From: Sasha Levin Date: Tue, 22 Oct 2024 17:39:25 +0000 (-0400) Subject: Fixes for 6.11 X-Git-Tag: v5.15.170~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9fbd51f274f7cefc1cbd7019681b5c1e69acb541;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.11 Signed-off-by: Sasha Levin --- diff --git a/queue-6.11/accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch b/queue-6.11/accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch new file mode 100644 index 00000000000..c7cd00d22b8 --- /dev/null +++ b/queue-6.11/accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch @@ -0,0 +1,74 @@ +From bc84fc504a03d21eebe1104aa2ab50556d540e5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 13:32:52 -0600 +Subject: accel/qaic: Fix the for loop used to walk SG table + +From: Pranjal Ramajor Asha Kanojiya + +[ Upstream commit c5e8e93897b7bb0a336bf3332f82f8d9f2b33f14 ] + +Only for_each_sgtable_dma_sg() should be used to walk through a SG table +to grab correct bus address and length pair after calling DMA MAP API on +a SG table as DMA MAP APIs updates the SG table and for_each_sgtable_sg() +walks through the original SG table. + +Fixes: ff13be830333 ("accel/qaic: Add datapath") +Fixes: 129776ac2e38 ("accel/qaic: Add control path") +Signed-off-by: Pranjal Ramajor Asha Kanojiya +Reviewed-by: Jeffrey Hugo +Signed-off-by: Jeffrey Hugo +Reviewed-by: Jacek Lawrynowicz +Link: https://patchwork.freedesktop.org/patch/msgid/20241004193252.3888544-1-quic_jhugo@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/accel/qaic/qaic_control.c | 2 +- + drivers/accel/qaic/qaic_data.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c +index 9e8a8cbadf6bb..d8bdab69f8009 100644 +--- a/drivers/accel/qaic/qaic_control.c ++++ b/drivers/accel/qaic/qaic_control.c +@@ -496,7 +496,7 @@ static int encode_addr_size_pairs(struct dma_xfer *xfer, struct wrapper_list *wr + nents = sgt->nents; + nents_dma = nents; + *size = QAIC_MANAGE_EXT_MSG_LENGTH - msg_hdr_len - sizeof(**out_trans); +- for_each_sgtable_sg(sgt, sg, i) { ++ for_each_sgtable_dma_sg(sgt, sg, i) { + *size -= sizeof(*asp); + /* Save 1K for possible follow-up transactions. */ + if (*size < SZ_1K) { +diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c +index e86e71c1cdd86..c20eb63750f51 100644 +--- a/drivers/accel/qaic/qaic_data.c ++++ b/drivers/accel/qaic/qaic_data.c +@@ -184,7 +184,7 @@ static int clone_range_of_sgt_for_slice(struct qaic_device *qdev, struct sg_tabl + nents = 0; + + size = size ? size : PAGE_SIZE; +- for (sg = sgt_in->sgl; sg; sg = sg_next(sg)) { ++ for_each_sgtable_dma_sg(sgt_in, sg, j) { + len = sg_dma_len(sg); + + if (!len) +@@ -221,7 +221,7 @@ static int clone_range_of_sgt_for_slice(struct qaic_device *qdev, struct sg_tabl + + /* copy relevant sg node and fix page and length */ + sgn = sgf; +- for_each_sgtable_sg(sgt, sg, j) { ++ for_each_sgtable_dma_sg(sgt, sg, j) { + memcpy(sg, sgn, sizeof(*sg)); + if (sgn == sgf) { + sg_dma_address(sg) += offf; +@@ -301,7 +301,7 @@ static int encode_reqs(struct qaic_device *qdev, struct bo_slice *slice, + * fence. + */ + dev_addr = req->dev_addr; +- for_each_sgtable_sg(slice->sgt, sg, i) { ++ for_each_sgtable_dma_sg(slice->sgt, sg, i) { + slice->reqs[i].cmd = cmd; + slice->reqs[i].src_addr = cpu_to_le64(slice->dir == DMA_TO_DEVICE ? + sg_dma_address(sg) : dev_addr); +-- +2.43.0 + diff --git a/queue-6.11/alsa-hda-cs8409-fix-possible-null-dereference.patch b/queue-6.11/alsa-hda-cs8409-fix-possible-null-dereference.patch new file mode 100644 index 00000000000..9e6dc5d89b0 --- /dev/null +++ b/queue-6.11/alsa-hda-cs8409-fix-possible-null-dereference.patch @@ -0,0 +1,45 @@ +From 3059a6b8b886a6aac94cd4a9b9a925c4a3c6a724 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 01:16:45 +0300 +Subject: ALSA: hda/cs8409: Fix possible NULL dereference + +From: Murad Masimov + +[ Upstream commit c9bd4a82b4ed32c6d1c90500a52063e6e341517f ] + +If snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then +NULL pointer dereference will occur in the next line. + +Since dolphin_fixups function is a hda_fixup function which is not supposed +to return any errors, add simple check before dereference, ignore the fail. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 20e507724113 ("ALSA: hda/cs8409: Add support for dolphin") +Signed-off-by: Murad Masimov +Link: https://patch.msgid.link/20241010221649.1305-1-m.masimov@maxima.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_cs8409.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_cs8409.c b/sound/pci/hda/patch_cs8409.c +index 26f3c31600d7b..614327218634c 100644 +--- a/sound/pci/hda/patch_cs8409.c ++++ b/sound/pci/hda/patch_cs8409.c +@@ -1403,8 +1403,9 @@ void dolphin_fixups(struct hda_codec *codec, const struct hda_fixup *fix, int ac + kctrl = snd_hda_gen_add_kctl(&spec->gen, "Line Out Playback Volume", + &cs42l42_dac_volume_mixer); + /* Update Line Out kcontrol template */ +- kctrl->private_value = HDA_COMPOSE_AMP_VAL_OFS(DOLPHIN_HP_PIN_NID, 3, CS8409_CODEC1, +- HDA_OUTPUT, CS42L42_VOL_DAC) | HDA_AMP_VAL_MIN_MUTE; ++ if (kctrl) ++ kctrl->private_value = HDA_COMPOSE_AMP_VAL_OFS(DOLPHIN_HP_PIN_NID, 3, CS8409_CODEC1, ++ HDA_OUTPUT, CS42L42_VOL_DAC) | HDA_AMP_VAL_MIN_MUTE; + cs8409_enable_ur(codec, 0); + snd_hda_codec_set_name(codec, "CS8409/CS42L42"); + break; +-- +2.43.0 + diff --git a/queue-6.11/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch b/queue-6.11/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch new file mode 100644 index 00000000000..aa12a47fe5f --- /dev/null +++ b/queue-6.11/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch @@ -0,0 +1,42 @@ +From 20c9385ef1475176849129f263e14a780d3b55c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jul 2024 02:03:11 +0300 +Subject: ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin + +From: Florian Klink + +[ Upstream commit dc7785e4723510616d776862ddb4c08857a1bdb2 ] + +HDMI_HPD_N_1V8 is connected to GPIO pin 0, not 1. + +This fixes HDMI hotplug/output detection. + +See https://datasheets.raspberrypi.com/cm/cm3-schematics.pdf + +Signed-off-by: Florian Klink +Reviewed-by: Stefan Wahren +Link: https://lore.kernel.org/r/20240715230311.685641-1-flokli@flokli.de +Reviewed-by: Stefan Wahren +Fixes: a54fe8a6cf66 ("ARM: dts: add Raspberry Pi Compute Module 3 and IO board") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts b/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts +index 72d26d130efaa..85f54fa595aa8 100644 +--- a/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts ++++ b/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts +@@ -77,7 +77,7 @@ + }; + + &hdmi { +- hpd-gpios = <&expgpio 1 GPIO_ACTIVE_LOW>; ++ hpd-gpios = <&expgpio 0 GPIO_ACTIVE_LOW>; + power-domains = <&power RPI_POWER_DOMAIN_HDMI>; + status = "okay"; + }; +-- +2.43.0 + diff --git a/queue-6.11/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch b/queue-6.11/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch new file mode 100644 index 00000000000..631f213a11d --- /dev/null +++ b/queue-6.11/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch @@ -0,0 +1,50 @@ +From 779fb1e6d02333838f4cd637583476ced5803d9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 17:07:08 +0800 +Subject: Bluetooth: bnep: fix wild-memory-access in proto_unregister + +From: Ye Bin + +[ Upstream commit 64a90991ba8d4e32e3173ddd83d0b24167a5668c ] + +There's issue as follows: + KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f] + CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W + RIP: 0010:proto_unregister+0xee/0x400 + Call Trace: + + __do_sys_delete_module+0x318/0x580 + do_syscall_64+0xc1/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init() +will cleanup all resource. Then when remove bnep module will call +bnep_sock_cleanup() to cleanup sock's resource. +To solve above issue just return bnep_sock_init()'s return value in +bnep_exit(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Ye Bin +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/bnep/core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c +index ec45f77fce218..344e2e063be68 100644 +--- a/net/bluetooth/bnep/core.c ++++ b/net/bluetooth/bnep/core.c +@@ -745,8 +745,7 @@ static int __init bnep_init(void) + if (flt[0]) + BT_INFO("BNEP filters: %s", flt); + +- bnep_sock_init(); +- return 0; ++ return bnep_sock_init(); + } + + static void __exit bnep_exit(void) +-- +2.43.0 + diff --git a/queue-6.11/bpf-check-the-remaining-info_cnt-before-repeating-bt.patch b/queue-6.11/bpf-check-the-remaining-info_cnt-before-repeating-bt.patch new file mode 100644 index 00000000000..69d6af9a810 --- /dev/null +++ b/queue-6.11/bpf-check-the-remaining-info_cnt-before-repeating-bt.patch @@ -0,0 +1,102 @@ +From 5d6df866a454ac2c4a0b3353b77e2616a172c337 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 15:11:13 +0800 +Subject: bpf: Check the remaining info_cnt before repeating btf fields + +From: Hou Tao + +[ Upstream commit 797d73ee232dd1833dec4824bc53a22032e97c1c ] + +When trying to repeat the btf fields for array of nested struct, it +doesn't check the remaining info_cnt. The following splat will be +reported when the value of ret * nelems is greater than BTF_FIELDS_MAX: + + ------------[ cut here ]------------ + UBSAN: array-index-out-of-bounds in ../kernel/bpf/btf.c:3951:49 + index 11 is out of range for type 'btf_field_info [11]' + CPU: 6 UID: 0 PID: 411 Comm: test_progs ...... 6.11.0-rc4+ #1 + Tainted: [O]=OOT_MODULE + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ... + Call Trace: + + dump_stack_lvl+0x57/0x70 + dump_stack+0x10/0x20 + ubsan_epilogue+0x9/0x40 + __ubsan_handle_out_of_bounds+0x6f/0x80 + ? kallsyms_lookup_name+0x48/0xb0 + btf_parse_fields+0x992/0xce0 + map_create+0x591/0x770 + __sys_bpf+0x229/0x2410 + __x64_sys_bpf+0x1f/0x30 + x64_sys_call+0x199/0x9f0 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + RIP: 0033:0x7fea56f2cc5d + ...... + + ---[ end trace ]--- + +Fix it by checking the remaining info_cnt in btf_repeat_fields() before +repeating the btf fields. + +Fixes: 64e8ee814819 ("bpf: look into the types of the fields of a struct type recursively.") +Signed-off-by: Hou Tao +Acked-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20241008071114.3718177-2-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index 9b068afd17953..5f4f1d0bc23a4 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -3528,7 +3528,7 @@ static int btf_get_field_type(const struct btf *btf, const struct btf_type *var_ + * (i + 1) * elem_size + * where i is the repeat index and elem_size is the size of an element. + */ +-static int btf_repeat_fields(struct btf_field_info *info, ++static int btf_repeat_fields(struct btf_field_info *info, int info_cnt, + u32 field_cnt, u32 repeat_cnt, u32 elem_size) + { + u32 i, j; +@@ -3548,6 +3548,12 @@ static int btf_repeat_fields(struct btf_field_info *info, + } + } + ++ /* The type of struct size or variable size is u32, ++ * so the multiplication will not overflow. ++ */ ++ if (field_cnt * (repeat_cnt + 1) > info_cnt) ++ return -E2BIG; ++ + cur = field_cnt; + for (i = 0; i < repeat_cnt; i++) { + memcpy(&info[cur], &info[0], field_cnt * sizeof(info[0])); +@@ -3592,7 +3598,7 @@ static int btf_find_nested_struct(const struct btf *btf, const struct btf_type * + info[i].off += off; + + if (nelems > 1) { +- err = btf_repeat_fields(info, ret, nelems - 1, t->size); ++ err = btf_repeat_fields(info, info_cnt, ret, nelems - 1, t->size); + if (err == 0) + ret *= nelems; + else +@@ -3686,10 +3692,10 @@ static int btf_find_field_one(const struct btf *btf, + + if (ret == BTF_FIELD_IGNORE) + return 0; +- if (nelems > info_cnt) ++ if (!info_cnt) + return -E2BIG; + if (nelems > 1) { +- ret = btf_repeat_fields(info, 1, nelems - 1, sz); ++ ret = btf_repeat_fields(info, info_cnt, 1, nelems - 1, sz); + if (ret < 0) + return ret; + } +-- +2.43.0 + diff --git a/queue-6.11/bpf-devmap-provide-rxq-after-redirect.patch b/queue-6.11/bpf-devmap-provide-rxq-after-redirect.patch new file mode 100644 index 00000000000..e4a793aa142 --- /dev/null +++ b/queue-6.11/bpf-devmap-provide-rxq-after-redirect.patch @@ -0,0 +1,156 @@ +From 8a062d1f775d23c6a4b0c4fc49960bd97075cb9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 10:41:18 +0200 +Subject: bpf: devmap: provide rxq after redirect +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Kauer + +[ Upstream commit ca9984c5f0ab3690d98b13937b2485a978c8dd73 ] + +rxq contains a pointer to the device from where +the redirect happened. Currently, the BPF program +that was executed after a redirect via BPF_MAP_TYPE_DEVMAP* +does not have it set. + +This is particularly bad since accessing ingress_ifindex, e.g. + +SEC("xdp") +int prog(struct xdp_md *pkt) +{ + return bpf_redirect_map(&dev_redirect_map, 0, 0); +} + +SEC("xdp/devmap") +int prog_after_redirect(struct xdp_md *pkt) +{ + bpf_printk("ifindex %i", pkt->ingress_ifindex); + return XDP_PASS; +} + +depends on access to rxq, so a NULL pointer gets dereferenced: + +<1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000 +<1>[ 574.475188] #PF: supervisor read access in kernel mode +<1>[ 574.475194] #PF: error_code(0x0000) - not-present page +<6>[ 574.475199] PGD 0 P4D 0 +<4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +<4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23 +<4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023 +<4>[ 574.475231] Workqueue: mld mld_ifc_work +<4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c +<4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b +<4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206 +<4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000 +<4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0 +<4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001 +<4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000 +<4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000 +<4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000 +<4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +<4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0 +<4>[ 574.475303] PKRU: 55555554 +<4>[ 574.475306] Call Trace: +<4>[ 574.475313] +<4>[ 574.475318] ? __die+0x23/0x70 +<4>[ 574.475329] ? page_fault_oops+0x180/0x4c0 +<4>[ 574.475339] ? skb_pp_cow_data+0x34c/0x490 +<4>[ 574.475346] ? kmem_cache_free+0x257/0x280 +<4>[ 574.475357] ? exc_page_fault+0x67/0x150 +<4>[ 574.475368] ? asm_exc_page_fault+0x26/0x30 +<4>[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c +<4>[ 574.475386] bq_xmit_all+0x158/0x420 +<4>[ 574.475397] __dev_flush+0x30/0x90 +<4>[ 574.475407] veth_poll+0x216/0x250 [veth] +<4>[ 574.475421] __napi_poll+0x28/0x1c0 +<4>[ 574.475430] net_rx_action+0x32d/0x3a0 +<4>[ 574.475441] handle_softirqs+0xcb/0x2c0 +<4>[ 574.475451] do_softirq+0x40/0x60 +<4>[ 574.475458] +<4>[ 574.475461] +<4>[ 574.475464] __local_bh_enable_ip+0x66/0x70 +<4>[ 574.475471] __dev_queue_xmit+0x268/0xe40 +<4>[ 574.475480] ? selinux_ip_postroute+0x213/0x420 +<4>[ 574.475491] ? alloc_skb_with_frags+0x4a/0x1d0 +<4>[ 574.475502] ip6_finish_output2+0x2be/0x640 +<4>[ 574.475512] ? nf_hook_slow+0x42/0xf0 +<4>[ 574.475521] ip6_finish_output+0x194/0x300 +<4>[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10 +<4>[ 574.475538] mld_sendpack+0x17c/0x240 +<4>[ 574.475548] mld_ifc_work+0x192/0x410 +<4>[ 574.475557] process_one_work+0x15d/0x380 +<4>[ 574.475566] worker_thread+0x29d/0x3a0 +<4>[ 574.475573] ? __pfx_worker_thread+0x10/0x10 +<4>[ 574.475580] ? __pfx_worker_thread+0x10/0x10 +<4>[ 574.475587] kthread+0xcd/0x100 +<4>[ 574.475597] ? __pfx_kthread+0x10/0x10 +<4>[ 574.475606] ret_from_fork+0x31/0x50 +<4>[ 574.475615] ? __pfx_kthread+0x10/0x10 +<4>[ 574.475623] ret_from_fork_asm+0x1a/0x30 +<4>[ 574.475635] +<4>[ 574.475637] Modules linked in: veth br_netfilter bridge stp llc iwlmvm x86_pkg_temp_thermal iwlwifi efivarfs nvme nvme_core +<4>[ 574.475662] CR2: 0000000000000000 +<4>[ 574.475668] ---[ end trace 0000000000000000 ]--- + +Therefore, provide it to the program by setting rxq properly. + +Fixes: cb261b594b41 ("bpf: Run devmap xdp_prog on flush instead of bulk enqueue") +Reviewed-by: Toke Høiland-Jørgensen +Signed-off-by: Florian Kauer +Acked-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20240911-devel-koalo-fix-ingress-ifindex-v4-1-5c643ae10258@linutronix.de +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/devmap.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c +index 9e0e3b0a18e40..7878be18e9d26 100644 +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -333,9 +333,11 @@ static int dev_map_hash_get_next_key(struct bpf_map *map, void *key, + + static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog, + struct xdp_frame **frames, int n, +- struct net_device *dev) ++ struct net_device *tx_dev, ++ struct net_device *rx_dev) + { +- struct xdp_txq_info txq = { .dev = dev }; ++ struct xdp_txq_info txq = { .dev = tx_dev }; ++ struct xdp_rxq_info rxq = { .dev = rx_dev }; + struct xdp_buff xdp; + int i, nframes = 0; + +@@ -346,6 +348,7 @@ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog, + + xdp_convert_frame_to_buff(xdpf, &xdp); + xdp.txq = &txq; ++ xdp.rxq = &rxq; + + act = bpf_prog_run_xdp(xdp_prog, &xdp); + switch (act) { +@@ -360,7 +363,7 @@ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog, + bpf_warn_invalid_xdp_action(NULL, xdp_prog, act); + fallthrough; + case XDP_ABORTED: +- trace_xdp_exception(dev, xdp_prog, act); ++ trace_xdp_exception(tx_dev, xdp_prog, act); + fallthrough; + case XDP_DROP: + xdp_return_frame_rx_napi(xdpf); +@@ -388,7 +391,7 @@ static void bq_xmit_all(struct xdp_dev_bulk_queue *bq, u32 flags) + } + + if (bq->xdp_prog) { +- to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q, cnt, dev); ++ to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q, cnt, dev, bq->dev_rx); + if (!to_send) + goto out; + } +-- +2.43.0 + diff --git a/queue-6.11/bpf-fix-incorrect-delta-propagation-between-linked-r.patch b/queue-6.11/bpf-fix-incorrect-delta-propagation-between-linked-r.patch new file mode 100644 index 00000000000..cf9694e398b --- /dev/null +++ b/queue-6.11/bpf-fix-incorrect-delta-propagation-between-linked-r.patch @@ -0,0 +1,114 @@ +From 6da093ffea5f2c012912f0de40eeb879399a22f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 15:49:11 +0200 +Subject: bpf: Fix incorrect delta propagation between linked registers + +From: Daniel Borkmann + +[ Upstream commit 3878ae04e9fc24dacb77a1d32bd87e7d8108599e ] + +Nathaniel reported a bug in the linked scalar delta tracking, which can lead +to accepting a program with OOB access. The specific code is related to the +sync_linked_regs() function and the BPF_ADD_CONST flag, which signifies a +constant offset between two scalar registers tracked by the same register id. + +The verifier attempts to track "similar" scalars in order to propagate bounds +information learned about one scalar to others. For instance, if r1 and r2 +are known to contain the same value, then upon encountering 'if (r1 != 0x1234) +goto xyz', not only does it know that r1 is equal to 0x1234 on the path where +that conditional jump is not taken, it also knows that r2 is. + +Additionally, with env->bpf_capable set, the verifier will track scalars +which should be a constant delta apart (if r1 is known to be one greater than +r2, then if r1 is known to be equal to 0x1234, r2 must be equal to 0x1233.) +The code path for the latter in adjust_reg_min_max_vals() is reached when +processing both 32 and 64-bit addition operations. While adjust_reg_min_max_vals() +knows whether dst_reg was produced by a 32 or a 64-bit addition (based on the +alu32 bool), the only information saved in dst_reg is the id of the source +register (reg->id, or'ed by BPF_ADD_CONST) and the value of the constant +offset (reg->off). + +Later, the function sync_linked_regs() will attempt to use this information +to propagate bounds information from one register (known_reg) to others, +meaning, for all R in linked_regs, it copies known_reg range (and possibly +adjusting delta) into R for the case of R->id == known_reg->id. + +For the delta adjustment, meaning, matching reg->id with BPF_ADD_CONST, the +verifier adjusts the register as reg = known_reg; reg += delta where delta +is computed as (s32)reg->off - (s32)known_reg->off and placed as a scalar +into a fake_reg to then simulate the addition of reg += fake_reg. This is +only correct, however, if the value in reg was created by a 64-bit addition. +When reg contains the result of a 32-bit addition operation, its upper 32 +bits will always be zero. sync_linked_regs() on the other hand, may cause +the verifier to believe that the addition between fake_reg and reg overflows +into those upper bits. For example, if reg was generated by adding the +constant 1 to known_reg using a 32-bit alu operation, then reg->off is 1 +and known_reg->off is 0. If known_reg is known to be the constant 0xFFFFFFFF, +sync_linked_regs() will tell the verifier that reg is equal to the constant +0x100000000. This is incorrect as the actual value of reg will be 0, as the +32-bit addition will wrap around. + +Example: + + 0: (b7) r0 = 0; R0_w=0 + 1: (18) r1 = 0x80000001; R1_w=0x80000001 + 3: (37) r1 /= 1; R1_w=scalar() + 4: (bf) r2 = r1; R1_w=scalar(id=1) R2_w=scalar(id=1) + 5: (bf) r4 = r1; R1_w=scalar(id=1) R4_w=scalar(id=1) + 6: (04) w2 += 2147483647; R2_w=scalar(id=1+2147483647,smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff)) + 7: (04) w4 += 0 ; R4_w=scalar(id=1+0,smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff)) + 8: (15) if r2 == 0x0 goto pc+1 + 10: R0=0 R1=0xffffffff80000001 R2=0x7fffffff R4=0xffffffff80000001 R10=fp0 + +What can be seen here is that r1 is copied to r2 and r4, such that {r1,r2,r4}.id +are all the same which later lets sync_linked_regs() to be invoked. Then, in +a next step constants are added with alu32 to r2 and r4, setting their ->off, +as well as id |= BPF_ADD_CONST. Next, the conditional will bind r2 and +propagate ranges to its linked registers. The verifier now believes the upper +32 bits of r4 are r4=0xffffffff80000001, while actually r4=r1=0x80000001. + +One approach for a simple fix suitable also for stable is to limit the constant +delta tracking to only 64-bit alu addition. If necessary at some later point, +BPF_ADD_CONST could be split into BPF_ADD_CONST64 and BPF_ADD_CONST32 to avoid +mixing the two under the tradeoff to further complicate sync_linked_regs(). +However, none of the added tests from dedf56d775c0 ("selftests/bpf: Add tests +for add_const") make this necessary at this point, meaning, BPF CI also passes +with just limiting tracking to 64-bit alu addition. + +Fixes: 98d7ca374ba4 ("bpf: Track delta between "linked" registers.") +Reported-by: Nathaniel Theis +Signed-off-by: Daniel Borkmann +Signed-off-by: Andrii Nakryiko +Reviewed-by: Eduard Zingerman +Link: https://lore.kernel.org/bpf/20241016134913.32249-1-daniel@iogearbox.net +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 42d6bc5392757..5b8b1d0e76cf1 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -14136,12 +14136,13 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, + * r1 += 0x1 + * if r2 < 1000 goto ... + * use r1 in memory access +- * So remember constant delta between r2 and r1 and update r1 after +- * 'if' condition. ++ * So for 64-bit alu remember constant delta between r2 and r1 and ++ * update r1 after 'if' condition. + */ +- if (env->bpf_capable && BPF_OP(insn->code) == BPF_ADD && +- dst_reg->id && is_reg_const(src_reg, alu32)) { +- u64 val = reg_const_value(src_reg, alu32); ++ if (env->bpf_capable && ++ BPF_OP(insn->code) == BPF_ADD && !alu32 && ++ dst_reg->id && is_reg_const(src_reg, false)) { ++ u64 val = reg_const_value(src_reg, false); + + if ((dst_reg->id & BPF_ADD_CONST) || + /* prevent overflow in find_equal_scalars() later */ +-- +2.43.0 + diff --git a/queue-6.11/bpf-fix-iter-task-tid-filtering.patch b/queue-6.11/bpf-fix-iter-task-tid-filtering.patch new file mode 100644 index 00000000000..2460aad7b6f --- /dev/null +++ b/queue-6.11/bpf-fix-iter-task-tid-filtering.patch @@ -0,0 +1,40 @@ +From 044684dcd5a3998c97542b44eff2a8226b9b1a03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 14:00:47 -0700 +Subject: bpf: Fix iter/task tid filtering + +From: Jordan Rome + +[ Upstream commit 9495a5b731fcaf580448a3438d63601c88367661 ] + +In userspace, you can add a tid filter by setting +the "task.tid" field for "bpf_iter_link_info". +However, `get_pid_task` when called for the +`BPF_TASK_ITER_TID` type should have been using +`PIDTYPE_PID` (tid) instead of `PIDTYPE_TGID` (pid). + +Fixes: f0d74c4da1f0 ("bpf: Parameterize task iterators.") +Signed-off-by: Jordan Rome +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20241016210048.1213935-1-linux@jordanrome.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/task_iter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c +index 02aa9db8d7961..5af9e130e500f 100644 +--- a/kernel/bpf/task_iter.c ++++ b/kernel/bpf/task_iter.c +@@ -99,7 +99,7 @@ static struct task_struct *task_seq_get_next(struct bpf_iter_seq_task_common *co + rcu_read_lock(); + pid = find_pid_ns(common->pid, common->ns); + if (pid) { +- task = get_pid_task(pid, PIDTYPE_TGID); ++ task = get_pid_task(pid, PIDTYPE_PID); + *tid = common->pid; + } + rcu_read_unlock(); +-- +2.43.0 + diff --git a/queue-6.11/bpf-fix-kfunc-btf-caching-for-modules.patch b/queue-6.11/bpf-fix-kfunc-btf-caching-for-modules.patch new file mode 100644 index 00000000000..f47c671b8c7 --- /dev/null +++ b/queue-6.11/bpf-fix-kfunc-btf-caching-for-modules.patch @@ -0,0 +1,82 @@ +From 2cf822c5a1530459071ddb8a5d6a32c05d57e3d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 15:27:07 +0200 +Subject: bpf: fix kfunc btf caching for modules +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 6cb86a0fdece87e126323ec1bb19deb16a52aedf ] + +The verifier contains a cache for looking up module BTF objects when +calling kfuncs defined in modules. This cache uses a 'struct +bpf_kfunc_btf_tab', which contains a sorted list of BTF objects that +were already seen in the current verifier run, and the BTF objects are +looked up by the offset stored in the relocated call instruction using +bsearch(). + +The first time a given offset is seen, the module BTF is loaded from the +file descriptor passed in by libbpf, and stored into the cache. However, +there's a bug in the code storing the new entry: it stores a pointer to +the new cache entry, then calls sort() to keep the cache sorted for the +next lookup using bsearch(), and then returns the entry that was just +stored through the stored pointer. However, because sort() modifies the +list of entries in place *by value*, the stored pointer may no longer +point to the right entry, in which case the wrong BTF object will be +returned. + +The end result of this is an intermittent bug where, if a BPF program +calls two functions with the same signature in two different modules, +the function from the wrong module may sometimes end up being called. +Whether this happens depends on the order of the calls in the BPF +program (as that affects whether sort() reorders the array of BTF +objects), making it especially hard to track down. Simon, credited as +reporter below, spent significant effort analysing and creating a +reproducer for this issue. The reproducer is added as a selftest in a +subsequent patch. + +The fix is straight forward: simply don't use the stored pointer after +calling sort(). Since we already have an on-stack pointer to the BTF +object itself at the point where the function return, just use that, and +populate it from the cache entry in the branch where the lookup +succeeds. + +Fixes: 2357672c54c3 ("bpf: Introduce BPF support for kernel module function calls") +Reported-by: Simon Sundberg +Acked-by: Jiri Olsa +Acked-by: Kumar Kartikeya Dwivedi +Signed-off-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20241010-fix-kfunc-btf-caching-for-modules-v2-1-745af6c1af98@redhat.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 5c5dea5e137e7..a8d49b2b58e1e 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2715,10 +2715,16 @@ static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env, + b->module = mod; + b->offset = offset; + ++ /* sort() reorders entries by value, so b may no longer point ++ * to the right entry after this ++ */ + sort(tab->descs, tab->nr_descs, sizeof(tab->descs[0]), + kfunc_btf_cmp_by_off, NULL); ++ } else { ++ btf = b->btf; + } +- return b->btf; ++ ++ return btf; + } + + void bpf_free_kfunc_btf_tab(struct bpf_kfunc_btf_tab *tab) +-- +2.43.0 + diff --git a/queue-6.11/bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch b/queue-6.11/bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch new file mode 100644 index 00000000000..33d39f32cc0 --- /dev/null +++ b/queue-6.11/bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch @@ -0,0 +1,44 @@ +From 547f3ac4a0f509ac9c0977c5fed8da30dd141427 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 19:32:51 +0000 +Subject: bpf: Fix link info netfilter flags to populate defrag flag + +From: Tyrone Wu + +[ Upstream commit 92f3715e1eba1d41e55be06159dc3d856b18326d ] + +This fix correctly populates the `bpf_link_info.netfilter.flags` field +when user passes the `BPF_F_NETFILTER_IP_DEFRAG` flag. + +Fixes: 91721c2d02d3 ("netfilter: bpf: Support BPF_F_NETFILTER_IP_DEFRAG in netfilter link") +Signed-off-by: Tyrone Wu +Signed-off-by: Daniel Borkmann +Acked-by: Florian Westphal +Cc: Daniel Xu +Link: https://lore.kernel.org/bpf/20241011193252.178997-1-wudevelops@gmail.com +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_bpf_link.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c +index 5257d5e7eb09d..797fe8a9971e7 100644 +--- a/net/netfilter/nf_bpf_link.c ++++ b/net/netfilter/nf_bpf_link.c +@@ -150,11 +150,12 @@ static int bpf_nf_link_fill_link_info(const struct bpf_link *link, + struct bpf_link_info *info) + { + struct bpf_nf_link *nf_link = container_of(link, struct bpf_nf_link, link); ++ const struct nf_defrag_hook *hook = nf_link->defrag_hook; + + info->netfilter.pf = nf_link->hook_ops.pf; + info->netfilter.hooknum = nf_link->hook_ops.hooknum; + info->netfilter.priority = nf_link->hook_ops.priority; +- info->netfilter.flags = 0; ++ info->netfilter.flags = hook ? BPF_F_NETFILTER_IP_DEFRAG : 0; + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.11/bpf-fix-memory-leak-in-bpf_core_apply.patch b/queue-6.11/bpf-fix-memory-leak-in-bpf_core_apply.patch new file mode 100644 index 00000000000..4802a665fc7 --- /dev/null +++ b/queue-6.11/bpf-fix-memory-leak-in-bpf_core_apply.patch @@ -0,0 +1,36 @@ +From 1ef4c7cc9f30db21d34ab8126764c58682e0a103 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 18:09:58 +0200 +Subject: bpf: Fix memory leak in bpf_core_apply + +From: Jiri Olsa + +[ Upstream commit 45126b155e3b5201179cdc038504bf93a8ccd921 ] + +We need to free specs properly. + +Fixes: 3d2786d65aaa ("bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos") +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Acked-by: Eduard Zingerman +Link: https://lore.kernel.org/bpf/20241007160958.607434-1-jolsa@kernel.org +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index 7783b16b87cfe..9b068afd17953 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -8905,6 +8905,7 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo, + if (!type) { + bpf_log(ctx->log, "relo #%u: bad type id %u\n", + relo_idx, relo->type_id); ++ kfree(specs); + return -EINVAL; + } + +-- +2.43.0 + diff --git a/queue-6.11/bpf-fix-print_reg_state-s-constant-scalar-dump.patch b/queue-6.11/bpf-fix-print_reg_state-s-constant-scalar-dump.patch new file mode 100644 index 00000000000..24dd0b47e4f --- /dev/null +++ b/queue-6.11/bpf-fix-print_reg_state-s-constant-scalar-dump.patch @@ -0,0 +1,41 @@ +From 87076f4a0662631bcf9d3cda08f1c65be8708e7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 15:49:12 +0200 +Subject: bpf: Fix print_reg_state's constant scalar dump + +From: Daniel Borkmann + +[ Upstream commit 3e9e708757ca3b7eb65a820031d62fea1a265709 ] + +print_reg_state() should not consider adding reg->off to reg->var_off.value +when dumping scalars. Scalars can be produced with reg->off != 0 through +BPF_ADD_CONST, and thus as-is this can skew the register log dump. + +Fixes: 98d7ca374ba4 ("bpf: Track delta between "linked" registers.") +Reported-by: Nathaniel Theis +Signed-off-by: Daniel Borkmann +Signed-off-by: Andrii Nakryiko +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20241016134913.32249-2-daniel@iogearbox.net +Signed-off-by: Sasha Levin +--- + kernel/bpf/log.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c +index 5aebfc3051e3a..4a858fdb6476f 100644 +--- a/kernel/bpf/log.c ++++ b/kernel/bpf/log.c +@@ -688,8 +688,7 @@ static void print_reg_state(struct bpf_verifier_env *env, + if (t == SCALAR_VALUE && reg->precise) + verbose(env, "P"); + if (t == SCALAR_VALUE && tnum_is_const(reg->var_off)) { +- /* reg->off should be 0 for SCALAR_VALUE */ +- verbose_snum(env, reg->var_off.value + reg->off); ++ verbose_snum(env, reg->var_off.value); + return; + } + +-- +2.43.0 + diff --git a/queue-6.11/bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch b/queue-6.11/bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch new file mode 100644 index 00000000000..9cf8bc643b1 --- /dev/null +++ b/queue-6.11/bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch @@ -0,0 +1,67 @@ +From 21cfd4e2edc6152d0c1638c154e300e280356f3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 15:11:53 +0300 +Subject: bpf: Fix truncation bug in coerce_reg_to_size_sx() + +From: Dimitar Kanaliev + +[ Upstream commit ae67b9fb8c4e981e929a665dcaa070f4b05ebdb4 ] + +coerce_reg_to_size_sx() updates the register state after a sign-extension +operation. However, there's a bug in the assignment order of the unsigned +min/max values, leading to incorrect truncation: + + 0: (85) call bpf_get_prandom_u32#7 ; R0_w=scalar() + 1: (57) r0 &= 1 ; R0_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1,var_off=(0x0; 0x1)) + 2: (07) r0 += 254 ; R0_w=scalar(smin=umin=smin32=umin32=254,smax=umax=smax32=umax32=255,var_off=(0xfe; 0x1)) + 3: (bf) r0 = (s8)r0 ; R0_w=scalar(smin=smin32=-2,smax=smax32=-1,umin=umin32=0xfffffffe,umax=0xffffffff,var_off=(0xfffffffffffffffe; 0x1)) + +In the current implementation, the unsigned 32-bit min/max values +(u32_min_value and u32_max_value) are assigned directly from the 64-bit +signed min/max values (s64_min and s64_max): + + reg->umin_value = reg->u32_min_value = s64_min; + reg->umax_value = reg->u32_max_value = s64_max; + +Due to the chain assigmnent, this is equivalent to: + + reg->u32_min_value = s64_min; // Unintended truncation + reg->umin_value = reg->u32_min_value; + reg->u32_max_value = s64_max; // Unintended truncation + reg->umax_value = reg->u32_max_value; + +Fixes: 1f9a1ea821ff ("bpf: Support new sign-extension load insns") +Reported-by: Shung-Hsi Yu +Reported-by: Zac Ecob +Signed-off-by: Dimitar Kanaliev +Acked-by: Yonghong Song +Reviewed-by: Shung-Hsi Yu +Link: https://lore.kernel.org/r/20241014121155.92887-2-dimitar.kanaliev@siteground.