45263241ec6c2405a8df8265d4b58e707 ] + +The switch global port interrupt mask, REG_SW_PORT_INT_MASK__4, is +defined as 0x001C in ksz9477_reg.h. The designers used 32-bit value in +anticipation for increase of port count in future product but currently +the maximum port count is 7 and the effective value is 0x7F in register +0x001F. Each port has its own interrupt mask and is defined as 0x#01F. +It uses only 4 bits for different interrupts. + +The developer who implemented the current interrupt mechanism in the +switch driver noticed there are similarities between the mechanism to +mask port interrupts in global interrupt and individual interrupts in +each port and so used the same code to handle these interrupts. He +updated the code to use the new macro REG_SW_PORT_INT_MASK__1 which is +defined as 0x1F in ksz_common.h but he forgot to update the 32-bit write +to 8-bit as now the mask registers are 0x1F and 0x#01F. + +In addition all KSZ switches other than the KSZ9897/KSZ9893 and LAN937X +families use only 8-bit access and so this common code will eventually +be changed to accommodate them. 
+ +Fixes: e1add7dd6183 ("net: dsa: microchip: use common irq routines for girq and pirq") +Signed-off-by: Tristram Ha +Link: https://lore.kernel.org/r/1719009262-2948-1-git-send-email-Tristram.Ha@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c +index 2a5861a88d0e6..e54f83a2e7d30 100644 +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -2129,7 +2129,7 @@ static void ksz_irq_bus_sync_unlock(struct irq_data *d) + struct ksz_device *dev = kirq->dev; + int ret; + +- ret = ksz_write32(dev, kirq->reg_mask, kirq->masked); ++ ret = ksz_write8(dev, kirq->reg_mask, kirq->masked); + if (ret) + dev_err(dev->dev, "failed to change IRQ mask\n"); + +-- +2.43.0 + diff --git a/queue-6.9/net-dsa-microchip-use-collision-based-back-pressure-.patch b/queue-6.9/net-dsa-microchip-use-collision-based-back-pressure-.patch new file mode 100644 index 00000000000..88237462bf6 --- /dev/null +++ b/queue-6.9/net-dsa-microchip-use-collision-based-back-pressure-.patch 
@@ -0,0 +1,55 @@ +From 450641787a60c2f1212b71f21ee560947fd5e40f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 16:43:21 +0200 +Subject: net: dsa: microchip: use collision based back pressure mode + +From: Enguerrand de Ribaucourt + +[ Upstream commit d963c95bc9840d070a788c35e41b715a648717f7 ] + +Errata DS80000758 states that carrier sense back pressure mode can cause +link down issues in 100BASE-TX half duplex mode. The datasheet also +recommends to always use the collision based back pressure mode. + +Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477") +Signed-off-by: Enguerrand de Ribaucourt +Reviewed-by: Woojung Huh +Acked-by: Arun Ramadoss +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz9477.c | 4 ++++ + drivers/net/dsa/microchip/ksz9477_reg.h | 1 + + 2 files changed, 5 insertions(+) + +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c +index 05767d3025f77..dde5c65c2c366 100644 +--- a/drivers/net/dsa/microchip/ksz9477.c ++++ b/drivers/net/dsa/microchip/ksz9477.c +@@ -1303,6 +1303,10 @@ int ksz9477_setup(struct dsa_switch *ds) + /* Enable REG_SW_MTU__2 reg by setting SW_JUMBO_PACKET */ + ksz_cfg(dev, REG_SW_MAC_CTRL_1, SW_JUMBO_PACKET, true); + ++ /* Use collision based back pressure mode. 
*/ ++ ksz_cfg(dev, REG_SW_MAC_CTRL_1, SW_BACK_PRESSURE, ++ SW_BACK_PRESSURE_COLLISION); ++ + /* Now we can configure default MTU value */ + ret = regmap_update_bits(ksz_regmap_16(dev), REG_SW_MTU__2, REG_SW_MTU_MASK, + VLAN_ETH_FRAME_LEN + ETH_FCS_LEN); +diff --git a/drivers/net/dsa/microchip/ksz9477_reg.h b/drivers/net/dsa/microchip/ksz9477_reg.h +index f3a205ee483f2..fb124be8edd30 100644 +--- a/drivers/net/dsa/microchip/ksz9477_reg.h ++++ b/drivers/net/dsa/microchip/ksz9477_reg.h +@@ -247,6 +247,7 @@ + #define REG_SW_MAC_CTRL_1 0x0331 + + #define SW_BACK_PRESSURE BIT(5) ++#define SW_BACK_PRESSURE_COLLISION 0 + #define FAIR_FLOW_CTRL BIT(4) + #define NO_EXC_COLLISION_DROP BIT(3) + #define SW_JUMBO_PACKET BIT(2) +-- +2.43.0 + diff --git a/queue-6.9/net-mana-fix-possible-double-free-in-error-handling-.patch b/queue-6.9/net-mana-fix-possible-double-free-in-error-handling-.patch new file mode 100644 index 00000000000..c4cef155567 --- /dev/null +++ b/queue-6.9/net-mana-fix-possible-double-free-in-error-handling-.patch 
@@ -0,0 +1,39 @@ +From a59f016b7c42a74bfd23d53090f7820634eca5b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 21:03:14 +0800 +Subject: net: mana: Fix possible double free in error handling path + +From: Ma Ke + +[ Upstream commit 1864b8224195d0e43ddb92a8151f54f6562090cc ] + +When auxiliary_device_add() returns error and then calls +auxiliary_device_uninit(), callback function adev_release +calls kfree(madev). We shouldn't call kfree(madev) again +in the error handling path. Set 'madev' to NULL. + +Fixes: a69839d4327d ("net: mana: Add support for auxiliary device") +Signed-off-by: Ma Ke +Link: https://patch.msgid.link/20240625130314.2661257-1-make24@iscas.ac.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/mana_en.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c +index d8af5e7e15b4d..191d50ba646d8 100644 +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -2800,6 +2800,8 @@ static int add_adev(struct gdma_dev *gd) + if (ret) + goto init_fail; + ++ /* madev is owned by the auxiliary device */ ++ madev = NULL; + ret = auxiliary_device_add(adev); + if (ret) + goto add_fail; +-- +2.43.0 + diff --git a/queue-6.9/net-phy-micrel-add-microchip-ksz-9477-to-the-device-.patch b/queue-6.9/net-phy-micrel-add-microchip-ksz-9477-to-the-device-.patch new file mode 100644 index 00000000000..64f4c21e56b --- /dev/null +++ b/queue-6.9/net-phy-micrel-add-microchip-ksz-9477-to-the-device-.patch 
@@ -0,0 +1,36 @@ +From d2754ad3c50c4328d6194c710c5e9cdffef3235e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 16:43:20 +0200 +Subject: net: phy: micrel: add Microchip KSZ 9477 to the device table + +From: Enguerrand de Ribaucourt + +[ Upstream commit 54a4e5c16382e871c01dd82b47e930fdce30406b ] + +PHY_ID_KSZ9477 was supported but not added to the device table passed to +MODULE_DEVICE_TABLE. + +Fixes: fc3973a1fa09 ("phy: micrel: add Microchip KSZ 9477 Switch PHY support") +Signed-off-by: Enguerrand de Ribaucourt +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 4b22bb6393e26..4a28b654ce877 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -5094,6 +5094,7 @@ static struct mdio_device_id __maybe_unused micrel_tbl[] = { + { PHY_ID_KSZ8081, MICREL_PHY_ID_MASK }, + { PHY_ID_KSZ8873MLL, MICREL_PHY_ID_MASK }, + { PHY_ID_KSZ886X, MICREL_PHY_ID_MASK }, ++ { PHY_ID_KSZ9477, MICREL_PHY_ID_MASK }, + { PHY_ID_LAN8814, MICREL_PHY_ID_MASK }, + { PHY_ID_LAN8804, MICREL_PHY_ID_MASK }, + { PHY_ID_LAN8841, MICREL_PHY_ID_MASK }, +-- +2.43.0 + diff --git a/queue-6.9/netfilter-fix-undefined-reference-to-netfilter_lwtun.patch b/queue-6.9/netfilter-fix-undefined-reference-to-netfilter_lwtun.patch new file mode 100644 index 00000000000..61e0d46260b --- /dev/null +++ b/queue-6.9/netfilter-fix-undefined-reference-to-netfilter_lwtun.patch 
@@ -0,0 +1,47 @@ +From ad428b4abf8e506beff978726d27fce93efcfcba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 10:41:13 +0800 +Subject: netfilter: fix undefined reference to 'netfilter_lwtunnel_*' when + CONFIG_SYSCTL=n + +From: Jianguo Wu + +[ Upstream commit aef5daa2c49d510436b733827d4f0bab79fcc4a0 ] + +if CONFIG_SYSFS is not enabled in config, we get the below compile error, + +All errors (new ones prefixed by >>): + + csky-linux-ld: net/netfilter/core.o: in function `netfilter_init': + core.c:(.init.text+0x42): undefined reference to `netfilter_lwtunnel_init' +>> csky-linux-ld: core.c:(.init.text+0x56): undefined reference to `netfilter_lwtunnel_fini' +>> csky-linux-ld: core.c:(.init.text+0x70): undefined reference to `netfilter_lwtunnel_init' + csky-linux-ld: core.c:(.init.text+0x78): undefined reference to `netfilter_lwtunnel_fini' + +Fixes: a2225e0250c5 ("netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core") +Reported-by: Mirsad Todorovac +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202406210511.8vbByYj3-lkp@intel.com/ +Closes: https://lore.kernel.org/oe-kbuild-all/202406210520.6HmrUaA2-lkp@intel.com/ +Signed-off-by: Jianguo Wu +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_hooks_lwtunnel.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_hooks_lwtunnel.c b/net/netfilter/nf_hooks_lwtunnel.c +index 7cdb59bb4459f..d8ebebc9775d7 100644 +--- a/net/netfilter/nf_hooks_lwtunnel.c ++++ b/net/netfilter/nf_hooks_lwtunnel.c +@@ -117,4 +117,7 @@ void netfilter_lwtunnel_fini(void) + { + unregister_pernet_subsys(&nf_lwtunnel_net_ops); + } ++#else ++int __init netfilter_lwtunnel_init(void) { return 0; } ++void netfilter_lwtunnel_fini(void) {} + #endif /* CONFIG_SYSCTL */ +-- +2.43.0 + 
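Review bot: In nf_hooks_lwtunnel.c, the #else branch adds non-inline stub definitions of netfilter_lwtunnel_init() and netfilter_lwtunnel_fini() to the .c file, so the fix only links if this object is still built when CONFIG_SYSCTL=n. Static inline stubs in the header that declares these functions would be the more usual form and would not depend on the build rules. The commit message body also says CONFIG_SYSFS while the subject and the #endif comment say CONFIG_SYSCTL; the body should match.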
diff --git a/queue-6.9/netfilter-nf_tables-fully-validate-nft_data_value-on.patch b/queue-6.9/netfilter-nf_tables-fully-validate-nft_data_value-on.patch new file mode 100644 index 00000000000..d99eb94d9af --- /dev/null +++ b/queue-6.9/netfilter-nf_tables-fully-validate-nft_data_value-on.patch 
@@ -0,0 +1,92 @@ +From e53517db0c8109145b611cdccb841b6def2742a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 23:15:38 +0200 +Subject: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data + registers + +From: Pablo Neira Ayuso + +[ Upstream commit 7931d32955e09d0a11b1fe0b6aac1bfa061c005c ] + +register store validation for NFT_DATA_VALUE is conditional, however, +the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This +only requires a new helper function to infer the register type from the +set datatype so this conditional check can be removed. Otherwise, +pointer to chain object can be leaked through the registers. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Reported-by: Linus Torvalds +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 5 +++++ + net/netfilter/nf_tables_api.c | 8 ++++---- + net/netfilter/nft_lookup.c | 3 ++- + 3 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 3f1ed467f951f..2164fa350fa69 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -619,6 +619,11 @@ static inline void *nft_set_priv(const struct nft_set *set) + return (void *)set->data; + } + ++static inline enum nft_data_types nft_set_datatype(const struct nft_set *set) ++{ ++ return set->dtype == NFT_DATA_VERDICT ? 
NFT_DATA_VERDICT : NFT_DATA_VALUE; ++} ++ + static inline bool nft_set_gc_is_pending(const struct nft_set *s) + { + return refcount_read(&s->refs) != 1; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 167074283ea91..faa77b031d1f3 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5740,8 +5740,7 @@ static int nf_tables_fill_setelem(struct sk_buff *skb, + + if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && + nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), +- set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, +- set->dlen) < 0) ++ nft_set_datatype(set), set->dlen) < 0) + goto nla_put_failure; + + if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && +@@ -11069,6 +11068,9 @@ static int nft_validate_register_store(const struct nft_ctx *ctx, + + return 0; + default: ++ if (type != NFT_DATA_VALUE) ++ return -EINVAL; ++ + if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) + return -EINVAL; + if (len == 0) +@@ -11077,8 +11079,6 @@ static int nft_validate_register_store(const struct nft_ctx *ctx, + sizeof_field(struct nft_regs, data)) + return -ERANGE; + +- if (data != NULL && type != NFT_DATA_VALUE) +- return -EINVAL; + return 0; + } + } +diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c +index b314ca728a291..f3080fa1b2263 100644 +--- a/net/netfilter/nft_lookup.c ++++ b/net/netfilter/nft_lookup.c +@@ -132,7 +132,8 @@ static int nft_lookup_init(const struct nft_ctx *ctx, + return -EINVAL; + + err = nft_parse_register_store(ctx, tb[NFTA_LOOKUP_DREG], +- &priv->dreg, NULL, set->dtype, ++ &priv->dreg, NULL, ++ nft_set_datatype(set), + set->dlen); + if (err < 0) + return err; +-- +2.43.0 + diff --git a/queue-6.9/openvswitch-get-related-ct-labels-from-its-master-if.patch b/queue-6.9/openvswitch-get-related-ct-labels-from-its-master-if.patch new file mode 100644 index 00000000000..23aab8c9462 --- /dev/null 
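Review bot: In nft_validate_register_store() in nf_tables_api.c, the type check now runs first in the default case and no longer depends on data being non-NULL, so every caller that reaches this case must pass exactly NFT_DATA_VALUE. The visible hunks convert only nft_lookup_init() to nft_set_datatype(set); any other caller of nft_parse_register_store() that still forwards set->dtype directly would start returning -EINVAL for sets whose dtype is neither NFT_DATA_VALUE nor NFT_DATA_VERDICT. Please confirm there are none, and add a short comment on nft_set_datatype() noting that it collapses every non-verdict dtype to NFT_DATA_VALUE.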
+++ b/queue-6.9/openvswitch-get-related-ct-labels-from-its-master-if.patch 
@@ -0,0 +1,59 @@ +From 4aa1ee0859e2e4c81244e41601a1097d17e54a01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jun 2024 18:08:56 -0400 +Subject: openvswitch: get related ct labels from its master if it is not + confirmed + +From: Xin Long + +[ Upstream commit a23ac973f67f37e77b3c634e8b1ad5b0164fcc1f ] + +Ilya found a failure in running check-kernel tests with at_groups=144 +(144: conntrack - FTP SNAT orig tuple) in OVS repo. After his further +investigation, the root cause is that the labels sent to userspace +for related ct are incorrect. + +The labels for unconfirmed related ct should use its master's labels. +However, the changes made in commit 8c8b73320805 ("openvswitch: set +IPS_CONFIRMED in tmpl status only when commit is set in conntrack") +led to getting labels from this related ct. + +So fix it in ovs_ct_get_labels() by changing to copy labels from its +master ct if it is a unconfirmed related ct. Note that there is no +fix needed for ct->mark, as it was already copied from its master +ct for related ct in init_conntrack(). + +Fixes: 8c8b73320805 ("openvswitch: set IPS_CONFIRMED in tmpl status only when commit is set in conntrack") +Reported-by: Ilya Maximets +Signed-off-by: Xin Long +Reviewed-by: Ilya Maximets +Tested-by: Ilya Maximets +Reviewed-by: Aaron Conole +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/openvswitch/conntrack.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c +index 2928c142a2ddb..3b980bf2770bb 100644 +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -168,8 +168,13 @@ static u32 ovs_ct_get_mark(const struct nf_conn *ct) + static void ovs_ct_get_labels(const struct nf_conn *ct, + struct ovs_key_ct_labels *labels) + { +- struct nf_conn_labels *cl = ct ? 
nf_ct_labels_find(ct) : NULL; ++ struct nf_conn_labels *cl = NULL; + ++ if (ct) { ++ if (ct->master && !nf_ct_is_confirmed(ct)) ++ ct = ct->master; ++ cl = nf_ct_labels_find(ct); ++ } + if (cl) + memcpy(labels, cl->bits, OVS_CT_LABELS_LEN); + else +-- +2.43.0 + diff --git a/queue-6.9/parisc-use-correct-compat-recv-recvfrom-syscalls.patch b/queue-6.9/parisc-use-correct-compat-recv-recvfrom-syscalls.patch new file mode 100644 index 00000000000..2b8ff2cb3b0 --- /dev/null +++ b/queue-6.9/parisc-use-correct-compat-recv-recvfrom-syscalls.patch 
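Review bot: In ovs_ct_get_labels() in conntrack.c, the new branch repoints the ct parameter at ct->master when the entry is unconfirmed, and the reason lives only in the commit message. A comment above the inner if stating that labels for an unconfirmed related ct are taken from its master would make the code self-explanatory. The message also notes that ct->mark needs no change because init_conntrack() already copies it; a matching note near ovs_ct_get_mark() would keep the two helpers from looking inconsistent.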
@@ -0,0 +1,48 @@ +From 723aa8411503e4d5b86048ab273b4ae663ebe35c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jun 2024 14:27:55 +0200 +Subject: parisc: use correct compat recv/recvfrom syscalls + +From: Arnd Bergmann + +[ Upstream commit 20a50787349fadf66ac5c48f62e58d753878d2bb ] + +Johannes missed parisc back when he introduced the compat version +of these syscalls, so receiving cmsg messages that require a compat +conversion is still broken. + +Use the correct calls like the other architectures do. + +Fixes: 1dacc76d0014 ("net/compat/wext: send different messages to compat tasks") +Acked-by: Helge Deller +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/syscalls/syscall.tbl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl +index b236a84c4e127..58ecf687d98da 100644 +--- a/arch/parisc/kernel/syscalls/syscall.tbl ++++ b/arch/parisc/kernel/syscalls/syscall.tbl +@@ -108,7 +108,7 @@ + 95 common fchown sys_fchown + 96 common getpriority sys_getpriority + 97 common setpriority sys_setpriority +-98 common recv sys_recv ++98 common recv sys_recv compat_sys_recv + 99 common statfs sys_statfs compat_sys_statfs + 100 common fstatfs sys_fstatfs compat_sys_fstatfs + 101 common stat64 sys_stat64 +@@ -135,7 +135,7 @@ + 120 common clone sys_clone_wrapper + 121 common setdomainname sys_setdomainname + 122 common sendfile sys_sendfile compat_sys_sendfile +-123 common recvfrom sys_recvfrom ++123 common recvfrom sys_recvfrom compat_sys_recvfrom + 124 32 adjtimex sys_adjtimex_time32 + 124 64 adjtimex sys_adjtimex + 125 common mprotect sys_mprotect +-- +2.43.0 + diff --git a/queue-6.9/powerpc-restore-some-missing-spu-syscalls.patch b/queue-6.9/powerpc-restore-some-missing-spu-syscalls.patch new file mode 100644 index 00000000000..eb752c24c82 --- /dev/null +++ b/queue-6.9/powerpc-restore-some-missing-spu-syscalls.patch 
@@ -0,0 +1,54 @@ +From ac53abff7e28ccbfa1d2b08a77749f0722ae1bd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 16:36:13 +0200 +Subject: powerpc: restore some missing spu syscalls + +From: Arnd Bergmann + +[ Upstream commit b1e31c134a8ab2e8f5fd62323b6b45a950ac704d ] + +A couple of system calls were inadventently removed from the table during +a bugfix for 32-bit powerpc entry. Restore the original behavior. + +Fixes: e23750623835 ("powerpc/32: fix syscall wrappers with 64-bit arguments of unaligned register-pairs") +Acked-by: Michael Ellerman +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/syscalls/syscall.tbl | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel/syscalls/syscall.tbl +index 17173b82ca21d..9d7e4a313d332 100644 +--- a/arch/powerpc/kernel/syscalls/syscall.tbl ++++ b/arch/powerpc/kernel/syscalls/syscall.tbl +@@ -230,8 +230,10 @@ + 178 nospu rt_sigsuspend sys_rt_sigsuspend compat_sys_rt_sigsuspend + 179 32 pread64 sys_ppc_pread64 compat_sys_ppc_pread64 + 179 64 pread64 sys_pread64 ++179 spu pread64 sys_pread64 + 180 32 pwrite64 sys_ppc_pwrite64 compat_sys_ppc_pwrite64 + 180 64 pwrite64 sys_pwrite64 ++180 spu pwrite64 sys_pwrite64 + 181 common chown sys_chown + 182 common getcwd sys_getcwd + 183 common capget sys_capget +@@ -246,6 +248,7 @@ + 190 common ugetrlimit sys_getrlimit compat_sys_getrlimit + 191 32 readahead sys_ppc_readahead compat_sys_ppc_readahead + 191 64 readahead sys_readahead ++191 spu readahead sys_readahead + 192 32 mmap2 sys_mmap2 compat_sys_mmap2 + 193 32 truncate64 sys_ppc_truncate64 compat_sys_ppc_truncate64 + 194 32 ftruncate64 sys_ppc_ftruncate64 compat_sys_ppc_ftruncate64 +@@ -293,6 +296,7 @@ + 232 nospu set_tid_address sys_set_tid_address + 233 32 fadvise64 sys_ppc32_fadvise64 compat_sys_ppc32_fadvise64 + 233 64 fadvise64 sys_fadvise64 ++233 spu fadvise64 sys_fadvise64 + 234 nospu exit_group sys_exit_group 
+ 235 nospu lookup_dcookie sys_ni_syscall + 236 common epoll_create sys_epoll_create +-- +2.43.0 + diff --git a/queue-6.9/s390-pci-add-missing-virt_to_phys-for-directed-dibv.patch b/queue-6.9/s390-pci-add-missing-virt_to_phys-for-directed-dibv.patch new file mode 100644 index 00000000000..5ce88fb69a8 --- /dev/null +++ b/queue-6.9/s390-pci-add-missing-virt_to_phys-for-directed-dibv.patch @@ -0,0 +1,39 @@ +From 7b8d83350a4943ef5ae2daa47f26691523bfa508 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2024 14:06:31 +0200 +Subject: s390/pci: Add missing virt_to_phys() for directed DIBV + +From: Niklas Schnelle + +[ Upstream commit 4181b51c38875de9f6f11248fa0bcf3246c19c82 ] + +In commit 4e4dc65ab578 ("s390/pci: use phys_to_virt() for AIBVs/DIBVs") +the setting of dibv_addr was missed when adding virt_to_phys(). This +only affects systems with directed interrupt delivery enabled which are +not generally available. + +Fixes: 4e4dc65ab578 ("s390/pci: use phys_to_virt() for AIBVs/DIBVs") +Reviewed-by: Heiko Carstens +Signed-off-by: Niklas Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c +index ff8f24854c646..0ef83b6ac0db7 100644 +--- a/arch/s390/pci/pci_irq.c ++++ b/arch/s390/pci/pci_irq.c +@@ -410,7 +410,7 @@ static void __init cpu_enable_directed_irq(void *unused) + union zpci_sic_iib iib = {{0}}; + union zpci_sic_iib ziib = {{0}}; + +- iib.cdiib.dibv_addr = (u64) zpci_ibv[smp_processor_id()]->vector; ++ iib.cdiib.dibv_addr = virt_to_phys(zpci_ibv[smp_processor_id()]->vector); + + zpci_set_irq_ctrl(SIC_IRQ_MODE_SET_CPU, 0, &iib); + zpci_set_irq_ctrl(SIC_IRQ_MODE_D_SINGLE, PCI_ISC, &ziib); +-- +2.43.0 + 
diff --git a/queue-6.9/s390-virtio_ccw-fix-config-change-notifications.patch b/queue-6.9/s390-virtio_ccw-fix-config-change-notifications.patch new file mode 100644 index 00000000000..bf0f936b9e8 --- /dev/null +++ b/queue-6.9/s390-virtio_ccw-fix-config-change-notifications.patch 
@@ -0,0 +1,69 @@ +From 8a83fbb5fbc46042655a870bacafc753d8ed163b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2024 23:47:16 +0200 +Subject: s390/virtio_ccw: Fix config change notifications + +From: Halil Pasic + +[ Upstream commit d8354a1de2c4cc693812f6130fc922537a59217d ] + +Commit e3e9bda38e6d ("s390/virtio_ccw: use DMA handle from DMA API") +broke configuration change notifications for virtio-ccw by putting the +DMA address of *indicatorp directly into ccw->cda disregarding the fact +that if !!(vcdev->is_thinint) then the function +virtio_ccw_register_adapter_ind() will overwrite that ccw->cda value +with the address of the virtio_thinint_area so it can actually set up +the adapter interrupts via CCW_CMD_SET_IND_ADAPTER. Thus we end up +pointing to the wrong object for both CCW_CMD_SET_IND if setting up the +adapter interrupts fails, and for CCW_CMD_SET_CONF_IND regardless +whether it succeeds or fails. + +To fix this, let us save away the dma address of *indicatorp in a local +variable, and copy it to ccw->cda after the "vcdev->is_thinint" branch. 
+ +Fixes: e3e9bda38e6d ("s390/virtio_ccw: use DMA handle from DMA API") +Reported-by: Boqiao Fu +Reported-by: Sebastian Mitterle +Closes: https://issues.redhat.com/browse/RHEL-39983 +Tested-by: Thomas Huth +Reviewed-by: Eric Farman +Signed-off-by: Halil Pasic +Link: https://lore.kernel.org/r/20240611214716.1002781-1-pasic@linux.ibm.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/virtio/virtio_ccw.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c +index d7569f3955591..d6491fc84e8c5 100644 +--- a/drivers/s390/virtio/virtio_ccw.c ++++ b/drivers/s390/virtio/virtio_ccw.c +@@ -698,6 +698,7 @@ static int virtio_ccw_find_vqs(struct virtio_device *vdev, unsigned nvqs, + dma64_t *indicatorp = NULL; + int ret, i, queue_idx = 0; + struct ccw1 *ccw; ++ dma32_t indicatorp_dma = 0; + + ccw = ccw_device_dma_zalloc(vcdev->cdev, sizeof(*ccw), NULL); + if (!ccw) +@@ -725,7 +726,7 @@ static int virtio_ccw_find_vqs(struct virtio_device *vdev, unsigned nvqs, + */ + indicatorp = ccw_device_dma_zalloc(vcdev->cdev, + sizeof(*indicatorp), +- &ccw->cda); ++ &indicatorp_dma); + if (!indicatorp) + goto out; + *indicatorp = indicators_dma(vcdev); +@@ -735,6 +736,7 @@ static int virtio_ccw_find_vqs(struct virtio_device *vdev, unsigned nvqs, + /* no error, just fall back to legacy interrupts */ + vcdev->is_thinint = false; + } ++ ccw->cda = indicatorp_dma; + if (!vcdev->is_thinint) { + /* Register queue indicators with host. */ + *indicators(vcdev) = 0; +-- +2.43.0 + diff --git a/queue-6.9/series b/queue-6.9/series index 932a2a6d3c3..fa31a56c966 100644 --- a/queue-6.9/series +++ b/queue-6.9/series 
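Review bot: In virtio_ccw_find_vqs() in virtio_ccw.c, the new line ccw->cda = indicatorp_dma; carries no comment, although its position after the is_thinint block is the whole fix: per the commit message, virtio_ccw_register_adapter_ind() overwrites ccw->cda. Please add a comment at the assignment saying so, otherwise a later cleanup can move it back above the branch and reintroduce the wrong address for CCW_CMD_SET_IND and CCW_CMD_SET_CONF_IND.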
@@ -12,3 +12,53 @@ pwm-stm32-improve-precision-of-calculation-in-.apply.patch pwm-stm32-fix-for-settings-using-period-uint32_max.patch pwm-stm32-calculate-prescaler-with-a-division-instea.patch pwm-stm32-refuse-too-small-period-requests.patch +asoc-cs42l43-increase-default-type-detect-time-and-b.patch +asoc-rockchip-i2s-tdm-fix-trcm-mode-by-setting-clock.patch +asoc-mediatek-mt8183-da7219-max98357-fix-kcontrol-na.patch +asoc-atmel-atmel-classd-re-add-dai_link-platform-to-.patch +workqueue-increase-worker-desc-s-length-to-32.patch +asoc-q6apm-lpass-dai-close-graph-on-prepare-errors.patch +bpf-add-missed-var_off-setting-in-set_sext32_default.patch +bpf-add-missed-var_off-setting-in-coerce_subreg_to_s.patch +s390-pci-add-missing-virt_to_phys-for-directed-dibv.patch +s390-virtio_ccw-fix-config-change-notifications.patch +bpf-fix-remap-of-arena.patch +asoc-amd-acp-add-a-null-check-for-chip_pdev-structur.patch +asoc-amd-acp-remove-i2s-configuration-check-in-acp_i.patch +asoc-amd-acp-move-chip-flag-variable-assignment.patch +asoc-fsl-asoc-card-set-priv-pdev-before-using-it.patch +net-dsa-microchip-fix-initial-port-flush-problem.patch +openvswitch-get-related-ct-labels-from-its-master-if.patch +bonding-fix-incorrect-software-timestamping-report.patch +ionic-fix-kernel-panic-due-to-multi-buffer-handling.patch +mlxsw-pci-fix-driver-initialization-with-spectrum-4.patch +mlxsw-spectrum_buffers-fix-memory-corruptions-on-spe.patch +bpf-fix-the-corner-case-with-may_goto-and-jump-to-th.patch +bpf-fix-overrunning-reservations-in-ringbuf.patch +vxlan-pull-inner-ip-header-in-vxlan_xmit_one.patch +ibmvnic-free-any-outstanding-tx-skbs-during-scrq-res.patch +net-phy-micrel-add-microchip-ksz-9477-to-the-device-.patch +net-dsa-microchip-use-collision-based-back-pressure-.patch +ice-rebuild-tc-queues-on-vsi-queue-reconfiguration.patch +bpf-fix-may_goto-with-negative-offset.patch +xdp-remove-warn-from-__xdp_reg_mem_model.patch +asoc-mediatek-mt8195-add-platform-entry-for-etdm1_ou.patch 
+netfilter-fix-undefined-reference-to-netfilter_lwtun.patch +btrfs-use-nofs-context-when-getting-inodes-during-lo.patch +fix-race-for-duplicate-reqsk-on-identical-syn.patch +alsa-seq-fix-missing-channel-at-encoding-rpn-nrpn-mi.patch +net-dsa-microchip-fix-wrong-register-write-when-mask.patch +sparc-fix-old-compat_sys_select.patch +sparc-fix-compat-recv-recvfrom-syscalls.patch +parisc-use-correct-compat-recv-recvfrom-syscalls.patch +powerpc-restore-some-missing-spu-syscalls.patch +ionic-use-dev_consume_skb_any-outside-of-napi.patch +tcp-fix-tcp_rcv_fastopen_synack-to-enter-tcp_ca_loss.patch +alsa-seq-fix-missing-msb-in-midi2-spp-conversion.patch +netfilter-nf_tables-fully-validate-nft_data_value-on.patch +tracing-net_sched-null-pointer-dereference-in-perf_t.patch +af_unix-stop-recv-msg_peek-at-consumed-oob-skb.patch +af_unix-don-t-stop-recv-msg_dontwait-if-consumed-oob.patch +af_unix-don-t-stop-recv-at-consumed-ex-oob-skb.patch +af_unix-fix-wrong-ioctl-siocatmark-when-consumed-oob.patch +net-mana-fix-possible-double-free-in-error-handling-.patch diff --git a/queue-6.9/sparc-fix-compat-recv-recvfrom-syscalls.patch b/queue-6.9/sparc-fix-compat-recv-recvfrom-syscalls.patch new file mode 100644 index 00000000000..0deb2d9a199 --- /dev/null +++ b/queue-6.9/sparc-fix-compat-recv-recvfrom-syscalls.patch 
@@ -0,0 +1,279 @@ +From 8b9ed11e45cd3ffaab5d640fc5786f11114eb33f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jun 2024 12:49:39 +0200 +Subject: sparc: fix compat recv/recvfrom syscalls + +From: Arnd Bergmann + +[ Upstream commit d6fbd26fb872ec518d25433a12e8ce8163e20909 ] + +sparc has the wrong compat version of recv() and recvfrom() for both the +direct syscalls and socketcall(). + +The direct syscalls just need to use the compat version. For socketcall, +the same thing could be done, but it seems better to completely remove +the custom assembler code for it and just use the same implementation that +everyone else has. + +Fixes: 1dacc76d0014 ("net/compat/wext: send different messages to compat tasks") +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/sys32.S | 221 ------------------------- + arch/sparc/kernel/syscalls/syscall.tbl | 4 +- + 2 files changed, 2 insertions(+), 223 deletions(-) + +diff --git a/arch/sparc/kernel/sys32.S b/arch/sparc/kernel/sys32.S +index a45f0f31fe51a..a3d308f2043e5 100644 +--- a/arch/sparc/kernel/sys32.S ++++ b/arch/sparc/kernel/sys32.S +@@ -18,224 +18,3 @@ sys32_mmap2: + sethi %hi(sys_mmap), %g1 + jmpl %g1 + %lo(sys_mmap), %g0 + sllx %o5, 12, %o5 +- +- .align 32 +- .globl sys32_socketcall +-sys32_socketcall: /* %o0=call, %o1=args */ +- cmp %o0, 1 +- bl,pn %xcc, do_einval +- cmp %o0, 18 +- bg,pn %xcc, do_einval +- sub %o0, 1, %o0 +- sllx %o0, 5, %o0 +- sethi %hi(__socketcall_table_begin), %g2 +- or %g2, %lo(__socketcall_table_begin), %g2 +- jmpl %g2 + %o0, %g0 +- nop +-do_einval: +- retl +- mov -EINVAL, %o0 +- +- .align 32 +-__socketcall_table_begin: +- +- /* Each entry is exactly 32 bytes. 
*/ +-do_sys_socket: /* sys_socket(int, int, int) */ +-1: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_socket), %g1 +-2: ldswa [%o1 + 0x8] %asi, %o2 +- jmpl %g1 + %lo(sys_socket), %g0 +-3: ldswa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- nop +-do_sys_bind: /* sys_bind(int fd, struct sockaddr *, int) */ +-4: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_bind), %g1 +-5: ldswa [%o1 + 0x8] %asi, %o2 +- jmpl %g1 + %lo(sys_bind), %g0 +-6: lduwa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- nop +-do_sys_connect: /* sys_connect(int, struct sockaddr *, int) */ +-7: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_connect), %g1 +-8: ldswa [%o1 + 0x8] %asi, %o2 +- jmpl %g1 + %lo(sys_connect), %g0 +-9: lduwa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- nop +-do_sys_listen: /* sys_listen(int, int) */ +-10: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_listen), %g1 +- jmpl %g1 + %lo(sys_listen), %g0 +-11: ldswa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- nop +- nop +-do_sys_accept: /* sys_accept(int, struct sockaddr *, int *) */ +-12: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_accept), %g1 +-13: lduwa [%o1 + 0x8] %asi, %o2 +- jmpl %g1 + %lo(sys_accept), %g0 +-14: lduwa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- nop +-do_sys_getsockname: /* sys_getsockname(int, struct sockaddr *, int *) */ +-15: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_getsockname), %g1 +-16: lduwa [%o1 + 0x8] %asi, %o2 +- jmpl %g1 + %lo(sys_getsockname), %g0 +-17: lduwa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- nop +-do_sys_getpeername: /* sys_getpeername(int, struct sockaddr *, int *) */ +-18: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_getpeername), %g1 +-19: lduwa [%o1 + 0x8] %asi, %o2 +- jmpl %g1 + %lo(sys_getpeername), %g0 +-20: lduwa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- nop +-do_sys_socketpair: /* sys_socketpair(int, int, int, int *) */ +-21: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_socketpair), %g1 +-22: ldswa [%o1 + 0x8] %asi, %o2 +-23: lduwa [%o1 + 0xc] %asi, %o3 +- jmpl %g1 + %lo(sys_socketpair), %g0 +-24: ldswa [%o1 + 0x4] 
%asi, %o1 +- nop +- nop +-do_sys_send: /* sys_send(int, void *, size_t, unsigned int) */ +-25: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_send), %g1 +-26: lduwa [%o1 + 0x8] %asi, %o2 +-27: lduwa [%o1 + 0xc] %asi, %o3 +- jmpl %g1 + %lo(sys_send), %g0 +-28: lduwa [%o1 + 0x4] %asi, %o1 +- nop +- nop +-do_sys_recv: /* sys_recv(int, void *, size_t, unsigned int) */ +-29: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_recv), %g1 +-30: lduwa [%o1 + 0x8] %asi, %o2 +-31: lduwa [%o1 + 0xc] %asi, %o3 +- jmpl %g1 + %lo(sys_recv), %g0 +-32: lduwa [%o1 + 0x4] %asi, %o1 +- nop +- nop +-do_sys_sendto: /* sys_sendto(int, u32, compat_size_t, unsigned int, u32, int) */ +-33: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_sendto), %g1 +-34: lduwa [%o1 + 0x8] %asi, %o2 +-35: lduwa [%o1 + 0xc] %asi, %o3 +-36: lduwa [%o1 + 0x10] %asi, %o4 +-37: ldswa [%o1 + 0x14] %asi, %o5 +- jmpl %g1 + %lo(sys_sendto), %g0 +-38: lduwa [%o1 + 0x4] %asi, %o1 +-do_sys_recvfrom: /* sys_recvfrom(int, u32, compat_size_t, unsigned int, u32, u32) */ +-39: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_recvfrom), %g1 +-40: lduwa [%o1 + 0x8] %asi, %o2 +-41: lduwa [%o1 + 0xc] %asi, %o3 +-42: lduwa [%o1 + 0x10] %asi, %o4 +-43: lduwa [%o1 + 0x14] %asi, %o5 +- jmpl %g1 + %lo(sys_recvfrom), %g0 +-44: lduwa [%o1 + 0x4] %asi, %o1 +-do_sys_shutdown: /* sys_shutdown(int, int) */ +-45: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_shutdown), %g1 +- jmpl %g1 + %lo(sys_shutdown), %g0 +-46: ldswa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- nop +- nop +-do_sys_setsockopt: /* sys_setsockopt(int, int, int, char *, int) */ +-47: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_setsockopt), %g1 +-48: ldswa [%o1 + 0x8] %asi, %o2 +-49: lduwa [%o1 + 0xc] %asi, %o3 +-50: ldswa [%o1 + 0x10] %asi, %o4 +- jmpl %g1 + %lo(sys_setsockopt), %g0 +-51: ldswa [%o1 + 0x4] %asi, %o1 +- nop +-do_sys_getsockopt: /* sys_getsockopt(int, int, int, u32, u32) */ +-52: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_getsockopt), %g1 +-53: ldswa [%o1 + 0x8] %asi, %o2 
+-54: lduwa [%o1 + 0xc] %asi, %o3 +-55: lduwa [%o1 + 0x10] %asi, %o4 +- jmpl %g1 + %lo(sys_getsockopt), %g0 +-56: ldswa [%o1 + 0x4] %asi, %o1 +- nop +-do_sys_sendmsg: /* compat_sys_sendmsg(int, struct compat_msghdr *, unsigned int) */ +-57: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(compat_sys_sendmsg), %g1 +-58: lduwa [%o1 + 0x8] %asi, %o2 +- jmpl %g1 + %lo(compat_sys_sendmsg), %g0 +-59: lduwa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- nop +-do_sys_recvmsg: /* compat_sys_recvmsg(int, struct compat_msghdr *, unsigned int) */ +-60: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(compat_sys_recvmsg), %g1 +-61: lduwa [%o1 + 0x8] %asi, %o2 +- jmpl %g1 + %lo(compat_sys_recvmsg), %g0 +-62: lduwa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- nop +-do_sys_accept4: /* sys_accept4(int, struct sockaddr *, int *, int) */ +-63: ldswa [%o1 + 0x0] %asi, %o0 +- sethi %hi(sys_accept4), %g1 +-64: lduwa [%o1 + 0x8] %asi, %o2 +-65: ldswa [%o1 + 0xc] %asi, %o3 +- jmpl %g1 + %lo(sys_accept4), %g0 +-66: lduwa [%o1 + 0x4] %asi, %o1 +- nop +- nop +- +- .section __ex_table,"a" +- .align 4 +- .word 1b, __retl_efault, 2b, __retl_efault +- .word 3b, __retl_efault, 4b, __retl_efault +- .word 5b, __retl_efault, 6b, __retl_efault +- .word 7b, __retl_efault, 8b, __retl_efault +- .word 9b, __retl_efault, 10b, __retl_efault +- .word 11b, __retl_efault, 12b, __retl_efault +- .word 13b, __retl_efault, 14b, __retl_efault +- .word 15b, __retl_efault, 16b, __retl_efault +- .word 17b, __retl_efault, 18b, __retl_efault +- .word 19b, __retl_efault, 20b, __retl_efault +- .word 21b, __retl_efault, 22b, __retl_efault +- .word 23b, __retl_efault, 24b, __retl_efault +- .word 25b, __retl_efault, 26b, __retl_efault +- .word 27b, __retl_efault, 28b, __retl_efault +- .word 29b, __retl_efault, 30b, __retl_efault +- .word 31b, __retl_efault, 32b, __retl_efault +- .word 33b, __retl_efault, 34b, __retl_efault +- .word 35b, __retl_efault, 36b, __retl_efault +- .word 37b, __retl_efault, 38b, __retl_efault +- .word 39b, __retl_efault, 40b, 
__retl_efault +- .word 41b, __retl_efault, 42b, __retl_efault +- .word 43b, __retl_efault, 44b, __retl_efault +- .word 45b, __retl_efault, 46b, __retl_efault +- .word 47b, __retl_efault, 48b, __retl_efault +- .word 49b, __retl_efault, 50b, __retl_efault +- .word 51b, __retl_efault, 52b, __retl_efault +- .word 53b, __retl_efault, 54b, __retl_efault +- .word 55b, __retl_efault, 56b, __retl_efault +- .word 57b, __retl_efault, 58b, __retl_efault +- .word 59b, __retl_efault, 60b, __retl_efault +- .word 61b, __retl_efault, 62b, __retl_efault +- .word 63b, __retl_efault, 64b, __retl_efault +- .word 65b, __retl_efault, 66b, __retl_efault +- .previous +diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl +index 45c01529585c9..8c6a8dc309a44 100644 +--- a/arch/sparc/kernel/syscalls/syscall.tbl ++++ b/arch/sparc/kernel/syscalls/syscall.tbl +@@ -155,7 +155,7 @@ + 123 32 fchown sys_fchown16 + 123 64 fchown sys_fchown + 124 common fchmod sys_fchmod +-125 common recvfrom sys_recvfrom ++125 common recvfrom sys_recvfrom compat_sys_recvfrom + 126 32 setreuid sys_setreuid16 + 126 64 setreuid sys_setreuid + 127 32 setregid sys_setregid16 +@@ -247,7 +247,7 @@ + 204 32 readdir sys_old_readdir compat_sys_old_readdir + 204 64 readdir sys_nis_syscall + 205 common readahead sys_readahead compat_sys_readahead +-206 common socketcall sys_socketcall sys32_socketcall ++206 common socketcall sys_socketcall compat_sys_socketcall + 207 common syslog sys_syslog + 208 common lookup_dcookie sys_ni_syscall + 209 common fadvise64 sys_fadvise64 compat_sys_fadvise64 +-- +2.43.0 + diff --git a/queue-6.9/sparc-fix-old-compat_sys_select.patch b/queue-6.9/sparc-fix-old-compat_sys_select.patch new file mode 100644 index 00000000000..e83d29a2a65 --- /dev/null +++ b/queue-6.9/sparc-fix-old-compat_sys_select.patch 
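Review bot: In the sparc syscall.tbl hunks, only recvfrom (125) and socketcall (206) change, while the commit message says both recv() and recvfrom() are wrong as direct syscalls. If recv is reachable on sparc only through socketcall, the message should say so; if there is a direct recv row, it is missing from this patch. Separately, sys32.S drops sys32_socketcall together with its __ex_table entries, so it is worth confirming that no other reference to sys32_socketcall or __socketcall_table_begin remains in the tree.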
@@ -0,0 +1,39 @@ +From 10b795a4dc5b875bc380ff0e136b44ae716d2392 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jun 2024 14:07:30 +0200 +Subject: sparc: fix old compat_sys_select() + +From: Arnd Bergmann + +[ Upstream commit bae6428a9fffb2023191b0723e276cf1377a7c9f ] + +sparc has two identical select syscalls at numbers 93 and 230, respectively. +During the conversion to the modern syscall.tbl format, the older one of the +two broke in compat mode, and now refers to the native 64-bit syscall. + +Restore the correct behavior. This has very little effect, as glibc has +been using the newer number anyway. + +Fixes: 6ff645dd683a ("sparc: add system call table generation support") +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/syscalls/syscall.tbl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl +index b23d59313589a..45c01529585c9 100644 +--- a/arch/sparc/kernel/syscalls/syscall.tbl ++++ b/arch/sparc/kernel/syscalls/syscall.tbl +@@ -117,7 +117,7 @@ + 90 common dup2 sys_dup2 + 91 32 setfsuid32 sys_setfsuid + 92 common fcntl sys_fcntl compat_sys_fcntl +-93 common select sys_select ++93 common select sys_select compat_sys_select + 94 32 setfsgid32 sys_setfsgid + 95 common fsync sys_fsync + 96 common setpriority sys_setpriority +-- +2.43.0 + diff --git a/queue-6.9/tcp-fix-tcp_rcv_fastopen_synack-to-enter-tcp_ca_loss.patch b/queue-6.9/tcp-fix-tcp_rcv_fastopen_synack-to-enter-tcp_ca_loss.patch new file mode 100644 index 00000000000..e03c02121b0 --- /dev/null +++ b/queue-6.9/tcp-fix-tcp_rcv_fastopen_synack-to-enter-tcp_ca_loss.patch 
@@ -0,0 +1,168 @@ +From aa76295a4297cbeeae97bb8cb87543196f1c829b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 14:43:23 +0000 +Subject: tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed + TFO + +From: Neal Cardwell + +[ Upstream commit 5dfe9d273932c647bdc9d664f939af9a5a398cbc ] + +Testing determined that the recent commit 9e046bb111f1 ("tcp: clear +tp->retrans_stamp in tcp_rcv_fastopen_synack()") has a race, and does +not always ensure retrans_stamp is 0 after a TFO payload retransmit. + +If transmit completion for the SYN+data skb happens after the client +TCP stack receives the SYNACK (which sometimes happens), then +retrans_stamp can erroneously remain non-zero for the lifetime of the +connection, causing a premature ETIMEDOUT later. + +Testing and tracing showed that the buggy scenario is the following +somewhat tricky sequence: + ++ Client attempts a TFO handshake. tcp_send_syn_data() sends SYN + TFO + cookie + data in a single packet in the syn_data skb. It hands the + syn_data skb to tcp_transmit_skb(), which makes a clone. Crucially, + it then reuses the same original (non-clone) syn_data skb, + transforming it by advancing the seq by one byte and removing the + FIN bit, and enques the resulting payload-only skb in the + sk->tcp_rtx_queue. + ++ Client sets retrans_stamp to the start time of the three-way + handshake. + ++ Cookie mismatches or server has TFO disabled, and server only ACKs + SYN. + ++ tcp_ack() sees SYN is acked, tcp_clean_rtx_queue() clears + retrans_stamp. + ++ Since the client SYN was acked but not the payload, the TFO failure + code path in tcp_rcv_fastopen_synack() tries to retransmit the + payload skb. However, in some cases the transmit completion for the + clone of the syn_data (which had SYN + TFO cookie + data) hasn't + happened. In those cases, skb_still_in_host_queue() returns true + for the retransmitted TFO payload, because the clone of the syn_data + skb has not had its tx completetion. 
+ ++ Because skb_still_in_host_queue() finds skb_fclone_busy() is true, + it sets the TSQ_THROTTLED bit and the retransmit does not happen in + the tcp_rcv_fastopen_synack() call chain. + ++ The tcp_rcv_fastopen_synack() code next implicitly assumes the + retransmit process is finished, and sets retrans_stamp to 0 to clear + it, but this is later overwritten (see below). + ++ Later, upon tx completion, tcp_tsq_write() calls + tcp_xmit_retransmit_queue(), which puts the retransmit in flight and + sets retrans_stamp to a non-zero value. + ++ The client receives an ACK for the retransmitted TFO payload data. + ++ Since we're in CA_Open and there are no dupacks/SACKs/DSACKs/ECN to + make tcp_ack_is_dubious() true and make us call + tcp_fastretrans_alert() and reach a code path that clears + retrans_stamp, retrans_stamp stays nonzero. + ++ Later, if there is a TLP, RTO, RTO sequence, then the connection + will suffer an early ETIMEDOUT due to the erroneously ancient + retrans_stamp. + +The fix: this commit refactors the code to have +tcp_rcv_fastopen_synack() retransmit by reusing the relevant parts of +tcp_simple_retransmit() that enter CA_Loss (without changing cwnd) and +call tcp_xmit_retransmit_queue(). We have tcp_simple_retransmit() and +tcp_rcv_fastopen_synack() share code in this way because in both cases +we get a packet indicating non-congestion loss (MTU reduction or TFO +failure) and thus in both cases we want to retransmit as many packets +as cwnd allows, without reducing cwnd. And given that retransmits will +set retrans_stamp to a non-zero value (and may do so in a later +calling context due to TSQ), we also want to enter CA_Loss so that we +track when all retransmitted packets are ACked and clear retrans_stamp +when that happens (to ensure later recurring RTOs are using the +correct retrans_stamp and don't declare ETIMEDOUT prematurely). 
+ +Fixes: 9e046bb111f1 ("tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack()") +Fixes: a7abf3cd76e1 ("tcp: consider using standard rtx logic in tcp_rcv_fastopen_synack()") +Signed-off-by: Neal Cardwell +Signed-off-by: Eric Dumazet +Cc: Yuchung Cheng +Link: https://patch.msgid.link/20240624144323.2371403-1-ncardwell.sw@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 38 +++++++++++++++++++++++++++----------- + 1 file changed, 27 insertions(+), 11 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index d37b45b90a61c..0953c915bb4de 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2779,13 +2779,37 @@ static void tcp_mtup_probe_success(struct sock *sk) + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMTUPSUCCESS); + } + ++/* Sometimes we deduce that packets have been dropped due to reasons other than ++ * congestion, like path MTU reductions or failed client TFO attempts. In these ++ * cases we call this function to retransmit as many packets as cwnd allows, ++ * without reducing cwnd. Given that retransmits will set retrans_stamp to a ++ * non-zero value (and may do so in a later calling context due to TSQ), we ++ * also enter CA_Loss so that we track when all retransmitted packets are ACKed ++ * and clear retrans_stamp when that happens (to ensure later recurring RTOs ++ * are using the correct retrans_stamp and don't declare ETIMEDOUT ++ * prematurely). ++ */ ++static void tcp_non_congestion_loss_retransmit(struct sock *sk) ++{ ++ const struct inet_connection_sock *icsk = inet_csk(sk); ++ struct tcp_sock *tp = tcp_sk(sk); ++ ++ if (icsk->icsk_ca_state != TCP_CA_Loss) { ++ tp->high_seq = tp->snd_nxt; ++ tp->snd_ssthresh = tcp_current_ssthresh(sk); ++ tp->prior_ssthresh = 0; ++ tp->undo_marker = 0; ++ tcp_set_ca_state(sk, TCP_CA_Loss); ++ } ++ tcp_xmit_retransmit_queue(sk); ++} ++ + /* Do a simple retransmit without using the backoff mechanisms in + * tcp_timer. 
This is used for path mtu discovery. + * The socket is already locked here. + */ + void tcp_simple_retransmit(struct sock *sk) + { +- const struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); + struct sk_buff *skb; + int mss; +@@ -2825,14 +2849,7 @@ void tcp_simple_retransmit(struct sock *sk) + * in network, but units changed and effective + * cwnd/ssthresh really reduced now. + */ +- if (icsk->icsk_ca_state != TCP_CA_Loss) { +- tp->high_seq = tp->snd_nxt; +- tp->snd_ssthresh = tcp_current_ssthresh(sk); +- tp->prior_ssthresh = 0; +- tp->undo_marker = 0; +- tcp_set_ca_state(sk, TCP_CA_Loss); +- } +- tcp_xmit_retransmit_queue(sk); ++ tcp_non_congestion_loss_retransmit(sk); + } + EXPORT_SYMBOL(tcp_simple_retransmit); + +@@ -6288,8 +6305,7 @@ static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack, + tp->fastopen_client_fail = TFO_DATA_NOT_ACKED; + skb_rbtree_walk_from(data) + tcp_mark_skb_lost(sk, data); +- tcp_xmit_retransmit_queue(sk); +- tp->retrans_stamp = 0; ++ tcp_non_congestion_loss_retransmit(sk); + NET_INC_STATS(sock_net(sk), + LINUX_MIB_TCPFASTOPENACTIVEFAIL); + return true; +-- +2.43.0 + diff --git a/queue-6.9/tracing-net_sched-null-pointer-dereference-in-perf_t.patch b/queue-6.9/tracing-net_sched-null-pointer-dereference-in-perf_t.patch new file mode 100644 index 00000000000..0d52c15e771 --- /dev/null +++ b/queue-6.9/tracing-net_sched-null-pointer-dereference-in-perf_t.patch 
@@ -0,0 +1,306 @@ +From 9c2f5cc153e7878ce3b8bca9aad669cad550d727 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 02:33:23 +0900 +Subject: tracing/net_sched: NULL pointer dereference in + perf_trace_qdisc_reset() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yunseong Kim + +[ Upstream commit bab4923132feb3e439ae45962979c5d9d5c7c1f1 ] + +In the TRACE_EVENT(qdisc_reset) NULL dereference occurred from + + qdisc->dev_queue->dev ->name + +This situation simulated from bunch of veths and Bluetooth disconnection +and reconnection. + +During qdisc initialization, qdisc was being set to noop_queue. +In veth_init_queue, the initial tx_num was reduced back to one, +causing the qdisc reset to be called with noop, which led to the kernel +panic. + +I've attached the GitHub gist link that C converted syz-execprogram +source code and 3 log of reproduced vmcore-dmesg. + + https://gist.github.com/yskelg/cc64562873ce249cdd0d5a358b77d740 + +Yeoreum and I use two fuzzing tool simultaneously. + +One process with syz-executor : https://github.com/google/syzkaller + + $ ./syz-execprog -executor=./syz-executor -repeat=1 -sandbox=setuid \ + -enable=none -collide=false log1 + +The other process with perf fuzzer: + https://github.com/deater/perf_event_tests/tree/master/fuzzer + + $ perf_event_tests/fuzzer/perf_fuzzer + +I think this will happen on the kernel version. + + Linux kernel version +v6.7.10, +v6.8, +v6.9 and it could happen in v6.10. + +This occurred from 51270d573a8d. I think this patch is absolutely +necessary. Previously, It was showing not intended string value of name. + +I've reproduced 3 time from my fedora 40 Debug Kernel with any other module +or patched. 
+ + version: 6.10.0-0.rc2.20240608gitdc772f8237f9.29.fc41.aarch64+debug + +[ 5287.164555] veth0_vlan: left promiscuous mode +[ 5287.164929] veth1_macvtap: left promiscuous mode +[ 5287.164950] veth0_macvtap: left promiscuous mode +[ 5287.164983] veth1_vlan: left promiscuous mode +[ 5287.165008] veth0_vlan: left promiscuous mode +[ 5287.165450] veth1_macvtap: left promiscuous mode +[ 5287.165472] veth0_macvtap: left promiscuous mode +[ 5287.165502] veth1_vlan: left promiscuous mode +… +[ 5297.598240] bridge0: port 2(bridge_slave_1) entered blocking state +[ 5297.598262] bridge0: port 2(bridge_slave_1) entered forwarding state +[ 5297.598296] bridge0: port 1(bridge_slave_0) entered blocking state +[ 5297.598313] bridge0: port 1(bridge_slave_0) entered forwarding state +[ 5297.616090] 8021q: adding VLAN 0 to HW filter on device bond0 +[ 5297.620405] bridge0: port 1(bridge_slave_0) entered disabled state +[ 5297.620730] bridge0: port 2(bridge_slave_1) entered disabled state +[ 5297.627247] 8021q: adding VLAN 0 to HW filter on device team0 +[ 5297.629636] bridge0: port 1(bridge_slave_0) entered blocking state +… +[ 5298.002798] bridge_slave_0: left promiscuous mode +[ 5298.002869] bridge0: port 1(bridge_slave_0) entered disabled state +[ 5298.309444] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface +[ 5298.315206] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface +[ 5298.320207] bond0 (unregistering): Released all slaves +[ 5298.354296] hsr_slave_0: left promiscuous mode +[ 5298.360750] hsr_slave_1: left promiscuous mode +[ 5298.374889] veth1_macvtap: left promiscuous mode +[ 5298.374931] veth0_macvtap: left promiscuous mode +[ 5298.374988] veth1_vlan: left promiscuous mode +[ 5298.375024] veth0_vlan: left promiscuous mode +[ 5299.109741] team0 (unregistering): Port device team_slave_1 removed +[ 5299.185870] team0 (unregistering): Port device team_slave_0 removed +… +[ 5300.155443] Bluetooth: hci3: unexpected cc 0x0c03 
length: 249 > 1 +[ 5300.155724] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 +[ 5300.155988] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 +…. +[ 5301.075531] team0: Port device team_slave_1 added +[ 5301.085515] bridge0: port 1(bridge_slave_0) entered blocking state +[ 5301.085531] bridge0: port 1(bridge_slave_0) entered disabled state +[ 5301.085588] bridge_slave_0: entered allmulticast mode +[ 5301.085800] bridge_slave_0: entered promiscuous mode +[ 5301.095617] bridge0: port 1(bridge_slave_0) entered blocking state +[ 5301.095633] bridge0: port 1(bridge_slave_0) entered disabled state +… +[ 5301.149734] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link +[ 5301.173234] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link +[ 5301.180517] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link +[ 5301.193481] hsr_slave_0: entered promiscuous mode +[ 5301.204425] hsr_slave_1: entered promiscuous mode +[ 5301.210172] debugfs: Directory 'hsr0' with parent 'hsr' already present! +[ 5301.210185] Cannot create hsr debugfs directory +[ 5301.224061] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link +[ 5301.246901] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link +[ 5301.255934] team0: Port device team_slave_0 added +[ 5301.256480] team0: Port device team_slave_1 added +[ 5301.256948] team0: Port device team_slave_0 added +… +[ 5301.435928] hsr_slave_0: entered promiscuous mode +[ 5301.446029] hsr_slave_1: entered promiscuous mode +[ 5301.455872] debugfs: Directory 'hsr0' with parent 'hsr' already present! +[ 5301.455884] Cannot create hsr debugfs directory +[ 5301.502664] hsr_slave_0: entered promiscuous mode +[ 5301.513675] hsr_slave_1: entered promiscuous mode +[ 5301.526155] debugfs: Directory 'hsr0' with parent 'hsr' already present! 
+[ 5301.526164] Cannot create hsr debugfs directory +[ 5301.563662] hsr_slave_0: entered promiscuous mode +[ 5301.576129] hsr_slave_1: entered promiscuous mode +[ 5301.580259] debugfs: Directory 'hsr0' with parent 'hsr' already present! +[ 5301.580270] Cannot create hsr debugfs directory +[ 5301.590269] 8021q: adding VLAN 0 to HW filter on device bond0 + +[ 5301.595872] KASAN: null-ptr-deref in range [0x0000000000000130-0x0000000000000137] +[ 5301.595877] Mem abort info: +[ 5301.595881] ESR = 0x0000000096000006 +[ 5301.595885] EC = 0x25: DABT (current EL), IL = 32 bits +[ 5301.595889] SET = 0, FnV = 0 +[ 5301.595893] EA = 0, S1PTW = 0 +[ 5301.595896] FSC = 0x06: level 2 translation fault +[ 5301.595900] Data abort info: +[ 5301.595903] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 +[ 5301.595907] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 5301.595911] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 5301.595915] [dfff800000000026] address between user and kernel address ranges +[ 5301.595971] Internal error: Oops: 0000000096000006 [#1] SMP +… +[ 5301.596076] CPU: 2 PID: 102769 Comm: +syz-executor.3 Kdump: loaded Tainted: + G W ------- --- 6.10.0-0.rc2.20240608gitdc772f8237f9.29.fc41.aarch64+debug #1 +[ 5301.596080] Hardware name: VMware, Inc. 
VMware20,1/VBSA, + BIOS VMW201.00V.21805430.BA64.2305221830 05/22/2023 +[ 5301.596082] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) +[ 5301.596085] pc : strnlen+0x40/0x88 +[ 5301.596114] lr : trace_event_get_offsets_qdisc_reset+0x6c/0x2b0 +[ 5301.596124] sp : ffff8000beef6b40 +[ 5301.596126] x29: ffff8000beef6b40 x28: dfff800000000000 x27: 0000000000000001 +[ 5301.596131] x26: 6de1800082c62bd0 x25: 1ffff000110aa9e0 x24: ffff800088554f00 +[ 5301.596136] x23: ffff800088554ec0 x22: 0000000000000130 x21: 0000000000000140 +[ 5301.596140] x20: dfff800000000000 x19: ffff8000beef6c60 x18: ffff7000115106d8 +[ 5301.596143] x17: ffff800121bad000 x16: ffff800080020000 x15: 0000000000000006 +[ 5301.596147] x14: 0000000000000002 x13: ffff0001f3ed8d14 x12: ffff700017ddeda5 +[ 5301.596151] x11: 1ffff00017ddeda4 x10: ffff700017ddeda4 x9 : ffff800082cc5eec +[ 5301.596155] x8 : 0000000000000004 x7 : 00000000f1f1f1f1 x6 : 00000000f2f2f200 +[ 5301.596158] x5 : 00000000f3f3f3f3 x4 : ffff700017dded80 x3 : 00000000f204f1f1 +[ 5301.596162] x2 : 0000000000000026 x1 : 0000000000000000 x0 : 0000000000000130 +[ 5301.596166] Call trace: +[ 5301.596175] strnlen+0x40/0x88 +[ 5301.596179] trace_event_get_offsets_qdisc_reset+0x6c/0x2b0 +[ 5301.596182] perf_trace_qdisc_reset+0xb0/0x538 +[ 5301.596184] __traceiter_qdisc_reset+0x68/0xc0 +[ 5301.596188] qdisc_reset+0x43c/0x5e8 +[ 5301.596190] netif_set_real_num_tx_queues+0x288/0x770 +[ 5301.596194] veth_init_queues+0xfc/0x130 [veth] +[ 5301.596198] veth_newlink+0x45c/0x850 [veth] +[ 5301.596202] rtnl_newlink_create+0x2c8/0x798 +[ 5301.596205] __rtnl_newlink+0x92c/0xb60 +[ 5301.596208] rtnl_newlink+0xd8/0x130 +[ 5301.596211] rtnetlink_rcv_msg+0x2e0/0x890 +[ 5301.596214] netlink_rcv_skb+0x1c4/0x380 +[ 5301.596225] rtnetlink_rcv+0x20/0x38 +[ 5301.596227] netlink_unicast+0x3c8/0x640 +[ 5301.596231] netlink_sendmsg+0x658/0xa60 +[ 5301.596234] __sock_sendmsg+0xd0/0x180 +[ 5301.596243] __sys_sendto+0x1c0/0x280 +[ 5301.596246] 
__arm64_sys_sendto+0xc8/0x150 +[ 5301.596249] invoke_syscall+0xdc/0x268 +[ 5301.596256] el0_svc_common.constprop.0+0x16c/0x240 +[ 5301.596259] do_el0_svc+0x48/0x68 +[ 5301.596261] el0_svc+0x50/0x188 +[ 5301.596265] el0t_64_sync_handler+0x120/0x130 +[ 5301.596268] el0t_64_sync+0x194/0x198 +[ 5301.596272] Code: eb15001f 54000120 d343fc02 12000801 (38f46842) +[ 5301.596285] SMP: stopping secondary CPUs +[ 5301.597053] Starting crashdump kernel... +[ 5301.597057] Bye! + +After applying our patch, I didn't find any kernel panic errors. + +We've found a simple reproducer + + # echo 1 > /sys/kernel/debug/tracing/events/qdisc/qdisc_reset/enable + + # ip link add veth0 type veth peer name veth1 + + Error: Unknown device type. + +However, without our patch applied, I tested upstream 6.10.0-rc3 kernel +using the qdisc_reset event and the ip command on my qemu virtual machine. + +This 2 commands makes always kernel panic. + +Linux version: 6.10.0-rc3 + +[ 0.000000] Linux version 6.10.0-rc3-00164-g44ef20baed8e-dirty +(paran@fedora) (gcc (GCC) 14.1.1 20240522 (Red Hat 14.1.1-4), GNU ld +version 2.41-34.fc40) #20 SMP PREEMPT Sat Jun 15 16:51:25 KST 2024 + +Kernel panic message: + +[ 615.236484] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP +[ 615.237250] Dumping ftrace buffer: +[ 615.237679] (ftrace buffer empty) +[ 615.238097] Modules linked in: veth crct10dif_ce virtio_gpu +virtio_dma_buf drm_shmem_helper drm_kms_helper zynqmp_fpga xilinx_can +xilinx_spi xilinx_selectmap xilinx_core xilinx_pr_decoupler versal_fpga +uvcvideo uvc videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev +videobuf2_common mc usbnet deflate zstd ubifs ubi rcar_canfd rcar_can +omap_mailbox ntb_msi_test ntb_hw_epf lattice_sysconfig_spi +lattice_sysconfig ice40_spi gpio_xilinx dwmac_altr_socfpga mdio_regmap +stmmac_platform stmmac pcs_xpcs dfl_fme_region dfl_fme_mgr dfl_fme_br +dfl_afu dfl fpga_region fpga_bridge can can_dev br_netfilter bridge stp +llc atl1c ath11k_pci mhi ath11k_ahb 
ath11k qmi_helpers ath10k_sdio +ath10k_pci ath10k_core ath mac80211 libarc4 cfg80211 drm fuse backlight ipv6 +Jun 22 02:36:5[3 6k152.62-4sm98k4-0k]v kCePUr:n e1l :P IUDn:a b4le6 +8t oC ohmma: nidpl eN oketr nteali nptaedg i6n.g1 0re.0q-urecs3t- 0at0 +1v6i4r-tgu4a4le fa2d0dbraeeds0se-dir tyd f#f2f08 + 615.252376] Hardware name: linux,dummy-virt (DT) +[ 615.253220] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS +BTYPE=--) +[ 615.254433] pc : strnlen+0x6c/0xe0 +[ 615.255096] lr : trace_event_get_offsets_qdisc_reset+0x94/0x3d0 +[ 615.256088] sp : ffff800080b269a0 +[ 615.256615] x29: ffff800080b269a0 x28: ffffc070f3f98500 x27: +0000000000000001 +[ 615.257831] x26: 0000000000000010 x25: ffffc070f3f98540 x24: +ffffc070f619cf60 +[ 615.259020] x23: 0000000000000128 x22: 0000000000000138 x21: +dfff800000000000 +[ 615.260241] x20: ffffc070f631ad00 x19: 0000000000000128 x18: +ffffc070f448b800 +[ 615.261454] x17: 0000000000000000 x16: 0000000000000001 x15: +ffffc070f4ba2a90 +[ 615.262635] x14: ffff700010164d73 x13: 1ffff80e1e8d5eb3 x12: +1ffff00010164d72 +[ 615.263877] x11: ffff700010164d72 x10: dfff800000000000 x9 : +ffffc070e85d6184 +[ 615.265047] x8 : ffffc070e4402070 x7 : 000000000000f1f1 x6 : +000000001504a6d3 +[ 615.266336] x5 : ffff28ca21122140 x4 : ffffc070f5043ea8 x3 : +0000000000000000 +[ 615.267528] x2 : 0000000000000025 x1 : 0000000000000000 x0 : +0000000000000000 +[ 615.268747] Call trace: +[ 615.269180] strnlen+0x6c/0xe0 +[ 615.269767] trace_event_get_offsets_qdisc_reset+0x94/0x3d0 +[ 615.270716] trace_event_raw_event_qdisc_reset+0xe8/0x4e8 +[ 615.271667] __traceiter_qdisc_reset+0xa0/0x140 +[ 615.272499] qdisc_reset+0x554/0x848 +[ 615.273134] netif_set_real_num_tx_queues+0x360/0x9a8 +[ 615.274050] veth_init_queues+0x110/0x220 [veth] +[ 615.275110] veth_newlink+0x538/0xa50 [veth] +[ 615.276172] __rtnl_newlink+0x11e4/0x1bc8 +[ 615.276944] rtnl_newlink+0xac/0x120 +[ 615.277657] rtnetlink_rcv_msg+0x4e4/0x1370 +[ 615.278409] netlink_rcv_skb+0x25c/0x4f0 +[ 
615.279122] rtnetlink_rcv+0x48/0x70 +[ 615.279769] netlink_unicast+0x5a8/0x7b8 +[ 615.280462] netlink_sendmsg+0xa70/0x1190 + +Yeoreum and I don't know if the patch we wrote will fix the underlying +cause, but we think that priority is to prevent kernel panic happening. +So, we're sending this patch. + +Fixes: 51270d573a8d ("tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string") +Link: https://lore.kernel.org/lkml/20240229143432.273b4871@gandalf.local.home/t/ +Cc: netdev@vger.kernel.org +Tested-by: Yunseong Kim +Signed-off-by: Yunseong Kim +Signed-off-by: Yeoreum Yun +Link: https://lore.kernel.org/r/20240624173320.24945-4-yskelg@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/trace/events/qdisc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/trace/events/qdisc.h b/include/trace/events/qdisc.h +index 1f4258308b967..69453b8de29e6 100644 +--- a/include/trace/events/qdisc.h ++++ b/include/trace/events/qdisc.h +@@ -81,7 +81,7 @@ TRACE_EVENT(qdisc_reset, + TP_ARGS(q), + + TP_STRUCT__entry( +- __string( dev, qdisc_dev(q)->name ) ++ __string( dev, qdisc_dev(q) ? qdisc_dev(q)->name : "(null)" ) + __string( kind, q->ops->id ) + __field( u32, parent ) + __field( u32, handle ) +-- +2.43.0 + diff --git a/queue-6.9/vxlan-pull-inner-ip-header-in-vxlan_xmit_one.patch b/queue-6.9/vxlan-pull-inner-ip-header-in-vxlan_xmit_one.patch new file mode 100644 index 00000000000..6df05399305 --- /dev/null +++ b/queue-6.9/vxlan-pull-inner-ip-header-in-vxlan_xmit_one.patch 
@@ -0,0 +1,58 @@ +From c2469c4cb7c9120e08d567e078d09355fe0fdab0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jun 2024 15:34:57 +0200 +Subject: vxlan: Pull inner IP header in vxlan_xmit_one(). + +From: Guillaume Nault + +[ Upstream commit 31392048f55f98cb01ca709d32d06d926ab9760a ] + +Ensure the inner IP header is part of the skb's linear data before +setting old_iph. Otherwise, on a non-linear skb, old_iph could point +outside of the packet data. + +Unlike classical VXLAN, which always encapsulates Ethernet packets, +VXLAN-GPE can transport IP packets directly. In that case, we need to +look at skb->protocol to figure out if an Ethernet header is present. + +Fixes: d342894c5d2f ("vxlan: virtual extensible lan") +Signed-off-by: Guillaume Nault +Link: https://patch.msgid.link/2aa75f6fa62ac9dbe4f16ad5ba75dd04a51d4b99.1718804000.git.gnault@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index b2d054f59f30f..49779ba3c4b7b 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -2336,7 +2336,7 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, + struct ip_tunnel_key *pkey; + struct ip_tunnel_key key; + struct vxlan_dev *vxlan = netdev_priv(dev); +- const struct iphdr *old_iph = ip_hdr(skb); ++ const struct iphdr *old_iph; + struct vxlan_metadata _md; + struct vxlan_metadata *md = &_md; + unsigned int pkt_len = skb->len; +@@ -2350,8 +2350,15 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, + bool use_cache; + bool udp_sum = false; + bool xnet = !net_eq(vxlan->net, dev_net(vxlan->dev)); ++ bool no_eth_encap; + __be32 vni = 0; + ++ no_eth_encap = flags & VXLAN_F_GPE && skb->protocol != htons(ETH_P_TEB); ++ if (!skb_vlan_inet_prepare(skb, no_eth_encap)) ++ goto drop; ++ ++ old_iph = ip_hdr(skb); 
++ + info = skb_tunnel_info(skb); + use_cache = ip_tunnel_dst_cache_usable(skb, info); + +-- +2.43.0 + diff --git a/queue-6.9/workqueue-increase-worker-desc-s-length-to-32.patch b/queue-6.9/workqueue-increase-worker-desc-s-length-to-32.patch new file mode 100644 index 00000000000..13da03bd7da --- /dev/null +++ b/queue-6.9/workqueue-increase-worker-desc-s-length-to-32.patch @@ -0,0 +1,40 @@ +From 5b2122bdc1d6391382b552ebb35d0a6500a05374 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jun 2024 16:52:15 +0800 +Subject: workqueue: Increase worker desc's length to 32 + +From: Wenchao Hao + +[ Upstream commit 231035f18d6b80e5c28732a20872398116a54ecd ] + +Commit 31c89007285d ("workqueue.c: Increase workqueue name length") +increased WQ_NAME_LEN from 24 to 32, but forget to increase +WORKER_DESC_LEN, which would cause truncation when setting kworker's +desc from workqueue_struct's name, process_one_work() for example. + +Fixes: 31c89007285d ("workqueue.c: Increase workqueue name length") + +Signed-off-by: Wenchao Hao +CC: Audra Mitchell +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + include/linux/workqueue.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h +index 158784dd189ab..72031fa804147 100644 +--- a/include/linux/workqueue.h ++++ b/include/linux/workqueue.h +@@ -92,7 +92,7 @@ enum wq_misc_consts { + WORK_BUSY_RUNNING = 1 << 1, + + /* maximum string length for set_worker_desc() */ +- WORKER_DESC_LEN = 24, ++ WORKER_DESC_LEN = 32, + }; + + /* Convenience constants - of type 'unsigned long', not 'enum'! */ +-- +2.43.0 + diff --git a/queue-6.9/xdp-remove-warn-from-__xdp_reg_mem_model.patch b/queue-6.9/xdp-remove-warn-from-__xdp_reg_mem_model.patch new file mode 100644 index 00000000000..c826ae0119f --- /dev/null +++ b/queue-6.9/xdp-remove-warn-from-__xdp_reg_mem_model.patch 
@@ -0,0 +1,76 @@ +From 351edcea01a50af3aff1b2dd75985797f3993b32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 11:07:47 +0300 +Subject: xdp: Remove WARN() from __xdp_reg_mem_model() + +From: Daniil Dulov + +[ Upstream commit 7e9f79428372c6eab92271390851be34ab26bfb4 ] + +syzkaller reports a warning in __xdp_reg_mem_model(). + +The warning occurs only if __mem_id_init_hash_table() returns an error. It +returns the error in two cases: + + 1. memory allocation fails; + 2. rhashtable_init() fails when some fields of rhashtable_params + struct are not initialized properly. + +The second case cannot happen since there is a static const rhashtable_params +struct with valid fields. So, warning is only triggered when there is a +problem with memory allocation. + +Thus, there is no sense in using WARN() to handle this error and it can be +safely removed. + +WARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299 + +CPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 +RIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299 + +Call Trace: + xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344 + xdp_test_run_setup net/bpf/test_run.c:188 [inline] + bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377 + bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267 + bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240 + __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649 + __do_sys_bpf kernel/bpf/syscall.c:5738 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5736 [inline] + __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736 + do_syscall_64+0xfb/0x240 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +Found by Linux Verification Center (linuxtesting.org) with syzkaller. 
+ +Fixes: 8d5d88527587 ("xdp: rhashtable with allocator ID to pointer mapping") +Signed-off-by: Daniil Dulov +Signed-off-by: Daniel Borkmann +Acked-by: Jesper Dangaard Brouer +Link: https://lore.kernel.org/all/20240617162708.492159-1-d.dulov@aladdin.ru +Link: https://lore.kernel.org/bpf/20240624080747.36858-1-d.dulov@aladdin.ru +Signed-off-by: Sasha Levin +--- + net/core/xdp.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/core/xdp.c b/net/core/xdp.c +index 41693154e426f..022c12059cf2f 100644 +--- a/net/core/xdp.c ++++ b/net/core/xdp.c +@@ -295,10 +295,8 @@ static struct xdp_mem_allocator *__xdp_reg_mem_model(struct xdp_mem_info *mem, + mutex_lock(&mem_id_lock); + ret = __mem_id_init_hash_table(); + mutex_unlock(&mem_id_lock); +- if (ret < 0) { +- WARN_ON(1); ++ if (ret < 0) + return ERR_PTR(ret); +- } + } + + xdp_alloc = kzalloc(sizeof(*xdp_alloc), gfp); +-- +2.43.0 +
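Review bot: the two sparc syscall.tbl patches must stay in this order in the 6.9 series, and nothing in either file says so. The index line of sparc-fix-old-compat_sys_select.patch ends at blob 45c01529585c9, which is exactly the preimage (`index 45c01529585c9..8c6a8dc309a44`) of the hunks that add compat_sys_recvfrom and compat_sys_socketcall. If the select fix is ever dropped or reordered, re-check the recvfrom/socketcall patch against the resulting table rather than relying on fuzz, because a misapplied row in syscall.tbl sends a compat caller to the native 64-bit handler, which is the breakage the select commit message describes.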
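Review bot: in the new tcp_non_congestion_loss_retransmit() (hunk at @@ -2779 of net/ipv4/tcp_input.c), the `if (icsk->icsk_ca_state != TCP_CA_Loss)` guard means a socket already in CA_Loss skips `tp->high_seq = tp->snd_nxt;` and goes straight to tcp_xmit_retransmit_queue(). The block is moved unchanged from tcp_simple_retransmit(), but the helper now has a second caller and its comment only describes the case where CA_Loss is newly entered. Please add a sentence to the comment saying that an existing CA_Loss episode is deliberately left as is, so the next reader does not have to work out whether the TFO-failure path can arrive in that state.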
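Review bot: at the tcp_rcv_fastopen_synack() call site (hunk at @@ -6288), dropping `tp->retrans_stamp = 0;` removes the only line that showed the intent of this branch, and the reasoning now lives solely in the helper's comment and the commit message. A one-line comment above `tcp_non_congestion_loss_retransmit(sk);` noting that retrans_stamp is cleared later, once the retransmitted data is ACKed and CA_Loss is left, would keep someone from re-adding the explicit clear, which the commit message shows was overwritten by the deferred tcp_tsq_write() retransmit.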
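Review bot: the include/trace/events/qdisc.h hunk guards only the `__string( dev, ... )` declaration in TP_STRUCT__entry; the assignment side of TRACE_EVENT(qdisc_reset) is outside the shown context and the diffstat (1 insertion, 1 deletion) confirms it is untouched. Both oops traces fault in strnlen() called from trace_event_get_offsets_qdisc_reset(), and the first trace's fault address 0x130 is consistent with `->name` being read off a NULL device pointer, so the reported crash site is covered by the ternary. For the 6.9 backport, please confirm that the matching string assignment in TP_fast_assign does not evaluate `qdisc_dev(q)->name` again in this tree; if it does, the same NULL pointer is dereferenced one step later. The commit message also says the authors are unsure this addresses the underlying cause, so the noop qdisc reaching qdisc_reset() from veth_init_queues() deserves a tracked follow-up.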
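Review bot: the second vxlan_xmit_one() hunk (@@ -2350 of drivers/net/vxlan/vxlan_core.c) calls `skb_vlan_inet_prepare(skb, no_eth_encap)` with two arguments, so this backport only builds if the 6.9 tree already has that helper with this signature; please confirm the prerequisite is queued ahead of this patch. In the same hunk, `flags & VXLAN_F_GPE && skb->protocol != htons(ETH_P_TEB)` is correct by precedence but reads more safely as `(flags & VXLAN_F_GPE) && ...`. Because the new `goto drop` runs before `info = skb_tunnel_info(skb);`, also check that the drop label does not read `info` or any other local that is only assigned further down.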
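Review bot: `WORKER_DESC_LEN = 32` in include/linux/workqueue.h fixes the truncation but keeps the arrangement that caused it, two independent literals that have to match. A build-time assertion that WORKER_DESC_LEN is at least WQ_NAME_LEN, placed where both constants are visible, would stop the next name-length bump from reintroducing the truncation the commit message describes. Every fixed-size buffer declared with WORKER_DESC_LEN grows by 8 bytes with this change, which is worth a glance for on-stack users.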
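Review bot: with `WARN_ON(1)` gone, the `if (ret < 0)` branch in __xdp_reg_mem_model() returns ERR_PTR(ret) with nothing in the code saying why a warning is not wanted there; the argument that only allocation failure can reach it lives in the commit message alone. A short comment on that branch stating that __mem_id_init_hash_table() can fail only on allocation, because the rhashtable_params are static and valid, would keep the WARN from being reintroduced. The call trace shows the path is reachable from the bpf() syscall through bpf_prog_test_run_xdp(), so it is also worth confirming that the callers on that path handle the error return.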