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index a8d49b2b58e1e..42d6bc5392757 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -6255,10 +6255,10 @@ static void coerce_reg_to_size_sx(struct bpf_reg_state *reg, int size) + + /* both of s64_max/s64_min positive or negative */ + if ((s64_max >= 0) == (s64_min >= 0)) { +- reg->smin_value = reg->s32_min_value = s64_min; +- reg->smax_value = reg->s32_max_value = s64_max; +- reg->umin_value = reg->u32_min_value = s64_min; +- reg->umax_value = reg->u32_max_value = s64_max; ++ reg->s32_min_value = reg->smin_value = s64_min; ++ reg->s32_max_value = reg->smax_value = s64_max; ++ reg->u32_min_value = reg->umin_value = s64_min; ++ reg->u32_max_value = reg->umax_value = s64_max; + reg->var_off = tnum_range(s64_min, s64_max); + return; + } +-- +2.43.0 + diff --git a/queue-6.11/bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch b/queue-6.11/bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch new file mode 100644 index 00000000000..97f2865e427 --- /dev/null +++ b/queue-6.11/bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch @@ -0,0 +1,128 @@ +From 6093d88d160ce418a9758ea0df282202142e12b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 16:43:11 +0000 +Subject: bpf: fix unpopulated name_len field in perf_event link info + +From: Tyrone Wu + +[ Upstream commit 4deecdd29cf29844c7bd164d72dc38d2e672f64e ] + +Previously when retrieving `bpf_link_info.perf_event` for +kprobe/uprobe/tracepoint, the `name_len` field was not populated by the +kernel, leaving it to reflect the value initially set by the user. This +behavior was inconsistent with how other input/output string buffer +fields function (e.g. `raw_tracepoint.tp_name_len`). + +This patch fills `name_len` with the actual size of the string name. + +Fixes: 1b715e1b0ec5 ("bpf: Support ->fill_link_info for perf_event") +Signed-off-by: Tyrone Wu +Acked-by: Jiri Olsa +Acked-by: Yafang Shao +Link: https://lore.kernel.org/r/20241008164312.46269-1-wudevelops@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 21fb9c4d498fb..26e69d4fc3dad 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -3636,15 +3636,16 @@ static void bpf_perf_link_dealloc(struct bpf_link *link) + } + + static int bpf_perf_link_fill_common(const struct perf_event *event, +- char __user *uname, u32 ulen, ++ char __user *uname, u32 *ulenp, + u64 *probe_offset, u64 *probe_addr, + u32 *fd_type, unsigned long *missed) + { + const char *buf; +- u32 prog_id; ++ u32 prog_id, ulen; + size_t len; + int err; + ++ ulen = *ulenp; + if (!ulen ^ !uname) + return -EINVAL; + +@@ -3652,10 +3653,17 @@ static int bpf_perf_link_fill_common(const struct perf_event *event, + probe_offset, probe_addr, missed); + if (err) + return err; ++ ++ if (buf) { ++ len = strlen(buf); ++ *ulenp = len + 1; ++ } else { ++ *ulenp = 1; ++ } + if (!uname) + return 0; ++ + if (buf) { +- len = strlen(buf); + err = bpf_copy_to_user(uname, buf, ulen, len); + if (err) + return err; +@@ -3680,7 +3688,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event, + + uname = u64_to_user_ptr(info->perf_event.kprobe.func_name); + ulen = info->perf_event.kprobe.name_len; +- err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr, ++ err = bpf_perf_link_fill_common(event, uname, &ulen, &offset, &addr, + &type, &missed); + if (err) + return err; +@@ -3688,7 +3696,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event, + info->perf_event.type = BPF_PERF_EVENT_KRETPROBE; + else + info->perf_event.type = BPF_PERF_EVENT_KPROBE; +- ++ info->perf_event.kprobe.name_len = ulen; + info->perf_event.kprobe.offset = offset; + info->perf_event.kprobe.missed = missed; + if (!kallsyms_show_value(current_cred())) +@@ -3710,7 +3718,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event, + + uname = u64_to_user_ptr(info->perf_event.uprobe.file_name); + ulen = info->perf_event.uprobe.name_len; +- err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr, ++ err = bpf_perf_link_fill_common(event, uname, &ulen, &offset, &addr, + &type, NULL); + if (err) + return err; +@@ -3719,6 +3727,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event, + info->perf_event.type = BPF_PERF_EVENT_URETPROBE; + else + info->perf_event.type = BPF_PERF_EVENT_UPROBE; ++ info->perf_event.uprobe.name_len = ulen; + info->perf_event.uprobe.offset = offset; + info->perf_event.uprobe.cookie = event->bpf_cookie; + return 0; +@@ -3744,12 +3753,18 @@ static int bpf_perf_link_fill_tracepoint(const struct perf_event *event, + { + char __user *uname; + u32 ulen; ++ int err; + + uname = u64_to_user_ptr(info->perf_event.tracepoint.tp_name); + ulen = info->perf_event.tracepoint.name_len; ++ err = bpf_perf_link_fill_common(event, uname, &ulen, NULL, NULL, NULL, NULL); ++ if (err) ++ return err; ++ + info->perf_event.type = BPF_PERF_EVENT_TRACEPOINT; ++ info->perf_event.tracepoint.name_len = ulen; + info->perf_event.tracepoint.cookie = event->bpf_cookie; +- return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL, NULL); ++ return 0; + } + + static int bpf_perf_link_fill_perf_event(const struct perf_event *event, +-- +2.43.0 + diff --git a/queue-6.11/bpf-fix-unpopulated-path_size-when-uprobe_multi-fiel.patch b/queue-6.11/bpf-fix-unpopulated-path_size-when-uprobe_multi-fiel.patch new file mode 100644 index 00000000000..bdec6ddcb02 --- /dev/null +++ b/queue-6.11/bpf-fix-unpopulated-path_size-when-uprobe_multi-fiel.patch @@ -0,0 +1,88 @@ +From e37e857740314751fbcb4bf5218e6966bc46b19c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 00:08:02 +0000 +Subject: bpf: Fix unpopulated path_size when uprobe_multi fields unset + +From: Tyrone Wu + +[ Upstream commit ad6b5b6ea9b764018249285a4fe0a2226bef4caa ] + +Previously when retrieving `bpf_link_info.uprobe_multi` with `path` and +`path_size` fields unset, the `path_size` field is not populated +(remains 0). This behavior was inconsistent with how other input/output +string buffer fields work, as the field should be populated in cases +when: +- both buffer and length are set (currently works as expected) +- both buffer and length are unset (not working as expected) + +This patch now fills the `path_size` field when `path` and `path_size` +are unset. + +Fixes: e56fdbfb06e2 ("bpf: Add link_info support for uprobe multi link") +Signed-off-by: Tyrone Wu +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20241011000803.681190-1-wudevelops@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 36 +++++++++++++++++------------------- + 1 file changed, 17 insertions(+), 19 deletions(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index add26dc27d7e3..d9bc5ef1cafc3 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -3222,7 +3222,8 @@ static int bpf_uprobe_multi_link_fill_link_info(const struct bpf_link *link, + struct bpf_uprobe_multi_link *umulti_link; + u32 ucount = info->uprobe_multi.count; + int err = 0, i; +- long left; ++ char *p, *buf; ++ long left = 0; + + if (!upath ^ !upath_size) + return -EINVAL; +@@ -3236,26 +3237,23 @@ static int bpf_uprobe_multi_link_fill_link_info(const struct bpf_link *link, + info->uprobe_multi.pid = umulti_link->task ? + task_pid_nr_ns(umulti_link->task, task_active_pid_ns(current)) : 0; + +- if (upath) { +- char *p, *buf; +- +- upath_size = min_t(u32, upath_size, PATH_MAX); +- +- buf = kmalloc(upath_size, GFP_KERNEL); +- if (!buf) +- return -ENOMEM; +- p = d_path(&umulti_link->path, buf, upath_size); +- if (IS_ERR(p)) { +- kfree(buf); +- return PTR_ERR(p); +- } +- upath_size = buf + upath_size - p; +- left = copy_to_user(upath, p, upath_size); ++ upath_size = upath_size ? min_t(u32, upath_size, PATH_MAX) : PATH_MAX; ++ buf = kmalloc(upath_size, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ p = d_path(&umulti_link->path, buf, upath_size); ++ if (IS_ERR(p)) { + kfree(buf); +- if (left) +- return -EFAULT; +- info->uprobe_multi.path_size = upath_size; ++ return PTR_ERR(p); + } ++ upath_size = buf + upath_size - p; ++ ++ if (upath) ++ left = copy_to_user(upath, p, upath_size); ++ kfree(buf); ++ if (left) ++ return -EFAULT; ++ info->uprobe_multi.path_size = upath_size; + + if (!uoffsets && !ucookies && !uref_ctr_offsets) + return 0; +-- +2.43.0 + diff --git a/queue-6.11/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch b/queue-6.11/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch new file mode 100644 index 00000000000..a19143993f7 --- /dev/null +++ b/queue-6.11/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch @@ -0,0 +1,103 @@ +From 9c555d2aae4d28bc57fd2743b6013581e1d7c0b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Sep 2024 14:56:24 +0200 +Subject: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 09d88791c7cd888d5195c84733caf9183dcfbd16 ] + +The bpf_redirect_info is shared between the SKB and XDP redirect paths, +and the two paths use the same numeric flag values in the ri->flags +field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that +if skb bpf_redirect_neigh() is used with a non-NULL params argument and, +subsequently, an XDP redirect is performed using the same +bpf_redirect_info struct, the XDP path will get confused and end up +crashing, which syzbot managed to trigger. + +With the stack-allocated bpf_redirect_info, the structure is no longer +shared between the SKB and XDP paths, so the crash doesn't happen +anymore. However, different code paths using identically-numbered flag +values in the same struct field still seems like a bit of a mess, so +this patch cleans that up by moving the flag definitions together and +redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap +with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make +sure the overlap is not re-introduced by mistake. + +Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support") +Reported-by: syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Closes: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6 +Link: https://lore.kernel.org/bpf/20240920125625.59465-1-toke@redhat.com +Signed-off-by: Sasha Levin +--- + include/uapi/linux/bpf.h | 13 +++++-------- + net/core/filter.c | 8 +++++--- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index 35bcf52dbc652..fea4bca4066c1 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -6046,11 +6046,6 @@ enum { + BPF_F_MARK_ENFORCE = (1ULL << 6), + }; + +-/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */ +-enum { +- BPF_F_INGRESS = (1ULL << 0), +-}; +- + /* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */ + enum { + BPF_F_TUNINFO_IPV6 = (1ULL << 0), +@@ -6197,10 +6192,12 @@ enum { + BPF_F_BPRM_SECUREEXEC = (1ULL << 0), + }; + +-/* Flags for bpf_redirect_map helper */ ++/* Flags for bpf_redirect and bpf_redirect_map helpers */ + enum { +- BPF_F_BROADCAST = (1ULL << 3), +- BPF_F_EXCLUDE_INGRESS = (1ULL << 4), ++ BPF_F_INGRESS = (1ULL << 0), /* used for skb path */ ++ BPF_F_BROADCAST = (1ULL << 3), /* used for XDP path */ ++ BPF_F_EXCLUDE_INGRESS = (1ULL << 4), /* used for XDP path */ ++#define BPF_F_REDIRECT_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS) + }; + + #define __bpf_md_ptr(type, name) \ +diff --git a/net/core/filter.c b/net/core/filter.c +index 0e719c7c43bb7..b7a5f525e65b8 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2437,9 +2437,9 @@ static int __bpf_redirect_neigh(struct sk_buff *skb, struct net_device *dev, + + /* Internal, non-exposed redirect flags. */ + enum { +- BPF_F_NEIGH = (1ULL << 1), +- BPF_F_PEER = (1ULL << 2), +- BPF_F_NEXTHOP = (1ULL << 3), ++ BPF_F_NEIGH = (1ULL << 16), ++ BPF_F_PEER = (1ULL << 17), ++ BPF_F_NEXTHOP = (1ULL << 18), + #define BPF_F_REDIRECT_INTERNAL (BPF_F_NEIGH | BPF_F_PEER | BPF_F_NEXTHOP) + }; + +@@ -2449,6 +2449,8 @@ BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags) + struct sk_buff *clone; + int ret; + ++ BUILD_BUG_ON(BPF_F_REDIRECT_INTERNAL & BPF_F_REDIRECT_FLAGS); ++ + if (unlikely(flags & (~(BPF_F_INGRESS) | BPF_F_REDIRECT_INTERNAL))) + return -EINVAL; + +-- +2.43.0 + diff --git a/queue-6.11/bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch b/queue-6.11/bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch new file mode 100644 index 00000000000..56ec58059fa --- /dev/null +++ b/queue-6.11/bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch @@ -0,0 +1,83 @@ +From af58c2a5c6b69e2d5004375ea41fb85daf0579d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2024 18:26:39 +0200 +Subject: bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock + +From: Michal Luczaj + +[ Upstream commit 9c5bd93edf7b8834aecaa7c340b852d5990d7c78 ] + +Don't mislead the callers of bpf_{sk,msg}_redirect_{map,hash}(): make sure +to immediately and visibly fail the forwarding of unsupported af_vsock +packets. + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Signed-off-by: Michal Luczaj +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-1-d6577bbfe742@rbox.co +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 5 +++++ + net/core/sock_map.c | 8 ++++++++ + 2 files changed, 13 insertions(+) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 2d4149075091b..f127fc268a5ef 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2715,6 +2715,11 @@ static inline bool sk_is_stream_unix(const struct sock *sk) + return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM; + } + ++static inline bool sk_is_vsock(const struct sock *sk) ++{ ++ return sk->sk_family == AF_VSOCK; ++} ++ + /** + * sk_eat_skb - Release a skb if it is no longer needed + * @sk: socket to eat this skb from +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index 724b6856fcc3e..219fd8f1ca2a4 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -656,6 +656,8 @@ BPF_CALL_4(bpf_sk_redirect_map, struct sk_buff *, skb, + sk = __sock_map_lookup_elem(map, key); + if (unlikely(!sk || !sock_map_redirect_allowed(sk))) + return SK_DROP; ++ if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk)) ++ return SK_DROP; + + skb_bpf_set_redir(skb, sk, flags & BPF_F_INGRESS); + return SK_PASS; +@@ -684,6 +686,8 @@ BPF_CALL_4(bpf_msg_redirect_map, struct sk_msg *, msg, + return SK_DROP; + if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk)) + return SK_DROP; ++ if (sk_is_vsock(sk)) ++ return SK_DROP; + + msg->flags = flags; + msg->sk_redir = sk; +@@ -1258,6 +1262,8 @@ BPF_CALL_4(bpf_sk_redirect_hash, struct sk_buff *, skb, + sk = __sock_hash_lookup_elem(map, key); + if (unlikely(!sk || !sock_map_redirect_allowed(sk))) + return SK_DROP; ++ if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk)) ++ return SK_DROP; + + skb_bpf_set_redir(skb, sk, flags & BPF_F_INGRESS); + return SK_PASS; +@@ -1286,6 +1292,8 @@ BPF_CALL_4(bpf_msg_redirect_hash, struct sk_msg *, msg, + return SK_DROP; + if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk)) + return SK_DROP; ++ if (sk_is_vsock(sk)) ++ return SK_DROP; + + msg->flags = flags; + msg->sk_redir = sk; +-- +2.43.0 + diff --git a/queue-6.11/bpf-sync_linked_regs-must-preserve-subreg_def.patch b/queue-6.11/bpf-sync_linked_regs-must-preserve-subreg_def.patch new file mode 100644 index 00000000000..516c06a77b0 --- /dev/null +++ b/queue-6.11/bpf-sync_linked_regs-must-preserve-subreg_def.patch @@ -0,0 +1,79 @@ +From cdc3e4354d579cac65f644e226a8e79efe53cfb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 14:08:43 -0700 +Subject: bpf: sync_linked_regs() must preserve subreg_def + +From: Eduard Zingerman + +[ Upstream commit e9bd9c498cb0f5843996dbe5cbce7a1836a83c70 ] + +Range propagation must not affect subreg_def marks, otherwise the +following example is rewritten by verifier incorrectly when +BPF_F_TEST_RND_HI32 flag is set: + + 0: call bpf_ktime_get_ns call bpf_ktime_get_ns + 1: r0 &= 0x7fffffff after verifier r0 &= 0x7fffffff + 2: w1 = w0 rewrites w1 = w0 + 3: if w0 < 10 goto +0 --------------> r11 = 0x2f5674a6 (r) + 4: r1 >>= 32 r11 <<= 32 (r) + 5: r0 = r1 r1 |= r11 (r) + 6: exit; if w0 < 0xa goto pc+0 + r1 >>= 32 + r0 = r1 + exit + +(or zero extension of w1 at (2) is missing for architectures that + require zero extension for upper register half). + +The following happens w/o this patch: +- r0 is marked as not a subreg at (0); +- w1 is marked as subreg at (2); +- w1 subreg_def is overridden at (3) by copy_register_state(); +- w1 is read at (5) but mark_insn_zext() does not mark (2) + for zero extension, because w1 subreg_def is not set; +- because of BPF_F_TEST_RND_HI32 flag verifier inserts random + value for hi32 bits of (2) (marked (r)); +- this random value is read at (5). + +Fixes: 75748837b7e5 ("bpf: Propagate scalar ranges through register assignments.") +Reported-by: Lonial Con +Signed-off-by: Lonial Con +Signed-off-by: Eduard Zingerman +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Closes: https://lore.kernel.org/bpf/7e2aa30a62d740db182c170fdd8f81c596df280d.camel@gmail.com +Link: https://lore.kernel.org/bpf/20240924210844.1758441-1-eddyz87@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index d5215cb1747f1..5c5dea5e137e7 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -15140,8 +15140,12 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate, + continue; + if ((!(reg->id & BPF_ADD_CONST) && !(known_reg->id & BPF_ADD_CONST)) || + reg->off == known_reg->off) { ++ s32 saved_subreg_def = reg->subreg_def; ++ + copy_register_state(reg, known_reg); ++ reg->subreg_def = saved_subreg_def; + } else { ++ s32 saved_subreg_def = reg->subreg_def; + s32 saved_off = reg->off; + + fake_reg.type = SCALAR_VALUE; +@@ -15154,6 +15158,7 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate, + * otherwise another find_equal_scalars() will be incorrect. + */ + reg->off = saved_off; ++ reg->subreg_def = saved_subreg_def; + + scalar32_min_max_add(reg, &fake_reg); + scalar_min_max_add(reg, &fake_reg); +-- +2.43.0 + diff --git a/queue-6.11/bpf-use-raw_spinlock_t-in-ringbuf.patch b/queue-6.11/bpf-use-raw_spinlock_t-in-ringbuf.patch new file mode 100644 index 00000000000..84786fae039 --- /dev/null +++ b/queue-6.11/bpf-use-raw_spinlock_t-in-ringbuf.patch @@ -0,0 +1,113 @@ +From 6e42950105ee79c8fb3c5042982980302b840177 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Sep 2024 16:06:59 -0300 +Subject: bpf: Use raw_spinlock_t in ringbuf + +From: Wander Lairson Costa + +[ Upstream commit 8b62645b09f870d70c7910e7550289d444239a46 ] + +The function __bpf_ringbuf_reserve is invoked from a tracepoint, which +disables preemption. Using spinlock_t in this context can lead to a +"sleep in atomic" warning in the RT variant. This issue is illustrated +in the example below: + +BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 +in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 556208, name: test_progs +preempt_count: 1, expected: 0 +RCU nest depth: 1, expected: 1 +INFO: lockdep is turned off. +Preemption disabled at: +[] migrate_enable+0xc0/0x39c +CPU: 7 PID: 556208 Comm: test_progs Tainted: G +Hardware name: Qualcomm SA8775P Ride (DT) +Call trace: + dump_backtrace+0xac/0x130 + show_stack+0x1c/0x30 + dump_stack_lvl+0xac/0xe8 + dump_stack+0x18/0x30 + __might_resched+0x3bc/0x4fc + rt_spin_lock+0x8c/0x1a4 + __bpf_ringbuf_reserve+0xc4/0x254 + bpf_ringbuf_reserve_dynptr+0x5c/0xdc + bpf_prog_ac3d15160d62622a_test_read_write+0x104/0x238 + trace_call_bpf+0x238/0x774 + perf_call_bpf_enter.isra.0+0x104/0x194 + perf_syscall_enter+0x2f8/0x510 + trace_sys_enter+0x39c/0x564 + syscall_trace_enter+0x220/0x3c0 + do_el0_svc+0x138/0x1dc + el0_svc+0x54/0x130 + el0t_64_sync_handler+0x134/0x150 + el0t_64_sync+0x17c/0x180 + +Switch the spinlock to raw_spinlock_t to avoid this error. + +Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") +Reported-by: Brian Grech +Signed-off-by: Wander Lairson Costa +Signed-off-by: Wander Lairson Costa +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/r/20240920190700.617253-1-wander@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/ringbuf.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c +index e20b90c361316..de3b681d1d13d 100644 +--- a/kernel/bpf/ringbuf.c ++++ b/kernel/bpf/ringbuf.c +@@ -29,7 +29,7 @@ struct bpf_ringbuf { + u64 mask; + struct page **pages; + int nr_pages; +- spinlock_t spinlock ____cacheline_aligned_in_smp; ++ raw_spinlock_t spinlock ____cacheline_aligned_in_smp; + /* For user-space producer ring buffers, an atomic_t busy bit is used + * to synchronize access to the ring buffers in the kernel, rather than + * the spinlock that is used for kernel-producer ring buffers. This is +@@ -173,7 +173,7 @@ static struct bpf_ringbuf *bpf_ringbuf_alloc(size_t data_sz, int numa_node) + if (!rb) + return NULL; + +- spin_lock_init(&rb->spinlock); ++ raw_spin_lock_init(&rb->spinlock); + atomic_set(&rb->busy, 0); + init_waitqueue_head(&rb->waitq); + init_irq_work(&rb->work, bpf_ringbuf_notify); +@@ -421,10 +421,10 @@ static void *__bpf_ringbuf_reserve(struct bpf_ringbuf *rb, u64 size) + cons_pos = smp_load_acquire(&rb->consumer_pos); + + if (in_nmi()) { +- if (!spin_trylock_irqsave(&rb->spinlock, flags)) ++ if (!raw_spin_trylock_irqsave(&rb->spinlock, flags)) + return NULL; + } else { +- spin_lock_irqsave(&rb->spinlock, flags); ++ raw_spin_lock_irqsave(&rb->spinlock, flags); + } + + pend_pos = rb->pending_pos; +@@ -450,7 +450,7 @@ static void *__bpf_ringbuf_reserve(struct bpf_ringbuf *rb, u64 size) + */ + if (new_prod_pos - cons_pos > rb->mask || + new_prod_pos - pend_pos > rb->mask) { +- spin_unlock_irqrestore(&rb->spinlock, flags); ++ raw_spin_unlock_irqrestore(&rb->spinlock, flags); + return NULL; + } + +@@ -462,7 +462,7 @@ static void *__bpf_ringbuf_reserve(struct bpf_ringbuf *rb, u64 size) + /* pairs with consumer's smp_load_acquire() */ + smp_store_release(&rb->producer_pos, new_prod_pos); + +- spin_unlock_irqrestore(&rb->spinlock, flags); ++ raw_spin_unlock_irqrestore(&rb->spinlock, flags); + + return (void *)hdr + BPF_RINGBUF_HDR_SZ; + } +-- +2.43.0 + diff --git a/queue-6.11/bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch b/queue-6.11/bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch new file mode 100644 index 00000000000..7ed17cdb346 --- /dev/null +++ b/queue-6.11/bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch @@ -0,0 +1,45 @@ +From d9f38f348aecdbc97d431c17bd43bd543b60c6da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2024 18:26:42 +0200 +Subject: bpf, vsock: Drop static vsock_bpf_prot initialization + +From: Michal Luczaj + +[ Upstream commit 19039f279797efbe044cae41ee216c5fe481fc33 ] + +vsock_bpf_prot is set up at runtime. Remove the superfluous init. + +No functional change intended. + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Signed-off-by: Michal Luczaj +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-4-d6577bbfe742@rbox.co +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/vsock_bpf.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/net/vmw_vsock/vsock_bpf.c b/net/vmw_vsock/vsock_bpf.c +index c42c5cc18f324..4aa6e74ec2957 100644 +--- a/net/vmw_vsock/vsock_bpf.c ++++ b/net/vmw_vsock/vsock_bpf.c +@@ -114,14 +114,6 @@ static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg, + return copied; + } + +-/* Copy of original proto with updated sock_map methods */ +-static struct proto vsock_bpf_prot = { +- .close = sock_map_close, +- .recvmsg = vsock_bpf_recvmsg, +- .sock_is_readable = sk_msg_is_readable, +- .unhash = sock_map_unhash, +-}; +- + static void vsock_bpf_rebuild_protos(struct proto *prot, const struct proto *base) + { + *prot = *base; +-- +2.43.0 + diff --git a/queue-6.11/cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch b/queue-6.11/cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch new file mode 100644 index 00000000000..7d5703486e4 --- /dev/null +++ b/queue-6.11/cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch @@ -0,0 +1,44 @@ +From 0c198c5cf7f64fb0ba332c5a0f2317425a00d53e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2024 15:09:02 -0700 +Subject: cdrom: Avoid barrier_nospec() in cdrom_ioctl_media_changed() + +From: Josh Poimboeuf + +[ Upstream commit b0bf1afde7c34698cf61422fa8ee60e690dc25c3 ] + +The barrier_nospec() after the array bounds check is overkill and +painfully slow for arches which implement it. + +Furthermore, most arches don't implement it, so they remain exposed to +Spectre v1 (which can affect pretty much any CPU with branch +prediction). + +Instead, clamp the user pointer to a valid range so it's guaranteed to +be a valid array index even when the bounds check mispredicts. + +Fixes: 8270cb10c068 ("cdrom: Fix spectre-v1 gadget") +Signed-off-by: Josh Poimboeuf +Link: https://lore.kernel.org/r/1d86f4d9d8fba68e5ca64cdeac2451b95a8bf872.1729202937.git.jpoimboe@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/cdrom/cdrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index 9b0f37d4b9d49..6a99a459b80b2 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2313,7 +2313,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi, + return -EINVAL; + + /* Prevent arg from speculatively bypassing the length check */ +- barrier_nospec(); ++ arg = array_index_nospec(arg, cdi->capacity); + + info = kmalloc(sizeof(*info), GFP_KERNEL); + if (!info) +-- +2.43.0 + diff --git a/queue-6.11/clk-rockchip-fix-finding-of-maximum-clock-id.patch b/queue-6.11/clk-rockchip-fix-finding-of-maximum-clock-id.patch new file mode 100644 index 00000000000..48323f78f68 --- /dev/null +++ b/queue-6.11/clk-rockchip-fix-finding-of-maximum-clock-id.patch @@ -0,0 +1,39 @@ +From 817e55746382df4cb09ce77167e6fb78a93fe33d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 13:32:05 +0000 +Subject: clk: rockchip: fix finding of maximum clock ID + +From: Yao Zi + +[ Upstream commit ad1081a0da2744141d12e94ff816ac91feb871ca ] + +If an ID of a branch's child is greater than current maximum, we should +set new maximum to the child's ID, instead of its parent's. + +Fixes: 2dc66a5ab2c6 ("clk: rockchip: rk3588: fix CLK_NR_CLKS usage") +Signed-off-by: Yao Zi +Link: https://lore.kernel.org/r/20240912133204.29089-2-ziyao@disroot.org +Reviewed-by: Sebastian Reichel +Reviewed-by: Heiko Stuebner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk.c b/drivers/clk/rockchip/clk.c +index 2fa7253c73b2c..88629a9abc9c9 100644 +--- a/drivers/clk/rockchip/clk.c ++++ b/drivers/clk/rockchip/clk.c +@@ -439,7 +439,7 @@ unsigned long rockchip_clk_find_max_clk_id(struct rockchip_clk_branch *list, + if (list->id > max) + max = list->id; + if (list->child && list->child->id > max) +- max = list->id; ++ max = list->child->id; + } + + return max; +-- +2.43.0 + diff --git a/queue-6.11/cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch b/queue-6.11/cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch new file mode 100644 index 00000000000..10c57204ed6 --- /dev/null +++ b/queue-6.11/cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch @@ -0,0 +1,55 @@ +From 70b4bf77e09ee31d6cb7e03bab4e9447c6030b72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 12:23:04 +0000 +Subject: cpufreq/amd-pstate: Fix amd_pstate mode switch on shared memory + systems + +From: Dhananjay Ugwekar + +[ Upstream commit c10e50a469b5ec91eabf653526a22bdce03a9bca ] + +While switching the driver mode between active and passive, Collaborative +Processor Performance Control (CPPC) is disabled in +amd_pstate_unregister_driver(). But, it is not enabled back while registering +the new driver (passive or active). This leads to the new driver mode not +working correctly, so enable it back in amd_pstate_register_driver(). + +Fixes: 3ca7bc818d8c ("cpufreq: amd-pstate: Add guided mode control support via sysfs") +Signed-off-by: Dhananjay Ugwekar +Reviewed-by: Mario Limonciello +Link: https://lore.kernel.org/r/20241004122303.94283-1-Dhananjay.Ugwekar@amd.com +Signed-off-by: Mario Limonciello +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/amd-pstate.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c +index 589fde37ccd7a..929b9097a6c17 100644 +--- a/drivers/cpufreq/amd-pstate.c ++++ b/drivers/cpufreq/amd-pstate.c +@@ -1281,11 +1281,21 @@ static int amd_pstate_register_driver(int mode) + return -EINVAL; + + cppc_state = mode; ++ ++ ret = amd_pstate_enable(true); ++ if (ret) { ++ pr_err("failed to enable cppc during amd-pstate driver registration, return %d\n", ++ ret); ++ amd_pstate_driver_cleanup(); ++ return ret; ++ } ++ + ret = cpufreq_register_driver(current_pstate_driver); + if (ret) { + amd_pstate_driver_cleanup(); + return ret; + } ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.11/drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch b/queue-6.11/drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch new file mode 100644 index 00000000000..d35bf4e9af7 --- /dev/null +++ b/queue-6.11/drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch @@ -0,0 +1,183 @@ +From 39b235d7c28406c1c2aa83204e7ddfe11f286d6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 19:01:48 +0530 +Subject: drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit e7457532cb7167516263150ceae86f36d6ef9683 ] + +This patch addresses a double unlock issue in the amdgpu_mes_add_ring +function. The mutex was being unlocked twice under certain error +conditions, which could lead to undefined behavior. + +The fix ensures that the mutex is unlocked only once before jumping to +the clean_up_memory label. The unlock operation is moved to just before +the goto statement within the conditional block that checks the return +value of amdgpu_ring_init. This prevents the second unlock attempt after +the clean_up_memory label, which is no longer necessary as the mutex is +already unlocked by this point in the code flow. + +This change resolves the potential double unlock and maintains the +correct mutex handling throughout the function. + +Fixes below: +Commit d0c423b64765 ("drm/amdgpu/mes: use ring for kernel queue +submission"), leads to the following Smatch static checker warning: + + drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c:1240 amdgpu_mes_add_ring() + warn: double unlock '&adev->mes.mutex_hidden' (orig line 1213) + +drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c + 1143 int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id, + 1144 int queue_type, int idx, + 1145 struct amdgpu_mes_ctx_data *ctx_data, + 1146 struct amdgpu_ring **out) + 1147 { + 1148 struct amdgpu_ring *ring; + 1149 struct amdgpu_mes_gang *gang; + 1150 struct amdgpu_mes_queue_properties qprops = {0}; + 1151 int r, queue_id, pasid; + 1152 + 1153 /* + 1154 * Avoid taking any other locks under MES lock to avoid circular + 1155 * lock dependencies. + 1156 */ + 1157 amdgpu_mes_lock(&adev->mes); + 1158 gang = idr_find(&adev->mes.gang_id_idr, gang_id); + 1159 if (!gang) { + 1160 DRM_ERROR("gang id %d doesn't exist\n", gang_id); + 1161 amdgpu_mes_unlock(&adev->mes); + 1162 return -EINVAL; + 1163 } + 1164 pasid = gang->process->pasid; + 1165 + 1166 ring = kzalloc(sizeof(struct amdgpu_ring), GFP_KERNEL); + 1167 if (!ring) { + 1168 amdgpu_mes_unlock(&adev->mes); + 1169 return -ENOMEM; + 1170 } + 1171 + 1172 ring->ring_obj = NULL; + 1173 ring->use_doorbell = true; + 1174 ring->is_mes_queue = true; + 1175 ring->mes_ctx = ctx_data; + 1176 ring->idx = idx; + 1177 ring->no_scheduler = true; + 1178 + 1179 if (queue_type == AMDGPU_RING_TYPE_COMPUTE) { + 1180 int offset = offsetof(struct amdgpu_mes_ctx_meta_data, + 1181 compute[ring->idx].mec_hpd); + 1182 ring->eop_gpu_addr = + 1183 amdgpu_mes_ctx_get_offs_gpu_addr(ring, offset); + 1184 } + 1185 + 1186 switch (queue_type) { + 1187 case AMDGPU_RING_TYPE_GFX: + 1188 ring->funcs = adev->gfx.gfx_ring[0].funcs; + 1189 ring->me = adev->gfx.gfx_ring[0].me; + 1190 ring->pipe = adev->gfx.gfx_ring[0].pipe; + 1191 break; + 1192 case AMDGPU_RING_TYPE_COMPUTE: + 1193 ring->funcs = adev->gfx.compute_ring[0].funcs; + 1194 ring->me = adev->gfx.compute_ring[0].me; + 1195 ring->pipe = adev->gfx.compute_ring[0].pipe; + 1196 break; + 1197 case AMDGPU_RING_TYPE_SDMA: + 1198 ring->funcs = adev->sdma.instance[0].ring.funcs; + 1199 break; + 1200 default: + 1201 BUG(); + 1202 } + 1203 + 1204 r = amdgpu_ring_init(adev, ring, 1024, NULL, 0, + 1205 AMDGPU_RING_PRIO_DEFAULT, NULL); + 1206 if (r) + 1207 goto clean_up_memory; + 1208 + 1209 amdgpu_mes_ring_to_queue_props(adev, ring, &qprops); + 1210 + 1211 dma_fence_wait(gang->process->vm->last_update, false); + 1212 dma_fence_wait(ctx_data->meta_data_va->last_pt_update, false); + 1213 amdgpu_mes_unlock(&adev->mes); + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + 1214 + 1215 r = amdgpu_mes_add_hw_queue(adev, gang_id, &qprops, &queue_id); + 1216 if (r) + 1217 goto clean_up_ring; + ^^^^^^^^^^^^^^^^^^ + + 1218 + 1219 ring->hw_queue_id = queue_id; + 1220 ring->doorbell_index = qprops.doorbell_off; + 1221 + 1222 if (queue_type == AMDGPU_RING_TYPE_GFX) + 1223 sprintf(ring->name, "gfx_%d.%d.%d", pasid, gang_id, queue_id); + 1224 else if (queue_type == AMDGPU_RING_TYPE_COMPUTE) + 1225 sprintf(ring->name, "compute_%d.%d.%d", pasid, gang_id, + 1226 queue_id); + 1227 else if (queue_type == AMDGPU_RING_TYPE_SDMA) + 1228 sprintf(ring->name, "sdma_%d.%d.%d", pasid, gang_id, + 1229 queue_id); + 1230 else + 1231 BUG(); + 1232 + 1233 *out = ring; + 1234 return 0; + 1235 + 1236 clean_up_ring: + 1237 amdgpu_ring_fini(ring); + 1238 clean_up_memory: + 1239 kfree(ring); +--> 1240 amdgpu_mes_unlock(&adev->mes); + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + 1241 return r; + 1242 } + +Fixes: d0c423b64765 ("drm/amdgpu/mes: use ring for kernel queue submission") +Cc: Christian König +Cc: Alex Deucher +Cc: Hawking Zhang +Suggested-by: Jack Xiao +Reported by: Dan Carpenter +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Jack Xiao +Signed-off-by: Alex Deucher +(cherry picked from commit bfaf1883605fd0c0dbabacd67ed49708470d5ea4) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c +index 1cb1ec7beefed..2304a13fcb048 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c +@@ -1124,8 +1124,10 @@ int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id, + + r = amdgpu_ring_init(adev, ring, 1024, NULL, 0, + AMDGPU_RING_PRIO_DEFAULT, NULL); +- if (r) ++ if (r) { ++ amdgpu_mes_unlock(&adev->mes); + goto clean_up_memory; ++ } + + amdgpu_mes_ring_to_queue_props(adev, ring, &qprops); + +@@ -1158,7 +1160,6 @@ int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id, + amdgpu_ring_fini(ring); + clean_up_memory: + kfree(ring); +- amdgpu_mes_unlock(&adev->mes); + return r; + } + +-- +2.43.0 + diff --git a/queue-6.11/drm-msm-a6xx-insert-a-fence-wait-before-smmu-table-u.patch b/queue-6.11/drm-msm-a6xx-insert-a-fence-wait-before-smmu-table-u.patch new file mode 100644 index 00000000000..cff5b62c91f --- /dev/null +++ b/queue-6.11/drm-msm-a6xx-insert-a-fence-wait-before-smmu-table-u.patch @@ -0,0 +1,87 @@ +From 97e3f39b2b99f73b7f98654e2334cb02f33064d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 15:13:34 -0700 +Subject: drm/msm/a6xx+: Insert a fence wait before SMMU table update + +From: Rob Clark + +[ Upstream commit 77ad507dbb7ec1ecd60fc081d03616960ef596fd ] + +The CP_SMMU_TABLE_UPDATE _should_ be waiting for idle, but on some +devices (x1-85, possibly others), it seems to pass that barrier while +there are still things in the event completion FIFO waiting to be +written back to memory. + +Work around that by adding a fence wait before context switch. The +CP_EVENT_WRITE that writes the fence is the last write from a submit, +so seeing this value hit memory is a reliable indication that it is +safe to proceed with the context switch. + +v2: Only emit CP_WAIT_TIMESTAMP on a7xx, as it is not supported on a6xx. + Conversely, I've not been able to reproduce this issue on a6xx, so + hopefully it is limited to a7xx, or perhaps just certain a7xx + devices. + +Fixes: af66706accdf ("drm/msm/a6xx: Add skeleton A7xx support") +Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/63 +Signed-off-by: Rob Clark +Reviewed-by: Akhil P Oommen +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +index bcaec86ac67a5..89b379060596d 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +@@ -101,9 +101,10 @@ static void get_stats_counter(struct msm_ringbuffer *ring, u32 counter, + } + + static void a6xx_set_pagetable(struct a6xx_gpu *a6xx_gpu, +- struct msm_ringbuffer *ring, struct msm_file_private *ctx) ++ struct msm_ringbuffer *ring, struct msm_gem_submit *submit) + { + bool sysprof = refcount_read(&a6xx_gpu->base.base.sysprof_active) > 1; ++ struct msm_file_private *ctx = submit->queue->ctx; + struct adreno_gpu *adreno_gpu = &a6xx_gpu->base; + phys_addr_t ttbr; + u32 asid; +@@ -115,6 +116,15 @@ static void a6xx_set_pagetable(struct a6xx_gpu *a6xx_gpu, + if (msm_iommu_pagetable_params(ctx->aspace->mmu, &ttbr, &asid)) + return; + ++ if (adreno_gpu->info->family >= ADRENO_7XX_GEN1) { ++ /* Wait for previous submit to complete before continuing: */ ++ OUT_PKT7(ring, CP_WAIT_TIMESTAMP, 4); ++ OUT_RING(ring, 0); ++ OUT_RING(ring, lower_32_bits(rbmemptr(ring, fence))); ++ OUT_RING(ring, upper_32_bits(rbmemptr(ring, fence))); ++ OUT_RING(ring, submit->seqno - 1); ++ } ++ + if (!sysprof) { + if (!adreno_is_a7xx(adreno_gpu)) { + /* Turn off protected mode to write to special registers */ +@@ -193,7 +203,7 @@ static void a6xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit) + struct msm_ringbuffer *ring = submit->ring; + unsigned int i, ibs = 0; + +- a6xx_set_pagetable(a6xx_gpu, ring, submit->queue->ctx); ++ a6xx_set_pagetable(a6xx_gpu, ring, submit); + + get_stats_counter(ring, REG_A6XX_RBBM_PERFCTR_CP(0), + rbmemptr_stats(ring, index, cpcycles_start)); +@@ -283,7 +293,7 @@ static void a7xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit) + OUT_PKT7(ring, CP_THREAD_CONTROL, 1); + OUT_RING(ring, CP_THREAD_CONTROL_0_SYNC_THREADS | CP_SET_THREAD_BR); + +- a6xx_set_pagetable(a6xx_gpu, ring, submit->queue->ctx); ++ a6xx_set_pagetable(a6xx_gpu, ring, submit); + + get_stats_counter(ring, REG_A7XX_RBBM_PERFCTR_CP(0), + rbmemptr_stats(ring, index, cpcycles_start)); +-- +2.43.0 + diff --git a/queue-6.11/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch b/queue-6.11/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch new file mode 100644 index 00000000000..855d51ea6db --- /dev/null +++ b/queue-6.11/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch @@ -0,0 +1,57 @@ +From ac6ccb79459563a6da183062fafed2a0123dbd83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 09:36:09 -0700 +Subject: drm/msm: Allocate memory for disp snapshot with kvzalloc() + +From: Douglas Anderson + +[ Upstream commit e4a45582db1b792c57bdb52c45958264f7fcfbdc ] + +With the "drm/msm: add a display mmu fault handler" series [1] we saw +issues in the field where memory allocation was failing when +allocating space for registers in msm_disp_state_dump_regs(). +Specifically we were seeing an order 5 allocation fail. It's not +surprising that order 5 allocations will sometimes fail after the +system has been up and running for a while. + +There's no need here for contiguous memory. Change the allocation to +kvzalloc() which should make it much less likely to fail. + +[1] https://lore.kernel.org/r/20240628214848.4075651-1-quic_abhinavk@quicinc.com/ + +Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot") +Signed-off-by: Douglas Anderson +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/619658/ +Link: https://lore.kernel.org/r/20241014093605.2.I72441365ffe91f3dceb17db0a8ec976af8139590@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +index bb149281d31fa..4d55e3cf570f0 100644 +--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c ++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +@@ -26,7 +26,7 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b + end_addr = base_addr + aligned_len; + + if (!(*reg)) +- *reg = kzalloc(len_padded, GFP_KERNEL); ++ *reg = kvzalloc(len_padded, GFP_KERNEL); + + if (*reg) + dump_addr = *reg; +@@ -162,7 +162,7 @@ void msm_disp_state_free(void *data) + + list_for_each_entry_safe(block, tmp, &disp_state->blocks, node) { + list_del(&block->node); +- kfree(block->state); ++ kvfree(block->state); + kfree(block); + } + +-- +2.43.0 + diff --git a/queue-6.11/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch b/queue-6.11/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch new file mode 100644 index 00000000000..d8361cd2886 --- /dev/null +++ b/queue-6.11/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch @@ -0,0 +1,79 @@ +From 535fb980916e918aacf5ea6def065ed77d6adc11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 09:36:08 -0700 +Subject: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() + +From: Douglas Anderson + +[ Upstream commit 293f53263266bc4340d777268ab4328a97f041fa ] + +If the allocation in msm_disp_state_dump_regs() failed then +`block->state` can be NULL. The msm_disp_state_print_regs() function +_does_ have code to try to handle it with: + + if (*reg) + dump_addr = *reg; + +...but since "dump_addr" is initialized to NULL the above is actually +a noop. The code then goes on to dereference `dump_addr`. + +Make the function print "Registers not stored" when it sees a NULL to +solve this. Since we're touching the code, fix +msm_disp_state_print_regs() not to pointlessly take a double-pointer +and properly mark the pointer as `const`. + +Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot") +Signed-off-by: Douglas Anderson +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/619657/ +Link: https://lore.kernel.org/r/20241014093605.1.Ia1217cecec9ef09eb3c6d125360cc6c8574b0e73@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +index add72bbc28b17..bb149281d31fa 100644 +--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c ++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +@@ -48,20 +48,21 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b + } + } + +-static void msm_disp_state_print_regs(u32 **reg, u32 len, void __iomem *base_addr, +- struct drm_printer *p) ++static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len, ++ void __iomem *base_addr, struct drm_printer *p) + { + int i; +- u32 *dump_addr = NULL; + void __iomem *addr; + u32 num_rows; + ++ if (!dump_addr) { ++ drm_printf(p, "Registers not stored\n"); ++ return; ++ } ++ + addr = base_addr; + num_rows = len / REG_DUMP_ALIGN; + +- if (*reg) +- dump_addr = *reg; +- + for (i = 0; i < num_rows; i++) { + drm_printf(p, "0x%lx : %08x %08x %08x %08x\n", + (unsigned long)(addr - base_addr), +@@ -89,7 +90,7 @@ void msm_disp_state_print(struct msm_disp_state *state, struct drm_printer *p) + + list_for_each_entry_safe(block, tmp, &state->blocks, node) { + drm_printf(p, "====================%s================\n", block->name); +- msm_disp_state_print_regs(&block->state, block->size, block->base_addr, p); ++ msm_disp_state_print_regs(block->state, block->size, block->base_addr, p); + } + + drm_printf(p, "===================dpu drm state================\n"); +-- +2.43.0 + diff --git a/queue-6.11/drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch b/queue-6.11/drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch new file mode 100644 index 00000000000..dfb66f303fd --- /dev/null +++ b/queue-6.11/drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch @@ -0,0 +1,82 @@ +From 04e3c659c022b5504d6a46791bdc6306ee73dc7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 06:22:46 +0300 +Subject: drm/msm/dpu: check for overflow in _dpu_crtc_setup_lm_bounds() + +From: Dmitry Baryshkov + +[ Upstream commit 3a0851b442d1f63ba42ecfa2506d3176cfabf9d4 ] + +Make _dpu_crtc_setup_lm_bounds() check that CRTC width is not +overflowing LM requirements. Rename the function accordingly. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Reviewed-by: Abhinav Kumar +Tested-by: Abhinav Kumar # sc7280 +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/612237/ +Link: https://lore.kernel.org/r/20240903-dpu-mode-config-width-v6-3-617e1ecc4b7a@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index e81feb0d67f3e..db6c57900781d 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -711,12 +711,13 @@ void dpu_crtc_complete_commit(struct drm_crtc *crtc) + _dpu_crtc_complete_flip(crtc); + } + +-static void _dpu_crtc_setup_lm_bounds(struct drm_crtc *crtc, ++static int _dpu_crtc_check_and_setup_lm_bounds(struct drm_crtc *crtc, + struct drm_crtc_state *state) + { + struct dpu_crtc_state *cstate = to_dpu_crtc_state(state); + struct drm_display_mode *adj_mode = &state->adjusted_mode; + u32 crtc_split_width = adj_mode->hdisplay / cstate->num_mixers; ++ struct dpu_kms *dpu_kms = _dpu_crtc_get_kms(crtc); + int i; + + for (i = 0; i < cstate->num_mixers; i++) { +@@ -727,7 +728,12 @@ static void _dpu_crtc_setup_lm_bounds(struct drm_crtc *crtc, + r->y2 = adj_mode->vdisplay; + + trace_dpu_crtc_setup_lm_bounds(DRMID(crtc), i, r); ++ ++ if (drm_rect_width(r) > dpu_kms->catalog->caps->max_mixer_width) ++ return -E2BIG; + } ++ ++ return 0; + } + + static void _dpu_crtc_get_pcc_coeff(struct drm_crtc_state *state, +@@ -803,7 +809,7 @@ static void dpu_crtc_atomic_begin(struct drm_crtc *crtc, + + DRM_DEBUG_ATOMIC("crtc%d\n", crtc->base.id); + +- _dpu_crtc_setup_lm_bounds(crtc, crtc->state); ++ _dpu_crtc_check_and_setup_lm_bounds(crtc, crtc->state); + + /* encoder will trigger pending mask now */ + drm_for_each_encoder_mask(encoder, crtc->dev, crtc->state->encoder_mask) +@@ -1189,8 +1195,11 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc, + if (crtc_state->active_changed) + crtc_state->mode_changed = true; + +- if (cstate->num_mixers) +- _dpu_crtc_setup_lm_bounds(crtc, crtc_state); ++ if (cstate->num_mixers) { ++ rc = _dpu_crtc_check_and_setup_lm_bounds(crtc, crtc_state); ++ if (rc) ++ return rc; ++ } + + /* FIXME: move this to dpu_plane_atomic_check? */ + drm_atomic_crtc_state_for_each_plane_state(plane, pstate, crtc_state) { +-- +2.43.0 + diff --git a/queue-6.11/drm-msm-dpu-don-t-always-program-merge_3d-block.patch b/queue-6.11/drm-msm-dpu-don-t-always-program-merge_3d-block.patch new file mode 100644 index 00000000000..19a2f6327b7 --- /dev/null +++ b/queue-6.11/drm-msm-dpu-don-t-always-program-merge_3d-block.patch @@ -0,0 +1,39 @@ +From 1b20078bfca6a4cfbf1e10f0cc7baf64b72fd0f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 20:46:19 -0700 +Subject: drm/msm/dpu: don't always program merge_3d block + +From: Jessica Zhang + +[ Upstream commit f87f3b80abaf7949e638dd17dfdc267066eb52d5 ] + +Only program the merge_3d block for the video phys encoder when the 3d +blend mode is not NONE + +Fixes: 3e79527a33a8 ("drm/msm/dpu: enable merge_3d support on sm8150/sm8250") +Suggested-by: Abhinav Kumar +Signed-off-by: Jessica Zhang +Patchwork: https://patchwork.freedesktop.org/patch/619095/ +Link: https://lore.kernel.org/r/20241009-merge3d-fix-v1-1-0d0b6f5c244e@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c +index 8864ace938e03..d8a2edebfe8c3 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c +@@ -302,7 +302,7 @@ static void dpu_encoder_phys_vid_setup_timing_engine( + intf_cfg.stream_sel = 0; /* Don't care value for video mode */ + intf_cfg.mode_3d = dpu_encoder_helper_get_3d_blend_mode(phys_enc); + intf_cfg.dsc = dpu_encoder_helper_get_dsc(phys_enc); +- if (phys_enc->hw_pp->merge_3d) ++ if (intf_cfg.mode_3d && phys_enc->hw_pp->merge_3d) + intf_cfg.merge_3d = phys_enc->hw_pp->merge_3d->idx; + + spin_lock_irqsave(phys_enc->enc_spinlock, lock_flags); +-- +2.43.0 + diff --git a/queue-6.11/drm-msm-dpu-don-t-always-set-merge_3d-pending-flush.patch b/queue-6.11/drm-msm-dpu-don-t-always-set-merge_3d-pending-flush.patch new file mode 100644 index 00000000000..7c02cecafd4 --- /dev/null +++ b/queue-6.11/drm-msm-dpu-don-t-always-set-merge_3d-pending-flush.patch @@ -0,0 +1,99 @@ +From 75c1e2c7f5ac095af5517d27abbc25991d05891c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 20:41:13 -0700 +Subject: drm/msm/dpu: Don't always set merge_3d pending flush + +From: Jessica Zhang + +[ Upstream commit 40dad89cb86ce824f2080441b2a6b7aedf695329 ] + +Don't set the merge_3d pending flush bits if the mode_3d is +BLEND_3D_NONE. + +Always flushing merge_3d can cause timeout issues when there are +multiple commits with concurrent writeback enabled. + +This is because the video phys enc waits for the hw_ctl flush register +to be completely cleared [1] in its wait_for_commit_done(), but the WB +encoder always sets the merge_3d pending flush during each commit +regardless of if the merge_3d is actually active. + +This means that the hw_ctl flush register will never be 0 when there are +multiple CWB commits and the video phys enc will hit vblank timeout +errors after the first CWB commit. + +[1] commit fe9df3f50c39 ("drm/msm/dpu: add real wait_for_commit_done()") + +Fixes: 3e79527a33a8 ("drm/msm/dpu: enable merge_3d support on sm8150/sm8250") +Fixes: d7d0e73f7de3 ("drm/msm/dpu: introduce the dpu_encoder_phys_* for writeback") +Signed-off-by: Jessica Zhang +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/619092/ +Link: https://lore.kernel.org/r/20241009-mode3d-fix-v1-1-c0258354fadc@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 5 ++++- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c +index ba8878d21cf0e..8864ace938e03 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c +@@ -440,10 +440,12 @@ static void dpu_encoder_phys_vid_enable(struct dpu_encoder_phys *phys_enc) + struct dpu_hw_ctl *ctl; + const struct msm_format *fmt; + u32 fmt_fourcc; ++ u32 mode_3d; + + ctl = phys_enc->hw_ctl; + fmt_fourcc = dpu_encoder_get_drm_fmt(phys_enc); + fmt = mdp_get_format(&phys_enc->dpu_kms->base, fmt_fourcc, 0); ++ mode_3d = dpu_encoder_helper_get_3d_blend_mode(phys_enc); + + DPU_DEBUG_VIDENC(phys_enc, "\n"); + +@@ -466,7 +468,8 @@ static void dpu_encoder_phys_vid_enable(struct dpu_encoder_phys *phys_enc) + goto skip_flush; + + ctl->ops.update_pending_flush_intf(ctl, phys_enc->hw_intf->idx); +- if (ctl->ops.update_pending_flush_merge_3d && phys_enc->hw_pp->merge_3d) ++ if (mode_3d && ctl->ops.update_pending_flush_merge_3d && ++ phys_enc->hw_pp->merge_3d) + ctl->ops.update_pending_flush_merge_3d(ctl, phys_enc->hw_pp->merge_3d->idx); + + if (ctl->ops.update_pending_flush_cdm && phys_enc->hw_cdm) +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c +index 882c717859cec..07035ab77b792 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c +@@ -275,6 +275,7 @@ static void _dpu_encoder_phys_wb_update_flush(struct dpu_encoder_phys *phys_enc) + struct dpu_hw_pingpong *hw_pp; + struct dpu_hw_cdm *hw_cdm; + u32 pending_flush = 0; ++ u32 mode_3d; + + if (!phys_enc) + return; +@@ -283,6 +284,7 @@ static void _dpu_encoder_phys_wb_update_flush(struct dpu_encoder_phys *phys_enc) + hw_pp = phys_enc->hw_pp; + hw_ctl = phys_enc->hw_ctl; + hw_cdm = phys_enc->hw_cdm; ++ mode_3d = dpu_encoder_helper_get_3d_blend_mode(phys_enc); + + DPU_DEBUG("[wb:%d]\n", hw_wb->idx - WB_0); + +@@ -294,7 +296,8 @@ static void _dpu_encoder_phys_wb_update_flush(struct dpu_encoder_phys *phys_enc) + if (hw_ctl->ops.update_pending_flush_wb) + hw_ctl->ops.update_pending_flush_wb(hw_ctl, hw_wb->idx); + +- if (hw_ctl->ops.update_pending_flush_merge_3d && hw_pp && hw_pp->merge_3d) ++ if (mode_3d && hw_ctl->ops.update_pending_flush_merge_3d && ++ hw_pp && hw_pp->merge_3d) + hw_ctl->ops.update_pending_flush_merge_3d(hw_ctl, + hw_pp->merge_3d->idx); + +-- +2.43.0 + diff --git a/queue-6.11/drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch b/queue-6.11/drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch new file mode 100644 index 00000000000..4832a2f0796 --- /dev/null +++ b/queue-6.11/drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch @@ -0,0 +1,62 @@ +From 061459540c63520e16367198d43513c71c1e6f68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 06:22:44 +0300 +Subject: drm/msm/dpu: make sure phys resources are properly initialized + +From: Dmitry Baryshkov + +[ Upstream commit bfecbc2cfba9b06d67d9d249c33d92e570e2fa70 ] + +The commit b954fa6baaca ("drm/msm/dpu: Refactor rm iterator") removed +zero-init of the hw_ctl array, but didn't change the error condition, +that checked for hw_ctl[i] being NULL. At the same time because of the +early returns in case of an error dpu_encoder_phys might be left with +the resources assigned in the previous state. Rework assigning of hw_pp +/ hw_ctl to the dpu_encoder_phys in order to make sure they are always +set correctly. + +Fixes: b954fa6baaca ("drm/msm/dpu: Refactor rm iterator") +Suggested-by: Abhinav Kumar +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/612233/ +Link: https://lore.kernel.org/r/20240903-dpu-mode-config-width-v6-1-617e1ecc4b7a@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +index 3b171bf227d16..949ebda2fa829 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +@@ -1174,21 +1174,20 @@ static void dpu_encoder_virt_atomic_mode_set(struct drm_encoder *drm_enc, + for (i = 0; i < dpu_enc->num_phys_encs; i++) { + struct dpu_encoder_phys *phys = dpu_enc->phys_encs[i]; + +- if (!dpu_enc->hw_pp[i]) { ++ phys->hw_pp = dpu_enc->hw_pp[i]; ++ if (!phys->hw_pp) { + DPU_ERROR_ENC(dpu_enc, + "no pp block assigned at idx: %d\n", i); + return; + } + +- if (!hw_ctl[i]) { ++ phys->hw_ctl = i < num_ctl ? to_dpu_hw_ctl(hw_ctl[i]) : NULL; ++ if (!phys->hw_ctl) { + DPU_ERROR_ENC(dpu_enc, + "no ctl block assigned at idx: %d\n", i); + return; + } + +- phys->hw_pp = dpu_enc->hw_pp[i]; +- phys->hw_ctl = to_dpu_hw_ctl(hw_ctl[i]); +- + phys->cached_mode = crtc_state->adjusted_mode; + if (phys->ops.atomic_mode_set) + phys->ops.atomic_mode_set(phys, crtc_state, conn_state); +-- +2.43.0 + diff --git a/queue-6.11/drm-msm-dpu-move-crtc-resource-assignment-to-dpu_enc.patch b/queue-6.11/drm-msm-dpu-move-crtc-resource-assignment-to-dpu_enc.patch new file mode 100644 index 00000000000..57944c82147 --- /dev/null +++ b/queue-6.11/drm-msm-dpu-move-crtc-resource-assignment-to-dpu_enc.patch @@ -0,0 +1,153 @@ +From cb9d909e0b6d8362866dd6229c47a3c6758c77fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 06:22:45 +0300 +Subject: drm/msm/dpu: move CRTC resource assignment to + dpu_encoder_virt_atomic_check + +From: Dmitry Baryshkov + +[ Upstream commit 3ae133b0192b9b0c9f560bbc096887053150195f ] + +Historically CRTC resources (LMs and CTLs) were assigned in +dpu_crtc_atomic_begin(). The commit 9222cdd27e82 ("drm/msm/dpu: move hw +resource tracking to crtc state") simply moved resources to +struct dpu_crtc_state, without changing the code sequence. Later on the +commit b107603b4ad0 ("drm/msm/dpu: map mixer/ctl hw blocks in encoder +modeset") rearanged the code, but still kept the cstate->num_mixers +assignment to happen during commit phase. This makes dpu_crtc_state +inconsistent between consequent atomic_check() calls. + +Move CRTC resource assignment to happen at the end of +dpu_encoder_virt_atomic_check(). + +Fixes: b107603b4ad0 ("drm/msm/dpu: map mixer/ctl hw blocks in encoder modeset") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/612235/ +Link: https://lore.kernel.org/r/20240903-dpu-mode-config-width-v6-2-617e1ecc4b7a@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 3 -- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 59 +++++++++++++-------- + 2 files changed, 38 insertions(+), 24 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index 4c1be2f0555f7..e81feb0d67f3e 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -1091,9 +1091,6 @@ static void dpu_crtc_disable(struct drm_crtc *crtc, + + dpu_core_perf_crtc_update(crtc, 0); + +- memset(cstate->mixers, 0, sizeof(cstate->mixers)); +- cstate->num_mixers = 0; +- + /* disable clk & bw control until clk & bw properties are set */ + cstate->bw_control = false; + cstate->bw_split_vote = false; +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +index 949ebda2fa829..bd3698bf0cf74 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +@@ -624,6 +624,40 @@ static struct msm_display_topology dpu_encoder_get_topology( + return topology; + } + ++static void dpu_encoder_assign_crtc_resources(struct dpu_kms *dpu_kms, ++ struct drm_encoder *drm_enc, ++ struct dpu_global_state *global_state, ++ struct drm_crtc_state *crtc_state) ++{ ++ struct dpu_crtc_state *cstate; ++ struct dpu_hw_blk *hw_ctl[MAX_CHANNELS_PER_ENC]; ++ struct dpu_hw_blk *hw_lm[MAX_CHANNELS_PER_ENC]; ++ struct dpu_hw_blk *hw_dspp[MAX_CHANNELS_PER_ENC]; ++ int num_lm, num_ctl, num_dspp, i; ++ ++ cstate = to_dpu_crtc_state(crtc_state); ++ ++ memset(cstate->mixers, 0, sizeof(cstate->mixers)); ++ ++ num_ctl = dpu_rm_get_assigned_resources(&dpu_kms->rm, global_state, ++ drm_enc->base.id, DPU_HW_BLK_CTL, hw_ctl, ARRAY_SIZE(hw_ctl)); ++ num_lm = dpu_rm_get_assigned_resources(&dpu_kms->rm, global_state, ++ drm_enc->base.id, DPU_HW_BLK_LM, hw_lm, ARRAY_SIZE(hw_lm)); ++ num_dspp = dpu_rm_get_assigned_resources(&dpu_kms->rm, global_state, ++ drm_enc->base.id, DPU_HW_BLK_DSPP, hw_dspp, ++ ARRAY_SIZE(hw_dspp)); ++ ++ for (i = 0; i < num_lm; i++) { ++ int ctl_idx = (i < num_ctl) ? i : (num_ctl-1); ++ ++ cstate->mixers[i].hw_lm = to_dpu_hw_mixer(hw_lm[i]); ++ cstate->mixers[i].lm_ctl = to_dpu_hw_ctl(hw_ctl[ctl_idx]); ++ cstate->mixers[i].hw_dspp = i < num_dspp ? to_dpu_hw_dspp(hw_dspp[i]) : NULL; ++ } ++ ++ cstate->num_mixers = num_lm; ++} ++ + static int dpu_encoder_virt_atomic_check( + struct drm_encoder *drm_enc, + struct drm_crtc_state *crtc_state, +@@ -692,6 +726,9 @@ static int dpu_encoder_virt_atomic_check( + if (!crtc_state->active_changed || crtc_state->enable) + ret = dpu_rm_reserve(&dpu_kms->rm, global_state, + drm_enc, crtc_state, topology); ++ if (!ret) ++ dpu_encoder_assign_crtc_resources(dpu_kms, drm_enc, ++ global_state, crtc_state); + } + + trace_dpu_enc_atomic_check_flags(DRMID(drm_enc), adj_mode->flags); +@@ -1093,14 +1130,11 @@ static void dpu_encoder_virt_atomic_mode_set(struct drm_encoder *drm_enc, + struct dpu_encoder_virt *dpu_enc; + struct msm_drm_private *priv; + struct dpu_kms *dpu_kms; +- struct dpu_crtc_state *cstate; + struct dpu_global_state *global_state; + struct dpu_hw_blk *hw_pp[MAX_CHANNELS_PER_ENC]; + struct dpu_hw_blk *hw_ctl[MAX_CHANNELS_PER_ENC]; +- struct dpu_hw_blk *hw_lm[MAX_CHANNELS_PER_ENC]; +- struct dpu_hw_blk *hw_dspp[MAX_CHANNELS_PER_ENC] = { NULL }; + struct dpu_hw_blk *hw_dsc[MAX_CHANNELS_PER_ENC]; +- int num_lm, num_ctl, num_pp, num_dsc; ++ int num_ctl, num_pp, num_dsc; + unsigned int dsc_mask = 0; + int i; + +@@ -1129,11 +1163,6 @@ static void dpu_encoder_virt_atomic_mode_set(struct drm_encoder *drm_enc, + ARRAY_SIZE(hw_pp)); + num_ctl = dpu_rm_get_assigned_resources(&dpu_kms->rm, global_state, + drm_enc->base.id, DPU_HW_BLK_CTL, hw_ctl, ARRAY_SIZE(hw_ctl)); +- num_lm = dpu_rm_get_assigned_resources(&dpu_kms->rm, global_state, +- drm_enc->base.id, DPU_HW_BLK_LM, hw_lm, ARRAY_SIZE(hw_lm)); +- dpu_rm_get_assigned_resources(&dpu_kms->rm, global_state, +- drm_enc->base.id, DPU_HW_BLK_DSPP, hw_dspp, +- ARRAY_SIZE(hw_dspp)); + + for (i = 0; i < MAX_CHANNELS_PER_ENC; i++) + dpu_enc->hw_pp[i] = i < num_pp ? to_dpu_hw_pingpong(hw_pp[i]) +@@ -1159,18 +1188,6 @@ static void dpu_encoder_virt_atomic_mode_set(struct drm_encoder *drm_enc, + dpu_enc->cur_master->hw_cdm = hw_cdm ? to_dpu_hw_cdm(hw_cdm) : NULL; + } + +- cstate = to_dpu_crtc_state(crtc_state); +- +- for (i = 0; i < num_lm; i++) { +- int ctl_idx = (i < num_ctl) ? i : (num_ctl-1); +- +- cstate->mixers[i].hw_lm = to_dpu_hw_mixer(hw_lm[i]); +- cstate->mixers[i].lm_ctl = to_dpu_hw_ctl(hw_ctl[ctl_idx]); +- cstate->mixers[i].hw_dspp = to_dpu_hw_dspp(hw_dspp[i]); +- } +- +- cstate->num_mixers = num_lm; +- + for (i = 0; i < dpu_enc->num_phys_encs; i++) { + struct dpu_encoder_phys *phys = dpu_enc->phys_encs[i]; + +-- +2.43.0 + diff --git a/queue-6.11/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch b/queue-6.11/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch new file mode 100644 index 00000000000..f8807a51ab2 --- /dev/null +++ b/queue-6.11/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch @@ -0,0 +1,47 @@ +From bf4eeba0b25a727292cf4f669e0d13fc0bc2a334 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 01:01:49 -0400 +Subject: drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate + calculation + +From: Jonathan Marek + +[ Upstream commit 358b762400bd94db2a14a72dfcef74c7da6bd845 ] + +When (mode->clock * 1000) is larger than (1<<31), int to unsigned long +conversion will sign extend the int to 64 bits and the pclk_rate value +will be incorrect. + +Fix this by making the result of the multiplication unsigned. + +Note that above (1<<32) would still be broken and require more changes, but +its unlikely anyone will need that anytime soon. + +Fixes: c4d8cfe516dc ("drm/msm/dsi: add implementation for helper functions") +Signed-off-by: Jonathan Marek +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/618434/ +Link: https://lore.kernel.org/r/20241007050157.26855-2-jonathan@marek.ca +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index 1205aa398e445..a98d24b7cb00b 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -550,7 +550,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode, + { + unsigned long pclk_rate; + +- pclk_rate = mode->clock * 1000; ++ pclk_rate = mode->clock * 1000u; + + if (dsc) + pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc); +-- +2.43.0 + diff --git a/queue-6.11/drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch b/queue-6.11/drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch new file mode 100644 index 00000000000..e4d1a22d6fa --- /dev/null +++ b/queue-6.11/drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch @@ -0,0 +1,39 @@ +From f1d650cd58e04e1695d94fe2848127ed9b6f3164 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 01:01:48 -0400 +Subject: drm/msm/dsi: improve/fix dsc pclk calculation + +From: Jonathan Marek + +[ Upstream commit 24436a540d16ca6a523b8e5441180001c31b6b35 ] + +drm_mode_vrefresh() can introduce a large rounding error, avoid it. + +Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression") +Signed-off-by: Jonathan Marek +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/618432/ +Link: https://lore.kernel.org/r/20241007050157.26855-1-jonathan@marek.ca +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index 185d7de0bf376..1205aa398e445 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -542,7 +542,7 @@ static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mo + + int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay; + +- return new_htotal * mode->vtotal * drm_mode_vrefresh(mode); ++ return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal); + } + + static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode, +-- +2.43.0 + diff --git a/queue-6.11/drm-panel-himax-hx83102-adjust-power-and-gamma-to-op.patch b/queue-6.11/drm-panel-himax-hx83102-adjust-power-and-gamma-to-op.patch new file mode 100644 index 00000000000..b18ef98993b --- /dev/null +++ b/queue-6.11/drm-panel-himax-hx83102-adjust-power-and-gamma-to-op.patch @@ -0,0 +1,57 @@ +From 971616729a3c92fa3a0b3d67cb07da4b59cf8c7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 10:08:19 +0800 +Subject: drm/panel: himax-hx83102: Adjust power and gamma to optimize + brightness + +From: Cong Yang + +[ Upstream commit fcf38bc321fbc87dfcd829f42e64e541f17599f7 ] + +The current panel brightness is only 360 nit. Adjust the power and gamma to +optimize the panel brightness. The brightness after adjustment is 390 nit. + +Fixes: 3179338750d8 ("drm/panel: himax-hx83102: Support for IVO t109nw41 MIPI-DSI panel") +Signed-off-by: Cong Yang +Reviewed-by: Douglas Anderson +Reviewed-by: Linus Walleij +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20241011020819.1254157-1-yangcong5@huaqin.corp-partner.google.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-himax-hx83102.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-himax-hx83102.c b/drivers/gpu/drm/panel/panel-himax-hx83102.c +index 6e4b7e4644ce0..8b48bba181316 100644 +--- a/drivers/gpu/drm/panel/panel-himax-hx83102.c ++++ b/drivers/gpu/drm/panel/panel-himax-hx83102.c +@@ -298,7 +298,7 @@ static int ivo_t109nw41_init(struct hx83102 *ctx) + msleep(60); + + hx83102_enable_extended_cmds(&dsi_ctx, true); +- mipi_dsi_dcs_write_seq_multi(&dsi_ctx, HX83102_SETPOWER, 0x2c, 0xed, 0xed, 0x0f, 0xcf, 0x42, ++ mipi_dsi_dcs_write_seq_multi(&dsi_ctx, HX83102_SETPOWER, 0x2c, 0xed, 0xed, 0x27, 0xe7, 0x52, + 0xf5, 0x39, 0x36, 0x36, 0x36, 0x36, 0x32, 0x8b, 0x11, 0x65, 0x00, 0x88, + 0xfa, 0xff, 0xff, 0x8f, 0xff, 0x08, 0xd6, 0x33); + mipi_dsi_dcs_write_seq_multi(&dsi_ctx, HX83102_SETDISP, 0x00, 0x47, 0xb0, 0x80, 0x00, 0x12, +@@ -343,11 +343,11 @@ static int ivo_t109nw41_init(struct hx83102 *ctx) + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00); +- mipi_dsi_dcs_write_seq_multi(&dsi_ctx, HX83102_SETGMA, 0x04, 0x04, 0x06, 0x0a, 0x0a, 0x05, +- 0x12, 0x14, 0x17, 0x13, 0x2c, 0x33, 0x39, 0x4b, 0x4c, 0x56, 0x61, 0x78, +- 0x7a, 0x41, 0x50, 0x68, 0x73, 0x04, 0x04, 0x06, 0x0a, 0x0a, 0x05, 0x12, +- 0x14, 0x17, 0x13, 0x2c, 0x33, 0x39, 0x4b, 0x4c, 0x56, 0x61, 0x78, 0x7a, +- 0x41, 0x50, 0x68, 0x73); ++ mipi_dsi_dcs_write_seq_multi(&dsi_ctx, HX83102_SETGMA, 0x00, 0x07, 0x10, 0x17, 0x1c, 0x33, ++ 0x48, 0x50, 0x57, 0x50, 0x68, 0x6e, 0x71, 0x7f, 0x81, 0x8a, 0x8e, 0x9b, ++ 0x9c, 0x4d, 0x56, 0x5d, 0x73, 0x00, 0x07, 0x10, 0x17, 0x1c, 0x33, 0x48, ++ 0x50, 0x57, 0x50, 0x68, 0x6e, 0x71, 0x7f, 0x81, 0x8a, 0x8e, 0x9b, 0x9c, ++ 0x4d, 0x56, 0x5d, 0x73); + mipi_dsi_dcs_write_seq_multi(&dsi_ctx, HX83102_SETTP1, 0x07, 0x10, 0x10, 0x1a, 0x26, 0x9e, + 0x00, 0x4f, 0xa0, 0x14, 0x14, 0x00, 0x00, 0x00, 0x00, 0x12, 0x0a, 0x02, + 0x02, 0x00, 0x33, 0x02, 0x04, 0x18, 0x01); +-- +2.43.0 + diff --git a/queue-6.11/drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch b/queue-6.11/drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch new file mode 100644 index 00000000000..d8f1b0ec5a4 --- /dev/null +++ b/queue-6.11/drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch @@ -0,0 +1,42 @@ +From d55888977c8e8e50ad4eafc486167556b92e0227 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2024 13:37:56 -0500 +Subject: drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check + +From: Ian Forbes + +[ Upstream commit 4809a017a2bc42ff239d53ade4b2e70f2fe81348 ] + +Handle unlikely ENOMEN condition and other errors in +vmw_stdu_connector_atomic_check. + +Signed-off-by: Ian Forbes +Reported-by: Dan Carpenter +Fixes: 75c3e8a26a35 ("drm/vmwgfx: Trigger a modeset when the screen moves") +Reviewed-by: Zack Rusin +Reviewed-by: Martin Krastev +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20240809183756.27283-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c +index fab155a68054a..82d18b88f4a7e 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c +@@ -886,6 +886,10 @@ static int vmw_stdu_connector_atomic_check(struct drm_connector *conn, + struct drm_crtc_state *new_crtc_state; + + conn_state = drm_atomic_get_connector_state(state, conn); ++ ++ if (IS_ERR(conn_state)) ++ return PTR_ERR(conn_state); ++ + du = vmw_connector_to_stdu(conn); + + if (!conn_state->crtc) +-- +2.43.0 + diff --git a/queue-6.11/drm-xe-don-t-free-job-in-tdr.patch b/queue-6.11/drm-xe-don-t-free-job-in-tdr.patch new file mode 100644 index 00000000000..68fbfcb45f3 --- /dev/null +++ b/queue-6.11/drm-xe-don-t-free-job-in-tdr.patch @@ -0,0 +1,49 @@ +From 3a2670cb08c092296eb7900e1c3f5c9aeafd268e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 17:16:57 -0700 +Subject: drm/xe: Don't free job in TDR + +From: Matthew Brost + +[ Upstream commit 82926f52d7a09c65d916c0ef8d4305fc95d68c0c ] + +Freeing job in TDR is not safe as TDR can pass the run_job thread +resulting in UAF. It is only safe for free job to naturally be called by +the scheduler. Rather free job in TDR, add to pending list. + +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2811 +Cc: Matthew Auld +Fixes: e275d61c5f3f ("drm/xe/guc: Handle timing out of signaled jobs gracefully") +Signed-off-by: Matthew Brost +Reviewed-by: Matthew Auld +Link: https://patchwork.freedesktop.org/patch/msgid/20241003001657.3517883-3-matthew.brost@intel.com +(cherry picked from commit ea2f6a77d0c40d97f4a4dc93fee4afe15d94926d) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_guc_submit.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c +index 690f821f8bf5a..dfd809e7bbd25 100644 +--- a/drivers/gpu/drm/xe/xe_guc_submit.c ++++ b/drivers/gpu/drm/xe/xe_guc_submit.c +@@ -1101,10 +1101,13 @@ guc_exec_queue_timedout_job(struct drm_sched_job *drm_job) + + /* + * TDR has fired before free job worker. Common if exec queue +- * immediately closed after last fence signaled. ++ * immediately closed after last fence signaled. Add back to pending ++ * list so job can be freed and kick scheduler ensuring free job is not ++ * lost. + */ + if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &job->fence->flags)) { +- guc_exec_queue_free_job(drm_job); ++ xe_sched_add_pending_job(sched, job); ++ xe_sched_submission_start(sched); + + return DRM_GPU_SCHED_STAT_NOMINAL; + } +-- +2.43.0 + diff --git a/queue-6.11/drm-xe-fix-unbalanced-rpm-put-with-declare_wedged.patch b/queue-6.11/drm-xe-fix-unbalanced-rpm-put-with-declare_wedged.patch new file mode 100644 index 00000000000..f98e469844d --- /dev/null +++ b/queue-6.11/drm-xe-fix-unbalanced-rpm-put-with-declare_wedged.patch @@ -0,0 +1,50 @@ +From 5de0435885f689183952ace355ddc109d26ce951 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 09:48:10 +0100 +Subject: drm/xe: fix unbalanced rpm put() with declare_wedged() + +From: Matthew Auld + +[ Upstream commit 761f916af44279a99db4e78c5f5ee839b31107ea ] + +Technically the or_reset() means we call the action on failure, however +that would lead to unbalanced rpm put(). Move the get() earlier to fix +this. It should be extremely unlikely to ever trigger this in practice. + +Fixes: 90936a0a4c54 ("drm/xe: Don't suspend device upon wedge") +Signed-off-by: Matthew Auld +Cc: Matthew Brost +Cc: Nirmoy Das +Reviewed-by: Matthew Brost +Reviewed-by: Nirmoy Das +Link: https://patchwork.freedesktop.org/patch/msgid/20241009084808.204432-4-matthew.auld@intel.com +(cherry picked from commit a187c1b0a800565a4db6372268692aff99df7f53) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_device.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c +index 8a44a2b6dcbb6..fb394189d9e23 100644 +--- a/drivers/gpu/drm/xe/xe_device.c ++++ b/drivers/gpu/drm/xe/xe_device.c +@@ -960,13 +960,13 @@ void xe_device_declare_wedged(struct xe_device *xe) + return; + } + ++ xe_pm_runtime_get_noresume(xe); ++ + if (drmm_add_action_or_reset(&xe->drm, xe_device_wedged_fini, xe)) { + drm_err(&xe->drm, "Failed to register xe_device_wedged_fini clean-up. Although device is wedged.\n"); + return; + } + +- xe_pm_runtime_get_noresume(xe); +- + if (!atomic_xchg(&xe->wedged.flag, 1)) { + xe->needs_flr_on_fini = true; + drm_err(&xe->drm, +-- +2.43.0 + diff --git a/queue-6.11/drm-xe-fix-unbalanced-rpm-put-with-fence_fini.patch b/queue-6.11/drm-xe-fix-unbalanced-rpm-put-with-fence_fini.patch new file mode 100644 index 00000000000..7674688a755 --- /dev/null +++ b/queue-6.11/drm-xe-fix-unbalanced-rpm-put-with-fence_fini.patch @@ -0,0 +1,148 @@ +From d7cff62963ac41ee65ad9872ce06fd24ffad92ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 09:48:09 +0100 +Subject: drm/xe: fix unbalanced rpm put() with fence_fini() + +From: Matthew Auld + +[ Upstream commit 03a86c24aea0920a1ca20a0d7771d5e176db538d ] + +Currently we can call fence_fini() twice if something goes wrong when +sending the GuC CT for the tlb request, since we signal the fence and +return an error, leading to the caller also calling fini() on the error +path in the case of stack version of the flow, which leads to an extra +rpm put() which might later cause device to enter suspend when it +shouldn't. It looks like we can just drop the fini() call since the +fence signaller side will already call this for us. + +There are known mysterious splats with device going to sleep even with +an rpm ref, and this could be one candidate. + +v2 (Matt B): + - Prefer warning if we detect double fini() + +Fixes: f002702290fc ("drm/xe: Hold a PM ref when GT TLB invalidations are inflight") +Signed-off-by: Matthew Auld +Cc: Matthew Brost +Cc: Nirmoy Das +Reviewed-by: Matthew Brost +Reviewed-by: Nirmoy Das +Link: https://patchwork.freedesktop.org/patch/msgid/20241009084808.204432-3-matthew.auld@intel.com +(cherry picked from commit cfcbc0520d5055825f0647ab922b655688605183) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 29 +++++++++------------ + drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h | 1 - + drivers/gpu/drm/xe/xe_vm.c | 8 ++---- + 3 files changed, 15 insertions(+), 23 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c b/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c +index 87cb76a8718c9..82795133e129e 100644 +--- a/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c ++++ b/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c +@@ -36,6 +36,15 @@ static long tlb_timeout_jiffies(struct xe_gt *gt) + return hw_tlb_timeout + 2 * delay; + } + ++static void xe_gt_tlb_invalidation_fence_fini(struct xe_gt_tlb_invalidation_fence *fence) ++{ ++ if (WARN_ON_ONCE(!fence->gt)) ++ return; ++ ++ xe_pm_runtime_put(gt_to_xe(fence->gt)); ++ fence->gt = NULL; /* fini() should be called once */ ++} ++ + static void + __invalidation_fence_signal(struct xe_device *xe, struct xe_gt_tlb_invalidation_fence *fence) + { +@@ -203,7 +212,7 @@ static int send_tlb_invalidation(struct xe_guc *guc, + tlb_timeout_jiffies(gt)); + } + spin_unlock_irq(>->tlb_invalidation.pending_lock); +- } else if (ret < 0) { ++ } else { + __invalidation_fence_signal(xe, fence); + } + if (!ret) { +@@ -265,10 +274,8 @@ int xe_gt_tlb_invalidation_ggtt(struct xe_gt *gt) + + xe_gt_tlb_invalidation_fence_init(gt, &fence, true); + ret = xe_gt_tlb_invalidation_guc(gt, &fence); +- if (ret < 0) { +- xe_gt_tlb_invalidation_fence_fini(&fence); ++ if (ret) + return ret; +- } + + xe_gt_tlb_invalidation_fence_wait(&fence); + } else if (xe_device_uc_enabled(xe) && !xe_device_wedged(xe)) { +@@ -494,7 +501,8 @@ static const struct dma_fence_ops invalidation_fence_ops = { + * @stack: fence is stack variable + * + * Initialize TLB invalidation fence for use. xe_gt_tlb_invalidation_fence_fini +- * must be called if fence is not signaled. ++ * will be automatically called when fence is signalled (all fences must signal), ++ * even on error. + */ + void xe_gt_tlb_invalidation_fence_init(struct xe_gt *gt, + struct xe_gt_tlb_invalidation_fence *fence, +@@ -514,14 +522,3 @@ void xe_gt_tlb_invalidation_fence_init(struct xe_gt *gt, + dma_fence_get(&fence->base); + fence->gt = gt; + } +- +-/** +- * xe_gt_tlb_invalidation_fence_fini - Finalize TLB invalidation fence +- * @fence: TLB invalidation fence to finalize +- * +- * Drop PM ref which fence took durinig init. +- */ +-void xe_gt_tlb_invalidation_fence_fini(struct xe_gt_tlb_invalidation_fence *fence) +-{ +- xe_pm_runtime_put(gt_to_xe(fence->gt)); +-} +diff --git a/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h b/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h +index a84065fa324c7..f430d5797af70 100644 +--- a/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h ++++ b/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h +@@ -28,7 +28,6 @@ int xe_guc_tlb_invalidation_done_handler(struct xe_guc *guc, u32 *msg, u32 len); + void xe_gt_tlb_invalidation_fence_init(struct xe_gt *gt, + struct xe_gt_tlb_invalidation_fence *fence, + bool stack); +-void xe_gt_tlb_invalidation_fence_fini(struct xe_gt_tlb_invalidation_fence *fence); + + static inline void + xe_gt_tlb_invalidation_fence_wait(struct xe_gt_tlb_invalidation_fence *fence) +diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c +index 49ba9a1e375f4..3ac41f70ea6b1 100644 +--- a/drivers/gpu/drm/xe/xe_vm.c ++++ b/drivers/gpu/drm/xe/xe_vm.c +@@ -3377,10 +3377,8 @@ int xe_vm_invalidate_vma(struct xe_vma *vma) + + ret = xe_gt_tlb_invalidation_vma(tile->primary_gt, + &fence[fence_id], vma); +- if (ret < 0) { +- xe_gt_tlb_invalidation_fence_fini(&fence[fence_id]); ++ if (ret) + goto wait; +- } + ++fence_id; + + if (!tile->media_gt) +@@ -3392,10 +3390,8 @@ int xe_vm_invalidate_vma(struct xe_vma *vma) + + ret = xe_gt_tlb_invalidation_vma(tile->media_gt, + &fence[fence_id], vma); +- if (ret < 0) { +- xe_gt_tlb_invalidation_fence_fini(&fence[fence_id]); ++ if (ret) + goto wait; +- } + ++fence_id; + } + } +-- +2.43.0 + diff --git a/queue-6.11/drm-xe-take-job-list-lock-in-xe_sched_add_pending_jo.patch b/queue-6.11/drm-xe-take-job-list-lock-in-xe_sched_add_pending_jo.patch new file mode 100644 index 00000000000..fea590b5715 --- /dev/null +++ b/queue-6.11/drm-xe-take-job-list-lock-in-xe_sched_add_pending_jo.patch @@ -0,0 +1,43 @@ +From 8d30d74cd5e49d7ea556f9ea96ed56ea2356097c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 17:16:56 -0700 +Subject: drm/xe: Take job list lock in xe_sched_add_pending_job + +From: Matthew Brost + +[ Upstream commit ed931fb40e353586f26c3327813d142f782f5f78 ] + +A fragile micro optimization in xe_sched_add_pending_job relied on both +the GPU scheduler being stopped and fence signaling stopped to safely +add a job to the pending list without the job list lock in +xe_sched_add_pending_job. Remove this optimization and just take the job +list lock. + +Fixes: 7ddb9403dd74 ("drm/xe: Sample ctx timestamp to determine if jobs have timed out") +Signed-off-by: Matthew Brost +Reviewed-by: Matthew Auld +Link: https://patchwork.freedesktop.org/patch/msgid/20241003001657.3517883-2-matthew.brost@intel.com +(cherry picked from commit 90521df5fc43980e4575bd8c5b1cb62afe1a9f5f) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_gpu_scheduler.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/xe/xe_gpu_scheduler.h b/drivers/gpu/drm/xe/xe_gpu_scheduler.h +index 6aac7fe686735..6bdd0a5b36122 100644 +--- a/drivers/gpu/drm/xe/xe_gpu_scheduler.h ++++ b/drivers/gpu/drm/xe/xe_gpu_scheduler.h +@@ -51,7 +51,9 @@ xe_sched_invalidate_job(struct xe_sched_job *job, int threshold) + static inline void xe_sched_add_pending_job(struct xe_gpu_scheduler *sched, + struct xe_sched_job *job) + { ++ spin_lock(&sched->base.job_list_lock); + list_add(&job->drm.list, &sched->base.pending_list); ++ spin_unlock(&sched->base.job_list_lock); + } + + static inline +-- +2.43.0 + diff --git a/queue-6.11/drm-xe-use-bookkeep-slots-for-external-bo-s-in-exec-.patch b/queue-6.11/drm-xe-use-bookkeep-slots-for-external-bo-s-in-exec-.patch new file mode 100644 index 00000000000..66b7bff7ba7 --- /dev/null +++ b/queue-6.11/drm-xe-use-bookkeep-slots-for-external-bo-s-in-exec-.patch @@ -0,0 +1,73 @@ +From dd381de616b766734959487cd2bcef69663e6e78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 08:26:22 -0700 +Subject: drm/xe: Use bookkeep slots for external BO's in exec IOCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Brost + +[ Upstream commit e7518276e9388d36f103e8c1c7e99898a30d11f5 ] + +Fix external BO's dma-resv usage in exec IOCTL using bookkeep slots +rather than write slots. This leaves syncing to user space rather than +the KMD blindly enforcing write semantics on every external BO. + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Cc: José Roberto de Souza +Cc: Kenneth Graunke +Cc: Paulo Zanoni +Reported-by: Simona Vetter +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2673 +Signed-off-by: Matthew Brost +Reviewed-by: José Roberto de Souza +Reviewed-by: Kenneth Graunke +Link: https://patchwork.freedesktop.org/patch/msgid/20240911152622.903058-1-matthew.brost@intel.com +(cherry picked from commit b8b1163248759ba18509f7443a2d19b15b4c1df8) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_exec.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_exec.c b/drivers/gpu/drm/xe/xe_exec.c +index f36980aa26e69..6e5ba381eaded 100644 +--- a/drivers/gpu/drm/xe/xe_exec.c ++++ b/drivers/gpu/drm/xe/xe_exec.c +@@ -40,11 +40,6 @@ + * user knows an exec writes to a BO and reads from the BO in the next exec, it + * is the user's responsibility to pass in / out fence between the two execs). + * +- * Implicit dependencies for external BOs are handled by using the dma-buf +- * implicit dependency uAPI (TODO: add link). To make this works each exec must +- * install the job's fence into the DMA_RESV_USAGE_WRITE slot of every external +- * BO mapped in the VM. +- * + * We do not allow a user to trigger a bind at exec time rather we have a VM + * bind IOCTL which uses the same in / out fence interface as exec. In that + * sense, a VM bind is basically the same operation as an exec from the user +@@ -58,8 +53,8 @@ + * behind any pending kernel operations on any external BOs in VM or any BOs + * private to the VM. This is accomplished by the rebinds waiting on BOs + * DMA_RESV_USAGE_KERNEL slot (kernel ops) and kernel ops waiting on all BOs +- * slots (inflight execs are in the DMA_RESV_USAGE_BOOKING for private BOs and +- * in DMA_RESV_USAGE_WRITE for external BOs). ++ * slots (inflight execs are in the DMA_RESV_USAGE_BOOKKEEP for private BOs and ++ * for external BOs). + * + * Rebinds / dma-resv usage applies to non-compute mode VMs only as for compute + * mode VMs we use preempt fences and a rebind worker (TODO: add link). +@@ -292,7 +287,8 @@ int xe_exec_ioctl(struct drm_device *dev, void *data, struct drm_file *file) + xe_sched_job_arm(job); + if (!xe_vm_in_lr_mode(vm)) + drm_gpuvm_resv_add_fence(&vm->gpuvm, exec, &job->drm.s_fence->finished, +- DMA_RESV_USAGE_BOOKKEEP, DMA_RESV_USAGE_WRITE); ++ DMA_RESV_USAGE_BOOKKEEP, ++ DMA_RESV_USAGE_BOOKKEEP); + + for (i = 0; i < num_syncs; i++) { + xe_sync_entry_signal(&syncs[i], &job->drm.s_fence->finished); +-- +2.43.0 + diff --git a/queue-6.11/elevator-do-not-request_module-if-elevator-exists.patch b/queue-6.11/elevator-do-not-request_module-if-elevator-exists.patch new file mode 100644 index 00000000000..32683f6359f --- /dev/null +++ b/queue-6.11/elevator-do-not-request_module-if-elevator-exists.patch @@ -0,0 +1,65 @@ +From adc2ce0604e5a56670f1fa24f21c44379dc728c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 10:01:21 -0700 +Subject: elevator: do not request_module if elevator exists + +From: Breno Leitao + +[ Upstream commit b4ff6e93bfd0093ce3ffc7322e89fbaa8300488f ] + +Whenever an I/O elevator is changed, the system attempts to load a +module for the new elevator. This occurs regardless of whether the +elevator is already loaded or built directly into the kernel. This +behavior introduces unnecessary overhead and potential issues. + +This makes the operation slower, and more error-prone. For instance, +making the problem fixed by [1] visible for users that doesn't even rely +on modules being available through modules. + +Do not try to load the ioscheduler if it is already visible. + +This change brings two main benefits: it improves the performance of +elevator changes, and it reduces the likelihood of errors occurring +during this process. + +[1] Commit e3accac1a976 ("block: Fix elv_iosched_local_module handling of "none" scheduler") + +Fixes: 734e1a860312 ("block: Prevent deadlocks when switching elevators") +Signed-off-by: Breno Leitao +Link: https://lore.kernel.org/r/20241011170122.3880087-1-leitao@debian.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/elevator.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/block/elevator.c b/block/elevator.c +index 4122026b11f1a..8f155512bcd84 100644 +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -709,13 +709,21 @@ int elv_iosched_load_module(struct gendisk *disk, const char *buf, + size_t count) + { + char elevator_name[ELV_NAME_MAX]; ++ struct elevator_type *found; ++ const char *name; + + if (!elv_support_iosched(disk->queue)) + return -EOPNOTSUPP; + + strscpy(elevator_name, buf, sizeof(elevator_name)); ++ name = strstrip(elevator_name); + +- request_module("%s-iosched", strstrip(elevator_name)); ++ spin_lock(&elv_list_lock); ++ found = __elevator_find(name); ++ spin_unlock(&elv_list_lock); ++ ++ if (!found) ++ request_module("%s-iosched", name); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.11/elevator-remove-argument-from-elevator_find_get.patch b/queue-6.11/elevator-remove-argument-from-elevator_find_get.patch new file mode 100644 index 00000000000..3f7ad64762f --- /dev/null +++ b/queue-6.11/elevator-remove-argument-from-elevator_find_get.patch @@ -0,0 +1,60 @@ +From 974401ab765527f411bc760c87877134381614e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 08:56:15 -0700 +Subject: elevator: Remove argument from elevator_find_get + +From: Breno Leitao + +[ Upstream commit ee7ff15bf507d4cf9a2b11b00690dfe6046ad325 ] + +Commit e4eb37cc0f3ed ("block: Remove elevator required features") +removed the usage of `struct request_queue` from elevator_find_get(), +but didn't removed the argument. + +Remove the "struct request_queue *q" argument from elevator_find_get() +given it is useless. + +Fixes: e4eb37cc0f3e ("block: Remove elevator required features") +Signed-off-by: Breno Leitao +Link: https://lore.kernel.org/r/20241011155615.3361143-1-leitao@debian.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/elevator.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/block/elevator.c b/block/elevator.c +index 8f155512bcd84..640fcc891b0d2 100644 +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -106,8 +106,7 @@ static struct elevator_type *__elevator_find(const char *name) + return NULL; + } + +-static struct elevator_type *elevator_find_get(struct request_queue *q, +- const char *name) ++static struct elevator_type *elevator_find_get(const char *name) + { + struct elevator_type *e; + +@@ -569,7 +568,7 @@ static struct elevator_type *elevator_get_default(struct request_queue *q) + !blk_mq_is_shared_tags(q->tag_set->flags)) + return NULL; + +- return elevator_find_get(q, "mq-deadline"); ++ return elevator_find_get("mq-deadline"); + } + + /* +@@ -697,7 +696,7 @@ static int elevator_change(struct request_queue *q, const char *elevator_name) + if (q->elevator && elevator_match(q->elevator->type, elevator_name)) + return 0; + +- e = elevator_find_get(q, elevator_name); ++ e = elevator_find_get(elevator_name); + if (!e) + return -EINVAL; + ret = elevator_switch(q, e); +-- +2.43.0 + diff --git a/queue-6.11/fgraph-allocate-ret_stack_list-with-proper-size.patch b/queue-6.11/fgraph-allocate-ret_stack_list-with-proper-size.patch new file mode 100644 index 00000000000..57afb1fbbd9 --- /dev/null +++ b/queue-6.11/fgraph-allocate-ret_stack_list-with-proper-size.patch @@ -0,0 +1,54 @@ +From 16e9fc4fe3e673aaf95a9d0fb5832c0306c4a4dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2024 21:52:12 -0400 +Subject: fgraph: Allocate ret_stack_list with proper size + +From: Steven Rostedt + +[ Upstream commit fae4078c289a2f24229c0de652249948b1cd6bdb ] + +The ret_stack_list is an array of ret_stack shadow stacks for the function +graph usage. When the first function graph is enabled, all tasks in the +system get a shadow stack. The ret_stack_list is a 32 element array of +pointers to these shadow stacks. It allocates the shadow stack in batches +(32 stacks at a time), assigns them to running tasks, and continues until +all tasks are covered. + +When the function graph shadow stack changed from an array of +ftrace_ret_stack structures to an array of longs, the allocation of +ret_stack_list went from allocating an array of 32 elements to just a +block defined by SHADOW_STACK_SIZE. Luckily, that's defined as PAGE_SIZE +and is much more than enough to hold 32 pointers. But it is way overkill +for the amount needed to allocate. + +Change the allocation of ret_stack_list back to a kcalloc() of +FTRACE_RETSTACK_ALLOC_SIZE pointers. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20241018215212.23f13f40@rorschach +Fixes: 42675b723b484 ("function_graph: Convert ret_stack to a series of longs") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/fgraph.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c +index 43f4e3f57438b..41e7a15dcb50c 100644 +--- a/kernel/trace/fgraph.c ++++ b/kernel/trace/fgraph.c +@@ -1162,7 +1162,8 @@ static int start_graph_tracing(void) + unsigned long **ret_stack_list; + int ret; + +- ret_stack_list = kmalloc(SHADOW_STACK_SIZE, GFP_KERNEL); ++ ret_stack_list = kcalloc(FTRACE_RETSTACK_ALLOC_SIZE, ++ sizeof(*ret_stack_list), GFP_KERNEL); + + if (!ret_stack_list) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-6.11/firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch b/queue-6.11/firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch new file mode 100644 index 00000000000..d4f12829481 --- /dev/null +++ b/queue-6.11/firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch @@ -0,0 +1,51 @@ +From 4f16c699aeececeb9389a2631f4ce56ede9e17c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 18:40:02 +0800 +Subject: firmware: arm_scmi: Fix the double free in + scmi_debugfs_common_setup() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Su Hui + +[ Upstream commit 39b13dce1a91cdfc3bec9238f9e89094551bd428 ] + +Clang static checker(scan-build) throws below warning: + | drivers/firmware/arm_scmi/driver.c:line 2915, column 2 + | Attempt to free released memory. + +When devm_add_action_or_reset() fails, scmi_debugfs_common_cleanup() +will run twice which causes double free of 'dbg->name'. + +Remove the redundant scmi_debugfs_common_cleanup() to fix this problem. + +Fixes: c3d4aed763ce ("firmware: arm_scmi: Populate a common SCMI debugfs root") +Signed-off-by: Su Hui +Reviewed-by: Cristian Marussi +Message-Id: <20241011104001.1546476-1-suhui@nfschina.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/driver.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c +index 6b6957f4743fe..dc09f2d755f41 100644 +--- a/drivers/firmware/arm_scmi/driver.c ++++ b/drivers/firmware/arm_scmi/driver.c +@@ -2902,10 +2902,8 @@ static struct scmi_debug_info *scmi_debugfs_common_setup(struct scmi_info *info) + dbg->top_dentry = top_dentry; + + if (devm_add_action_or_reset(info->dev, +- scmi_debugfs_common_cleanup, dbg)) { +- scmi_debugfs_common_cleanup(dbg); ++ scmi_debugfs_common_cleanup, dbg)) + return NULL; +- } + + return dbg; + } +-- +2.43.0 + diff --git a/queue-6.11/firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch b/queue-6.11/firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch new file mode 100644 index 00000000000..4665a8188c1 --- /dev/null +++ b/queue-6.11/firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch @@ -0,0 +1,115 @@ +From 0d4a58dd2551feb487d3329340266ac32ee81fb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 09:07:17 -0700 +Subject: firmware: arm_scmi: Queue in scmi layer for mailbox implementation + +From: Justin Chen + +[ Upstream commit da1642bc97c4ef67f347edcd493bd0a52f88777b ] + +send_message() does not block in the MBOX implementation. This is +because the mailbox layer has its own queue. However, this confuses +the per xfer timeouts as they all start their timeout ticks in +parallel. + +Consider a case where the xfer timeout is 30ms and a SCMI transaction +takes 25ms: + + | 0ms: Message #0 is queued in mailbox layer and sent out, then sits + | at scmi_wait_for_message_response() with a timeout of 30ms + | 1ms: Message #1 is queued in mailbox layer but not sent out yet. + | Since send_message() doesn't block, it also sits at + | scmi_wait_for_message_response() with a timeout of 30ms + | ... + | 25ms: Message #0 is completed, txdone is called and message #1 is sent + | 31ms: Message #1 times out since the count started at 1ms. Even though + | it has only been inflight for 6ms. + +Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type") +Signed-off-by: Justin Chen +Message-Id: <20241014160717.1678953-1-justin.chen@broadcom.com> +Reviewed-by: Cristian Marussi +Tested-by: Cristian Marussi +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/mailbox.c | 32 +++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/drivers/firmware/arm_scmi/mailbox.c b/drivers/firmware/arm_scmi/mailbox.c +index 0219a12e3209a..06087cb785f36 100644 +--- a/drivers/firmware/arm_scmi/mailbox.c ++++ b/drivers/firmware/arm_scmi/mailbox.c +@@ -24,6 +24,7 @@ + * @chan_platform_receiver: Optional Platform Receiver mailbox unidirectional channel + * @cinfo: SCMI channel info + * @shmem: Transmit/Receive shared memory area ++ * @chan_lock: Lock that prevents multiple xfers from being queued + */ + struct scmi_mailbox { + struct mbox_client cl; +@@ -32,6 +33,7 @@ struct scmi_mailbox { + struct mbox_chan *chan_platform_receiver; + struct scmi_chan_info *cinfo; + struct scmi_shared_mem __iomem *shmem; ++ struct mutex chan_lock; + }; + + #define client_to_scmi_mailbox(c) container_of(c, struct scmi_mailbox, cl) +@@ -255,6 +257,7 @@ static int mailbox_chan_setup(struct scmi_chan_info *cinfo, struct device *dev, + + cinfo->transport_info = smbox; + smbox->cinfo = cinfo; ++ mutex_init(&smbox->chan_lock); + + return 0; + } +@@ -284,13 +287,23 @@ static int mailbox_send_message(struct scmi_chan_info *cinfo, + struct scmi_mailbox *smbox = cinfo->transport_info; + int ret; + +- ret = mbox_send_message(smbox->chan, xfer); ++ /* ++ * The mailbox layer has its own queue. However the mailbox queue ++ * confuses the per message SCMI timeouts since the clock starts when ++ * the message is submitted into the mailbox queue. So when multiple ++ * messages are queued up the clock starts on all messages instead of ++ * only the one inflight. ++ */ ++ mutex_lock(&smbox->chan_lock); + +- /* mbox_send_message returns non-negative value on success, so reset */ +- if (ret > 0) +- ret = 0; ++ ret = mbox_send_message(smbox->chan, xfer); ++ /* mbox_send_message returns non-negative value on success */ ++ if (ret < 0) { ++ mutex_unlock(&smbox->chan_lock); ++ return ret; ++ } + +- return ret; ++ return 0; + } + + static void mailbox_mark_txdone(struct scmi_chan_info *cinfo, int ret, +@@ -298,13 +311,10 @@ static void mailbox_mark_txdone(struct scmi_chan_info *cinfo, int ret, + { + struct scmi_mailbox *smbox = cinfo->transport_info; + +- /* +- * NOTE: we might prefer not to need the mailbox ticker to manage the +- * transfer queueing since the protocol layer queues things by itself. +- * Unfortunately, we have to kick the mailbox framework after we have +- * received our message. +- */ + mbox_client_txdone(smbox->chan, ret); ++ ++ /* Release channel */ ++ mutex_unlock(&smbox->chan_lock); + } + + static void mailbox_fetch_response(struct scmi_chan_info *cinfo, +-- +2.43.0 + diff --git a/queue-6.11/genetlink-hold-rcu-in-genlmsg_mcast.patch b/queue-6.11/genetlink-hold-rcu-in-genlmsg_mcast.patch new file mode 100644 index 00000000000..8fa18b5dd7a --- /dev/null +++ b/queue-6.11/genetlink-hold-rcu-in-genlmsg_mcast.patch @@ -0,0 +1,242 @@ +From adeaf59afa73a051251235aa3787c9e84d740e87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 17:12:17 +0000 +Subject: genetlink: hold RCU in genlmsg_mcast() + +From: Eric Dumazet + +[ Upstream commit 56440d7ec28d60f8da3bfa09062b3368ff9b16db ] + +While running net selftests with CONFIG_PROVE_RCU_LIST=y I saw +one lockdep splat [1]. + +genlmsg_mcast() uses for_each_net_rcu(), and must therefore hold RCU. + +Instead of letting all callers guard genlmsg_multicast_allns() +with a rcu_read_lock()/rcu_read_unlock() pair, do it in genlmsg_mcast(). + +This also means the @flags parameter is useless, we need to always use +GFP_ATOMIC. + +[1] +[10882.424136] ============================= +[10882.424166] WARNING: suspicious RCU usage +[10882.424309] 6.12.0-rc2-virtme #1156 Not tainted +[10882.424400] ----------------------------- +[10882.424423] net/netlink/genetlink.c:1940 RCU-list traversed in non-reader section!! +[10882.424469] +other info that might help us debug this: + +[10882.424500] +rcu_scheduler_active = 2, debug_locks = 1 +[10882.424744] 2 locks held by ip/15677: +[10882.424791] #0: ffffffffb6b491b0 (cb_lock){++++}-{3:3}, at: genl_rcv (net/netlink/genetlink.c:1219) +[10882.426334] #1: ffffffffb6b49248 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg (net/netlink/genetlink.c:61 net/netlink/genetlink.c:57 net/netlink/genetlink.c:1209) +[10882.426465] +stack backtrace: +[10882.426805] CPU: 14 UID: 0 PID: 15677 Comm: ip Not tainted 6.12.0-rc2-virtme #1156 +[10882.426919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[10882.427046] Call Trace: +[10882.427131] +[10882.427244] dump_stack_lvl (lib/dump_stack.c:123) +[10882.427335] lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822) +[10882.427387] genlmsg_multicast_allns (net/netlink/genetlink.c:1940 (discriminator 7) net/netlink/genetlink.c:1977 (discriminator 7)) +[10882.427436] l2tp_tunnel_notify.constprop.0 (net/l2tp/l2tp_netlink.c:119) l2tp_netlink +[10882.427683] l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:253) l2tp_netlink +[10882.427748] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115) +[10882.427834] genl_rcv_msg (net/netlink/genetlink.c:1195 net/netlink/genetlink.c:1210) +[10882.427877] ? __pfx_l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:186) l2tp_netlink +[10882.427927] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201) +[10882.427959] netlink_rcv_skb (net/netlink/af_netlink.c:2551) +[10882.428069] genl_rcv (net/netlink/genetlink.c:1220) +[10882.428095] netlink_unicast (net/netlink/af_netlink.c:1332 net/netlink/af_netlink.c:1357) +[10882.428140] netlink_sendmsg (net/netlink/af_netlink.c:1901) +[10882.428210] ____sys_sendmsg (net/socket.c:729 (discriminator 1) net/socket.c:744 (discriminator 1) net/socket.c:2607 (discriminator 1)) + +Fixes: 33f72e6f0c67 ("l2tp : multicast notification to the registered listeners") +Signed-off-by: Eric Dumazet +Cc: James Chapman +Cc: Tom Parkin +Cc: Johannes Berg +Link: https://patch.msgid.link/20241011171217.3166614-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_user.c | 2 +- + include/net/genetlink.h | 3 +-- + net/l2tp/l2tp_netlink.c | 4 ++-- + net/netlink/genetlink.c | 28 ++++++++++++++-------------- + net/wireless/nl80211.c | 8 ++------ + 5 files changed, 20 insertions(+), 25 deletions(-) + +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index 7eb94894bd68f..717931267bda0 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -2130,7 +2130,7 @@ static int tcmu_netlink_event_send(struct tcmu_dev *udev, + } + + ret = genlmsg_multicast_allns(&tcmu_genl_family, skb, 0, +- TCMU_MCGRP_CONFIG, GFP_KERNEL); ++ TCMU_MCGRP_CONFIG); + + /* Wait during an add as the listener may not be up yet */ + if (ret == 0 || +diff --git a/include/net/genetlink.h b/include/net/genetlink.h +index 9ab49bfeae789..c1d91f1d20f6c 100644 +--- a/include/net/genetlink.h ++++ b/include/net/genetlink.h +@@ -531,13 +531,12 @@ static inline int genlmsg_multicast(const struct genl_family *family, + * @skb: netlink message as socket buffer + * @portid: own netlink portid to avoid sending to yourself + * @group: offset of multicast group in groups array +- * @flags: allocation flags + * + * This function must hold the RTNL or rcu_read_lock(). + */ + int genlmsg_multicast_allns(const struct genl_family *family, + struct sk_buff *skb, u32 portid, +- unsigned int group, gfp_t flags); ++ unsigned int group); + + /** + * genlmsg_unicast - unicast a netlink message +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c +index fc43ecbd128cc..28e77a222a39b 100644 +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -116,7 +116,7 @@ static int l2tp_tunnel_notify(struct genl_family *family, + NLM_F_ACK, tunnel, cmd); + + if (ret >= 0) { +- ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC); ++ ret = genlmsg_multicast_allns(family, msg, 0, 0); + /* We don't care if no one is listening */ + if (ret == -ESRCH) + ret = 0; +@@ -144,7 +144,7 @@ static int l2tp_session_notify(struct genl_family *family, + NLM_F_ACK, session, cmd); + + if (ret >= 0) { +- ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC); ++ ret = genlmsg_multicast_allns(family, msg, 0, 0); + /* We don't care if no one is listening */ + if (ret == -ESRCH) + ret = 0; +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index feb54c63a1165..07ad65774fe29 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -1501,15 +1501,11 @@ static int genl_ctrl_event(int event, const struct genl_family *family, + if (IS_ERR(msg)) + return PTR_ERR(msg); + +- if (!family->netnsok) { ++ if (!family->netnsok) + genlmsg_multicast_netns(&genl_ctrl, &init_net, msg, 0, + 0, GFP_KERNEL); +- } else { +- rcu_read_lock(); +- genlmsg_multicast_allns(&genl_ctrl, msg, 0, +- 0, GFP_ATOMIC); +- rcu_read_unlock(); +- } ++ else ++ genlmsg_multicast_allns(&genl_ctrl, msg, 0, 0); + + return 0; + } +@@ -1929,23 +1925,23 @@ static int __init genl_init(void) + + core_initcall(genl_init); + +-static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, +- gfp_t flags) ++static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group) + { + struct sk_buff *tmp; + struct net *net, *prev = NULL; + bool delivered = false; + int err; + ++ rcu_read_lock(); + for_each_net_rcu(net) { + if (prev) { +- tmp = skb_clone(skb, flags); ++ tmp = skb_clone(skb, GFP_ATOMIC); + if (!tmp) { + err = -ENOMEM; + goto error; + } + err = nlmsg_multicast(prev->genl_sock, tmp, +- portid, group, flags); ++ portid, group, GFP_ATOMIC); + if (!err) + delivered = true; + else if (err != -ESRCH) +@@ -1954,27 +1950,31 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, + + prev = net; + } ++ err = nlmsg_multicast(prev->genl_sock, skb, portid, group, GFP_ATOMIC); ++ ++ rcu_read_unlock(); + +- err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags); + if (!err) + delivered = true; + else if (err != -ESRCH) + return err; + return delivered ? 0 : -ESRCH; + error: ++ rcu_read_unlock(); ++ + kfree_skb(skb); + return err; + } + + int genlmsg_multicast_allns(const struct genl_family *family, + struct sk_buff *skb, u32 portid, +- unsigned int group, gfp_t flags) ++ unsigned int group) + { + if (WARN_ON_ONCE(group >= family->n_mcgrps)) + return -EINVAL; + + group = family->mcgrp_offset + group; +- return genlmsg_mcast(skb, portid, group, flags); ++ return genlmsg_mcast(skb, portid, group); + } + EXPORT_SYMBOL(genlmsg_multicast_allns); + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index f18e1716339e0..3766efacfd64f 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -17967,10 +17967,8 @@ void nl80211_common_reg_change_event(enum nl80211_commands cmd_id, + + genlmsg_end(msg, hdr); + +- rcu_read_lock(); + genlmsg_multicast_allns(&nl80211_fam, msg, 0, +- NL80211_MCGRP_REGULATORY, GFP_ATOMIC); +- rcu_read_unlock(); ++ NL80211_MCGRP_REGULATORY); + + return; + +@@ -18703,10 +18701,8 @@ void nl80211_send_beacon_hint_event(struct wiphy *wiphy, + + genlmsg_end(msg, hdr); + +- rcu_read_lock(); + genlmsg_multicast_allns(&nl80211_fam, msg, 0, +- NL80211_MCGRP_REGULATORY, GFP_ATOMIC); +- rcu_read_unlock(); ++ NL80211_MCGRP_REGULATORY); + + return; + +-- +2.43.0 + diff --git a/queue-6.11/iio-accel-bma400-fix-uninitialized-variable-field_va.patch b/queue-6.11/iio-accel-bma400-fix-uninitialized-variable-field_va.patch new file mode 100644 index 00000000000..b116704ce81 --- /dev/null +++ b/queue-6.11/iio-accel-bma400-fix-uninitialized-variable-field_va.patch @@ -0,0 +1,46 @@ +From 5abd35b058a4a1a9b96b9b53e45194b68d555926 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 04:36:20 -0400 +Subject: iio: accel: bma400: Fix uninitialized variable field_value in tap + event handling. + +From: Mikhail Lobanov + +[ Upstream commit db9795a43dc944f048a37b65e06707f60f713e34 ] + +In the current implementation, the local variable field_value is used +without prior initialization, which may lead to reading uninitialized +memory. Specifically, in the macro set_mask_bits, the initial +(potentially uninitialized) value of the buffer is copied into old__, +and a mask is applied to calculate new__. A similar issue was resolved in +commit 6ee2a7058fea ("iio: accel: bma400: Fix smatch warning based on use +of unintialized value."). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 961db2da159d ("iio: accel: bma400: Add support for single and double tap events") +Signed-off-by: Mikhail Lobanov +Link: https://patch.msgid.link/20240910083624.27224-1-m.lobanov@rosalinux.ru +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/bma400_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/accel/bma400_core.c b/drivers/iio/accel/bma400_core.c +index e90e2f01550ad..04083b7395ab8 100644 +--- a/drivers/iio/accel/bma400_core.c ++++ b/drivers/iio/accel/bma400_core.c +@@ -1219,7 +1219,8 @@ static int bma400_activity_event_en(struct bma400_data *data, + static int bma400_tap_event_en(struct bma400_data *data, + enum iio_event_direction dir, int state) + { +- unsigned int mask, field_value; ++ unsigned int mask; ++ unsigned int field_value = 0; + int ret; + + /* +-- +2.43.0 + diff --git a/queue-6.11/iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch b/queue-6.11/iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch new file mode 100644 index 00000000000..22ae37895ae --- /dev/null +++ b/queue-6.11/iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch @@ -0,0 +1,41 @@ +From e07c9d12a5a40f4e29c64b0697663a795ca69396 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2024 23:04:52 +0200 +Subject: iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in + Kconfig + +From: Javier Carrasco + +[ Upstream commit a985576af824426e33100554a5958a6beda60a13 ] + +This driver makes use of triggered buffers, but does not select the +required modules. + +Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. + +Fixes: 6c7bc1d27bb2 ("iio: adc: ti-lmp92064: add buffering support") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241003-iio-select-v1-6-67c0385197cd@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig +index cceac30e2bb9f..c16316664db38 100644 +--- a/drivers/iio/adc/Kconfig ++++ b/drivers/iio/adc/Kconfig +@@ -1486,6 +1486,8 @@ config TI_LMP92064 + tristate "Texas Instruments LMP92064 ADC driver" + depends on SPI + select REGMAP_SPI ++ select IIO_BUFFER ++ select IIO_TRIGGERED_BUFFER + help + Say yes here to build support for the LMP92064 Precision Current and Voltage + sensor. +-- +2.43.0 + diff --git a/queue-6.11/iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch b/queue-6.11/iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch new file mode 100644 index 00000000000..95eb3cb9b05 --- /dev/null +++ b/queue-6.11/iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch @@ -0,0 +1,70 @@ +From 74ce524a374aa3b686de8633d82e048cccb7e78d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 22:06:38 +0200 +Subject: iio: frequency: {admv4420,adrf6780}: format Kconfig entries + +From: Javier Carrasco + +[ Upstream commit 5c9644a683e1690387a476a4f5f6bd5cf9a1d695 ] + +Format the entries of these drivers in the Kconfig, where spaces +instead of tabs were used. + +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241007-ad2s1210-select-v2-1-7345d228040f@gmail.com +Signed-off-by: Jonathan Cameron +Stable-dep-of: 6b8e9dbfaed4 ("iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig") +Signed-off-by: Sasha Levin +--- + drivers/iio/frequency/Kconfig | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/iio/frequency/Kconfig b/drivers/iio/frequency/Kconfig +index 89ae09db5ca5f..7b1a7ed163ced 100644 +--- a/drivers/iio/frequency/Kconfig ++++ b/drivers/iio/frequency/Kconfig +@@ -92,25 +92,25 @@ config ADMV1014 + module will be called admv1014. + + config ADMV4420 +- tristate "Analog Devices ADMV4420 K Band Downconverter" +- depends on SPI +- help +- Say yes here to build support for Analog Devices K Band +- Downconverter with integrated Fractional-N PLL and VCO. ++ tristate "Analog Devices ADMV4420 K Band Downconverter" ++ depends on SPI ++ help ++ Say yes here to build support for Analog Devices K Band ++ Downconverter with integrated Fractional-N PLL and VCO. + +- To compile this driver as a module, choose M here: the +- module will be called admv4420. ++ To compile this driver as a module, choose M here: the ++ module will be called admv4420. + + config ADRF6780 +- tristate "Analog Devices ADRF6780 Microwave Upconverter" +- depends on SPI +- depends on COMMON_CLK +- help +- Say yes here to build support for Analog Devices ADRF6780 +- 5.9 GHz to 23.6 GHz, Wideband, Microwave Upconverter. +- +- To compile this driver as a module, choose M here: the +- module will be called adrf6780. ++ tristate "Analog Devices ADRF6780 Microwave Upconverter" ++ depends on SPI ++ depends on COMMON_CLK ++ help ++ Say yes here to build support for Analog Devices ADRF6780 ++ 5.9 GHz to 23.6 GHz, Wideband, Microwave Upconverter. ++ ++ To compile this driver as a module, choose M here: the ++ module will be called adrf6780. + + endmenu + endmenu +-- +2.43.0 + diff --git a/queue-6.11/iio-frequency-admv4420-fix-missing-select-remap_spi-.patch b/queue-6.11/iio-frequency-admv4420-fix-missing-select-remap_spi-.patch new file mode 100644 index 00000000000..6cf01e48541 --- /dev/null +++ b/queue-6.11/iio-frequency-admv4420-fix-missing-select-remap_spi-.patch @@ -0,0 +1,37 @@ +From a8eeeb7f9be011a1b75d8f561179cf1b779e5b9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 22:06:39 +0200 +Subject: iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig + +From: Javier Carrasco + +[ Upstream commit 6b8e9dbfaed471627f7b863633b9937717df1d4d ] + +This driver makes use of regmap_spi, but does not select the required +module. +Add the missing 'select REGMAP_SPI'. + +Fixes: b59c04155901 ("iio: frequency: admv4420.c: Add support for ADMV4420") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241007-ad2s1210-select-v2-2-7345d228040f@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/frequency/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iio/frequency/Kconfig b/drivers/iio/frequency/Kconfig +index 7b1a7ed163ced..583cbdf4e8cda 100644 +--- a/drivers/iio/frequency/Kconfig ++++ b/drivers/iio/frequency/Kconfig +@@ -94,6 +94,7 @@ config ADMV1014 + config ADMV4420 + tristate "Analog Devices ADMV4420 K Band Downconverter" + depends on SPI ++ select REGMAP_SPI + help + Say yes here to build support for Analog Devices K Band + Downconverter with integrated Fractional-N PLL and VCO. +-- +2.43.0 + diff --git a/queue-6.11/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch b/queue-6.11/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch new file mode 100644 index 00000000000..61ab83696c4 --- /dev/null +++ b/queue-6.11/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch @@ -0,0 +1,112 @@ +From ba80dfabf802f05b2e967732cf38508f09626fa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 14:47:13 -0400 +Subject: ipv4: give an IPv4 dev to blackhole_netdev + +From: Xin Long + +[ Upstream commit 22600596b6756b166fd052d5facb66287e6f0bad ] + +After commit 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to +invalidate dst entries"), blackhole_netdev was introduced to invalidate +dst cache entries on the TX path whenever the cache times out or is +flushed. + +When two UDP sockets (sk1 and sk2) send messages to the same destination +simultaneously, they are using the same dst cache. If the dst cache is +invalidated on one path (sk2) while the other (sk1) is still transmitting, +sk1 may try to use the invalid dst entry. + + CPU1 CPU2 + + udp_sendmsg(sk1) udp_sendmsg(sk2) + udp_send_skb() + ip_output() + <--- dst timeout or flushed + dst_dev_put() + ip_finish_output2() + ip_neigh_for_gw() + +This results in a scenario where ip_neigh_for_gw() returns -EINVAL because +blackhole_dev lacks an in_dev, which is needed to initialize the neigh in +arp_constructor(). This error is then propagated back to userspace, +breaking the UDP application. + +The patch fixes this issue by assigning an in_dev to blackhole_dev for +IPv4, similar to what was done for IPv6 in commit e5f80fcf869a ("ipv6: +give an IPv6 dev to blackhole_netdev"). This ensures that even when the +dst entry is invalidated with blackhole_dev, it will not fail to create +the neigh entry. + +As devinet_init() is called ealier than blackhole_netdev_init() in system +booting, it can not assign the in_dev to blackhole_dev in devinet_init(). +As Paolo suggested, add a separate late_initcall() in devinet.c to ensure +inet_blackhole_dev_init() is called after blackhole_netdev_init(). + +Fixes: 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to invalidate dst entries") +Signed-off-by: Xin Long +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/3000792d45ca44e16c785ebe2b092e610e5b3df1.1728499633.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 35 +++++++++++++++++++++++++---------- + 1 file changed, 25 insertions(+), 10 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index ddab151164542..4d0c8d501ab7c 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -288,17 +288,19 @@ static struct in_device *inetdev_init(struct net_device *dev) + /* Account for reference dev->ip_ptr (below) */ + refcount_set(&in_dev->refcnt, 1); + +- err = devinet_sysctl_register(in_dev); +- if (err) { +- in_dev->dead = 1; +- neigh_parms_release(&arp_tbl, in_dev->arp_parms); +- in_dev_put(in_dev); +- in_dev = NULL; +- goto out; ++ if (dev != blackhole_netdev) { ++ err = devinet_sysctl_register(in_dev); ++ if (err) { ++ in_dev->dead = 1; ++ neigh_parms_release(&arp_tbl, in_dev->arp_parms); ++ in_dev_put(in_dev); ++ in_dev = NULL; ++ goto out; ++ } ++ ip_mc_init_dev(in_dev); ++ if (dev->flags & IFF_UP) ++ ip_mc_up(in_dev); + } +- ip_mc_init_dev(in_dev); +- if (dev->flags & IFF_UP) +- ip_mc_up(in_dev); + + /* we can receive as soon as ip_ptr is set -- do this last */ + rcu_assign_pointer(dev->ip_ptr, in_dev); +@@ -337,6 +339,19 @@ static void inetdev_destroy(struct in_device *in_dev) + in_dev_put(in_dev); + } + ++static int __init inet_blackhole_dev_init(void) ++{ ++ int err = 0; ++ ++ rtnl_lock(); ++ if (!inetdev_init(blackhole_netdev)) ++ err = -ENOMEM; ++ rtnl_unlock(); ++ ++ return err; ++} ++late_initcall(inet_blackhole_dev_init); ++ + int inet_addr_onlink(struct in_device *in_dev, __be32 a, __be32 b) + { + const struct in_ifaddr *ifa; +-- +2.43.0 + diff --git a/queue-6.11/irqchip-renesas-rzg2l-fix-missing-put_device.patch b/queue-6.11/irqchip-renesas-rzg2l-fix-missing-put_device.patch new file mode 100644 index 00000000000..f8a235049da --- /dev/null +++ b/queue-6.11/irqchip-renesas-rzg2l-fix-missing-put_device.patch @@ -0,0 +1,81 @@ +From ec183dcaf7490b282d5e62ef6faef4713f6048de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 18:20:03 +0100 +Subject: irqchip/renesas-rzg2l: Fix missing put_device + +From: Fabrizio Castro + +[ Upstream commit d038109ac1c6bf619473dda03a16a6de58170f7f ] + +rzg2l_irqc_common_init() calls of_find_device_by_node(), but the +corresponding put_device() call is missing. This also gets reported by +make coccicheck. + +Make use of the cleanup interfaces from cleanup.h to call into +__free_put_device(), which in turn calls into put_device when leaving +function rzg2l_irqc_common_init() and variable "dev" goes out of scope. + +To prevent that the device is put on successful completion, assign NULL to +"dev" to prevent __free_put_device() from calling into put_device() within +the successful path. + +"make coccicheck" will still complain about missing put_device() calls, +but those are false positives now. + +Fixes: 3fed09559cd8 ("irqchip: Add RZ/G2L IA55 Interrupt Controller driver") +Signed-off-by: Fabrizio Castro +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/all/20241011172003.1242841-1-fabrizio.castro.jz@renesas.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index 693ff285ca2c6..99e27e01b0b19 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -530,12 +531,12 @@ static int rzg2l_irqc_parse_interrupts(struct rzg2l_irqc_priv *priv, + static int rzg2l_irqc_common_init(struct device_node *node, struct device_node *parent, + const struct irq_chip *irq_chip) + { ++ struct platform_device *pdev = of_find_device_by_node(node); ++ struct device *dev __free(put_device) = pdev ? &pdev->dev : NULL; + struct irq_domain *irq_domain, *parent_domain; +- struct platform_device *pdev; + struct reset_control *resetn; + int ret; + +- pdev = of_find_device_by_node(node); + if (!pdev) + return -ENODEV; + +@@ -591,6 +592,17 @@ static int rzg2l_irqc_common_init(struct device_node *node, struct device_node * + + register_syscore_ops(&rzg2l_irqc_syscore_ops); + ++ /* ++ * Prevent the cleanup function from invoking put_device by assigning ++ * NULL to dev. ++ * ++ * make coccicheck will complain about missing put_device calls, but ++ * those are false positives, as dev will be automatically "put" via ++ * __free_put_device on the failing path. ++ * On the successful path we don't actually want to "put" dev. ++ */ ++ dev = NULL; ++ + return 0; + + pm_put: +-- +2.43.0 + diff --git a/queue-6.11/irqchip-riscv-imsic-fix-output-text-of-base-address.patch b/queue-6.11/irqchip-riscv-imsic-fix-output-text-of-base-address.patch new file mode 100644 index 00000000000..3135ffa1f9d --- /dev/null +++ b/queue-6.11/irqchip-riscv-imsic-fix-output-text-of-base-address.patch @@ -0,0 +1,38 @@ +From 50a9b21fada0407168e7eb3696b25bf439458987 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 10:56:11 +0200 +Subject: irqchip/riscv-imsic: Fix output text of base address + +From: Andrew Jones + +[ Upstream commit 4a1361e9a5c5dbb5c9f647762ae0cb1a605101fa ] + +The "per-CPU IDs ... at base ..." info log is outputting a physical +address, not a PPN. + +Fixes: 027e125acdba ("irqchip/riscv-imsic: Add device MSI domain support for platform devices") +Signed-off-by: Andrew Jones +Signed-off-by: Thomas Gleixner +Reviewed-by: Anup Patel +Link: https://lore.kernel.org/all/20240909085610.46625-2-ajones@ventanamicro.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-riscv-imsic-platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-riscv-imsic-platform.c b/drivers/irqchip/irq-riscv-imsic-platform.c +index 11723a763c102..c5ec66e0bfd33 100644 +--- a/drivers/irqchip/irq-riscv-imsic-platform.c ++++ b/drivers/irqchip/irq-riscv-imsic-platform.c +@@ -340,7 +340,7 @@ int imsic_irqdomain_init(void) + imsic->fwnode, global->hart_index_bits, global->guest_index_bits); + pr_info("%pfwP: group-index-bits: %d, group-index-shift: %d\n", + imsic->fwnode, global->group_index_bits, global->group_index_shift); +- pr_info("%pfwP: per-CPU IDs %d at base PPN %pa\n", ++ pr_info("%pfwP: per-CPU IDs %d at base address %pa\n", + imsic->fwnode, global->nr_ids, &global->base_addr); + pr_info("%pfwP: total %d interrupts available\n", + imsic->fwnode, num_possible_cpus() * (global->nr_ids - 1)); +-- +2.43.0 + diff --git a/queue-6.11/lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch b/queue-6.11/lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch new file mode 100644 index 00000000000..0b62e7c9371 --- /dev/null +++ b/queue-6.11/lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch @@ -0,0 +1,39 @@ +From d46f9bffebdb44c35af7e539f4e160ae788e7a01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2024 16:02:44 +0200 +Subject: lib/Kconfig.debug: fix grammar in RUST_BUILD_ASSERT_ALLOW + +From: Timo Grautstueck + +[ Upstream commit ab8851431bef5cc44f0f3f0da112e883fd4d0df5 ] + +Just a grammar fix in lib/Kconfig.debug, under the config option +RUST_BUILD_ASSERT_ALLOW. + +Reported-by: Miguel Ojeda +Closes: https://github.com/Rust-for-Linux/linux/issues/1006 +Fixes: ecaa6ddff2fd ("rust: add `build_error` crate") +Signed-off-by: Timo Grautstueck +Link: https://lore.kernel.org/r/20241006140244.5509-1-timo.grautstueck@web.de +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + lib/Kconfig.debug | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index a30c03a661726..8079f5c2dfe4f 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -3023,7 +3023,7 @@ config RUST_BUILD_ASSERT_ALLOW + bool "Allow unoptimized build-time assertions" + depends on RUST + help +- Controls how are `build_error!` and `build_assert!` handled during build. ++ Controls how `build_error!` and `build_assert!` are handled during the build. + + If calls to them exist in the binary, it may indicate a violated invariant + or that the optimizer failed to verify the invariant during compilation. +-- +2.43.0 + diff --git a/queue-6.11/macsec-don-t-increment-counters-for-an-unrelated-sa.patch b/queue-6.11/macsec-don-t-increment-counters-for-an-unrelated-sa.patch new file mode 100644 index 00000000000..4c67d9ac82e --- /dev/null +++ b/queue-6.11/macsec-don-t-increment-counters-for-an-unrelated-sa.patch @@ -0,0 +1,83 @@ +From 57b9af0be7ba8283a895703006acf900e93bdab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 17:16:37 +0200 +Subject: macsec: don't increment counters for an unrelated SA + +From: Sabrina Dubroca + +[ Upstream commit cf58aefb1332db322060cad4a330d5f9292b0f41 ] + +On RX, we shouldn't be incrementing the stats for an arbitrary SA in +case the actual SA hasn't been set up. Those counters are intended to +track packets for their respective AN when the SA isn't currently +configured. Due to the way MACsec is implemented, we don't keep +counters unless the SA is configured, so we can't track those packets, +and those counters will remain at 0. + +The RXSC's stats keeps track of those packets without telling us which +AN they belonged to. We could add counters for non-existent SAs, and +then find a way to integrate them in the dump to userspace, but I +don't think it's worth the effort. + +Fixes: 91ec9bd57f35 ("macsec: Fix traffic counters/statistics") +Reported-by: Paolo Abeni +Signed-off-by: Sabrina Dubroca +Link: https://patch.msgid.link/f5ac92aaa5b89343232615f4c03f9f95042c6aa0.1728657709.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 18 ------------------ + 1 file changed, 18 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 2da70bc3dd869..2a31d09d43ed4 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -154,19 +154,6 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr) + return sa; + } + +-static struct macsec_rx_sa *macsec_active_rxsa_get(struct macsec_rx_sc *rx_sc) +-{ +- struct macsec_rx_sa *sa = NULL; +- int an; +- +- for (an = 0; an < MACSEC_NUM_AN; an++) { +- sa = macsec_rxsa_get(rx_sc->sa[an]); +- if (sa) +- break; +- } +- return sa; +-} +- + static void free_rx_sc_rcu(struct rcu_head *head) + { + struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head); +@@ -1208,15 +1195,12 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + /* If validateFrames is Strict or the C bit in the + * SecTAG is set, discard + */ +- struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc); + if (hdr->tci_an & MACSEC_TCI_C || + secy->validate_frames == MACSEC_VALIDATE_STRICT) { + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsNotUsingSA++; + u64_stats_update_end(&rxsc_stats->syncp); + DEV_STATS_INC(secy->netdev, rx_errors); +- if (active_rx_sa) +- this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA); + goto drop_nosa; + } + +@@ -1226,8 +1210,6 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsUnusedSA++; + u64_stats_update_end(&rxsc_stats->syncp); +- if (active_rx_sa) +- this_cpu_inc(active_rx_sa->stats->InPktsUnusedSA); + goto deliver; + } + +-- +2.43.0 + diff --git a/queue-6.11/mm-don-t-install-pmd-mappings-when-thps-are-disabled.patch b/queue-6.11/mm-don-t-install-pmd-mappings-when-thps-are-disabled.patch new file mode 100644 index 00000000000..639ad3a8fb2 --- /dev/null +++ b/queue-6.11/mm-don-t-install-pmd-mappings-when-thps-are-disabled.patch @@ -0,0 +1,76 @@ +From b13b8a326a0c338769aa6ea6633e039a9632f95b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 12:24:45 +0200 +Subject: mm: don't install PMD mappings when THPs are disabled by the + hw/process/vma + +From: David Hildenbrand + +[ Upstream commit 2b0f922323ccfa76219bcaacd35cd50aeaa13592 ] + +We (or rather, readahead logic :) ) might be allocating a THP in the +pagecache and then try mapping it into a process that explicitly disabled +THP: we might end up installing PMD mappings. + +This is a problem for s390x KVM, which explicitly remaps all PMD-mapped +THPs to be PTE-mapped in s390_enable_sie()->thp_split_mm(), before +starting the VM. + +For example, starting a VM backed on a file system with large folios +supported makes the VM crash when the VM tries accessing such a mapping +using KVM. + +Is it also a problem when the HW disabled THP using +TRANSPARENT_HUGEPAGE_UNSUPPORTED? At least on x86 this would be the case +without X86_FEATURE_PSE. + +In the future, we might be able to do better on s390x and only disallow +PMD mappings -- what s390x and likely TRANSPARENT_HUGEPAGE_UNSUPPORTED +really wants. For now, fix it by essentially performing the same check as +would be done in __thp_vma_allowable_orders() or in shmem code, where this +works as expected, and disallow PMD mappings, making us fallback to PTE +mappings. + +Link: https://lkml.kernel.org/r/20241011102445.934409-3-david@redhat.com +Fixes: 793917d997df ("mm/readahead: Add large folio readahead") +Signed-off-by: David Hildenbrand +Reported-by: Leo Fu +Tested-by: Thomas Huth +Cc: Thomas Huth +Cc: Matthew Wilcox (Oracle) +Cc: Ryan Roberts +Cc: Christian Borntraeger +Cc: Janosch Frank +Cc: Claudio Imbrenda +Cc: Hugh Dickins +Cc: Kefeng Wang +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + mm/memory.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/mm/memory.c b/mm/memory.c +index cda2c12c500b8..cb66345e398d2 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -4719,6 +4719,15 @@ vm_fault_t do_set_pmd(struct vm_fault *vmf, struct page *page) + pmd_t entry; + vm_fault_t ret = VM_FAULT_FALLBACK; + ++ /* ++ * It is too late to allocate a small folio, we already have a large ++ * folio in the pagecache: especially s390 KVM cannot tolerate any ++ * PMD mappings, but PTE-mapped THP are fine. So let's simply refuse any ++ * PMD mappings if THPs are disabled. ++ */ ++ if (thp_disabled_by_hw() || vma_thp_disabled(vma, vma->vm_flags)) ++ return ret; ++ + if (!thp_vma_suitable_order(vma, haddr, PMD_ORDER)) + return ret; + +-- +2.43.0 + diff --git a/queue-6.11/mm-huge_memory-add-vma_thp_disabled-and-thp_disabled.patch b/queue-6.11/mm-huge_memory-add-vma_thp_disabled-and-thp_disabled.patch new file mode 100644 index 00000000000..c49be75432f --- /dev/null +++ b/queue-6.11/mm-huge_memory-add-vma_thp_disabled-and-thp_disabled.patch @@ -0,0 +1,133 @@ +From dbbe0e282428ba978e9aa1f22932a381b4216f8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 12:24:44 +0200 +Subject: mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw() + +From: Kefeng Wang + +[ Upstream commit 963756aac1f011d904ddd9548ae82286d3a91f96 ] + +Patch series "mm: don't install PMD mappings when THPs are disabled by the +hw/process/vma". + +During testing, it was found that we can get PMD mappings in processes +where THP (and more precisely, PMD mappings) are supposed to be disabled. +While it works as expected for anon+shmem, the pagecache is the +problematic bit. + +For s390 KVM this currently means that a VM backed by a file located on +filesystem with large folio support can crash when KVM tries accessing the +problematic page, because the readahead logic might decide to use a +PMD-sized THP and faulting it into the page tables will install a PMD +mapping, something that s390 KVM cannot tolerate. + +This might also be a problem with HW that does not support PMD mappings, +but I did not try reproducing it. + +Fix it by respecting the ways to disable THPs when deciding whether we can +install a PMD mapping. khugepaged should already be taking care of not +collapsing if THPs are effectively disabled for the hw/process/vma. + +This patch (of 2): + +Add vma_thp_disabled() and thp_disabled_by_hw() helpers to be shared by +shmem_allowable_huge_orders() and __thp_vma_allowable_orders(). + +[david@redhat.com: rename to vma_thp_disabled(), split out thp_disabled_by_hw() ] +Link: https://lkml.kernel.org/r/20241011102445.934409-2-david@redhat.com +Fixes: 793917d997df ("mm/readahead: Add large folio readahead") +Signed-off-by: Kefeng Wang +Signed-off-by: David Hildenbrand +Reported-by: Leo Fu +Tested-by: Thomas Huth +Reviewed-by: Ryan Roberts +Cc: Boqiao Fu +Cc: Christian Borntraeger +Cc: Claudio Imbrenda +Cc: Hugh Dickins +Cc: Janosch Frank +Cc: Matthew Wilcox +Cc: +Signed-off-by: Andrew Morton +Stable-dep-of: 2b0f922323cc ("mm: don't install PMD mappings when THPs are disabled by the hw/process/vma") +Signed-off-by: Sasha Levin +--- + include/linux/huge_mm.h | 18 ++++++++++++++++++ + mm/huge_memory.c | 13 +------------ + mm/shmem.c | 7 +------ + 3 files changed, 20 insertions(+), 18 deletions(-) + +diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h +index e25d9ebfdf89a..6d334c211176c 100644 +--- a/include/linux/huge_mm.h ++++ b/include/linux/huge_mm.h +@@ -308,6 +308,24 @@ static inline void count_mthp_stat(int order, enum mthp_stat_item item) + (transparent_hugepage_flags & \ + (1<vm_mm->flags); ++} ++ ++static inline bool thp_disabled_by_hw(void) ++{ ++ /* If the hardware/firmware marked hugepage support disabled. */ ++ return transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_UNSUPPORTED); ++} ++ + unsigned long thp_get_unmapped_area(struct file *filp, unsigned long addr, + unsigned long len, unsigned long pgoff, unsigned long flags); + unsigned long thp_get_unmapped_area_vmflags(struct file *filp, unsigned long addr, +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index d12ec1c8c7f07..e44508e46e897 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -106,18 +106,7 @@ unsigned long __thp_vma_allowable_orders(struct vm_area_struct *vma, + if (!vma->vm_mm) /* vdso */ + return 0; + +- /* +- * Explicitly disabled through madvise or prctl, or some +- * architectures may disable THP for some mappings, for +- * example, s390 kvm. +- * */ +- if ((vm_flags & VM_NOHUGEPAGE) || +- test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags)) +- return 0; +- /* +- * If the hardware/firmware marked hugepage support disabled. +- */ +- if (transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_UNSUPPORTED)) ++ if (thp_disabled_by_hw() || vma_thp_disabled(vma, vm_flags)) + return 0; + + /* khugepaged doesn't collapse DAX vma, but page fault is fine. */ +diff --git a/mm/shmem.c b/mm/shmem.c +index a332323eea0b9..27f496d6e43eb 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -1642,12 +1642,7 @@ unsigned long shmem_allowable_huge_orders(struct inode *inode, + loff_t i_size; + int order; + +- if (vma && ((vm_flags & VM_NOHUGEPAGE) || +- test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags))) +- return 0; +- +- /* If the hardware/firmware marked hugepage support disabled. */ +- if (transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_UNSUPPORTED)) ++ if (thp_disabled_by_hw() || (vma && vma_thp_disabled(vma, vm_flags))) + return 0; + + global_huge = shmem_huge_global_enabled(inode, index, shmem_huge_force, +-- +2.43.0 + diff --git a/queue-6.11/mm-shmem-move-shmem_huge_global_enabled-into-shmem_a.patch b/queue-6.11/mm-shmem-move-shmem_huge_global_enabled-into-shmem_a.patch new file mode 100644 index 00000000000..9de64e203e1 --- /dev/null +++ b/queue-6.11/mm-shmem-move-shmem_huge_global_enabled-into-shmem_a.patch @@ -0,0 +1,204 @@ +From 572920c37b50519aaefb9d2e8d07051eeb99d5c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 13:43:19 +0800 +Subject: mm: shmem: move shmem_huge_global_enabled() into + shmem_allowable_huge_orders() + +From: Baolin Wang + +[ Upstream commit 6beeab870e70b2d4f49baf6c6be9da1b61c169f8 ] + +Move shmem_huge_global_enabled() into shmem_allowable_huge_orders(), so +that shmem_allowable_huge_orders() can also help to find the allowable +huge orders for tmpfs. Moreover the shmem_huge_global_enabled() can +become static. While we are at it, passing the vma instead of mm for +shmem_huge_global_enabled() makes code cleaner. + +No functional changes. + +Link: https://lkml.kernel.org/r/8e825146bb29ee1a1c7bd64d2968ff3e19be7815.1721626645.git.baolin.wang@linux.alibaba.com +Signed-off-by: Baolin Wang +Reviewed-by: Ryan Roberts +Acked-by: David Hildenbrand +Cc: Barry Song <21cnbao@gmail.com> +Cc: Hugh Dickins +Cc: Lance Yang +Cc: Matthew Wilcox (Oracle) +Cc: Zi Yan +Signed-off-by: Andrew Morton +Stable-dep-of: 2b0f922323cc ("mm: don't install PMD mappings when THPs are disabled by the hw/process/vma") +Signed-off-by: Sasha Levin +--- + include/linux/shmem_fs.h | 12 ++-------- + mm/huge_memory.c | 12 +++------- + mm/shmem.c | 47 +++++++++++++++++++++++++--------------- + 3 files changed, 35 insertions(+), 36 deletions(-) + +diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h +index 405ee8d3589a5..1564d7d3ca615 100644 +--- a/include/linux/shmem_fs.h ++++ b/include/linux/shmem_fs.h +@@ -111,21 +111,13 @@ extern void shmem_truncate_range(struct inode *inode, loff_t start, loff_t end); + int shmem_unuse(unsigned int type); + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +-extern bool shmem_huge_global_enabled(struct inode *inode, pgoff_t index, bool shmem_huge_force, +- struct mm_struct *mm, unsigned long vm_flags); + unsigned long shmem_allowable_huge_orders(struct inode *inode, + struct vm_area_struct *vma, pgoff_t index, +- bool global_huge); ++ bool shmem_huge_force); + #else +-static __always_inline bool shmem_huge_global_enabled(struct inode *inode, pgoff_t index, +- bool shmem_huge_force, struct mm_struct *mm, +- unsigned long vm_flags) +-{ +- return false; +-} + static inline unsigned long shmem_allowable_huge_orders(struct inode *inode, + struct vm_area_struct *vma, pgoff_t index, +- bool global_huge) ++ bool shmem_huge_force) + { + return 0; + } +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 26843caa46962..d12ec1c8c7f07 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -159,16 +159,10 @@ unsigned long __thp_vma_allowable_orders(struct vm_area_struct *vma, + * Must be done before hugepage flags check since shmem has its + * own flags. + */ +- if (!in_pf && shmem_file(vma->vm_file)) { +- bool global_huge = shmem_huge_global_enabled(file_inode(vma->vm_file), +- vma->vm_pgoff, !enforce_sysfs, +- vma->vm_mm, vm_flags); +- +- if (!vma_is_anon_shmem(vma)) +- return global_huge ? orders : 0; ++ if (!in_pf && shmem_file(vma->vm_file)) + return shmem_allowable_huge_orders(file_inode(vma->vm_file), +- vma, vma->vm_pgoff, global_huge); +- } ++ vma, vma->vm_pgoff, ++ !enforce_sysfs); + + if (!vma_is_anonymous(vma)) { + /* +diff --git a/mm/shmem.c b/mm/shmem.c +index d2ca6d4300bb8..a332323eea0b9 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -549,9 +549,10 @@ static bool shmem_confirm_swap(struct address_space *mapping, + static int shmem_huge __read_mostly = SHMEM_HUGE_NEVER; + + static bool __shmem_huge_global_enabled(struct inode *inode, pgoff_t index, +- bool shmem_huge_force, struct mm_struct *mm, ++ bool shmem_huge_force, struct vm_area_struct *vma, + unsigned long vm_flags) + { ++ struct mm_struct *mm = vma ? vma->vm_mm : NULL; + loff_t i_size; + + if (!S_ISREG(inode->i_mode)) +@@ -581,15 +582,15 @@ static bool __shmem_huge_global_enabled(struct inode *inode, pgoff_t index, + } + } + +-bool shmem_huge_global_enabled(struct inode *inode, pgoff_t index, +- bool shmem_huge_force, struct mm_struct *mm, ++static bool shmem_huge_global_enabled(struct inode *inode, pgoff_t index, ++ bool shmem_huge_force, struct vm_area_struct *vma, + unsigned long vm_flags) + { + if (HPAGE_PMD_ORDER > MAX_PAGECACHE_ORDER) + return false; + + return __shmem_huge_global_enabled(inode, index, shmem_huge_force, +- mm, vm_flags); ++ vma, vm_flags); + } + + #if defined(CONFIG_SYSFS) +@@ -772,6 +773,13 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo, + { + return 0; + } ++ ++static bool shmem_huge_global_enabled(struct inode *inode, pgoff_t index, ++ bool shmem_huge_force, struct vm_area_struct *vma, ++ unsigned long vm_flags) ++{ ++ return false; ++} + #endif /* CONFIG_TRANSPARENT_HUGEPAGE */ + + /* +@@ -1625,22 +1633,33 @@ static gfp_t limit_gfp_mask(gfp_t huge_gfp, gfp_t limit_gfp) + #ifdef CONFIG_TRANSPARENT_HUGEPAGE + unsigned long shmem_allowable_huge_orders(struct inode *inode, + struct vm_area_struct *vma, pgoff_t index, +- bool global_huge) ++ bool shmem_huge_force) + { + unsigned long mask = READ_ONCE(huge_shmem_orders_always); + unsigned long within_size_orders = READ_ONCE(huge_shmem_orders_within_size); +- unsigned long vm_flags = vma->vm_flags; ++ unsigned long vm_flags = vma ? vma->vm_flags : 0; ++ bool global_huge; + loff_t i_size; + int order; + +- if ((vm_flags & VM_NOHUGEPAGE) || +- test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags)) ++ if (vma && ((vm_flags & VM_NOHUGEPAGE) || ++ test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags))) + return 0; + + /* If the hardware/firmware marked hugepage support disabled. */ + if (transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_UNSUPPORTED)) + return 0; + ++ global_huge = shmem_huge_global_enabled(inode, index, shmem_huge_force, ++ vma, vm_flags); ++ if (!vma || !vma_is_anon_shmem(vma)) { ++ /* ++ * For tmpfs, we now only support PMD sized THP if huge page ++ * is enabled, otherwise fallback to order 0. ++ */ ++ return global_huge ? BIT(HPAGE_PMD_ORDER) : 0; ++ } ++ + /* + * Following the 'deny' semantics of the top level, force the huge + * option off from all mounts. +@@ -2086,7 +2105,7 @@ static int shmem_get_folio_gfp(struct inode *inode, pgoff_t index, + struct mm_struct *fault_mm; + struct folio *folio; + int error; +- bool alloced, huge; ++ bool alloced; + unsigned long orders = 0; + + if (WARN_ON_ONCE(!shmem_mapping(inode->i_mapping))) +@@ -2159,14 +2178,8 @@ static int shmem_get_folio_gfp(struct inode *inode, pgoff_t index, + return 0; + } + +- huge = shmem_huge_global_enabled(inode, index, false, fault_mm, +- vma ? vma->vm_flags : 0); +- /* Find hugepage orders that are allowed for anonymous shmem. */ +- if (vma && vma_is_anon_shmem(vma)) +- orders = shmem_allowable_huge_orders(inode, vma, index, huge); +- else if (huge) +- orders = BIT(HPAGE_PMD_ORDER); +- ++ /* Find hugepage orders that are allowed for anonymous shmem and tmpfs. */ ++ orders = shmem_allowable_huge_orders(inode, vma, index, false); + if (orders > 0) { + gfp_t huge_gfp; + +-- +2.43.0 + diff --git a/queue-6.11/mm-shmem-rename-shmem_is_huge-to-shmem_huge_global_e.patch b/queue-6.11/mm-shmem-rename-shmem_is_huge-to-shmem_huge_global_e.patch new file mode 100644 index 00000000000..867d6f2c973 --- /dev/null +++ b/queue-6.11/mm-shmem-rename-shmem_is_huge-to-shmem_huge_global_e.patch @@ -0,0 +1,126 @@ +From f889441f621418288eba885fba5240bcfa554f74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 13:43:18 +0800 +Subject: mm: shmem: rename shmem_is_huge() to shmem_huge_global_enabled() + +From: Baolin Wang + +[ Upstream commit d58a2a581f132529eefac5377676011562b631b8 ] + +shmem_is_huge() is now used to check if the top-level huge page is +enabled, thus rename it to reflect its usage. + +Link: https://lkml.kernel.org/r/da53296e0ab6359aa083561d9dc01e4223d60fbe.1721626645.git.baolin.wang@linux.alibaba.com +Signed-off-by: Baolin Wang +Reviewed-by: Ryan Roberts +Acked-by: David Hildenbrand +Cc: Barry Song <21cnbao@gmail.com> +Cc: Hugh Dickins +Cc: Lance Yang +Cc: Matthew Wilcox (Oracle) +Cc: Zi Yan +Signed-off-by: Andrew Morton +Stable-dep-of: 2b0f922323cc ("mm: don't install PMD mappings when THPs are disabled by the hw/process/vma") +Signed-off-by: Sasha Levin +--- + include/linux/shmem_fs.h | 9 +++++---- + mm/huge_memory.c | 5 +++-- + mm/shmem.c | 15 ++++++++------- + 3 files changed, 16 insertions(+), 13 deletions(-) + +diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h +index 1d06b1e5408a5..405ee8d3589a5 100644 +--- a/include/linux/shmem_fs.h ++++ b/include/linux/shmem_fs.h +@@ -111,14 +111,15 @@ extern void shmem_truncate_range(struct inode *inode, loff_t start, loff_t end); + int shmem_unuse(unsigned int type); + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +-extern bool shmem_is_huge(struct inode *inode, pgoff_t index, bool shmem_huge_force, +- struct mm_struct *mm, unsigned long vm_flags); ++extern bool shmem_huge_global_enabled(struct inode *inode, pgoff_t index, bool shmem_huge_force, ++ struct mm_struct *mm, unsigned long vm_flags); + unsigned long shmem_allowable_huge_orders(struct inode *inode, + struct vm_area_struct *vma, pgoff_t index, + bool global_huge); + #else +-static __always_inline bool shmem_is_huge(struct inode *inode, pgoff_t index, bool shmem_huge_force, +- struct mm_struct *mm, unsigned long vm_flags) ++static __always_inline bool shmem_huge_global_enabled(struct inode *inode, pgoff_t index, ++ bool shmem_huge_force, struct mm_struct *mm, ++ unsigned long vm_flags) + { + return false; + } +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 99b146d16a185..26843caa46962 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -160,8 +160,9 @@ unsigned long __thp_vma_allowable_orders(struct vm_area_struct *vma, + * own flags. + */ + if (!in_pf && shmem_file(vma->vm_file)) { +- bool global_huge = shmem_is_huge(file_inode(vma->vm_file), vma->vm_pgoff, +- !enforce_sysfs, vma->vm_mm, vm_flags); ++ bool global_huge = shmem_huge_global_enabled(file_inode(vma->vm_file), ++ vma->vm_pgoff, !enforce_sysfs, ++ vma->vm_mm, vm_flags); + + if (!vma_is_anon_shmem(vma)) + return global_huge ? orders : 0; +diff --git a/mm/shmem.c b/mm/shmem.c +index 5a77acf6ac6a6..d2ca6d4300bb8 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -548,9 +548,9 @@ static bool shmem_confirm_swap(struct address_space *mapping, + + static int shmem_huge __read_mostly = SHMEM_HUGE_NEVER; + +-static bool __shmem_is_huge(struct inode *inode, pgoff_t index, +- bool shmem_huge_force, struct mm_struct *mm, +- unsigned long vm_flags) ++static bool __shmem_huge_global_enabled(struct inode *inode, pgoff_t index, ++ bool shmem_huge_force, struct mm_struct *mm, ++ unsigned long vm_flags) + { + loff_t i_size; + +@@ -581,14 +581,15 @@ static bool __shmem_is_huge(struct inode *inode, pgoff_t index, + } + } + +-bool shmem_is_huge(struct inode *inode, pgoff_t index, ++bool shmem_huge_global_enabled(struct inode *inode, pgoff_t index, + bool shmem_huge_force, struct mm_struct *mm, + unsigned long vm_flags) + { + if (HPAGE_PMD_ORDER > MAX_PAGECACHE_ORDER) + return false; + +- return __shmem_is_huge(inode, index, shmem_huge_force, mm, vm_flags); ++ return __shmem_huge_global_enabled(inode, index, shmem_huge_force, ++ mm, vm_flags); + } + + #if defined(CONFIG_SYSFS) +@@ -1156,7 +1157,7 @@ static int shmem_getattr(struct mnt_idmap *idmap, + STATX_ATTR_NODUMP); + generic_fillattr(idmap, request_mask, inode, stat); + +- if (shmem_is_huge(inode, 0, false, NULL, 0)) ++ if (shmem_huge_global_enabled(inode, 0, false, NULL, 0)) + stat->blksize = HPAGE_PMD_SIZE; + + if (request_mask & STATX_BTIME) { +@@ -2158,7 +2159,7 @@ static int shmem_get_folio_gfp(struct inode *inode, pgoff_t index, + return 0; + } + +- huge = shmem_is_huge(inode, index, false, fault_mm, ++ huge = shmem_huge_global_enabled(inode, index, false, fault_mm, + vma ? vma->vm_flags : 0); + /* Find hugepage orders that are allowed for anonymous shmem. */ + if (vma && vma_is_anon_shmem(vma)) +-- +2.43.0 + diff --git a/queue-6.11/net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch b/queue-6.11/net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch new file mode 100644 index 00000000000..f734a686ceb --- /dev/null +++ b/queue-6.11/net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch @@ -0,0 +1,37 @@ +From dba616e89270d0d3e24fb2ddef903e44524d0a58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:59:01 +0800 +Subject: net: bcmasp: fix potential memory leak in bcmasp_xmit() + +From: Wang Hai + +[ Upstream commit fed07d3eb8a8d9fcc0e455175a89bc6445d6faed ] + +The bcmasp_xmit() returns NETDEV_TX_OK without freeing skb +in case of mapping fails, add dev_kfree_skb() to fix it. + +Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller") +Signed-off-by: Wang Hai +Acked-by: Florian Fainelli +Link: https://patch.msgid.link/20241014145901.48940-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c +index 82768b0e90262..9ea16ef4139d3 100644 +--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c ++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c +@@ -322,6 +322,7 @@ static netdev_tx_t bcmasp_xmit(struct sk_buff *skb, struct net_device *dev) + } + /* Rewind so we do not have a hole */ + spb_index = intf->tx_spb_index; ++ dev_kfree_skb(skb); + return NETDEV_TX_OK; + } + +-- +2.43.0 + diff --git a/queue-6.11/net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch b/queue-6.11/net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch new file mode 100644 index 00000000000..28b39742645 --- /dev/null +++ b/queue-6.11/net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch @@ -0,0 +1,42 @@ +From ff4f18cc35a59f66b27b4505fe7dcccc8ce49bdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 13:43:42 -0700 +Subject: net: dsa: mv88e6xxx: Fix the max_vid definition for the MV88E6361 + +From: Peter Rashleigh + +[ Upstream commit 1833d8a26f057128fd63e126b4428203ece84684 ] + +According to the Marvell datasheet the 88E6361 has two VTU pages +(4k VIDs per page) so the max_vid should be 8191, not 4095. + +In the current implementation mv88e6xxx_vtu_walk() gives unexpected +results because of this error. I verified that mv88e6xxx_vtu_walk() +works correctly on the MV88E6361 with this patch in place. + +Fixes: 12899f299803 ("net: dsa: mv88e6xxx: enable support for 88E6361 switch") +Signed-off-by: Peter Rashleigh +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20241014204342.5852-1-peter@rashleigh.ca +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 5b4e2ce5470d9..284270a4ade1c 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -6347,7 +6347,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = { + .invalid_port_mask = BIT(1) | BIT(2) | BIT(8), + .num_internal_phys = 5, + .internal_phys_offset = 3, +- .max_vid = 4095, ++ .max_vid = 8191, + .max_sid = 63, + .port_base_addr = 0x0, + .phy_base_addr = 0x0, +-- +2.43.0 + diff --git a/queue-6.11/net-dsa-vsc73xx-fix-reception-from-vlan-unaware-brid.patch b/queue-6.11/net-dsa-vsc73xx-fix-reception-from-vlan-unaware-brid.patch new file mode 100644 index 00000000000..1e6b6c599bc --- /dev/null +++ b/queue-6.11/net-dsa-vsc73xx-fix-reception-from-vlan-unaware-brid.patch @@ -0,0 +1,47 @@ +From 409aef464f99805ca4b126b909dd7b3d4cef009f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 18:30:41 +0300 +Subject: net: dsa: vsc73xx: fix reception from VLAN-unaware bridges + +From: Vladimir Oltean + +[ Upstream commit 11d06f0aaef89f4cad68b92510bd9decff2d7b87 ] + +Similar to the situation described for sja1105 in commit 1f9fc48fd302 +("net: dsa: sja1105: fix reception from VLAN-unaware bridges"), the +vsc73xx driver uses tag_8021q and doesn't need the ds->untag_bridge_pvid +request. In fact, this option breaks packet reception. + +The ds->untag_bridge_pvid option strips VLANs from packets received on +VLAN-unaware bridge ports. But those VLANs should already be stripped +by tag_vsc73xx_8021q.c as part of vsc73xx_rcv() - they are not VLANs in +VLAN-unaware mode, but DSA tags. Thus, dsa_software_vlan_untag() tries +to untag a VLAN that doesn't exist, corrupting the packet. + +Fixes: 93e4649efa96 ("net: dsa: provide a software untagging function on RX for VLAN-aware bridges") +Tested-by: Pawel Dembicki +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Reviewed-by: Linus Walleij +Link: https://patch.msgid.link/20241014153041.1110364-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/vitesse-vsc73xx-core.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/dsa/vitesse-vsc73xx-core.c b/drivers/net/dsa/vitesse-vsc73xx-core.c +index 212421e9d42e4..f5a1fefb76509 100644 +--- a/drivers/net/dsa/vitesse-vsc73xx-core.c ++++ b/drivers/net/dsa/vitesse-vsc73xx-core.c +@@ -721,7 +721,6 @@ static int vsc73xx_setup(struct dsa_switch *ds) + + dev_info(vsc->dev, "set up the switch\n"); + +- ds->untag_bridge_pvid = true; + ds->max_num_bridges = DSA_TAG_8021Q_MAX_NUM_BRIDGES; + + /* Issue RESET */ +-- +2.43.0 + diff --git a/queue-6.11/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch b/queue-6.11/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch new file mode 100644 index 00000000000..6fa7072d7fd --- /dev/null +++ b/queue-6.11/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch @@ -0,0 +1,47 @@ +From b3a6d66cdd77096ac18867a4839e7c6a5cb74f60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Oct 2024 19:04:34 +0800 +Subject: net: ethernet: aeroflex: fix potential memory leak in + greth_start_xmit_gbit() + +From: Wang Hai + +[ Upstream commit cf57b5d7a2aad456719152ecd12007fe031628a3 ] + +The greth_start_xmit_gbit() returns NETDEV_TX_OK without freeing skb +in case of skb->len being too long, add dev_kfree_skb() to fix it. + +Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") +Signed-off-by: Wang Hai +Reviewed-by: Gerhard Engleder +Link: https://patch.msgid.link/20241012110434.49265-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aeroflex/greth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c +index 27af7746d645b..adf6f67c5fcba 100644 +--- a/drivers/net/ethernet/aeroflex/greth.c ++++ b/drivers/net/ethernet/aeroflex/greth.c +@@ -484,7 +484,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev) + + if (unlikely(skb->len > MAX_FRAME_SIZE)) { + dev->stats.tx_errors++; +- goto out; ++ goto len_error; + } + + /* Save skb pointer. */ +@@ -575,6 +575,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev) + map_error: + if (net_ratelimit()) + dev_warn(greth->dev, "Could not create TX DMA mapping\n"); ++len_error: + dev_kfree_skb(skb); + out: + return err; +-- +2.43.0 + diff --git a/queue-6.11/net-ethernet-mtk_eth_soc-fix-memory-corruption-durin.patch b/queue-6.11/net-ethernet-mtk_eth_soc-fix-memory-corruption-durin.patch new file mode 100644 index 00000000000..a5fe98b546c --- /dev/null +++ b/queue-6.11/net-ethernet-mtk_eth_soc-fix-memory-corruption-durin.patch @@ -0,0 +1,39 @@ +From dd0230984cee23bf13bd08c6199d2c184f182431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 10:17:55 +0200 +Subject: net: ethernet: mtk_eth_soc: fix memory corruption during fq dma init + +From: Felix Fietkau + +[ Upstream commit 88806efc034a9830f483963326b99930ad519af1 ] + +The loop responsible for allocating up to MTK_FQ_DMA_LENGTH buffers must +only touch as many descriptors, otherwise it ends up corrupting unrelated +memory. Fix the loop iteration count accordingly. + +Fixes: c57e55819443 ("net: ethernet: mtk_eth_soc: handle dma buffer size soc specific") +Signed-off-by: Felix Fietkau +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241015081755.31060-1-nbd@nbd.name +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 16ca427cf4c3f..ed7313c10a052 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1171,7 +1171,7 @@ static int mtk_init_fq_dma(struct mtk_eth *eth) + if (unlikely(dma_mapping_error(eth->dma_dev, dma_addr))) + return -ENOMEM; + +- for (i = 0; i < cnt; i++) { ++ for (i = 0; i < len; i++) { + struct mtk_tx_dma_v2 *txd; + + txd = eth->scratch_ring + (j * MTK_FQ_DMA_LENGTH + i) * soc->tx.desc_size; +-- +2.43.0 + diff --git a/queue-6.11/net-ethernet-rtsn-fix-potential-memory-leak-in-rtsn_.patch b/queue-6.11/net-ethernet-rtsn-fix-potential-memory-leak-in-rtsn_.patch new file mode 100644 index 00000000000..4685ddfaefe --- /dev/null +++ b/queue-6.11/net-ethernet-rtsn-fix-potential-memory-leak-in-rtsn_.patch @@ -0,0 +1,41 @@ +From 63d3e80a15c48eb4b1af3220393cb3ee227876a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:42:50 +0800 +Subject: net: ethernet: rtsn: fix potential memory leak in rtsn_start_xmit() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wang Hai + +[ Upstream commit c186b7a7f2387d9e09ad408420570be025b187c5 ] + +The rtsn_start_xmit() returns NETDEV_TX_OK without freeing skb +in case of skb->len being too long, add dev_kfree_skb_any() to fix it. + +Fixes: b0d3969d2b4d ("net: ethernet: rtsn: Add support for Renesas Ethernet-TSN") +Signed-off-by: Wang Hai +Reviewed-by: Niklas Söderlund +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014144250.38802-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rtsn.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/renesas/rtsn.c b/drivers/net/ethernet/renesas/rtsn.c +index 0e6cea42f0077..da90adef6b2b7 100644 +--- a/drivers/net/ethernet/renesas/rtsn.c ++++ b/drivers/net/ethernet/renesas/rtsn.c +@@ -1057,6 +1057,7 @@ static netdev_tx_t rtsn_start_xmit(struct sk_buff *skb, struct net_device *ndev) + if (skb->len >= TX_DS) { + priv->stats.tx_dropped++; + priv->stats.tx_errors++; ++ dev_kfree_skb_any(skb); + goto out; + } + +-- +2.43.0 + diff --git a/queue-6.11/net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch b/queue-6.11/net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch new file mode 100644 index 00000000000..cebef5fa347 --- /dev/null +++ b/queue-6.11/net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch @@ -0,0 +1,47 @@ +From 898ef1694d7a0e576cec40ae9b68376ac1d7a1e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 12:32:05 +0300 +Subject: net/mlx5: Check for invalid vector index on EQ creation + +From: Maher Sanalla + +[ Upstream commit d4f25be27e3ef7e23998fbd3dd4bff0602de7ae5 ] + +Currently, mlx5 driver does not enforce vector index to be lower than +the maximum number of supported completion vectors when requesting a +new completion EQ. Thus, mlx5_comp_eqn_get() fails when trying to +acquire an IRQ with an improper vector index. + +To prevent the case above, enforce that vector index value is +valid and lower than maximum in mlx5_comp_eqn_get() before handling the +request. + +Fixes: f14c1a14e632 ("net/mlx5: Allocate completion EQs dynamically") +Signed-off-by: Maher Sanalla +Signed-off-by: Tariq Toukan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eq.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c +index cb7e7e4104aff..99d9e8863bfd6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c +@@ -1080,6 +1080,12 @@ int mlx5_comp_eqn_get(struct mlx5_core_dev *dev, u16 vecidx, int *eqn) + struct mlx5_eq_comp *eq; + int ret = 0; + ++ if (vecidx >= table->max_comp_eqs) { ++ mlx5_core_dbg(dev, "Requested vector index %u should be less than %u", ++ vecidx, table->max_comp_eqs); ++ return -EINVAL; ++ } ++ + mutex_lock(&table->comp_lock); + eq = xa_load(&table->comp_eqs, vecidx); + if (eq) { +-- +2.43.0 + diff --git a/queue-6.11/net-mlx5-fix-command-bitmask-initialization.patch b/queue-6.11/net-mlx5-fix-command-bitmask-initialization.patch new file mode 100644 index 00000000000..0b70d39d1d0 --- /dev/null +++ b/queue-6.11/net-mlx5-fix-command-bitmask-initialization.patch @@ -0,0 +1,100 @@ +From 194d16e086e9fbf5148ed128ae45518b818f3f0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 12:32:06 +0300 +Subject: net/mlx5: Fix command bitmask initialization + +From: Shay Drory + +[ Upstream commit d62b14045c6511a7b2d4948d1a83a4e592deeb05 ] + +Command bitmask have a dedicated bit for MANAGE_PAGES command, this bit +isn't Initialize during command bitmask Initialization, only during +MANAGE_PAGES. + +In addition, mlx5_cmd_trigger_completions() is trying to trigger +completion for MANAGE_PAGES command as well. + +Hence, in case health error occurred before any MANAGE_PAGES command +have been invoke (for example, during mlx5_enable_hca()), +mlx5_cmd_trigger_completions() will try to trigger completion for +MANAGE_PAGES command, which will result in null-ptr-deref error.[1] + +Fix it by Initialize command bitmask correctly. + +While at it, re-write the code for better understanding. + +[1] +BUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core] +Write of size 4 at addr 0000000000000214 by task kworker/u96:2/12078 +CPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +Workqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] +Call Trace: + + dump_stack_lvl+0x7e/0xc0 + kasan_report+0xb9/0xf0 + kasan_check_range+0xec/0x190 + mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core] + mlx5_cmd_flush+0x94/0x240 [mlx5_core] + enter_error_state+0x6c/0xd0 [mlx5_core] + mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core] + process_one_work+0x787/0x1490 + ? lockdep_hardirqs_on_prepare+0x400/0x400 + ? pwq_dec_nr_in_flight+0xda0/0xda0 + ? assign_work+0x168/0x240 + worker_thread+0x586/0xd30 + ? rescuer_thread+0xae0/0xae0 + kthread+0x2df/0x3b0 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x2d/0x70 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork_asm+0x11/0x20 + + +Fixes: 9b98d395b85d ("net/mlx5: Start health poll at earlier stage of driver load") +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Reviewed-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 20768ef2e9d2b..86d63c5f27ce2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1760,6 +1760,10 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force + } + } + ++#define MLX5_MAX_MANAGE_PAGES_CMD_ENT 1 ++#define MLX5_CMD_MASK ((1UL << (cmd->vars.max_reg_cmds + \ ++ MLX5_MAX_MANAGE_PAGES_CMD_ENT)) - 1) ++ + static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev) + { + struct mlx5_cmd *cmd = &dev->cmd; +@@ -1771,7 +1775,7 @@ static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev) + /* wait for pending handlers to complete */ + mlx5_eq_synchronize_cmd_irq(dev); + spin_lock_irqsave(&dev->cmd.alloc_lock, flags); +- vector = ~dev->cmd.vars.bitmask & ((1ul << (1 << dev->cmd.vars.log_sz)) - 1); ++ vector = ~dev->cmd.vars.bitmask & MLX5_CMD_MASK; + if (!vector) + goto no_trig; + +@@ -2345,7 +2349,7 @@ int mlx5_cmd_enable(struct mlx5_core_dev *dev) + + cmd->state = MLX5_CMDIF_STATE_DOWN; + cmd->vars.max_reg_cmds = (1 << cmd->vars.log_sz) - 1; +- cmd->vars.bitmask = (1UL << cmd->vars.max_reg_cmds) - 1; ++ cmd->vars.bitmask = MLX5_CMD_MASK; + + sema_init(&cmd->vars.sem, cmd->vars.max_reg_cmds); + sema_init(&cmd->vars.pages_sem, 1); +-- +2.43.0 + diff --git a/queue-6.11/net-mlx5-unregister-notifier-on-eswitch-init-failure.patch b/queue-6.11/net-mlx5-unregister-notifier-on-eswitch-init-failure.patch new file mode 100644 index 00000000000..96a5de88383 --- /dev/null +++ b/queue-6.11/net-mlx5-unregister-notifier-on-eswitch-init-failure.patch @@ -0,0 +1,72 @@ +From 35bdc15d4d64d39895320ed6103f7de31aa97f39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 12:32:07 +0300 +Subject: net/mlx5: Unregister notifier on eswitch init failure + +From: Cosmin Ratiu + +[ Upstream commit 1da9cfd6c41c2e6bbe624d0568644e1521c33e12 ] + +It otherwise remains registered and a subsequent attempt at eswitch +enabling might trigger warnings of the sort: + +[ 682.589148] ------------[ cut here ]------------ +[ 682.590204] notifier callback eswitch_vport_event [mlx5_core] already registered +[ 682.590256] WARNING: CPU: 13 PID: 2660 at kernel/notifier.c:31 notifier_chain_register+0x3e/0x90 +[...snipped] +[ 682.610052] Call Trace: +[ 682.610369] +[ 682.610663] ? __warn+0x7c/0x110 +[ 682.611050] ? notifier_chain_register+0x3e/0x90 +[ 682.611556] ? report_bug+0x148/0x170 +[ 682.611977] ? handle_bug+0x36/0x70 +[ 682.612384] ? exc_invalid_op+0x13/0x60 +[ 682.612817] ? asm_exc_invalid_op+0x16/0x20 +[ 682.613284] ? notifier_chain_register+0x3e/0x90 +[ 682.613789] atomic_notifier_chain_register+0x25/0x40 +[ 682.614322] mlx5_eswitch_enable_locked+0x1d4/0x3b0 [mlx5_core] +[ 682.614965] mlx5_eswitch_enable+0xc9/0x100 [mlx5_core] +[ 682.615551] mlx5_device_enable_sriov+0x25/0x340 [mlx5_core] +[ 682.616170] mlx5_core_sriov_configure+0x50/0x170 [mlx5_core] +[ 682.616789] sriov_numvfs_store+0xb0/0x1b0 +[ 682.617248] kernfs_fop_write_iter+0x117/0x1a0 +[ 682.617734] vfs_write+0x231/0x3f0 +[ 682.618138] ksys_write+0x63/0xe0 +[ 682.618536] do_syscall_64+0x4c/0x100 +[ 682.618958] entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: 7624e58a8b3a ("net/mlx5: E-switch, register event handler before arming the event") +Signed-off-by: Cosmin Ratiu +Signed-off-by: Tariq Toukan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 17f78091ad30e..7aef30dbd82d6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1489,7 +1489,7 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs) + } + + if (err) +- goto abort; ++ goto err_esw_enable; + + esw->fdb_table.flags |= MLX5_ESW_FDB_CREATED; + +@@ -1503,7 +1503,8 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs) + + return 0; + +-abort: ++err_esw_enable: ++ mlx5_eq_notifier_unregister(esw->dev, &esw->nb); + mlx5_esw_acls_ns_cleanup(esw); + return err; + } +-- +2.43.0 + diff --git a/queue-6.11/net-mlx5e-don-t-call-cleanup-on-profile-rollback-fai.patch b/queue-6.11/net-mlx5e-don-t-call-cleanup-on-profile-rollback-fai.patch new file mode 100644 index 00000000000..3d098860acc --- /dev/null +++ b/queue-6.11/net-mlx5e-don-t-call-cleanup-on-profile-rollback-fai.patch @@ -0,0 +1,86 @@ +From 1623c9bb472b89c62159f03dbcd623b37920c162 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 12:32:08 +0300 +Subject: net/mlx5e: Don't call cleanup on profile rollback failure + +From: Cosmin Ratiu + +[ Upstream commit 4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0 ] + +When profile rollback fails in mlx5e_netdev_change_profile, the netdev +profile var is left set to NULL. Avoid a crash when unloading the driver +by not calling profile->cleanup in such a case. + +This was encountered while testing, with the original trigger that +the wq rescuer thread creation got interrupted (presumably due to +Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by +mlx5e_priv_init, the profile rollback also fails for the same reason +(signal still active) so the profile is left as NULL, leading to a crash +later in _mlx5e_remove. + + [ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2) + [ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR + [ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 + [ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12 + [ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR + [ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 + [ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 + [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008 + [ 745.538222] #PF: supervisor read access in kernel mode + + [ 745.551290] Call Trace: + [ 745.551590] + [ 745.551866] ? __die+0x20/0x60 + [ 745.552218] ? page_fault_oops+0x150/0x400 + [ 745.555307] ? exc_page_fault+0x79/0x240 + [ 745.555729] ? asm_exc_page_fault+0x22/0x30 + [ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core] + [ 745.556698] auxiliary_bus_remove+0x18/0x30 + [ 745.557134] device_release_driver_internal+0x1df/0x240 + [ 745.557654] bus_remove_device+0xd7/0x140 + [ 745.558075] device_del+0x15b/0x3c0 + [ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core] + [ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core] + [ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core] + [ 745.560203] remove_one+0x4e/0xd0 [mlx5_core] + [ 745.560694] pci_device_remove+0x39/0xa0 + [ 745.561112] device_release_driver_internal+0x1df/0x240 + [ 745.561631] driver_detach+0x47/0x90 + [ 745.562022] bus_remove_driver+0x84/0x100 + [ 745.562444] pci_unregister_driver+0x3b/0x90 + [ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core] + [ 745.563415] __x64_sys_delete_module+0x14d/0x2f0 + [ 745.563886] ? kmem_cache_free+0x1b0/0x460 + [ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190 + [ 745.564825] do_syscall_64+0x6d/0x140 + [ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53 + [ 745.565725] RIP: 0033:0x7f1579b1288b + +Fixes: 3ef14e463f6e ("net/mlx5e: Separate between netdev objects and mlx5e profiles initialization") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 16b67c457b605..3e11c1c6d4f69 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -6508,7 +6508,9 @@ static void _mlx5e_remove(struct auxiliary_device *adev) + mlx5e_dcbnl_delete_app(priv); + unregister_netdev(priv->netdev); + _mlx5e_suspend(adev, false); +- priv->profile->cleanup(priv); ++ /* Avoid cleanup if profile rollback failed. */ ++ if (priv->profile) ++ priv->profile->cleanup(priv); + mlx5e_destroy_netdev(priv); + mlx5e_devlink_port_unregister(mlx5e_dev); + mlx5e_destroy_devlink(mlx5e_dev); +-- +2.43.0 + diff --git a/queue-6.11/net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch b/queue-6.11/net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch new file mode 100644 index 00000000000..d78d2665232 --- /dev/null +++ b/queue-6.11/net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch @@ -0,0 +1,76 @@ +From 08454056a6574e60ff1d9f44bb1a8bc93eb208da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 14:43:43 +0200 +Subject: net: ravb: Only advertise Rx/Tx timestamps if hardware supports it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit 126e799602f45e9ce1ded03ee9eadda68bf470e0 ] + +Recent work moving the reporting of Rx software timestamps to the core +[1] highlighted an issue where hardware time stamping was advertised +for the platforms where it is not supported. + +Fix this by covering advertising support for hardware timestamps only if +the hardware supports it. Due to the Tx implementation in RAVB software +Tx timestamping is also only considered if the hardware supports +hardware timestamps. This should be addressed in future, but this fix +only reflects what the driver currently implements. + +1. Commit 277901ee3a26 ("ravb: Remove setting of RX software timestamp") + +Fixes: 7e09a052dc4e ("ravb: Exclude gPTP feature support for RZ/G2L") +Signed-off-by: Niklas Söderlund +Reviewed-by: Paul Barker +Tested-by: Paul Barker +Reviewed-by: Sergey Shtylyov +Link: https://patch.msgid.link/20241014124343.3875285-1-niklas.soderlund+renesas@ragnatech.se +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 25 ++++++++++++------------ + 1 file changed, 12 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index d2a6518532f37..907af4651c553 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1750,20 +1750,19 @@ static int ravb_get_ts_info(struct net_device *ndev, + struct ravb_private *priv = netdev_priv(ndev); + const struct ravb_hw_info *hw_info = priv->info; + +- info->so_timestamping = +- SOF_TIMESTAMPING_TX_SOFTWARE | +- SOF_TIMESTAMPING_TX_HARDWARE | +- SOF_TIMESTAMPING_RX_HARDWARE | +- SOF_TIMESTAMPING_RAW_HARDWARE; +- info->tx_types = (1 << HWTSTAMP_TX_OFF) | (1 << HWTSTAMP_TX_ON); +- info->rx_filters = +- (1 << HWTSTAMP_FILTER_NONE) | +- (1 << HWTSTAMP_FILTER_PTP_V2_L2_EVENT) | +- (1 << HWTSTAMP_FILTER_ALL); +- if (hw_info->gptp || hw_info->ccc_gac) ++ if (hw_info->gptp || hw_info->ccc_gac) { ++ info->so_timestamping = ++ SOF_TIMESTAMPING_TX_SOFTWARE | ++ SOF_TIMESTAMPING_TX_HARDWARE | ++ SOF_TIMESTAMPING_RX_HARDWARE | ++ SOF_TIMESTAMPING_RAW_HARDWARE; ++ info->tx_types = (1 << HWTSTAMP_TX_OFF) | (1 << HWTSTAMP_TX_ON); ++ info->rx_filters = ++ (1 << HWTSTAMP_FILTER_NONE) | ++ (1 << HWTSTAMP_FILTER_PTP_V2_L2_EVENT) | ++ (1 << HWTSTAMP_FILTER_ALL); + info->phc_index = ptp_clock_index(priv->ptp.clock); +- else +- info->phc_index = 0; ++ } + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.11/net-smc-fix-memory-leak-when-using-percpu-refs.patch b/queue-6.11/net-smc-fix-memory-leak-when-using-percpu-refs.patch new file mode 100644 index 00000000000..dc1854a4ba3 --- /dev/null +++ b/queue-6.11/net-smc-fix-memory-leak-when-using-percpu-refs.patch @@ -0,0 +1,57 @@ +From bda33472c40ba65b76823e5d9d06be5dc45c99e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 11:56:24 +0000 +Subject: net/smc: Fix memory leak when using percpu refs + +From: Kai Shen + +[ Upstream commit 25c12b459db8365fee84b63f3dd7910f70627f29 ] + +This patch adds missing percpu_ref_exit when releasing percpu refs. +When releasing percpu refs, percpu_ref_exit should be called. +Otherwise, memory leak happens. + +Fixes: 79a22238b4f2 ("net/smc: Use percpu ref for wr tx reference") +Signed-off-by: Kai Shen +Reviewed-by: Dust Li +Reviewed-by: Wenjia Zhang +Link: https://patch.msgid.link/20241010115624.7769-1-KaiShen@linux.alibaba.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_wr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/smc/smc_wr.c b/net/smc/smc_wr.c +index 0021065a600a0..994c0cd4fddbf 100644 +--- a/net/smc/smc_wr.c ++++ b/net/smc/smc_wr.c +@@ -648,8 +648,10 @@ void smc_wr_free_link(struct smc_link *lnk) + smc_wr_tx_wait_no_pending_sends(lnk); + percpu_ref_kill(&lnk->wr_reg_refs); + wait_for_completion(&lnk->reg_ref_comp); ++ percpu_ref_exit(&lnk->wr_reg_refs); + percpu_ref_kill(&lnk->wr_tx_refs); + wait_for_completion(&lnk->tx_ref_comp); ++ percpu_ref_exit(&lnk->wr_tx_refs); + + if (lnk->wr_rx_dma_addr) { + ib_dma_unmap_single(ibdev, lnk->wr_rx_dma_addr, +@@ -912,11 +914,13 @@ int smc_wr_create_link(struct smc_link *lnk) + init_waitqueue_head(&lnk->wr_reg_wait); + rc = percpu_ref_init(&lnk->wr_reg_refs, smcr_wr_reg_refs_free, 0, GFP_KERNEL); + if (rc) +- goto dma_unmap; ++ goto cancel_ref; + init_completion(&lnk->reg_ref_comp); + init_waitqueue_head(&lnk->wr_rx_empty_wait); + return rc; + ++cancel_ref: ++ percpu_ref_exit(&lnk->wr_tx_refs); + dma_unmap: + if (lnk->wr_rx_v2_dma_addr) { + ib_dma_unmap_single(ibdev, lnk->wr_rx_v2_dma_addr, +-- +2.43.0 + diff --git a/queue-6.11/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch b/queue-6.11/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch new file mode 100644 index 00000000000..7fbaf179fae --- /dev/null +++ b/queue-6.11/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch @@ -0,0 +1,41 @@ +From 1fc4e4db464453c55809e4b9d0d828385732d2e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 19:53:21 +0800 +Subject: net/smc: Fix searching in list of known pnetids in + smc_pnet_add_pnetid + +From: Li RongQing + +[ Upstream commit 82ac39ebd6db0c9f7a97a934bda1e3e101a9d201 ] + +pnetid of pi (not newly allocated pe) should be compared + +Fixes: e888a2e8337c ("net/smc: introduce list of pnetids for Ethernet devices") +Reviewed-by: D. Wythe +Reviewed-by: Wen Gu +Signed-off-by: Li RongQing +Reviewed-by: Simon Horman +Reviewed-by: Gerd Bayer +Link: https://patch.msgid.link/20241014115321.33234-1-lirongqing@baidu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_pnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c +index 2adb92b8c4699..dbcc72b43d0c0 100644 +--- a/net/smc/smc_pnet.c ++++ b/net/smc/smc_pnet.c +@@ -753,7 +753,7 @@ static int smc_pnet_add_pnetid(struct net *net, u8 *pnetid) + + write_lock(&sn->pnetids_ndev.lock); + list_for_each_entry(pi, &sn->pnetids_ndev.list, list) { +- if (smc_pnet_match(pnetid, pe->pnetid)) { ++ if (smc_pnet_match(pnetid, pi->pnetid)) { + refcount_inc(&pi->refcnt); + kfree(pe); + goto unlock; +-- +2.43.0 + diff --git a/queue-6.11/net-sparx5-fix-source-port-register-when-mirroring.patch b/queue-6.11/net-sparx5-fix-source-port-register-when-mirroring.patch new file mode 100644 index 00000000000..e1b24aa8ccf --- /dev/null +++ b/queue-6.11/net-sparx5-fix-source-port-register-when-mirroring.patch @@ -0,0 +1,65 @@ +From ea52b876cd57f6f945e8fac34969b779f7df4aeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 14:49:56 +0200 +Subject: net: sparx5: fix source port register when mirroring + +From: Daniel Machon + +[ Upstream commit 8a6be4bd6fb319cee63d228e37c8dda5fd1eb74a ] + +When port mirroring is added to a port, the bit position of the source +port, needs to be written to the register ANA_AC_PROBE_PORT_CFG. This +register is replicated for n_ports > 32, and therefore we need to derive +the correct register from the port number. + +Before this patch, we wrongly calculate the register from portno / +BITS_PER_BYTE, where the divisor ought to be 32, causing any port >=8 to +be written to the wrong register. We fix this, by using do_div(), where +the dividend is the register, the remainder is the bit position and the +divisor is now 32. + +Fixes: 4e50d72b3b95 ("net: sparx5: add port mirroring implementation") +Signed-off-by: Daniel Machon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241009-mirroring-fix-v1-1-9ec962301989@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/microchip/sparx5/sparx5_mirror.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_mirror.c b/drivers/net/ethernet/microchip/sparx5/sparx5_mirror.c +index 15db423be4aa6..459a53676ae96 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_mirror.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_mirror.c +@@ -31,10 +31,10 @@ static u64 sparx5_mirror_port_get(struct sparx5 *sparx5, u32 idx) + /* Add port to mirror (only front ports) */ + static void sparx5_mirror_port_add(struct sparx5 *sparx5, u32 idx, u32 portno) + { +- u32 val, reg = portno; ++ u64 reg = portno; ++ u32 val; + +- reg = portno / BITS_PER_BYTE; +- val = BIT(portno % BITS_PER_BYTE); ++ val = BIT(do_div(reg, 32)); + + if (reg == 0) + return spx5_rmw(val, val, sparx5, ANA_AC_PROBE_PORT_CFG(idx)); +@@ -45,10 +45,10 @@ static void sparx5_mirror_port_add(struct sparx5 *sparx5, u32 idx, u32 portno) + /* Delete port from mirror (only front ports) */ + static void sparx5_mirror_port_del(struct sparx5 *sparx5, u32 idx, u32 portno) + { +- u32 val, reg = portno; ++ u64 reg = portno; ++ u32 val; + +- reg = portno / BITS_PER_BYTE; +- val = BIT(portno % BITS_PER_BYTE); ++ val = BIT(do_div(reg, 32)); + + if (reg == 0) + return spx5_rmw(0, val, sparx5, ANA_AC_PROBE_PORT_CFG(idx)); +-- +2.43.0 + diff --git a/queue-6.11/net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch b/queue-6.11/net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch new file mode 100644 index 00000000000..9194d4d858e --- /dev/null +++ b/queue-6.11/net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch @@ -0,0 +1,91 @@ +From 480861afeb32e47740d90e1956c9201520149e92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 10:29:08 -0400 +Subject: net: stmmac: dwmac-tegra: Fix link bring-up sequence + +From: Paritosh Dixit + +[ Upstream commit 1cff6ff302f5703a627f9ee1d99131161ea2683e ] + +The Tegra MGBE driver sometimes fails to initialize, reporting the +following error, and as a result, it is unable to acquire an IP +address with DHCP: + + tegra-mgbe 6800000.ethernet: timeout waiting for link to become ready + +As per the recommendation from the Tegra hardware design team, fix this +issue by: +- clearing the PHY_RDY bit before setting the CDR_RESET bit and then +setting PHY_RDY bit before clearing CDR_RESET bit. This ensures valid +data is present at UPHY RX inputs before starting the CDR lock. +- adding the required delays when bringing up the UPHY lane. Note we +need to use delays here because there is no alternative, such as +polling, for these cases. Using the usleep_range() instead of ndelay() +as sleeping is preferred over busy wait loop. + +Without this change we would see link failures on boot sometimes as +often as 1 in 5 boots. With this fix we have not observed any failures +in over 1000 boots. + +Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support") +Signed-off-by: Paritosh Dixit +Link: https://patch.msgid.link/20241010142908.602712-1-paritoshd@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +index 362f85136c3ef..6fdd94c8919ec 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +@@ -127,10 +127,12 @@ static int mgbe_uphy_lane_bringup_serdes_up(struct net_device *ndev, void *mgbe_ + value &= ~XPCS_WRAP_UPHY_RX_CONTROL_AUX_RX_IDDQ; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + ++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */ + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_SLEEP; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + ++ usleep_range(10, 20); /* 500ns min delay needed as per HW design */ + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CAL_EN; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); +@@ -143,22 +145,30 @@ static int mgbe_uphy_lane_bringup_serdes_up(struct net_device *ndev, void *mgbe_ + return err; + } + ++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */ + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_DATA_EN; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); +- value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET; ++ value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_PCS_PHY_RDY; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + ++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */ + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); +- value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET; ++ value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + ++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */ + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_PCS_PHY_RDY; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + ++ msleep(30); /* 30ms delay needed as per HW design */ ++ value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); ++ value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET; ++ writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); ++ + err = readl_poll_timeout(mgbe->xpcs + XPCS_WRAP_IRQ_STATUS, value, + value & XPCS_WRAP_IRQ_STATUS_PCS_LINK_STS, + 500, 500 * 2000); +-- +2.43.0 + diff --git a/queue-6.11/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch b/queue-6.11/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch new file mode 100644 index 00000000000..2e38540c47a --- /dev/null +++ b/queue-6.11/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch @@ -0,0 +1,36 @@ +From e0b22bab7d5164d8081f1e07ad18e2858baccbab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:51:15 +0800 +Subject: net: systemport: fix potential memory leak in bcm_sysport_xmit() + +From: Wang Hai + +[ Upstream commit c401ed1c709948e57945485088413e1bb5e94bd1 ] + +The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb +in case of dma_map_single() fails, add dev_kfree_skb() to fix it. + +Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") +Signed-off-by: Wang Hai +Link: https://patch.msgid.link/20241014145115.44977-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index c9faa85408593..0a68b526e4a82 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1359,6 +1359,7 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb, + netif_err(priv, tx_err, dev, "DMA map failed at %p (len=%d)\n", + skb->data, skb_len); + ret = NETDEV_TX_OK; ++ dev_kfree_skb_any(skb); + goto out; + } + +-- +2.43.0 + diff --git a/queue-6.11/net-usb-usbnet-fix-race-in-probe-failure.patch b/queue-6.11/net-usb-usbnet-fix-race-in-probe-failure.patch new file mode 100644 index 00000000000..6da7e226fe2 --- /dev/null +++ b/queue-6.11/net-usb-usbnet-fix-race-in-probe-failure.patch @@ -0,0 +1,37 @@ +From 85c9e5ca8baf7530854761ecb5a3d1a65a4de857 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 15:19:14 +0200 +Subject: net: usb: usbnet: fix race in probe failure + +From: Oliver Neukum + +[ Upstream commit b62f4c186c70aa235fef2da68d07325d85ca3ade ] + +The same bug as in the disconnect code path also exists +in the case of a failure late during the probe process. +The flag must also be set. + +Signed-off-by: Oliver Neukum +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://patch.msgid.link/20241010131934.1499695-1-oneukum@suse.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 2506aa8c603ec..ee1b5fd7b4919 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1870,6 +1870,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + * may trigger an error resubmitting itself and, worse, + * schedule a timer. So we kill it all just in case. + */ ++ usbnet_mark_going_away(dev); + cancel_work_sync(&dev->kevent); + del_timer_sync(&dev->delay); + free_netdev(net); +-- +2.43.0 + diff --git a/queue-6.11/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch b/queue-6.11/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch new file mode 100644 index 00000000000..2506549a0ca --- /dev/null +++ b/queue-6.11/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch @@ -0,0 +1,46 @@ +From 842e2fcc9eb88e36cf868b32738e95a76efe04b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:37:04 +0800 +Subject: net: xilinx: axienet: fix potential memory leak in + axienet_start_xmit() + +From: Wang Hai + +[ Upstream commit 99714e37e8333bbc22496fe80f241d5b35380e83 ] + +The axienet_start_xmit() returns NETDEV_TX_OK without freeing skb +in case of dma_map_single() fails, add dev_kfree_skb_any() to fix it. + +Fixes: 71791dc8bdea ("net: axienet: Check for DMA mapping errors") +Signed-off-by: Wang Hai +Reviewed-by: Radhey Shyam Pandey +Link: https://patch.msgid.link/20241014143704.31938-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 5dbfee4aee43c..0c4c57e7fddc2 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -989,6 +989,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + if (net_ratelimit()) + netdev_err(ndev, "TX DMA mapping error\n"); + ndev->stats.tx_dropped++; ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + desc_set_phys_addr(lp, phys, cur_p); +@@ -1009,6 +1010,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + ndev->stats.tx_dropped++; + axienet_free_tx_chain(lp, orig_tail_ptr, ii + 1, + true, NULL, 0); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + desc_set_phys_addr(lp, phys, cur_p); +-- +2.43.0 + diff --git a/queue-6.11/netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch b/queue-6.11/netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch new file mode 100644 index 00000000000..b47b7521e09 --- /dev/null +++ b/queue-6.11/netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch @@ -0,0 +1,111 @@ +From c5f917f56e219230e9449bae4b397ba75bf018c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Oct 2024 09:42:30 +0000 +Subject: netdevsim: use cond_resched() in nsim_dev_trap_report_work() + +From: Eric Dumazet + +[ Upstream commit a1494d532e28598bde7a5544892ef9c7dbfafa93 ] + +I am still seeing many syzbot reports hinting that syzbot +might fool nsim_dev_trap_report_work() with hundreds of ports [1] + +Lets use cond_resched(), and system_unbound_wq +instead of implicit system_wq. + +[1] +INFO: task syz-executor:20633 blocked for more than 143 seconds. + Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:syz-executor state:D stack:25856 pid:20633 tgid:20633 ppid:1 flags:0x00004006 +... +NMI backtrace for cpu 1 +CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Workqueue: events nsim_dev_trap_report_work + RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210 +Code: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0 +RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246 +RAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00 +RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577 +R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000 +R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00 +FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Call Trace: + + + + __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 + spin_unlock_bh include/linux/spinlock.h:396 [inline] + nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline] + nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850 + process_one_work kernel/workqueue.c:3229 [inline] + process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 + worker_thread+0x870/0xd30 kernel/workqueue.c:3391 + kthread+0x2f0/0x390 kernel/kthread.c:389 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + +Fixes: ba5e1272142d ("netdevsim: avoid potential loop in nsim_dev_trap_report_work()") +Reported-by: syzbot+d383dc9579a76f56c251@syzkaller.appspotmail.com +Reported-by: syzbot+c596faae21a68bf7afd0@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Cc: Jiri Pirko +Link: https://patch.msgid.link/20241012094230.3893510-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/dev.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c +index 92a7a36b93ac0..3e0b61202f0c9 100644 +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -836,7 +836,8 @@ static void nsim_dev_trap_report_work(struct work_struct *work) + nsim_dev = nsim_trap_data->nsim_dev; + + if (!devl_trylock(priv_to_devlink(nsim_dev))) { +- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, 1); ++ queue_delayed_work(system_unbound_wq, ++ &nsim_dev->trap_data->trap_report_dw, 1); + return; + } + +@@ -848,11 +849,12 @@ static void nsim_dev_trap_report_work(struct work_struct *work) + continue; + + nsim_dev_trap_report(nsim_dev_port); ++ cond_resched(); + } + devl_unlock(priv_to_devlink(nsim_dev)); +- +- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, +- msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS)); ++ queue_delayed_work(system_unbound_wq, ++ &nsim_dev->trap_data->trap_report_dw, ++ msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS)); + } + + static int nsim_dev_traps_init(struct devlink *devlink) +@@ -907,8 +909,9 @@ static int nsim_dev_traps_init(struct devlink *devlink) + + INIT_DELAYED_WORK(&nsim_dev->trap_data->trap_report_dw, + nsim_dev_trap_report_work); +- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, +- msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS)); ++ queue_delayed_work(system_unbound_wq, ++ &nsim_dev->trap_data->trap_report_dw, ++ msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS)); + + return 0; + +-- +2.43.0 + diff --git a/queue-6.11/nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch b/queue-6.11/nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch new file mode 100644 index 00000000000..9582fcfd557 --- /dev/null +++ b/queue-6.11/nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch @@ -0,0 +1,89 @@ +From 3de09ba783479db4b3dc2622068e193262a1fd4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 13:21:00 +0200 +Subject: nvme-pci: fix race condition between reset and nvme_dev_disable() + +From: Maurizio Lombardi + +[ Upstream commit 26bc0a81f64ce00fc4342c38eeb2eddaad084dd2 ] + +nvme_dev_disable() modifies the dev->online_queues field, therefore +nvme_pci_update_nr_queues() should avoid racing against it, otherwise +we could end up passing invalid values to blk_mq_update_nr_hw_queues(). + + WARNING: CPU: 39 PID: 61303 at drivers/pci/msi/api.c:347 + pci_irq_get_affinity+0x187/0x210 + Workqueue: nvme-reset-wq nvme_reset_work [nvme] + RIP: 0010:pci_irq_get_affinity+0x187/0x210 + Call Trace: + + ? blk_mq_pci_map_queues+0x87/0x3c0 + ? pci_irq_get_affinity+0x187/0x210 + blk_mq_pci_map_queues+0x87/0x3c0 + nvme_pci_map_queues+0x189/0x460 [nvme] + blk_mq_update_nr_hw_queues+0x2a/0x40 + nvme_reset_work+0x1be/0x2a0 [nvme] + +Fix the bug by locking the shutdown_lock mutex before using +dev->online_queues. Give up if nvme_dev_disable() is running or if +it has been executed already. + +Fixes: 949928c1c731 ("NVMe: Fix possible queue use after freed") +Tested-by: Yi Zhang +Reviewed-by: Christoph Hellwig +Signed-off-by: Maurizio Lombardi +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 7990c3f22ecf6..4b9fda0b1d9a3 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2506,17 +2506,29 @@ static unsigned int nvme_pci_nr_maps(struct nvme_dev *dev) + return 1; + } + +-static void nvme_pci_update_nr_queues(struct nvme_dev *dev) ++static bool nvme_pci_update_nr_queues(struct nvme_dev *dev) + { + if (!dev->ctrl.tagset) { + nvme_alloc_io_tag_set(&dev->ctrl, &dev->tagset, &nvme_mq_ops, + nvme_pci_nr_maps(dev), sizeof(struct nvme_iod)); +- return; ++ return true; ++ } ++ ++ /* Give up if we are racing with nvme_dev_disable() */ ++ if (!mutex_trylock(&dev->shutdown_lock)) ++ return false; ++ ++ /* Check if nvme_dev_disable() has been executed already */ ++ if (!dev->online_queues) { ++ mutex_unlock(&dev->shutdown_lock); ++ return false; + } + + blk_mq_update_nr_hw_queues(&dev->tagset, dev->online_queues - 1); + /* free previously allocated queues that are no longer usable */ + nvme_free_queues(dev, dev->online_queues); ++ mutex_unlock(&dev->shutdown_lock); ++ return true; + } + + static int nvme_pci_enable(struct nvme_dev *dev) +@@ -2797,7 +2809,8 @@ static void nvme_reset_work(struct work_struct *work) + nvme_dbbuf_set(dev); + nvme_unquiesce_io_queues(&dev->ctrl); + nvme_wait_freeze(&dev->ctrl); +- nvme_pci_update_nr_queues(dev); ++ if (!nvme_pci_update_nr_queues(dev)) ++ goto out; + nvme_unfreeze(&dev->ctrl); + } else { + dev_warn(dev->ctrl.device, "IO queues lost\n"); +-- +2.43.0 + diff --git a/queue-6.11/octeontx2-af-fix-potential-integer-overflows-on-inte.patch b/queue-6.11/octeontx2-af-fix-potential-integer-overflows-on-inte.patch new file mode 100644 index 00000000000..8f854cb4e93 --- /dev/null +++ b/queue-6.11/octeontx2-af-fix-potential-integer-overflows-on-inte.patch @@ -0,0 +1,49 @@ +From 2b53f8f7c351a4380a316cf8b28a1029c8b14b4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 16:45:19 +0100 +Subject: octeontx2-af: Fix potential integer overflows on integer shifts + +From: Colin Ian King + +[ Upstream commit 637c4f6fe40befa04f19c38b5d15429cbb9191d9 ] + +The left shift int 32 bit integer constants 1 is evaluated using 32 bit +arithmetic and then assigned to a 64 bit unsigned integer. In the case +where the shift is 32 or more this can lead to an overflow. Avoid this +by shifting using the BIT_ULL macro instead. + +Fixes: 019aba04f08c ("octeontx2-af: Modify SMQ flush sequence to drop packets") +Signed-off-by: Colin Ian King +Reviewed-by: Dan Carpenter +Link: https://patch.msgid.link/20241010154519.768785-1-colin.i.king@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index 82832a24fbd86..da69350c6f765 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -2411,7 +2411,7 @@ static int nix_smq_flush(struct rvu *rvu, int blkaddr, + NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link)); + if (!(cfg & BIT_ULL(12))) + continue; +- bmap |= (1 << i); ++ bmap |= BIT_ULL(i); + cfg &= ~BIT_ULL(12); + rvu_write64(rvu, blkaddr, + NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link), cfg); +@@ -2432,7 +2432,7 @@ static int nix_smq_flush(struct rvu *rvu, int blkaddr, + + /* Set NIX_AF_TL3_TL2_LINKX_CFG[ENA] for the TL3/TL2 queue */ + for (i = 0; i < (rvu->hw->cgx_links + rvu->hw->lbk_links); i++) { +- if (!(bmap & (1 << i))) ++ if (!(bmap & BIT_ULL(i))) + continue; + cfg = rvu_read64(rvu, blkaddr, + NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link)); +-- +2.43.0 + diff --git a/queue-6.11/patch-hwmon-jc42-properly-detect-tse2004-compliant-d.patch b/queue-6.11/patch-hwmon-jc42-properly-detect-tse2004-compliant-d.patch new file mode 100644 index 00000000000..ece5a345910 --- /dev/null +++ b/queue-6.11/patch-hwmon-jc42-properly-detect-tse2004-compliant-d.patch @@ -0,0 +1,49 @@ +From 272a071a6f4d3ad9c018aa6b14fef93188864eda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:04:26 +0200 +Subject: [PATCH} hwmon: (jc42) Properly detect TSE2004-compliant devices again + +From: Jean Delvare + +[ Upstream commit eabb03810194b75417b09cff8a526d26939736ac ] + +Commit b3e992f69c23 ("hwmon: (jc42) Strengthen detect function") +attempted to make the detect function more robust for +TSE2004-compliant devices by checking capability bits which, according +to the JEDEC 21-C specification, should always be set. Unfortunately, +not all real-world implementations fully adhere to this specification, +so this change caused a regression. + +Stop testing bit 7 (EVSD) of the Capabilities register, as it was +found to be 0 on one real-world device. + +Also stop testing bits 0 (EVENT) and 2 (RANGE) as vendor datasheets +(Renesas TSE2004GB2B0, ST STTS2004) suggest that they may not always +be set either. + +Signed-off-by: Jean Delvare +Message-ID: <20241014141204.026f4641@endymion.delvare> +Fixes: b3e992f69c23 ("hwmon: (jc42) Strengthen detect function") +Message-ID: <20241014220426.0c8f4d9c@endymion.delvare> +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/jc42.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/jc42.c b/drivers/hwmon/jc42.c +index a260cff750a58..c459dce496a6e 100644 +--- a/drivers/hwmon/jc42.c ++++ b/drivers/hwmon/jc42.c +@@ -417,7 +417,7 @@ static int jc42_detect(struct i2c_client *client, struct i2c_board_info *info) + return -ENODEV; + + if ((devid & TSE2004_DEVID_MASK) == TSE2004_DEVID && +- (cap & 0x00e7) != 0x00e7) ++ (cap & 0x0062) != 0x0062) + return -ENODEV; + + for (i = 0; i < ARRAY_SIZE(jc42_chips); i++) { +-- +2.43.0 + diff --git a/queue-6.11/ravb-remove-setting-of-rx-software-timestamp.patch b/queue-6.11/ravb-remove-setting-of-rx-software-timestamp.patch new file mode 100644 index 00000000000..2a987005e75 --- /dev/null +++ b/queue-6.11/ravb-remove-setting-of-rx-software-timestamp.patch @@ -0,0 +1,54 @@ +From fbd6be010b45c7e93b0f4f791a67665ffe4e33f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 14:27:55 +0300 +Subject: ravb: Remove setting of RX software timestamp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gal Pressman + +[ Upstream commit 277901ee3a2620679e2c8797377d2a72f4358068 ] + +The responsibility for reporting of RX software timestamp has moved to +the core layer (see __ethtool_get_ts_info()), remove usage from the +device drivers. + +Reviewed-by: Carolina Jubran +Reviewed-by: Rahul Rameshbabu +Signed-off-by: Gal Pressman +Reviewed-by: Niklas Söderlund +Reviewed-by: Sergey Shtylyov +Link: https://patch.msgid.link/20240901112803.212753-8-gal@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 126e799602f4 ("net: ravb: Only advertise Rx/Tx timestamps if hardware supports it") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 6b82df11fe8d0..d2a6518532f37 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1752,8 +1752,6 @@ static int ravb_get_ts_info(struct net_device *ndev, + + info->so_timestamping = + SOF_TIMESTAMPING_TX_SOFTWARE | +- SOF_TIMESTAMPING_RX_SOFTWARE | +- SOF_TIMESTAMPING_SOFTWARE | + SOF_TIMESTAMPING_TX_HARDWARE | + SOF_TIMESTAMPING_RX_HARDWARE | + SOF_TIMESTAMPING_RAW_HARDWARE; +@@ -1764,6 +1762,8 @@ static int ravb_get_ts_info(struct net_device *ndev, + (1 << HWTSTAMP_FILTER_ALL); + if (hw_info->gptp || hw_info->ccc_gac) + info->phc_index = ptp_clock_index(priv->ptp.clock); ++ else ++ info->phc_index = 0; + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-add-a-check-for-memory-allocation.patch b/queue-6.11/rdma-bnxt_re-add-a-check-for-memory-allocation.patch new file mode 100644 index 00000000000..ed3e7331449 --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-add-a-check-for-memory-allocation.patch @@ -0,0 +1,40 @@ +From 7d8797c462d6a5390eacaab631496aff57491a95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:58 -0700 +Subject: RDMA/bnxt_re: Add a check for memory allocation + +From: Kalesh AP + +[ Upstream commit c5c1ae73b7741fa3b58e6e001b407825bb971225 ] + +__alloc_pbl() can return error when memory allocation fails. +Driver is not checking the status on one of the instances. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Link: https://patch.msgid.link/r/1726715161-18941-4-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index dfc943fab87b4..1fdffd6a0f480 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -244,6 +244,8 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + sginfo.pgsize = npde * pg_size; + sginfo.npages = 1; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo); ++ if (rc) ++ goto fail; + + /* Alloc PBL pages */ + sginfo.npages = npbl; +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-avoid-cpu-lockups-due-fifo-occupancy-ch.patch b/queue-6.11/rdma-bnxt_re-avoid-cpu-lockups-due-fifo-occupancy-ch.patch new file mode 100644 index 00000000000..7591187e68c --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-avoid-cpu-lockups-due-fifo-occupancy-ch.patch @@ -0,0 +1,60 @@ +From 43ffdd84a83dcbe8f037153a2156d4ee8001f8c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:38 -0700 +Subject: RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop + +From: Selvin Xavier + +[ Upstream commit 8be3e5b0c96beeefe9d5486b96575d104d3e7d17 ] + +Driver waits indefinitely for the fifo occupancy to go below a threshold +as soon as the pacing interrupt is received. This can cause soft lockup on +one of the processors, if the rate of DB is very high. + +Add a loop count for FPGA and exit the __wait_for_fifo_occupancy_below_th +if the loop is taking more time. Pacing will be continuing until the +occupancy is below the threshold. This is ensured by the checks in +bnxt_re_pacing_timer_exp and further scheduling the work for pacing based +on the fifo occupancy. + +Fixes: 2ad4e6303a6d ("RDMA/bnxt_re: Implement doorbell pacing algorithm") +Link: https://patch.msgid.link/r/1728373302-19530-7-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Kalesh AP +Reviewed-by: Chandramohan Akula +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index e06adb2dfe6f9..c905a51aabfba 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -518,6 +518,7 @@ static bool is_dbr_fifo_full(struct bnxt_re_dev *rdev) + static void __wait_for_fifo_occupancy_below_th(struct bnxt_re_dev *rdev) + { + struct bnxt_qplib_db_pacing_data *pacing_data = rdev->qplib_res.pacing_data; ++ u32 retry_fifo_check = 1000; + u32 fifo_occup; + + /* loop shouldn't run infintely as the occupancy usually goes +@@ -531,6 +532,14 @@ static void __wait_for_fifo_occupancy_below_th(struct bnxt_re_dev *rdev) + + if (fifo_occup < pacing_data->pacing_th) + break; ++ if (!retry_fifo_check--) { ++ dev_info_once(rdev_to_dev(rdev), ++ "%s: fifo_occup = 0x%xfifo_max_depth = 0x%x pacing_th = 0x%x\n", ++ __func__, fifo_occup, pacing_data->fifo_max_depth, ++ pacing_data->pacing_th); ++ break; ++ } ++ + } + } + +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-change-the-sequence-of-updating-the-cq-.patch b/queue-6.11/rdma-bnxt_re-change-the-sequence-of-updating-the-cq-.patch new file mode 100644 index 00000000000..8468528d22e --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-change-the-sequence-of-updating-the-cq-.patch @@ -0,0 +1,77 @@ +From aeca5c620efe097c5a7345e5f5e638c14d527234 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:40 -0700 +Subject: RDMA/bnxt_re: Change the sequence of updating the CQ toggle value + +From: Chandramohan Akula + +[ Upstream commit 2df411353dacc4b0c911f8c4944f8ffab955391c ] + +Currently the CQ toggle value in the shared page (read by the userlib) is +updated as part of the cqn_handler. There is a potential race of +application calling the CQ ARM doorbell immediately and using the old +toggle value. + +Change the sequence of updating CQ toggle value to update in the +bnxt_qplib_service_nq function immediately after reading the toggle value +to be in sync with the HW updated value. + +Fixes: e275919d9669 ("RDMA/bnxt_re: Share a page to expose per CQ info with userspace") +Link: https://patch.msgid.link/r/1728373302-19530-9-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Chandramohan Akula +Reviewed-by: Selvin Xavier +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 8 +------- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 5 +++++ + 2 files changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index c905a51aabfba..9b7093eb439c6 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -1257,15 +1257,9 @@ static int bnxt_re_cqn_handler(struct bnxt_qplib_nq *nq, + { + struct bnxt_re_cq *cq = container_of(handle, struct bnxt_re_cq, + qplib_cq); +- u32 *cq_ptr; + +- if (cq->ib_cq.comp_handler) { +- if (cq->uctx_cq_page) { +- cq_ptr = (u32 *)cq->uctx_cq_page; +- *cq_ptr = cq->qplib_cq.toggle; +- } ++ if (cq->ib_cq.comp_handler) + (*cq->ib_cq.comp_handler)(&cq->ib_cq, cq->ib_cq.cq_context); +- } + + return 0; + } +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index 19bb45329a19b..03d517be9c52e 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -327,6 +327,7 @@ static void bnxt_qplib_service_nq(struct tasklet_struct *t) + case NQ_BASE_TYPE_CQ_NOTIFICATION: + { + struct nq_cn *nqcne = (struct nq_cn *)nqe; ++ struct bnxt_re_cq *cq_p; + + q_handle = le32_to_cpu(nqcne->cq_handle_low); + q_handle |= (u64)le32_to_cpu(nqcne->cq_handle_high) +@@ -337,6 +338,10 @@ static void bnxt_qplib_service_nq(struct tasklet_struct *t) + cq->toggle = (le16_to_cpu(nqe->info10_type) & + NQ_CN_TOGGLE_MASK) >> NQ_CN_TOGGLE_SFT; + cq->dbinfo.toggle = cq->toggle; ++ cq_p = container_of(cq, struct bnxt_re_cq, qplib_cq); ++ if (cq_p->uctx_cq_page) ++ *((u32 *)cq_p->uctx_cq_page) = cq->toggle; ++ + bnxt_qplib_armen_db(&cq->dbinfo, + DBC_DBC_TYPE_CQ_ARMENA); + spin_lock_bh(&cq->compl_lock); +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch b/queue-6.11/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch new file mode 100644 index 00000000000..54fdb47ce7e --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch @@ -0,0 +1,59 @@ +From a32ea29e4be9b604a2e2c8a1b7e3aebaca609eb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:41 -0700 +Subject: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages + +From: Bhargava Chenna Marreddy + +[ Upstream commit 7988bdbbb85ac85a847baf09879edcd0f70521dc ] + +Avoid memory corruption while setting up Level-2 PBL pages for the non MR +resources when num_pages > 256K. + +There will be a single PDE page address (contiguous pages in the case of > +PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid +memory access after 256K PBL entries in the PDE. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Link: https://patch.msgid.link/r/1728373302-19530-10-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Bhargava Chenna Marreddy +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 19 +++---------------- + 1 file changed, 3 insertions(+), 16 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 1fdffd6a0f480..96ceec1e8199a 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -257,22 +257,9 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + dst_virt_ptr = + (dma_addr_t **)hwq->pbl[PBL_LVL_0].pg_arr; + src_phys_ptr = hwq->pbl[PBL_LVL_1].pg_map_arr; +- if (hwq_attr->type == HWQ_TYPE_MR) { +- /* For MR it is expected that we supply only 1 contigous +- * page i.e only 1 entry in the PDL that will contain +- * all the PBLs for the user supplied memory region +- */ +- for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; +- i++) +- dst_virt_ptr[0][i] = src_phys_ptr[i] | +- flag; +- } else { +- for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; +- i++) +- dst_virt_ptr[PTR_PG(i)][PTR_IDX(i)] = +- src_phys_ptr[i] | +- PTU_PDE_VALID; +- } ++ for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; i++) ++ dst_virt_ptr[0][i] = src_phys_ptr[i] | flag; ++ + /* Alloc or init PTEs */ + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_2], + hwq_attr->sginfo); +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-fix-a-possible-memory-leak.patch b/queue-6.11/rdma-bnxt_re-fix-a-possible-memory-leak.patch new file mode 100644 index 00000000000..f8d0651b4d5 --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-fix-a-possible-memory-leak.patch @@ -0,0 +1,43 @@ +From ee57260072df1c9e1f80ad414a544d877004cd7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:56 -0700 +Subject: RDMA/bnxt_re: Fix a possible memory leak + +From: Kalesh AP + +[ Upstream commit 3fc5410f225d1651580a4aeb7c72f55e28673b53 ] + +In bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() fails +driver is not freeing the memory allocated for "rdev->chip_ctx". + +Fixes: 0ac20faf5d83 ("RDMA/bnxt_re: Reorg the bar mapping") +Link: https://patch.msgid.link/r/1726715161-18941-2-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Selvin Xavier +Signed-off-by: Kalesh AP +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index 9714b9ab75240..2a450d7ad1990 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -184,8 +184,11 @@ static int bnxt_re_setup_chip_ctx(struct bnxt_re_dev *rdev, u8 wqe_mode) + + bnxt_re_set_db_offset(rdev); + rc = bnxt_qplib_map_db_bar(&rdev->qplib_res); +- if (rc) ++ if (rc) { ++ kfree(rdev->chip_ctx); ++ rdev->chip_ctx = NULL; + return rc; ++ } + + if (bnxt_qplib_determine_atomics(en_dev->pdev)) + ibdev_info(&rdev->ibdev, +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch b/queue-6.11/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch new file mode 100644 index 00000000000..106142f16f5 --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch @@ -0,0 +1,47 @@ +From 6256372c2d5c9492cb15ead658f0a2fc5988c58d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:57 -0700 +Subject: RDMA/bnxt_re: Fix incorrect AVID type in WQE structure + +From: Saravanan Vajravel + +[ Upstream commit 9ab20f76ae9fad55ebaf36bdff04aea1c2552374 ] + +Driver uses internal data structure to construct WQE frame. +It used avid type as u16 which can accommodate up to 64K AVs. +When outstanding AVID crosses 64K, driver truncates AVID and +hence it uses incorrect AVID to WR. This leads to WR failure +due to invalid AV ID and QP is moved to error state with reason +set to 19 (INVALID AVID). When RDMA CM path is used, this issue +hits QP1 and it is moved to error state + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://patch.msgid.link/r/1726715161-18941-3-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Selvin Xavier +Reviewed-by: Chandramohan Akula +Signed-off-by: Saravanan Vajravel +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +index 56538b90d6c56..c7412e461436f 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +@@ -169,7 +169,7 @@ struct bnxt_qplib_swqe { + }; + u32 q_key; + u32 dst_qp; +- u16 avid; ++ u32 avid; + } send; + + /* Send Raw Ethernet and QP1 */ +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-fix-incorrect-dereference-of-srq-in-asy.patch b/queue-6.11/rdma-bnxt_re-fix-incorrect-dereference-of-srq-in-asy.patch new file mode 100644 index 00000000000..9ef2c85fe2f --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-fix-incorrect-dereference-of-srq-in-asy.patch @@ -0,0 +1,49 @@ +From 5e352d56aea98bc7972238654b18a0ba81444a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:35 -0700 +Subject: RDMA/bnxt_re: Fix incorrect dereference of srq in async event + +From: Kashyap Desai + +[ Upstream commit 87b4d8d28f6af8fc62766a8af7a5467b37053dfa ] + +Currently driver is not getting correct srq. Dereference only if qplib has +a valid srq. + +Fixes: b02fd3f79ec3 ("RDMA/bnxt_re: Report async events and errors") +Link: https://patch.msgid.link/r/1728373302-19530-4-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Saravanan Vajravel +Reviewed-by: Chandramohan Akula +Signed-off-by: Kashyap Desai +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index 2a450d7ad1990..e06adb2dfe6f9 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -1012,12 +1012,15 @@ static int bnxt_re_handle_unaffi_async_event(struct creq_func_event + static int bnxt_re_handle_qp_async_event(struct creq_qp_event *qp_event, + struct bnxt_re_qp *qp) + { +- struct bnxt_re_srq *srq = container_of(qp->qplib_qp.srq, struct bnxt_re_srq, +- qplib_srq); + struct creq_qp_error_notification *err_event; ++ struct bnxt_re_srq *srq = NULL; + struct ib_event event = {}; + unsigned int flags; + ++ if (qp->qplib_qp.srq) ++ srq = container_of(qp->qplib_qp.srq, struct bnxt_re_srq, ++ qplib_srq); ++ + if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR && + rdma_is_kernel_res(&qp->ib_qp.res)) { + flags = bnxt_re_lock_cqs(qp); +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-fix-out-of-bound-check.patch b/queue-6.11/rdma-bnxt_re-fix-out-of-bound-check.patch new file mode 100644 index 00000000000..4e729b2a4c5 --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-fix-out-of-bound-check.patch @@ -0,0 +1,42 @@ +From b5bec913dbfa8c4824bab87fd83fdc3de8b21a97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:34 -0700 +Subject: RDMA/bnxt_re: Fix out of bound check + +From: Kalesh AP + +[ Upstream commit a9e6e7443922ac0a48243c35d03834c96926bff1 ] + +Driver exports pacing stats only on GenP5 and P7 adapters. But while +parsing the pacing stats, driver has a check for "rdev->dbr_pacing". This +caused a trace when KASAN is enabled. + +BUG: KASAN: slab-out-of-bounds in bnxt_re_get_hw_stats+0x2b6a/0x2e00 [bnxt_re] +Write of size 8 at addr ffff8885942a6340 by task modprobe/4809 + +Fixes: 8b6573ff3420 ("bnxt_re: Update the debug counters for doorbell pacing") +Link: https://patch.msgid.link/r/1728373302-19530-3-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/hw_counters.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.c b/drivers/infiniband/hw/bnxt_re/hw_counters.c +index 128651c015956..1e63f80917483 100644 +--- a/drivers/infiniband/hw/bnxt_re/hw_counters.c ++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.c +@@ -366,7 +366,7 @@ int bnxt_re_ib_get_hw_stats(struct ib_device *ibdev, + goto done; + } + } +- if (rdev->pacing.dbr_pacing) ++ if (rdev->pacing.dbr_pacing && bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) + bnxt_re_copy_db_pacing_stats(rdev, stats); + } + +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-fix-the-gid-table-length.patch b/queue-6.11/rdma-bnxt_re-fix-the-gid-table-length.patch new file mode 100644 index 00000000000..8132c354ced --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-fix-the-gid-table-length.patch @@ -0,0 +1,51 @@ +From 775370b47cc92cf6ce3af0e99069a307a394e74a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:42 -0700 +Subject: RDMA/bnxt_re: Fix the GID table length + +From: Kalesh AP + +[ Upstream commit dc5006cfcf62bea88076a587344ba5e00e66d1c6 ] + +GID table length is reported by FW. The gid index which is passed to the +driver during modify_qp/create_ah is restricted by the sgid_index field of +struct ib_global_route. sgid_index is u8 and the max sgid possible is +256. + +Each GID entry in HW will have 2 GID entries in the kernel gid table. So +we can support twice the gid table size reported by FW. Also, restrict the +max GID to 256 also. + +Fixes: 847b97887ed4 ("RDMA/bnxt_re: Restrict the max_gids to 256") +Link: https://patch.msgid.link/r/1728373302-19530-11-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index 8e59422dd137e..420f8613bcd51 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -156,7 +156,14 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw, + if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx)) + attr->l2_db_size = (sb->l2_db_space_size + 1) * + (0x01 << RCFW_DBR_BASE_PAGE_SHIFT); +- attr->max_sgid = BNXT_QPLIB_NUM_GIDS_SUPPORTED; ++ /* ++ * Read the max gid supported by HW. ++ * For each entry in HW GID in HW table, we consume 2 ++ * GID entries in the kernel GID table. So max_gid reported ++ * to stack can be up to twice the value reported by the HW, up to 256 gids. ++ */ ++ attr->max_sgid = le32_to_cpu(sb->max_gid); ++ attr->max_sgid = min_t(u32, BNXT_QPLIB_NUM_GIDS_SUPPORTED, 2 * attr->max_sgid); + attr->dev_cap_flags = le16_to_cpu(sb->dev_cap_flags); + attr->dev_cap_flags2 = le16_to_cpu(sb->dev_cap_ext_flags_2); + +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch b/queue-6.11/rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch new file mode 100644 index 00000000000..d29b8e8972d --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch @@ -0,0 +1,52 @@ +From 5cceec717ad715f6cd6c5b28c57adeb9a4523fb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:33 -0700 +Subject: RDMA/bnxt_re: Fix the max CQ WQEs for older adapters + +From: Abhishek Mohapatra + +[ Upstream commit ac6df53738b465053d38d491fff87bd7d37fdc07 ] + +Older adapters doesn't support the MAX CQ WQEs reported by older FW. So +restrict the value reported to 1M always for older adapters. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://patch.msgid.link/r/1728373302-19530-2-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Abhishek Mohapatra +Reviewed-by: Chandramohan Akula +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 ++ + drivers/infiniband/hw/bnxt_re/qplib_sp.h | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index 9328db92fa6db..8e59422dd137e 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -137,6 +137,8 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw, + 6 : sb->max_sge; + attr->max_cq = le32_to_cpu(sb->max_cq); + attr->max_cq_wqes = le32_to_cpu(sb->max_cqe); ++ if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx)) ++ attr->max_cq_wqes = min_t(u32, BNXT_QPLIB_MAX_CQ_WQES, attr->max_cq_wqes); + attr->max_cq_sges = attr->max_qp_sges; + attr->max_mr = le32_to_cpu(sb->max_mr); + attr->max_mw = le32_to_cpu(sb->max_mw); +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.h b/drivers/infiniband/hw/bnxt_re/qplib_sp.h +index 16a67d70a6fc4..2f16f3db093ea 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.h +@@ -55,6 +55,7 @@ struct bnxt_qplib_dev_attr { + u32 max_qp_wqes; + u32 max_qp_sges; + u32 max_cq; ++#define BNXT_QPLIB_MAX_CQ_WQES 0xfffff + u32 max_cq_wqes; + u32 max_cq_sges; + u32 max_mr; +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-get-the-toggle-bits-from-srq-events.patch b/queue-6.11/rdma-bnxt_re-get-the-toggle-bits-from-srq-events.patch new file mode 100644 index 00000000000..350253e367e --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-get-the-toggle-bits-from-srq-events.patch @@ -0,0 +1,89 @@ +From 7d6c06b593a442c88f83119f297c07b2fbbbb02c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 08:34:03 -0700 +Subject: RDMA/bnxt_re: Get the toggle bits from SRQ events + +From: Hongguang Gao + +[ Upstream commit 640c2cf84e1de62e6bb0738dc2128d5506e7e5bc ] + +SRQ arming requires the toggle bits received from hardware. +Get the toggle bits from SRQ notification for the +gen p7 adapters. This value will be zero for the older adapters. + +Signed-off-by: Hongguang Gao +Signed-off-by: Chandramohan Akula +Signed-off-by: Selvin Xavier +Link: https://patch.msgid.link/1724945645-14989-2-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Leon Romanovsky +Stable-dep-of: 2df411353dac ("RDMA/bnxt_re: Change the sequence of updating the CQ toggle value") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.h | 1 + + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 11 +++++++++++ + drivers/infiniband/hw/bnxt_re/qplib_fp.h | 1 + + 3 files changed, 13 insertions(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.h b/drivers/infiniband/hw/bnxt_re/ib_verbs.h +index e98cb17173385..b368916a5bcfc 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.h ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.h +@@ -77,6 +77,7 @@ struct bnxt_re_srq { + struct bnxt_qplib_srq qplib_srq; + struct ib_umem *umem; + spinlock_t lock; /* protect srq */ ++ void *uctx_srq_page; + }; + + struct bnxt_re_qp { +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index 49e4a4a50bfae..19bb45329a19b 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -54,6 +54,10 @@ + #include "qplib_rcfw.h" + #include "qplib_sp.h" + #include "qplib_fp.h" ++#include ++#include "bnxt_ulp.h" ++#include "bnxt_re.h" ++#include "ib_verbs.h" + + static void __clean_cq(struct bnxt_qplib_cq *cq, u64 qp); + +@@ -347,6 +351,7 @@ static void bnxt_qplib_service_nq(struct tasklet_struct *t) + case NQ_BASE_TYPE_SRQ_EVENT: + { + struct bnxt_qplib_srq *srq; ++ struct bnxt_re_srq *srq_p; + struct nq_srq_event *nqsrqe = + (struct nq_srq_event *)nqe; + +@@ -354,6 +359,12 @@ static void bnxt_qplib_service_nq(struct tasklet_struct *t) + q_handle |= (u64)le32_to_cpu(nqsrqe->srq_handle_high) + << 32; + srq = (struct bnxt_qplib_srq *)q_handle; ++ srq->toggle = (le16_to_cpu(nqe->info10_type) & NQ_CN_TOGGLE_MASK) ++ >> NQ_CN_TOGGLE_SFT; ++ srq->dbinfo.toggle = srq->toggle; ++ srq_p = container_of(srq, struct bnxt_re_srq, qplib_srq); ++ if (srq_p->uctx_srq_page) ++ *((u32 *)srq_p->uctx_srq_page) = srq->toggle; + bnxt_qplib_armen_db(&srq->dbinfo, + DBC_DBC_TYPE_SRQ_ARMENA); + if (nq->srqn_handler(nq, +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +index c7412e461436f..389862df818d9 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +@@ -105,6 +105,7 @@ struct bnxt_qplib_srq { + struct bnxt_qplib_sg_info sg_info; + u16 eventq_hw_ring_id; + spinlock_t lock; /* protect SRQE link list */ ++ u8 toggle; + }; + + struct bnxt_qplib_sge { +-- +2.43.0 + diff --git a/queue-6.11/rdma-bnxt_re-return-more-meaningful-error.patch b/queue-6.11/rdma-bnxt_re-return-more-meaningful-error.patch new file mode 100644 index 00000000000..16200466758 --- /dev/null +++ b/queue-6.11/rdma-bnxt_re-return-more-meaningful-error.patch @@ -0,0 +1,41 @@ +From 0b7334254206f25736de3dab7830615be340d6eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:36 -0700 +Subject: RDMA/bnxt_re: Return more meaningful error + +From: Kalesh AP + +[ Upstream commit 98647df0178df215b8239c5c365537283b2852a6 ] + +When the HWRM command fails, driver currently returns -EFAULT(Bad +address). This does not look correct. + +Modified to return -EIO(I/O error). + +Fixes: cc1ec769b87c ("RDMA/bnxt_re: Fixing the Control path command and response handling") +Fixes: 65288a22ddd8 ("RDMA/bnxt_re: use shadow qd while posting non blocking rcfw command") +Link: https://patch.msgid.link/r/1728373302-19530-5-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 3ffaef0c26519..7294221b3316c 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -525,7 +525,7 @@ static int __bnxt_qplib_rcfw_send_message(struct bnxt_qplib_rcfw *rcfw, + /* failed with status */ + dev_err(&rcfw->pdev->dev, "cmdq[%#x]=%#x status %#x\n", + cookie, opcode, evnt->status); +- rc = -EFAULT; ++ rc = -EIO; + } + + return rc; +-- +2.43.0 + diff --git a/queue-6.11/rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch b/queue-6.11/rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch new file mode 100644 index 00000000000..acc959cb89e --- /dev/null +++ b/queue-6.11/rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch @@ -0,0 +1,42 @@ +From acd3754bcca1ae970db4f1cbcba050951beaa041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 17:13:34 +0530 +Subject: RDMA/core: Fix ENODEV error for iWARP test over vlan + +From: Anumula Murali Mohan Reddy + +[ Upstream commit 5069d7e202f640a36cf213a432296c85113a52f7 ] + +If traffic is over vlan, cma_validate_port() fails to match vlan +net_device ifindex with bound_if_index and results in ENODEV error. +It is because rdma_copy_src_l2_addr() always assigns bound_if_index with +real net_device ifindex. +This patch fixes the issue by assigning bound_if_index with vlan +net_device index if traffic is over vlan. + +Fixes: f8ef1be816bf ("RDMA/cma: Avoid GID lookups on iWARP devices") +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Link: https://patch.msgid.link/20241008114334.146702-1-anumula@chelsio.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/addr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c +index be0743dac3fff..c4cf26f1d1496 100644 +--- a/drivers/infiniband/core/addr.c ++++ b/drivers/infiniband/core/addr.c +@@ -269,6 +269,8 @@ rdma_find_ndev_for_src_ip_rcu(struct net *net, const struct sockaddr *src_in) + break; + #endif + } ++ if (!ret && dev && is_vlan_dev(dev)) ++ dev = vlan_dev_real_dev(dev); + return ret ? ERR_PTR(ret) : dev; + } + +-- +2.43.0 + diff --git a/queue-6.11/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch b/queue-6.11/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch new file mode 100644 index 00000000000..95a97cb6c63 --- /dev/null +++ b/queue-6.11/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch @@ -0,0 +1,65 @@ +From 958147d813cdfcd2c1ce2b85ad3ebe17c4306d0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 18:53:11 +0530 +Subject: RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP + +From: Anumula Murali Mohan Reddy + +[ Upstream commit c659b405b82ead335bee6eb33f9691bf718e21e8 ] + +ip_dev_find() always returns real net_device address, whether traffic is +running on a vlan or real device, if traffic is over vlan, filling +endpoint struture with real ndev and an attempt to send a connect request +will results in RDMA_CM_EVENT_UNREACHABLE error. This patch fixes the +issue by using vlan_dev_real_dev(). + +Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address") +Link: https://patch.msgid.link/r/20241007132311.70593-1-anumula@chelsio.com +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index b3757c6a0457a..8d753e6e0c719 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -2086,7 +2086,7 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + err = -ENOMEM; + if (n->dev->flags & IFF_LOOPBACK) { + if (iptype == 4) +- pdev = ip_dev_find(&init_net, *(__be32 *)peer_ip); ++ pdev = __ip_dev_find(&init_net, *(__be32 *)peer_ip, false); + else if (IS_ENABLED(CONFIG_IPV6)) + for_each_netdev(&init_net, pdev) { + if (ipv6_chk_addr(&init_net, +@@ -2101,12 +2101,12 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + err = -ENODEV; + goto out; + } ++ if (is_vlan_dev(pdev)) ++ pdev = vlan_dev_real_dev(pdev); + ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t, + n, pdev, rt_tos2priority(tos)); +- if (!ep->l2t) { +- dev_put(pdev); ++ if (!ep->l2t) + goto out; +- } + ep->mtu = pdev->mtu; + ep->tx_chan = cxgb4_port_chan(pdev); + ep->smac_idx = ((struct port_info *)netdev_priv(pdev))->smt_idx; +@@ -2119,7 +2119,6 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + ep->rss_qid = cdev->rdev.lldi.rxq_ids[ + cxgb4_port_idx(pdev) * step]; + set_tcp_window(ep, (struct port_info *)netdev_priv(pdev)); +- dev_put(pdev); + } else { + pdev = get_real_dev(n->dev); + ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t, +-- +2.43.0 + diff --git a/queue-6.11/rdma-irdma-fix-misspelling-of-accept.patch b/queue-6.11/rdma-irdma-fix-misspelling-of-accept.patch new file mode 100644 index 00000000000..dded83ee49c --- /dev/null +++ b/queue-6.11/rdma-irdma-fix-misspelling-of-accept.patch @@ -0,0 +1,37 @@ +From dbe7b7e5a8ce959e78f4f11d4e2b42e03b0f7853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 18:19:13 +0200 +Subject: RDMA/irdma: Fix misspelling of "accept*" + +From: Alexander Zubkov + +[ Upstream commit 8cddfa535c931b8d8110c73bfed7354a94cbf891 ] + +There is "accept*" misspelled as "accpet*" in the comments. Fix the +spelling. + +Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager") +Link: https://patch.msgid.link/r/20241008161913.19965-1-green@qrator.net +Signed-off-by: Alexander Zubkov +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c +index 36bb7e5ce6382..ce8d821bdad84 100644 +--- a/drivers/infiniband/hw/irdma/cm.c ++++ b/drivers/infiniband/hw/irdma/cm.c +@@ -3631,7 +3631,7 @@ void irdma_free_lsmm_rsrc(struct irdma_qp *iwqp) + /** + * irdma_accept - registered call for connection to be accepted + * @cm_id: cm information for passive connection +- * @conn_param: accpet parameters ++ * @conn_param: accept parameters + */ + int irdma_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + { +-- +2.43.0 + diff --git a/queue-6.11/rdma-srpt-make-slab-cache-names-unique.patch b/queue-6.11/rdma-srpt-make-slab-cache-names-unique.patch new file mode 100644 index 00000000000..ea36338f61c --- /dev/null +++ b/queue-6.11/rdma-srpt-make-slab-cache-names-unique.patch @@ -0,0 +1,195 @@ +From ed078d0b87621ad6c05e1b5b145fc8ba41e4038f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 14:00:48 -0700 +Subject: RDMA/srpt: Make slab cache names unique + +From: Bart Van Assche + +[ Upstream commit 4d784c042d164f10fc809e2338457036cd7c653d ] + +Since commit 4c39529663b9 ("slab: Warn on duplicate cache names when +DEBUG_VM=y"), slab complains about duplicate cache names. Hence this +patch. The approach is as follows: +- Maintain an xarray with the slab size as index and a reference count + and a kmem_cache pointer as contents. Use srpt-${slab_size} as kmem + cache name. +- Use 512-byte alignment for all slabs instead of only for some of the + slabs. +- Increment the reference count instead of calling kmem_cache_create(). +- Decrement the reference count instead of calling kmem_cache_destroy(). + +Fixes: 5dabcd0456d7 ("RDMA/srpt: Add support for immediate data") +Link: https://patch.msgid.link/r/20241009210048.4122518-1-bvanassche@acm.org +Reported-by: Shinichiro Kawasaki +Closes: https://lore.kernel.org/linux-block/xpe6bea7rakpyoyfvspvin2dsozjmjtjktpph7rep3h25tv7fb@ooz4cu5z6bq6/ +Suggested-by: Jason Gunthorpe +Signed-off-by: Bart Van Assche +Tested-by: Shin'ichiro Kawasaki +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 80 +++++++++++++++++++++++---- + 1 file changed, 68 insertions(+), 12 deletions(-) + +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 9632afbd727b6..5dfb4644446ba 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -68,6 +68,8 @@ MODULE_LICENSE("Dual BSD/GPL"); + static u64 srpt_service_guid; + static DEFINE_SPINLOCK(srpt_dev_lock); /* Protects srpt_dev_list. */ + static LIST_HEAD(srpt_dev_list); /* List of srpt_device structures. */ ++static DEFINE_MUTEX(srpt_mc_mutex); /* Protects srpt_memory_caches. */ ++static DEFINE_XARRAY(srpt_memory_caches); /* See also srpt_memory_cache_entry */ + + static unsigned srp_max_req_size = DEFAULT_MAX_REQ_SIZE; + module_param(srp_max_req_size, int, 0444); +@@ -105,6 +107,63 @@ static void srpt_recv_done(struct ib_cq *cq, struct ib_wc *wc); + static void srpt_send_done(struct ib_cq *cq, struct ib_wc *wc); + static void srpt_process_wait_list(struct srpt_rdma_ch *ch); + ++/* Type of the entries in srpt_memory_caches. */ ++struct srpt_memory_cache_entry { ++ refcount_t ref; ++ struct kmem_cache *c; ++}; ++ ++static struct kmem_cache *srpt_cache_get(unsigned int object_size) ++{ ++ struct srpt_memory_cache_entry *e; ++ char name[32]; ++ void *res; ++ ++ guard(mutex)(&srpt_mc_mutex); ++ e = xa_load(&srpt_memory_caches, object_size); ++ if (e) { ++ refcount_inc(&e->ref); ++ return e->c; ++ } ++ snprintf(name, sizeof(name), "srpt-%u", object_size); ++ e = kmalloc(sizeof(*e), GFP_KERNEL); ++ if (!e) ++ return NULL; ++ refcount_set(&e->ref, 1); ++ e->c = kmem_cache_create(name, object_size, /*align=*/512, 0, NULL); ++ if (!e->c) ++ goto free_entry; ++ res = xa_store(&srpt_memory_caches, object_size, e, GFP_KERNEL); ++ if (xa_is_err(res)) ++ goto destroy_cache; ++ return e->c; ++ ++destroy_cache: ++ kmem_cache_destroy(e->c); ++ ++free_entry: ++ kfree(e); ++ return NULL; ++} ++ ++static void srpt_cache_put(struct kmem_cache *c) ++{ ++ struct srpt_memory_cache_entry *e = NULL; ++ unsigned long object_size; ++ ++ guard(mutex)(&srpt_mc_mutex); ++ xa_for_each(&srpt_memory_caches, object_size, e) ++ if (e->c == c) ++ break; ++ if (WARN_ON_ONCE(!e)) ++ return; ++ if (!refcount_dec_and_test(&e->ref)) ++ return; ++ WARN_ON_ONCE(xa_erase(&srpt_memory_caches, object_size) != e); ++ kmem_cache_destroy(e->c); ++ kfree(e); ++} ++ + /* + * The only allowed channel state changes are those that change the channel + * state into a state with a higher numerical value. Hence the new > prev test. +@@ -2119,13 +2178,13 @@ static void srpt_release_channel_work(struct work_struct *w) + ch->sport->sdev, ch->rq_size, + ch->rsp_buf_cache, DMA_TO_DEVICE); + +- kmem_cache_destroy(ch->rsp_buf_cache); ++ srpt_cache_put(ch->rsp_buf_cache); + + srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_recv_ring, + sdev, ch->rq_size, + ch->req_buf_cache, DMA_FROM_DEVICE); + +- kmem_cache_destroy(ch->req_buf_cache); ++ srpt_cache_put(ch->req_buf_cache); + + kref_put(&ch->kref, srpt_free_ch); + } +@@ -2245,8 +2304,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev, + INIT_LIST_HEAD(&ch->cmd_wait_list); + ch->max_rsp_size = ch->sport->port_attrib.srp_max_rsp_size; + +- ch->rsp_buf_cache = kmem_cache_create("srpt-rsp-buf", ch->max_rsp_size, +- 512, 0, NULL); ++ ch->rsp_buf_cache = srpt_cache_get(ch->max_rsp_size); + if (!ch->rsp_buf_cache) + goto free_ch; + +@@ -2280,8 +2338,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev, + alignment_offset = round_up(imm_data_offset, 512) - + imm_data_offset; + req_sz = alignment_offset + imm_data_offset + srp_max_req_size; +- ch->req_buf_cache = kmem_cache_create("srpt-req-buf", req_sz, +- 512, 0, NULL); ++ ch->req_buf_cache = srpt_cache_get(req_sz); + if (!ch->req_buf_cache) + goto free_rsp_ring; + +@@ -2478,7 +2535,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev, + ch->req_buf_cache, DMA_FROM_DEVICE); + + free_recv_cache: +- kmem_cache_destroy(ch->req_buf_cache); ++ srpt_cache_put(ch->req_buf_cache); + + free_rsp_ring: + srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring, +@@ -2486,7 +2543,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev, + ch->rsp_buf_cache, DMA_TO_DEVICE); + + free_rsp_cache: +- kmem_cache_destroy(ch->rsp_buf_cache); ++ srpt_cache_put(ch->rsp_buf_cache); + + free_ch: + if (rdma_cm_id) +@@ -3055,7 +3112,7 @@ static void srpt_free_srq(struct srpt_device *sdev) + srpt_free_ioctx_ring((struct srpt_ioctx **)sdev->ioctx_ring, sdev, + sdev->srq_size, sdev->req_buf_cache, + DMA_FROM_DEVICE); +- kmem_cache_destroy(sdev->req_buf_cache); ++ srpt_cache_put(sdev->req_buf_cache); + sdev->srq = NULL; + } + +@@ -3082,8 +3139,7 @@ static int srpt_alloc_srq(struct srpt_device *sdev) + pr_debug("create SRQ #wr= %d max_allow=%d dev= %s\n", sdev->srq_size, + sdev->device->attrs.max_srq_wr, dev_name(&device->dev)); + +- sdev->req_buf_cache = kmem_cache_create("srpt-srq-req-buf", +- srp_max_req_size, 0, 0, NULL); ++ sdev->req_buf_cache = srpt_cache_get(srp_max_req_size); + if (!sdev->req_buf_cache) + goto free_srq; + +@@ -3105,7 +3161,7 @@ static int srpt_alloc_srq(struct srpt_device *sdev) + return 0; + + free_cache: +- kmem_cache_destroy(sdev->req_buf_cache); ++ srpt_cache_put(sdev->req_buf_cache); + + free_srq: + ib_destroy_srq(srq); +-- +2.43.0 + diff --git a/queue-6.11/reset-starfive-jh71x0-fix-accessing-the-empty-member.patch b/queue-6.11/reset-starfive-jh71x0-fix-accessing-the-empty-member.patch new file mode 100644 index 00000000000..002ef8d4cbc --- /dev/null +++ b/queue-6.11/reset-starfive-jh71x0-fix-accessing-the-empty-member.patch @@ -0,0 +1,42 @@ +From 78af91b275a214a9b1473074cb81a9b9456f3352 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 04:24:42 -0700 +Subject: reset: starfive: jh71x0: Fix accessing the empty member on JH7110 SoC + +From: Changhuang Liang + +[ Upstream commit 2cf59663660799ce16f4dfbed97cdceac7a7fa11 ] + +data->asserted will be NULL on JH7110 SoC since commit 82327b127d41 +("reset: starfive: Add StarFive JH7110 reset driver") was added. Add +the judgment condition to avoid errors when calling reset_control_status +on JH7110 SoC. + +Fixes: 82327b127d41 ("reset: starfive: Add StarFive JH7110 reset driver") +Signed-off-by: Changhuang Liang +Acked-by: Hal Feng +Reviewed-by: Philipp Zabel +Link: https://lore.kernel.org/r/20240925112442.1732416-1-changhuang.liang@starfivetech.com +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/starfive/reset-starfive-jh71x0.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/reset/starfive/reset-starfive-jh71x0.c b/drivers/reset/starfive/reset-starfive-jh71x0.c +index 55bbbd2de52cf..29ce3486752f3 100644 +--- a/drivers/reset/starfive/reset-starfive-jh71x0.c ++++ b/drivers/reset/starfive/reset-starfive-jh71x0.c +@@ -94,6 +94,9 @@ static int jh71x0_reset_status(struct reset_controller_dev *rcdev, + void __iomem *reg_status = data->status + offset * sizeof(u32); + u32 value = readl(reg_status); + ++ if (!data->asserted) ++ return !(value & mask); ++ + return !((value ^ data->asserted[offset]) & mask); + } + +-- +2.43.0 + diff --git a/queue-6.11/ring-buffer-fix-reader-locking-when-changing-the-sub.patch b/queue-6.11/ring-buffer-fix-reader-locking-when-changing-the-sub.patch new file mode 100644 index 00000000000..4527a5d37cd --- /dev/null +++ b/queue-6.11/ring-buffer-fix-reader-locking-when-changing-the-sub.patch @@ -0,0 +1,121 @@ +From 5124906a55e88bea64d0d818560c459dddec839c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 13:24:29 +0200 +Subject: ring-buffer: Fix reader locking when changing the sub buffer order + +From: Petr Pavlu + +[ Upstream commit 09661f75e75cb6c1d2d8326a70c311d46729235f ] + +The function ring_buffer_subbuf_order_set() updates each +ring_buffer_per_cpu and installs new sub buffers that match the requested +page order. This operation may be invoked concurrently with readers that +rely on some of the modified data, such as the head bit (RB_PAGE_HEAD), or +the ring_buffer_per_cpu.pages and reader_page pointers. However, no +exclusive access is acquired by ring_buffer_subbuf_order_set(). Modifying +the mentioned data while a reader also operates on them can then result in +incorrect memory access and various crashes. + +Fix the problem by taking the reader_lock when updating a specific +ring_buffer_per_cpu in ring_buffer_subbuf_order_set(). + +Link: https://lore.kernel.org/linux-trace-kernel/20240715145141.5528-1-petr.pavlu@suse.com/ +Link: https://lore.kernel.org/linux-trace-kernel/20241010195849.2f77cc3f@gandalf.local.home/ +Link: https://lore.kernel.org/linux-trace-kernel/20241011112850.17212b25@gandalf.local.home/ + +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20241015112440.26987-1-petr.pavlu@suse.com +Fixes: 8e7b58c27b3c ("ring-buffer: Just update the subbuffers when changing their allocation order") +Signed-off-by: Petr Pavlu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 44 ++++++++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 18 deletions(-) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index cebd879a30cbd..fb7b092e79313 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -6008,39 +6008,38 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order) + } + + for_each_buffer_cpu(buffer, cpu) { ++ struct buffer_data_page *old_free_data_page; ++ struct list_head old_pages; ++ unsigned long flags; + + if (!cpumask_test_cpu(cpu, buffer->cpumask)) + continue; + + cpu_buffer = buffer->buffers[cpu]; + ++ raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags); ++ + /* Clear the head bit to make the link list normal to read */ + rb_head_page_deactivate(cpu_buffer); + +- /* Now walk the list and free all the old sub buffers */ +- list_for_each_entry_safe(bpage, tmp, cpu_buffer->pages, list) { +- list_del_init(&bpage->list); +- free_buffer_page(bpage); +- } +- /* The above loop stopped an the last page needing to be freed */ +- bpage = list_entry(cpu_buffer->pages, struct buffer_page, list); +- free_buffer_page(bpage); +- +- /* Free the current reader page */ +- free_buffer_page(cpu_buffer->reader_page); ++ /* ++ * Collect buffers from the cpu_buffer pages list and the ++ * reader_page on old_pages, so they can be freed later when not ++ * under a spinlock. The pages list is a linked list with no ++ * head, adding old_pages turns it into a regular list with ++ * old_pages being the head. ++ */ ++ list_add(&old_pages, cpu_buffer->pages); ++ list_add(&cpu_buffer->reader_page->list, &old_pages); + + /* One page was allocated for the reader page */ + cpu_buffer->reader_page = list_entry(cpu_buffer->new_pages.next, + struct buffer_page, list); + list_del_init(&cpu_buffer->reader_page->list); + +- /* The cpu_buffer pages are a link list with no head */ ++ /* Install the new pages, remove the head from the list */ + cpu_buffer->pages = cpu_buffer->new_pages.next; +- cpu_buffer->new_pages.next->prev = cpu_buffer->new_pages.prev; +- cpu_buffer->new_pages.prev->next = cpu_buffer->new_pages.next; +- +- /* Clear the new_pages list */ +- INIT_LIST_HEAD(&cpu_buffer->new_pages); ++ list_del_init(&cpu_buffer->new_pages); + + cpu_buffer->head_page + = list_entry(cpu_buffer->pages, struct buffer_page, list); +@@ -6049,11 +6048,20 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order) + cpu_buffer->nr_pages = cpu_buffer->nr_pages_to_update; + cpu_buffer->nr_pages_to_update = 0; + +- free_pages((unsigned long)cpu_buffer->free_page, old_order); ++ old_free_data_page = cpu_buffer->free_page; + cpu_buffer->free_page = NULL; + + rb_head_page_activate(cpu_buffer); + ++ raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags); ++ ++ /* Free old sub buffers */ ++ list_for_each_entry_safe(bpage, tmp, &old_pages, list) { ++ list_del_init(&bpage->list); ++ free_buffer_page(bpage); ++ } ++ free_pages((unsigned long)old_free_data_page, old_order); ++ + rb_check_pages(cpu_buffer); + } + +-- +2.43.0 + diff --git a/queue-6.11/riscv-bpf-fix-possible-infinite-tailcall-when-config.patch b/queue-6.11/riscv-bpf-fix-possible-infinite-tailcall-when-config.patch new file mode 100644 index 00000000000..4f889054365 --- /dev/null +++ b/queue-6.11/riscv-bpf-fix-possible-infinite-tailcall-when-config.patch @@ -0,0 +1,53 @@ +From 8905eb188c0993512791f29bf755c0193bb75f61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 12:45:44 +0000 +Subject: riscv, bpf: Fix possible infinite tailcall when CONFIG_CFI_CLANG is + enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pu Lehui + +[ Upstream commit 30a59cc79754fd9ff3f41b7ee2eb21da85988548 ] + +When CONFIG_CFI_CLANG is enabled, the number of prologue instructions +skipped by tailcall needs to include the kcfi instruction, otherwise the +TCC will be initialized every tailcall is called, which may result in +infinite tailcalls. + +Fixes: e63985ecd226 ("bpf, riscv64/cfi: Support kCFI + BPF on riscv64") +Signed-off-by: Pu Lehui +Acked-by: Björn Töpel +Link: https://lore.kernel.org/r/20241008124544.171161-1-pulehui@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index 99f34409fb60f..91bd5082c4d8e 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -18,6 +18,7 @@ + #define RV_MAX_REG_ARGS 8 + #define RV_FENTRY_NINSNS 2 + #define RV_FENTRY_NBYTES (RV_FENTRY_NINSNS * 4) ++#define RV_KCFI_NINSNS (IS_ENABLED(CONFIG_CFI_CLANG) ? 1 : 0) + /* imm that allows emit_imm to emit max count insns */ + #define RV_MAX_COUNT_IMM 0x7FFF7FF7FF7FF7FF + +@@ -271,7 +272,8 @@ static void __build_epilogue(bool is_tail_call, struct rv_jit_context *ctx) + if (!is_tail_call) + emit_addiw(RV_REG_A0, RV_REG_A5, 0, ctx); + emit_jalr(RV_REG_ZERO, is_tail_call ? RV_REG_T3 : RV_REG_RA, +- is_tail_call ? (RV_FENTRY_NINSNS + 1) * 4 : 0, /* skip reserved nops and TCC init */ ++ /* kcfi, fentry and TCC init insns will be skipped on tailcall */ ++ is_tail_call ? (RV_KCFI_NINSNS + RV_FENTRY_NINSNS + 1) * 4 : 0, + ctx); + } + +-- +2.43.0 + diff --git a/queue-6.11/riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch b/queue-6.11/riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch new file mode 100644 index 00000000000..9b5e30daf3d --- /dev/null +++ b/queue-6.11/riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch @@ -0,0 +1,89 @@ +From 3cf438927247b0e3e60a45c17cccbe7c6696dbf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2024 17:36:28 +0300 +Subject: riscv, bpf: Make BPF_CMPXCHG fully ordered +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrea Parri + +[ Upstream commit e59db0623f6955986d1be0880b351a1f56e7fd6d ] + +According to the prototype formal BPF memory consistency model +discussed e.g. in [1] and following the ordering properties of +the C/in-kernel macro atomic_cmpxchg(), a BPF atomic operation +with the BPF_CMPXCHG modifier is fully ordered. However, the +current RISC-V JIT lowerings fail to meet such memory ordering +property. This is illustrated by the following litmus test: + +BPF BPF__MP+success_cmpxchg+fence +{ + 0:r1=x; 0:r3=y; 0:r5=1; + 1:r2=y; 1:r4=f; 1:r7=x; +} + P0 | P1 ; + *(u64 *)(r1 + 0) = 1 | r1 = *(u64 *)(r2 + 0) ; + r2 = cmpxchg_64 (r3 + 0, r4, r5) | r3 = atomic_fetch_add((u64 *)(r4 + 0), r5) ; + | r6 = *(u64 *)(r7 + 0) ; +exists (1:r1=1 /\ 1:r6=0) + +whose "exists" clause is not satisfiable according to the BPF +memory model. Using the current RISC-V JIT lowerings, the test +can be mapped to the following RISC-V litmus test: + +RISCV RISCV__MP+success_cmpxchg+fence +{ + 0:x1=x; 0:x3=y; 0:x5=1; + 1:x2=y; 1:x4=f; 1:x7=x; +} + P0 | P1 ; + sd x5, 0(x1) | ld x1, 0(x2) ; + L00: | amoadd.d.aqrl x3, x5, 0(x4) ; + lr.d x2, 0(x3) | ld x6, 0(x7) ; + bne x2, x4, L01 | ; + sc.d x6, x5, 0(x3) | ; + bne x6, x4, L00 | ; + fence rw, rw | ; + L01: | ; +exists (1:x1=1 /\ 1:x6=0) + +where the two stores in P0 can be reordered. Update the RISC-V +JIT lowerings/implementation of BPF_CMPXCHG to emit an SC with +RELEASE ("rl") annotation in order to meet the expected memory +ordering guarantees. The resulting RISC-V JIT lowerings of +BPF_CMPXCHG match the RISC-V lowerings of the C atomic_cmpxchg(). + +Other lowerings were fixed via 20a759df3bba ("riscv, bpf: make +some atomic operations fully ordered"). + +Fixes: dd642ccb45ec ("riscv, bpf: Implement more atomic operations for RV64") +Signed-off-by: Andrea Parri +Signed-off-by: Daniel Borkmann +Reviewed-by: Puranjay Mohan +Acked-by: Björn Töpel +Link: https://lpc.events/event/18/contributions/1949/attachments/1665/3441/bpfmemmodel.2024.09.19p.pdf [1] +Link: https://lore.kernel.org/bpf/20241017143628.2673894-1-parri.andrea@gmail.com +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index 91bd5082c4d8e..4cc631fa70391 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -550,8 +550,8 @@ static void emit_atomic(u8 rd, u8 rs, s16 off, s32 imm, bool is64, + rv_lr_w(r0, 0, rd, 0, 0), ctx); + jmp_offset = ninsns_rvoff(8); + emit(rv_bne(RV_REG_T2, r0, jmp_offset >> 1), ctx); +- emit(is64 ? rv_sc_d(RV_REG_T3, rs, rd, 0, 0) : +- rv_sc_w(RV_REG_T3, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_sc_d(RV_REG_T3, rs, rd, 0, 1) : ++ rv_sc_w(RV_REG_T3, rs, rd, 0, 1), ctx); + jmp_offset = ninsns_rvoff(-6); + emit(rv_bne(RV_REG_T3, 0, jmp_offset >> 1), ctx); + emit(rv_fence(0x3, 0x3), ctx); +-- +2.43.0 + diff --git a/queue-6.11/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch b/queue-6.11/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch new file mode 100644 index 00000000000..8cb72a798a2 --- /dev/null +++ b/queue-6.11/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch @@ -0,0 +1,38 @@ +From e6bdc397a4b9c88f881c74ac698304709e1ee707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 17:52:39 +0200 +Subject: s390: Initialize psw mask in perf_arch_fetch_caller_regs() + +From: Heiko Carstens + +[ Upstream commit 223e7fb979fa06934f1595b6ad0ae1d4ead1147f ] + +Also initialize regs->psw.mask in perf_arch_fetch_caller_regs(). +This way user_mode(regs) will return false, like it should. + +It looks like all current users initialize regs to zero, so that this +doesn't fix a bug currently. However it is better to not rely on callers +to do this. + +Fixes: 914d52e46490 ("s390: implement perf_arch_fetch_caller_regs") +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/perf_event.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/include/asm/perf_event.h b/arch/s390/include/asm/perf_event.h +index 9917e2717b2b4..66aff768f8151 100644 +--- a/arch/s390/include/asm/perf_event.h ++++ b/arch/s390/include/asm/perf_event.h +@@ -73,6 +73,7 @@ struct perf_sf_sde_regs { + #define SAMPLE_FREQ_MODE(hwc) (SAMPL_FLAGS(hwc) & PERF_CPUM_SF_FREQ_MODE) + + #define perf_arch_fetch_caller_regs(regs, __ip) do { \ ++ (regs)->psw.mask = 0; \ + (regs)->psw.addr = (__ip); \ + (regs)->gprs[15] = (unsigned long)__builtin_frame_address(0) - \ + offsetof(struct stack_frame, back_chain); \ +-- +2.43.0 + diff --git a/queue-6.11/s390-pci-handle-pci-error-codes-other-than-0x3a.patch b/queue-6.11/s390-pci-handle-pci-error-codes-other-than-0x3a.patch new file mode 100644 index 00000000000..ec96124c587 --- /dev/null +++ b/queue-6.11/s390-pci-handle-pci-error-codes-other-than-0x3a.patch @@ -0,0 +1,65 @@ +From 58ef005fe16afd8927dd1376f3ae54c98cc59c7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 14:01:39 +0200 +Subject: s390/pci: Handle PCI error codes other than 0x3a + +From: Niklas Schnelle + +[ Upstream commit 3cd03ea57e8e16cc78cc357d5e9f26078426f236 ] + +The Linux implementation of PCI error recovery for s390 was based on the +understanding that firmware error recovery is a two step process with an +optional initial error event to indicate the cause of the error if known +followed by either error event 0x3A (Success) or 0x3B (Failure) to +indicate whether firmware was able to recover. While this has been the +case in testing and the error cases seen in the wild it turns out this +is not correct. Instead firmware only generates 0x3A for some error and +service scenarios and expects the OS to perform recovery for all PCI +events codes except for those indicating permanent error (0x3B, 0x40) +and those indicating errors on the function measurement block (0x2A, +0x2B, 0x2C). Align Linux behavior with these expectations. + +Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery") +Reviewed-by: Gerd Bayer +Signed-off-by: Niklas Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_event.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c +index dbe95ec5917e5..d4f19d33914cb 100644 +--- a/arch/s390/pci/pci_event.c ++++ b/arch/s390/pci/pci_event.c +@@ -280,18 +280,19 @@ static void __zpci_event_error(struct zpci_ccdf_err *ccdf) + goto no_pdev; + + switch (ccdf->pec) { +- case 0x003a: /* Service Action or Error Recovery Successful */ ++ case 0x002a: /* Error event concerns FMB */ ++ case 0x002b: ++ case 0x002c: ++ break; ++ case 0x0040: /* Service Action or Error Recovery Failed */ ++ case 0x003b: ++ zpci_event_io_failure(pdev, pci_channel_io_perm_failure); ++ break; ++ default: /* PCI function left in the error state attempt to recover */ + ers_res = zpci_event_attempt_error_recovery(pdev); + if (ers_res != PCI_ERS_RESULT_RECOVERED) + zpci_event_io_failure(pdev, pci_channel_io_perm_failure); + break; +- default: +- /* +- * Mark as frozen not permanently failed because the device +- * could be subsequently recovered by the platform. +- */ +- zpci_event_io_failure(pdev, pci_channel_io_frozen); +- break; + } + pci_dev_put(pdev); + no_pdev: +-- +2.43.0 + diff --git a/queue-6.11/sched-core-disable-page-allocation-in-task_tick_mm_c.patch b/queue-6.11/sched-core-disable-page-allocation-in-task_tick_mm_c.patch new file mode 100644 index 00000000000..ed9440feb7f --- /dev/null +++ b/queue-6.11/sched-core-disable-page-allocation-in-task_tick_mm_c.patch @@ -0,0 +1,134 @@ +From 9d2cf0dd25362f5c9d723d7b24e25e1ae1724d85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 21:44:32 -0400 +Subject: sched/core: Disable page allocation in task_tick_mm_cid() + +From: Waiman Long + +[ Upstream commit 73ab05aa46b02d96509cb029a8d04fca7bbde8c7 ] + +With KASAN and PREEMPT_RT enabled, calling task_work_add() in +task_tick_mm_cid() may cause the following splat. + +[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 +[ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe +[ 63.696416] preempt_count: 10001, expected: 0 +[ 63.696416] RCU nest depth: 1, expected: 1 + +This problem is caused by the following call trace. + + sched_tick() [ acquire rq->__lock ] + -> task_tick_mm_cid() + -> task_work_add() + -> __kasan_record_aux_stack() + -> kasan_save_stack() + -> stack_depot_save_flags() + -> alloc_pages_mpol_noprof() + -> __alloc_pages_noprof() + -> get_page_from_freelist() + -> rmqueue() + -> rmqueue_pcplist() + -> __rmqueue_pcplist() + -> rmqueue_bulk() + -> rt_spin_lock() + +The rq lock is a raw_spinlock_t. We can't sleep while holding +it. IOW, we can't call alloc_pages() in stack_depot_save_flags(). + +The task_tick_mm_cid() function with its task_work_add() call was +introduced by commit 223baf9d17f2 ("sched: Fix performance regression +introduced by mm_cid") in v6.4 kernel. + +Fortunately, there is a kasan_record_aux_stack_noalloc() variant that +calls stack_depot_save_flags() while not allowing it to allocate +new pages. To allow task_tick_mm_cid() to use task_work without +page allocation, a new TWAF_NO_ALLOC flag is added to enable calling +kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack() +if set. The task_tick_mm_cid() function is modified to add this new flag. + +The possible downside is the missing stack trace in a KASAN report due +to new page allocation required when task_work_add_noallloc() is called +which should be rare. + +Fixes: 223baf9d17f2 ("sched: Fix performance regression introduced by mm_cid") +Signed-off-by: Waiman Long +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20241010014432.194742-1-longman@redhat.com +Signed-off-by: Sasha Levin +--- + include/linux/task_work.h | 5 ++++- + kernel/sched/core.c | 4 +++- + kernel/task_work.c | 15 +++++++++++++-- + 3 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/include/linux/task_work.h b/include/linux/task_work.h +index cf5e7e891a776..2964171856e00 100644 +--- a/include/linux/task_work.h ++++ b/include/linux/task_work.h +@@ -14,11 +14,14 @@ init_task_work(struct callback_head *twork, task_work_func_t func) + } + + enum task_work_notify_mode { +- TWA_NONE, ++ TWA_NONE = 0, + TWA_RESUME, + TWA_SIGNAL, + TWA_SIGNAL_NO_IPI, + TWA_NMI_CURRENT, ++ ++ TWA_FLAGS = 0xff00, ++ TWAF_NO_ALLOC = 0x0100, + }; + + static inline bool task_work_pending(struct task_struct *task) +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 1af59cf714cd3..3713341c2e720 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -10262,7 +10262,9 @@ void task_tick_mm_cid(struct rq *rq, struct task_struct *curr) + return; + if (time_before(now, READ_ONCE(curr->mm->mm_cid_next_scan))) + return; +- task_work_add(curr, work, TWA_RESUME); ++ ++ /* No page allocation under rq lock */ ++ task_work_add(curr, work, TWA_RESUME | TWAF_NO_ALLOC); + } + + void sched_mm_cid_exit_signals(struct task_struct *t) +diff --git a/kernel/task_work.c b/kernel/task_work.c +index 5d14d639ac71b..c969f1f26be58 100644 +--- a/kernel/task_work.c ++++ b/kernel/task_work.c +@@ -55,15 +55,26 @@ int task_work_add(struct task_struct *task, struct callback_head *work, + enum task_work_notify_mode notify) + { + struct callback_head *head; ++ int flags = notify & TWA_FLAGS; + ++ notify &= ~TWA_FLAGS; + if (notify == TWA_NMI_CURRENT) { + if (WARN_ON_ONCE(task != current)) + return -EINVAL; + if (!IS_ENABLED(CONFIG_IRQ_WORK)) + return -EINVAL; + } else { +- /* record the work call stack in order to print it in KASAN reports */ +- kasan_record_aux_stack(work); ++ /* ++ * Record the work call stack in order to print it in KASAN ++ * reports. ++ * ++ * Note that stack allocation can fail if TWAF_NO_ALLOC flag ++ * is set and new page is needed to expand the stack buffer. ++ */ ++ if (flags & TWAF_NO_ALLOC) ++ kasan_record_aux_stack_noalloc(work); ++ else ++ kasan_record_aux_stack(work); + } + + head = READ_ONCE(task->task_works); +-- +2.43.0 + diff --git a/queue-6.11/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch b/queue-6.11/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch new file mode 100644 index 00000000000..1ef1346cd8b --- /dev/null +++ b/queue-6.11/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch @@ -0,0 +1,54 @@ +From 6e1fb4484c048da4bb9f802d9f769c6251979423 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 19:34:44 +0800 +Subject: scsi: target: core: Fix null-ptr-deref in target_alloc_device() + +From: Wang Hai + +[ Upstream commit fca6caeb4a61d240f031914413fcc69534f6dc03 ] + +There is a null-ptr-deref issue reported by KASAN: + +BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod] +... + kasan_report+0xb9/0xf0 + target_alloc_device+0xbc4/0xbe0 [target_core_mod] + core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod] + target_core_init_configfs+0x205/0x420 [target_core_mod] + do_one_initcall+0xdd/0x4e0 +... + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +In target_alloc_device(), if allocing memory for dev queues fails, then +dev will be freed by dev->transport->free_device(), but dev->transport +is not initialized at that time, which will lead to a null pointer +reference problem. + +Fixing this bug by freeing dev with hba->backend->ops->free_device(). + +Fixes: 1526d9f10c61 ("scsi: target: Make state_list per CPU") +Signed-off-by: Wang Hai +Link: https://lore.kernel.org/r/20241011113444.40749-1-wanghai38@huawei.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index bf4892544cfdb..bb84d304b07e5 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -691,7 +691,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) + + dev->queues = kcalloc(nr_cpu_ids, sizeof(*dev->queues), GFP_KERNEL); + if (!dev->queues) { +- dev->transport->free_device(dev); ++ hba->backend->ops->free_device(dev); + return NULL; + } + +-- +2.43.0 + diff --git a/queue-6.11/selftests-bpf-fix-cross-compiling-urandom_read.patch b/queue-6.11/selftests-bpf-fix-cross-compiling-urandom_read.patch new file mode 100644 index 00000000000..a82da0a8f90 --- /dev/null +++ b/queue-6.11/selftests-bpf-fix-cross-compiling-urandom_read.patch @@ -0,0 +1,41 @@ +From fd70a11e308eaf2026baf9fbb2104f938698f852 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 21:07:20 -0700 +Subject: selftests/bpf: Fix cross-compiling urandom_read + +From: Tony Ambardar + +[ Upstream commit fd526e121c4d6f71aed82d21a8b8277b03e60b43 ] + +Linking of urandom_read and liburandom_read.so prefers LLVM's 'ld.lld' but +falls back to using 'ld' if unsupported. However, this fallback discards +any existing makefile macro for LD and can break cross-compilation. + +Fix by changing the fallback to use the target linker $(LD), passed via +'-fuse-ld=' using an absolute path rather than a linker "flavour". + +Fixes: 08c79c9cd67f ("selftests/bpf: Don't force lld on non-x86 architectures") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20241009040720.635260-1-tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index 848fffa250227..555fd34c6e1fc 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -221,7 +221,7 @@ $(OUTPUT)/%:%.c + ifeq ($(SRCARCH),$(filter $(SRCARCH),x86 riscv)) + LLD := lld + else +-LLD := ld ++LLD := $(shell command -v $(LD)) + endif + + # Filter out -static for liburandom_read.so and its dependent targets so that static builds +-- +2.43.0 + diff --git a/queue-6.11/selftests-bpf-fix-perf_event-link-info-name_len-asse.patch b/queue-6.11/selftests-bpf-fix-perf_event-link-info-name_len-asse.patch new file mode 100644 index 00000000000..0c884749005 --- /dev/null +++ b/queue-6.11/selftests-bpf-fix-perf_event-link-info-name_len-asse.patch @@ -0,0 +1,63 @@ +From fd52ac09a15e1b2db0f412089382a1693a964ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 16:43:12 +0000 +Subject: selftests/bpf: fix perf_event link info name_len assertion + +From: Tyrone Wu + +[ Upstream commit 4538a38f654a1c292fe489a9b66179262bfed088 ] + +Fix `name_len` field assertions in `bpf_link_info.perf_event` for +kprobe/uprobe/tracepoint to validate correct name size instead of 0. + +Fixes: 23cf7aa539dc ("selftests/bpf: Add selftest for fill_link_info") +Signed-off-by: Tyrone Wu +Acked-by: Jiri Olsa +Acked-by: Yafang Shao +Link: https://lore.kernel.org/r/20241008164312.46269-2-wudevelops@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/fill_link_info.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c +index f3932941bbaaf..745c5ada4c4bf 100644 +--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c ++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c +@@ -67,8 +67,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add + + ASSERT_EQ(info.perf_event.kprobe.cookie, PERF_EVENT_COOKIE, "kprobe_cookie"); + ++ ASSERT_EQ(info.perf_event.kprobe.name_len, strlen(KPROBE_FUNC) + 1, ++ "name_len"); + if (!info.perf_event.kprobe.func_name) { +- ASSERT_EQ(info.perf_event.kprobe.name_len, 0, "name_len"); + info.perf_event.kprobe.func_name = ptr_to_u64(&buf); + info.perf_event.kprobe.name_len = sizeof(buf); + goto again; +@@ -79,8 +80,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add + ASSERT_EQ(err, 0, "cmp_kprobe_func_name"); + break; + case BPF_PERF_EVENT_TRACEPOINT: ++ ASSERT_EQ(info.perf_event.tracepoint.name_len, strlen(TP_NAME) + 1, ++ "name_len"); + if (!info.perf_event.tracepoint.tp_name) { +- ASSERT_EQ(info.perf_event.tracepoint.name_len, 0, "name_len"); + info.perf_event.tracepoint.tp_name = ptr_to_u64(&buf); + info.perf_event.tracepoint.name_len = sizeof(buf); + goto again; +@@ -96,8 +98,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add + case BPF_PERF_EVENT_URETPROBE: + ASSERT_EQ(info.perf_event.uprobe.offset, offset, "uprobe_offset"); + ++ ASSERT_EQ(info.perf_event.uprobe.name_len, strlen(UPROBE_FILE) + 1, ++ "name_len"); + if (!info.perf_event.uprobe.file_name) { +- ASSERT_EQ(info.perf_event.uprobe.name_len, 0, "name_len"); + info.perf_event.uprobe.file_name = ptr_to_u64(&buf); + info.perf_event.uprobe.name_len = sizeof(buf); + goto again; +-- +2.43.0 + diff --git a/queue-6.11/selftests-mm-fix-the-incorrect-usage-info-of-khugepa.patch b/queue-6.11/selftests-mm-fix-the-incorrect-usage-info-of-khugepa.patch new file mode 100644 index 00000000000..420fd27d3e5 --- /dev/null +++ b/queue-6.11/selftests-mm-fix-the-incorrect-usage-info-of-khugepa.patch @@ -0,0 +1,42 @@ +From ad8b93ffe0a86e3b6be297826cd34b12080fc877 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 10:02:57 +0800 +Subject: selftests: mm: fix the incorrect usage() info of khugepaged + +From: Nanyong Sun + +[ Upstream commit 3e822bed2fbd1527d88f483342b1d2a468520a9a ] + +The mount option of tmpfs should be huge=advise, not madvise which is not +supported and may mislead the users. + +Link: https://lkml.kernel.org/r/20241015020257.139235-1-sunnanyong@huawei.com +Fixes: 1b03d0d558a2 ("selftests/vm: add thp collapse file and tmpfs testing") +Signed-off-by: Nanyong Sun +Reviewed-by: Baolin Wang +Reviewed-by: Anshuman Khandual +Cc: Kefeng Wang +Cc: Shuah Khan +Cc: Zach O'Keefe +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/mm/khugepaged.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/mm/khugepaged.c b/tools/testing/selftests/mm/khugepaged.c +index 829320a519e72..89dec42986825 100644 +--- a/tools/testing/selftests/mm/khugepaged.c ++++ b/tools/testing/selftests/mm/khugepaged.c +@@ -1091,7 +1091,7 @@ static void usage(void) + fprintf(stderr, "\n\t\"file,all\" mem_type requires kernel built with\n"); + fprintf(stderr, "\tCONFIG_READ_ONLY_THP_FOR_FS=y\n"); + fprintf(stderr, "\n\tif [dir] is a (sub)directory of a tmpfs mount, tmpfs must be\n"); +- fprintf(stderr, "\tmounted with huge=madvise option for khugepaged tests to work\n"); ++ fprintf(stderr, "\tmounted with huge=advise option for khugepaged tests to work\n"); + fprintf(stderr, "\n\tSupported Options:\n"); + fprintf(stderr, "\t\t-h: This help message.\n"); + fprintf(stderr, "\t\t-s: mTHP size, expressed as page order.\n"); +-- +2.43.0 + diff --git a/queue-6.11/series b/queue-6.11/series index e69de29bb2d..f98f2147654 100644 --- a/queue-6.11/series +++ b/queue-6.11/series @@ -0,0 +1,121 @@ +bpf-use-raw_spinlock_t-in-ringbuf.patch +iio-accel-bma400-fix-uninitialized-variable-field_va.patch +reset-starfive-jh71x0-fix-accessing-the-empty-member.patch +bpf-sync_linked_regs-must-preserve-subreg_def.patch +bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch +irqchip-riscv-imsic-fix-output-text-of-base-address.patch +bpf-devmap-provide-rxq-after-redirect.patch +cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch +lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch +bpf-fix-memory-leak-in-bpf_core_apply.patch +rdma-bnxt_re-fix-a-possible-memory-leak.patch +rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch +rdma-bnxt_re-add-a-check-for-memory-allocation.patch +rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch +x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch +arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch +clk-rockchip-fix-finding-of-maximum-clock-id.patch +bpf-check-the-remaining-info_cnt-before-repeating-bt.patch +bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch +selftests-bpf-fix-perf_event-link-info-name_len-asse.patch +riscv-bpf-fix-possible-infinite-tailcall-when-config.patch +s390-pci-handle-pci-error-codes-other-than-0x3a.patch +bpf-fix-kfunc-btf-caching-for-modules.patch +iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch +iio-frequency-admv4420-fix-missing-select-remap_spi-.patch +drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch +selftests-bpf-fix-cross-compiling-urandom_read.patch +bpf-fix-unpopulated-path_size-when-uprobe_multi-fiel.patch +sched-core-disable-page-allocation-in-task_tick_mm_c.patch +alsa-hda-cs8409-fix-possible-null-dereference.patch +firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch +rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch +rdma-irdma-fix-misspelling-of-accept.patch +rdma-srpt-make-slab-cache-names-unique.patch +elevator-do-not-request_module-if-elevator-exists.patch +elevator-remove-argument-from-elevator_find_get.patch +ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch +net-sparx5-fix-source-port-register-when-mirroring.patch +rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch +rdma-bnxt_re-fix-out-of-bound-check.patch +rdma-bnxt_re-fix-incorrect-dereference-of-srq-in-asy.patch +rdma-bnxt_re-return-more-meaningful-error.patch +rdma-bnxt_re-avoid-cpu-lockups-due-fifo-occupancy-ch.patch +rdma-bnxt_re-get-the-toggle-bits-from-srq-events.patch +rdma-bnxt_re-change-the-sequence-of-updating-the-cq-.patch +rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch +rdma-bnxt_re-fix-the-gid-table-length.patch +accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch +drm-panel-himax-hx83102-adjust-power-and-gamma-to-op.patch +drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch +drm-msm-dpu-move-crtc-resource-assignment-to-dpu_enc.patch +drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch +drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch +drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch +drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch +drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch +firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch +net-smc-fix-memory-leak-when-using-percpu-refs.patch +patch-hwmon-jc42-properly-detect-tse2004-compliant-d.patch +net-usb-usbnet-fix-race-in-probe-failure.patch +net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch +octeontx2-af-fix-potential-integer-overflows-on-inte.patch +ring-buffer-fix-reader-locking-when-changing-the-sub.patch +drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch +macsec-don-t-increment-counters-for-an-unrelated-sa.patch +netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch +net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch +net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch +net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch +net-ethernet-rtsn-fix-potential-memory-leak-in-rtsn_.patch +bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch +net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch +irqchip-renesas-rzg2l-fix-missing-put_device.patch +drm-msm-dpu-don-t-always-set-merge_3d-pending-flush.patch +drm-msm-dpu-don-t-always-program-merge_3d-block.patch +net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch +drm-msm-a6xx-insert-a-fence-wait-before-smmu-table-u.patch +tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch +net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch +genetlink-hold-rcu-in-genlmsg_mcast.patch +ravb-remove-setting-of-rx-software-timestamp.patch +net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch +net-dsa-vsc73xx-fix-reception-from-vlan-unaware-brid.patch +scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch +smb-client-fix-possible-double-free-in-smb2_set_ea.patch +smb-client-fix-oobs-when-building-smb2_ioctl-request.patch +usb-typec-altmode-should-keep-reference-to-parent.patch +s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch +drm-xe-fix-unbalanced-rpm-put-with-fence_fini.patch +drm-xe-fix-unbalanced-rpm-put-with-declare_wedged.patch +drm-xe-take-job-list-lock-in-xe_sched_add_pending_jo.patch +drm-xe-don-t-free-job-in-tdr.patch +drm-xe-use-bookkeep-slots-for-external-bo-s-in-exec-.patch +bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch +bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch +selftests-mm-fix-the-incorrect-usage-info-of-khugepa.patch +vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch +net-ethernet-mtk_eth_soc-fix-memory-corruption-durin.patch +net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch +net-mlx5-fix-command-bitmask-initialization.patch +net-mlx5-unregister-notifier-on-eswitch-init-failure.patch +net-mlx5e-don-t-call-cleanup-on-profile-rollback-fai.patch +bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch +vsock-update-rx_bytes-on-read_skb.patch +vsock-update-msg_count-on-read_skb.patch +bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch +riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch +nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch +bpf-fix-iter-task-tid-filtering.patch +bpf-fix-incorrect-delta-propagation-between-linked-r.patch +bpf-fix-print_reg_state-s-constant-scalar-dump.patch +cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch +fgraph-allocate-ret_stack_list-with-proper-size.patch +mm-shmem-rename-shmem_is_huge-to-shmem_huge_global_e.patch +mm-shmem-move-shmem_huge_global_enabled-into-shmem_a.patch +mm-huge_memory-add-vma_thp_disabled-and-thp_disabled.patch +mm-don-t-install-pmd-mappings-when-thps-are-disabled.patch +iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch +xhci-dbgtty-remove-kfifo_out-wrapper.patch +xhci-dbgtty-use-kfifo-from-tty_port-struct.patch +xhci-dbc-honor-usb-transfer-size-boundaries.patch diff --git a/queue-6.11/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch b/queue-6.11/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch new file mode 100644 index 00000000000..7a1fe0dd502 --- /dev/null +++ b/queue-6.11/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch @@ -0,0 +1,107 @@ +From 550c6072a72588bca749d5e5acaa6d8adc8d67e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 19:04:04 -0300 +Subject: smb: client: fix OOBs when building SMB2_IOCTL request + +From: Paulo Alcantara + +[ Upstream commit 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 ] + +When using encryption, either enforced by the server or when using +'seal' mount option, the client will squash all compound request buffers +down for encryption into a single iov in smb2_set_next_command(). + +SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the +SMB2_IOCTL request in the first iov, and if the user passes an input +buffer that is greater than 328 bytes, smb2_set_next_command() will +end up writing off the end of @rqst->iov[0].iov_base as shown below: + + mount.cifs //srv/share /mnt -o ...,seal + ln -s $(perl -e "print('a')for 1..1024") /mnt/link + + BUG: KASAN: slab-out-of-bounds in + smb2_set_next_command.cold+0x1d6/0x24c [cifs] + Write of size 4116 at addr ffff8881148fcab8 by task ln/859 + + CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS + 1.16.3-2.fc40 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x80 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + print_report+0x156/0x4d9 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + ? __virt_addr_valid+0x145/0x310 + ? __phys_addr+0x46/0x90 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + kasan_report+0xda/0x110 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + kasan_check_range+0x10f/0x1f0 + __asan_memcpy+0x3c/0x60 + smb2_set_next_command.cold+0x1d6/0x24c [cifs] + smb2_compound_op+0x238c/0x3840 [cifs] + ? kasan_save_track+0x14/0x30 + ? kasan_save_free_info+0x3b/0x70 + ? vfs_symlink+0x1a1/0x2c0 + ? do_symlinkat+0x108/0x1c0 + ? __pfx_smb2_compound_op+0x10/0x10 [cifs] + ? kmem_cache_free+0x118/0x3e0 + ? cifs_get_writable_path+0xeb/0x1a0 [cifs] + smb2_get_reparse_inode+0x423/0x540 [cifs] + ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs] + ? rcu_is_watching+0x20/0x50 + ? __kmalloc_noprof+0x37c/0x480 + ? smb2_create_reparse_symlink+0x257/0x490 [cifs] + ? smb2_create_reparse_symlink+0x38f/0x490 [cifs] + smb2_create_reparse_symlink+0x38f/0x490 [cifs] + ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] + ? find_held_lock+0x8a/0xa0 + ? hlock_class+0x32/0xb0 + ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs] + cifs_symlink+0x24f/0x960 [cifs] + ? __pfx_make_vfsuid+0x10/0x10 + ? __pfx_cifs_symlink+0x10/0x10 [cifs] + ? make_vfsgid+0x6b/0xc0 + ? generic_permission+0x96/0x2d0 + vfs_symlink+0x1a1/0x2c0 + do_symlinkat+0x108/0x1c0 + ? __pfx_do_symlinkat+0x10/0x10 + ? strncpy_from_user+0xaa/0x160 + __x64_sys_symlinkat+0xb9/0xf0 + do_syscall_64+0xbb/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7f08d75c13bb + +Reported-by: David Howells +Fixes: e77fe73c7e38 ("cifs: we can not use small padding iovs together with encryption") +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2pdu.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c +index 3d9e6e15dd900..194a4262d57a0 100644 +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -3308,6 +3308,15 @@ SMB2_ioctl_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server, + return rc; + + if (indatalen) { ++ unsigned int len; ++ ++ if (WARN_ON_ONCE(smb3_encryption_required(tcon) && ++ (check_add_overflow(total_len - 1, ++ ALIGN(indatalen, 8), &len) || ++ len > MAX_CIFS_SMALL_BUFFER_SIZE))) { ++ cifs_small_buf_release(req); ++ return -EIO; ++ } + /* + * indatalen is usually small at a couple of bytes max, so + * just allocate through generic pool +-- +2.43.0 + diff --git a/queue-6.11/smb-client-fix-possible-double-free-in-smb2_set_ea.patch b/queue-6.11/smb-client-fix-possible-double-free-in-smb2_set_ea.patch new file mode 100644 index 00000000000..d41b7b3d6ee --- /dev/null +++ b/queue-6.11/smb-client-fix-possible-double-free-in-smb2_set_ea.patch @@ -0,0 +1,59 @@ +From c062cbd3bd65b432a4d5c844079121368634ff50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 18:20:37 +0800 +Subject: smb: client: fix possible double free in smb2_set_ea() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Su Hui + +[ Upstream commit 19ebc1e6cab334a8193398d4152deb76019b5d34 ] + +Clang static checker(scan-build) warning: +fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory. + 1304 | kfree(ea); + | ^~~~~~~~~ + +There is a double free in such case: +'ea is initialized to NULL' -> 'first successful memory allocation for +ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea' +-> 'goto replay_again' -> 'second goto sea_exit before allocate memory +for ea' -> 'second memory release for ea resulted in double free'. + +Re-initialie 'ea' to NULL near to the replay_again label, it can fix this +double free problem. + +Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") +Reviewed-by: Dan Carpenter +Signed-off-by: Su Hui +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2ops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c +index e9be7b43bb6b8..b9e332443b0d9 100644 +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -1156,7 +1156,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon, + struct cifs_fid fid; + unsigned int size[1]; + void *data[1]; +- struct smb2_file_full_ea_info *ea = NULL; ++ struct smb2_file_full_ea_info *ea; + struct smb2_query_info_rsp *rsp; + int rc, used_len = 0; + int retries = 0, cur_sleep = 1; +@@ -1177,6 +1177,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon, + if (!utf16_path) + return -ENOMEM; + ++ ea = NULL; + resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER; + vars = kzalloc(sizeof(*vars), GFP_KERNEL); + if (!vars) { +-- +2.43.0 + diff --git a/queue-6.11/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch b/queue-6.11/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch new file mode 100644 index 00000000000..7e8224958c7 --- /dev/null +++ b/queue-6.11/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch @@ -0,0 +1,180 @@ +From b82c586ce405ca09c2f3f2046a0ba4c22f004cca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 15:33:12 -0700 +Subject: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). + +From: Kuniyuki Iwashima + +[ Upstream commit e8c526f2bdf1845bedaf6a478816a3d06fa78b8f ] + +Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). + + """ + We are seeing a use-after-free from a bpf prog attached to + trace_tcp_retransmit_synack. The program passes the req->sk to the + bpf_sk_storage_get_tracing kernel helper which does check for null + before using it. + """ + +The commit 83fccfc3940c ("inet: fix potential deadlock in +reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not +to call del_timer_sync() from reqsk_timer_handler(), but it introduced a +small race window. + +Before the timer is called, expire_timers() calls detach_timer(timer, true) +to clear timer->entry.pprev and marks it as not pending. + +If reqsk_queue_unlink() checks timer_pending() just after expire_timers() +calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will +continue running and send multiple SYN+ACKs until it expires. + +The reported UAF could happen if req->sk is close()d earlier than the timer +expiration, which is 63s by default. + +The scenario would be + + 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), + but del_timer_sync() is missed + + 2. reqsk timer is executed and scheduled again + + 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but + reqsk timer still has another one, and inet_csk_accept() does not + clear req->sk for non-TFO sockets + + 4. sk is close()d + + 5. reqsk timer is executed again, and BPF touches req->sk + +Let's not use timer_pending() by passing the caller context to +__inet_csk_reqsk_queue_drop(). + +Note that reqsk timer is pinned, so the issue does not happen in most +use cases. [1] + +[0] +BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 + +Use-after-free read at 0x00000000a891fb3a (in kfence-#1): +bpf_sk_storage_get_tracing+0x2e/0x1b0 +bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda +bpf_trace_run2+0x4c/0xc0 +tcp_rtx_synack+0xf9/0x100 +reqsk_timer_handler+0xda/0x3d0 +run_timer_softirq+0x292/0x8a0 +irq_exit_rcu+0xf5/0x320 +sysvec_apic_timer_interrupt+0x6d/0x80 +asm_sysvec_apic_timer_interrupt+0x16/0x20 +intel_idle_irq+0x5a/0xa0 +cpuidle_enter_state+0x94/0x273 +cpu_startup_entry+0x15e/0x260 +start_secondary+0x8a/0x90 +secondary_startup_64_no_verify+0xfa/0xfb + +kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 + +allocated by task 0 on cpu 9 at 260507.901592s: +sk_prot_alloc+0x35/0x140 +sk_clone_lock+0x1f/0x3f0 +inet_csk_clone_lock+0x15/0x160 +tcp_create_openreq_child+0x1f/0x410 +tcp_v6_syn_recv_sock+0x1da/0x700 +tcp_check_req+0x1fb/0x510 +tcp_v6_rcv+0x98b/0x1420 +ipv6_list_rcv+0x2258/0x26e0 +napi_complete_done+0x5b1/0x2990 +mlx5e_napi_poll+0x2ae/0x8d0 +net_rx_action+0x13e/0x590 +irq_exit_rcu+0xf5/0x320 +common_interrupt+0x80/0x90 +asm_common_interrupt+0x22/0x40 +cpuidle_enter_state+0xfb/0x273 +cpu_startup_entry+0x15e/0x260 +start_secondary+0x8a/0x90 +secondary_startup_64_no_verify+0xfa/0xfb + +freed by task 0 on cpu 9 at 260507.927527s: +rcu_core_si+0x4ff/0xf10 +irq_exit_rcu+0xf5/0x320 +sysvec_apic_timer_interrupt+0x6d/0x80 +asm_sysvec_apic_timer_interrupt+0x16/0x20 +cpuidle_enter_state+0xfb/0x273 +cpu_startup_entry+0x15e/0x260 +start_secondary+0x8a/0x90 +secondary_startup_64_no_verify+0xfa/0xfb + +Fixes: 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") +Reported-by: Martin KaFai Lau +Closes: https://lore.kernel.org/netdev/eb6684d0-ffd9-4bdc-9196-33f690c25824@linux.dev/ +Link: https://lore.kernel.org/netdev/b55e2ca0-42f2-4b7c-b445-6ffd87ca74a0@linux.dev/ [1] +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Reviewed-by: Martin KaFai Lau +Link: https://patch.msgid.link/20241014223312.4254-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_connection_sock.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 64d07b842e736..cd7989b514eaa 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -1044,21 +1044,31 @@ static bool reqsk_queue_unlink(struct request_sock *req) + found = __sk_nulls_del_node_init_rcu(sk); + spin_unlock(lock); + } +- if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) +- reqsk_put(req); ++ + return found; + } + +-bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req) ++static bool __inet_csk_reqsk_queue_drop(struct sock *sk, ++ struct request_sock *req, ++ bool from_timer) + { + bool unlinked = reqsk_queue_unlink(req); + ++ if (!from_timer && timer_delete_sync(&req->rsk_timer)) ++ reqsk_put(req); ++ + if (unlinked) { + reqsk_queue_removed(&inet_csk(sk)->icsk_accept_queue, req); + reqsk_put(req); + } ++ + return unlinked; + } ++ ++bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req) ++{ ++ return __inet_csk_reqsk_queue_drop(sk, req, false); ++} + EXPORT_SYMBOL(inet_csk_reqsk_queue_drop); + + void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req) +@@ -1151,7 +1161,7 @@ static void reqsk_timer_handler(struct timer_list *t) + + if (!inet_ehash_insert(req_to_sk(nreq), req_to_sk(oreq), NULL)) { + /* delete timer */ +- inet_csk_reqsk_queue_drop(sk_listener, nreq); ++ __inet_csk_reqsk_queue_drop(sk_listener, nreq, true); + goto no_ownership; + } + +@@ -1177,7 +1187,8 @@ static void reqsk_timer_handler(struct timer_list *t) + } + + drop: +- inet_csk_reqsk_queue_drop_and_put(oreq->rsk_listener, oreq); ++ __inet_csk_reqsk_queue_drop(sk_listener, oreq, true); ++ reqsk_put(req); + } + + static bool reqsk_queue_hash_req(struct request_sock *req, +-- +2.43.0 + diff --git a/queue-6.11/usb-typec-altmode-should-keep-reference-to-parent.patch b/queue-6.11/usb-typec-altmode-should-keep-reference-to-parent.patch new file mode 100644 index 00000000000..90fef3c923c --- /dev/null +++ b/queue-6.11/usb-typec-altmode-should-keep-reference-to-parent.patch @@ -0,0 +1,130 @@ +From 360c73b57cc56bb11c47f09640ff3333a439a1c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 09:37:38 -0300 +Subject: usb: typec: altmode should keep reference to parent + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit befab3a278c59db0cc88c8799638064f6d3fd6f8 ] + +The altmode device release refers to its parent device, but without keeping +a reference to it. + +When registering the altmode, get a reference to the parent and put it in +the release function. + +Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues +like this: + +[ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000) +[ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 46.612867] ================================================================== +[ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129 +[ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48 +[ 46.614538] +[ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535 +[ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +[ 46.616042] Workqueue: events kobject_delayed_cleanup +[ 46.616446] Call Trace: +[ 46.616648] +[ 46.616820] dump_stack_lvl+0x5b/0x7c +[ 46.617112] ? typec_altmode_release+0x38/0x129 +[ 46.617470] print_report+0x14c/0x49e +[ 46.617769] ? rcu_read_unlock_sched+0x56/0x69 +[ 46.618117] ? __virt_addr_valid+0x19a/0x1ab +[ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d +[ 46.618807] ? typec_altmode_release+0x38/0x129 +[ 46.619161] kasan_report+0x8d/0xb4 +[ 46.619447] ? typec_altmode_release+0x38/0x129 +[ 46.619809] ? process_scheduled_works+0x3cb/0x85f +[ 46.620185] typec_altmode_release+0x38/0x129 +[ 46.620537] ? process_scheduled_works+0x3cb/0x85f +[ 46.620907] device_release+0xaf/0xf2 +[ 46.621206] kobject_delayed_cleanup+0x13b/0x17a +[ 46.621584] process_scheduled_works+0x4f6/0x85f +[ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10 +[ 46.622353] ? hlock_class+0x31/0x9a +[ 46.622647] ? lock_acquired+0x361/0x3c3 +[ 46.622956] ? move_linked_works+0x46/0x7d +[ 46.623277] worker_thread+0x1ce/0x291 +[ 46.623582] ? __kthread_parkme+0xc8/0xdf +[ 46.623900] ? __pfx_worker_thread+0x10/0x10 +[ 46.624236] kthread+0x17e/0x190 +[ 46.624501] ? kthread+0xfb/0x190 +[ 46.624756] ? __pfx_kthread+0x10/0x10 +[ 46.625015] ret_from_fork+0x20/0x40 +[ 46.625268] ? __pfx_kthread+0x10/0x10 +[ 46.625532] ret_from_fork_asm+0x1a/0x30 +[ 46.625805] +[ 46.625953] +[ 46.626056] Allocated by task 678: +[ 46.626287] kasan_save_stack+0x24/0x44 +[ 46.626555] kasan_save_track+0x14/0x2d +[ 46.626811] __kasan_kmalloc+0x3f/0x4d +[ 46.627049] __kmalloc_noprof+0x1bf/0x1f0 +[ 46.627362] typec_register_port+0x23/0x491 +[ 46.627698] cros_typec_probe+0x634/0xbb6 +[ 46.628026] platform_probe+0x47/0x8c +[ 46.628311] really_probe+0x20a/0x47d +[ 46.628605] device_driver_attach+0x39/0x72 +[ 46.628940] bind_store+0x87/0xd7 +[ 46.629213] kernfs_fop_write_iter+0x1aa/0x218 +[ 46.629574] vfs_write+0x1d6/0x29b +[ 46.629856] ksys_write+0xcd/0x13b +[ 46.630128] do_syscall_64+0xd4/0x139 +[ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 46.630820] +[ 46.630946] Freed by task 48: +[ 46.631182] kasan_save_stack+0x24/0x44 +[ 46.631493] kasan_save_track+0x14/0x2d +[ 46.631799] kasan_save_free_info+0x3f/0x4d +[ 46.632144] __kasan_slab_free+0x37/0x45 +[ 46.632474] kfree+0x1d4/0x252 +[ 46.632725] device_release+0xaf/0xf2 +[ 46.633017] kobject_delayed_cleanup+0x13b/0x17a +[ 46.633388] process_scheduled_works+0x4f6/0x85f +[ 46.633764] worker_thread+0x1ce/0x291 +[ 46.634065] kthread+0x17e/0x190 +[ 46.634324] ret_from_fork+0x20/0x40 +[ 46.634621] ret_from_fork_asm+0x1a/0x30 + +Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Heikki Krogerus +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241004123738.2964524-1-cascardo@igalia.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/class.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c +index 9262fcd4144f8..d61b4c74648df 100644 +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -519,6 +519,7 @@ static void typec_altmode_release(struct device *dev) + typec_altmode_put_partner(alt); + + altmode_id_remove(alt->adev.dev.parent, alt->id); ++ put_device(alt->adev.dev.parent); + kfree(alt); + } + +@@ -568,6 +569,8 @@ typec_register_altmode(struct device *parent, + alt->adev.dev.type = &typec_altmode_dev_type; + dev_set_name(&alt->adev.dev, "%s.%u", dev_name(parent), id); + ++ get_device(alt->adev.dev.parent); ++ + /* Link partners and plugs with the ports */ + if (!is_port) + typec_altmode_set_partner(alt); +-- +2.43.0 + diff --git a/queue-6.11/vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch b/queue-6.11/vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch new file mode 100644 index 00000000000..b886c6368d6 --- /dev/null +++ b/queue-6.11/vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch @@ -0,0 +1,64 @@ +From 11ec9887a59d5ccf110b089be326a65edd598a67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 21:03:11 +0200 +Subject: vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame + +From: Daniel Borkmann + +[ Upstream commit 4678adf94da4a9e9683817b246b58ce15fb81782 ] + +Andrew and Nikolay reported connectivity issues with Cilium's service +load-balancing in case of vmxnet3. + +If a BPF program for native XDP adds an encapsulation header such as +IPIP and transmits the packet out the same interface, then in case +of vmxnet3 a corrupted packet is being sent and subsequently dropped +on the path. + +vmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp() +through vmxnet3_xdp_xmit_back() calculates an incorrect DMA address: + + page = virt_to_page(xdpf->data); + tbi->dma_addr = page_pool_get_dma_addr(page) + + VMXNET3_XDP_HEADROOM; + dma_sync_single_for_device(&adapter->pdev->dev, + tbi->dma_addr, buf_size, + DMA_TO_DEVICE); + +The above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP +BPF program could have moved xdp->data. While the passed buf_size is +correct (xdpf->len), the dma_addr needs to have a dynamic offset which +can be calculated as xdpf->data - (void *)xdpf, that is, xdp->data - +xdp->data_hard_start. + +Fixes: 54f00cce1178 ("vmxnet3: Add XDP support.") +Reported-by: Andrew Sauber +Reported-by: Nikolay Nikolaev +Signed-off-by: Daniel Borkmann +Tested-by: Nikolay Nikolaev +Acked-by: Anton Protopopov +Cc: William Tu +Cc: Ronak Doshi +Link: https://patch.msgid.link/a0888656d7f09028f9984498cc698bb5364d89fc.1728931137.git.daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_xdp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/vmxnet3/vmxnet3_xdp.c b/drivers/net/vmxnet3/vmxnet3_xdp.c +index a6c787454a1ae..1341374a4588a 100644 +--- a/drivers/net/vmxnet3/vmxnet3_xdp.c ++++ b/drivers/net/vmxnet3/vmxnet3_xdp.c +@@ -148,7 +148,7 @@ vmxnet3_xdp_xmit_frame(struct vmxnet3_adapter *adapter, + } else { /* XDP buffer from page pool */ + page = virt_to_page(xdpf->data); + tbi->dma_addr = page_pool_get_dma_addr(page) + +- VMXNET3_XDP_HEADROOM; ++ (xdpf->data - (void *)xdpf); + dma_sync_single_for_device(&adapter->pdev->dev, + tbi->dma_addr, buf_size, + DMA_TO_DEVICE); +-- +2.43.0 + diff --git a/queue-6.11/vsock-update-msg_count-on-read_skb.patch b/queue-6.11/vsock-update-msg_count-on-read_skb.patch new file mode 100644 index 00000000000..6c89345b37f --- /dev/null +++ b/queue-6.11/vsock-update-msg_count-on-read_skb.patch @@ -0,0 +1,40 @@ +From ced6f0685049372ad74be21fbf9483b4ef6d8bd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2024 18:26:41 +0200 +Subject: vsock: Update msg_count on read_skb() + +From: Michal Luczaj + +[ Upstream commit 6dafde852df8de3617d4b9f835b629aaeaccd01d ] + +Dequeuing via vsock_transport::read_skb() left msg_count outdated, which +then confused SOCK_SEQPACKET recv(). Decrease the counter. + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Signed-off-by: Michal Luczaj +Signed-off-by: Daniel Borkmann +Reviewed-by: Stefano Garzarella +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-3-d6577bbfe742@rbox.co +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 0f67cb0c64702..645222ac84e3f 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1688,6 +1688,9 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto + } + + hdr = virtio_vsock_hdr(skb); ++ if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SEQ_EOM) ++ vvs->msg_count--; ++ + virtio_transport_dec_rx_pkt(vvs, le32_to_cpu(hdr->len)); + spin_unlock_bh(&vvs->rx_lock); + +-- +2.43.0 + diff --git a/queue-6.11/vsock-update-rx_bytes-on-read_skb.patch b/queue-6.11/vsock-update-rx_bytes-on-read_skb.patch new file mode 100644 index 00000000000..ee94c5cbe58 --- /dev/null +++ b/queue-6.11/vsock-update-rx_bytes-on-read_skb.patch @@ -0,0 +1,68 @@ +From 48bde160caf2a1d38995095dc6cdfffa34aa3405 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2024 18:26:40 +0200 +Subject: vsock: Update rx_bytes on read_skb() + +From: Michal Luczaj + +[ Upstream commit 3543152f2d330141d9394d28855cb90b860091d2 ] + +Make sure virtio_transport_inc_rx_pkt() and virtio_transport_dec_rx_pkt() +calls are balanced (i.e. virtio_vsock_sock::rx_bytes doesn't lie) after +vsock_transport::read_skb(). + +While here, also inform the peer that we've freed up space and it has more +credit. + +Failing to update rx_bytes after packet is dequeued leads to a warning on +SOCK_STREAM recv(): + +[ 233.396654] rx_queue is empty, but rx_bytes is non-zero +[ 233.396702] WARNING: CPU: 11 PID: 40601 at net/vmw_vsock/virtio_transport_common.c:589 + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Suggested-by: Stefano Garzarella +Signed-off-by: Michal Luczaj +Signed-off-by: Daniel Borkmann +Reviewed-by: Stefano Garzarella +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-2-d6577bbfe742@rbox.co +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 16ff976a86e3e..0f67cb0c64702 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1672,6 +1672,7 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto + { + struct virtio_vsock_sock *vvs = vsk->trans; + struct sock *sk = sk_vsock(vsk); ++ struct virtio_vsock_hdr *hdr; + struct sk_buff *skb; + int off = 0; + int err; +@@ -1681,10 +1682,16 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto + * works for types other than dgrams. + */ + skb = __skb_recv_datagram(sk, &vvs->rx_queue, MSG_DONTWAIT, &off, &err); ++ if (!skb) { ++ spin_unlock_bh(&vvs->rx_lock); ++ return err; ++ } ++ ++ hdr = virtio_vsock_hdr(skb); ++ virtio_transport_dec_rx_pkt(vvs, le32_to_cpu(hdr->len)); + spin_unlock_bh(&vvs->rx_lock); + +- if (!skb) +- return err; ++ virtio_transport_send_credit_update(vsk); + + return recv_actor(sk, skb); + } +-- +2.43.0 + diff --git a/queue-6.11/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch b/queue-6.11/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch new file mode 100644 index 00000000000..ee6b2fa3d7a --- /dev/null +++ b/queue-6.11/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch @@ -0,0 +1,102 @@ +From 3c4cf255b46ce45cd701d432eadca58ecbdd1681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 13:43:56 +0200 +Subject: x86/resctrl: Avoid overflow in MB settings in bw_validate() + +From: Martin Kletzander + +[ Upstream commit 2b5648416e47933939dc310c4ea1e29404f35630 ] + +The resctrl schemata file supports specifying memory bandwidth associated with +the Memory Bandwidth Allocation (MBA) feature via a percentage (this is the +default) or bandwidth in MiBps (when resctrl is mounted with the "mba_MBps" +option). + +The allowed range for the bandwidth percentage is from +/sys/fs/resctrl/info/MB/min_bandwidth to 100, using a granularity of +/sys/fs/resctrl/info/MB/bandwidth_gran. The supported range for the MiBps +bandwidth is 0 to U32_MAX. + +There are two issues with parsing of MiBps memory bandwidth: + +* The user provided MiBps is mistakenly rounded up to the granularity + that is unique to percentage input. + +* The user provided MiBps is parsed using unsigned long (thus accepting + values up to ULONG_MAX), and then assigned to u32 that could result in + overflow. + +Do not round up the MiBps value and parse user provided bandwidth as the u32 +it is intended to be. Use the appropriate kstrtou32() that can detect out of +range values. + +Fixes: 8205a078ba78 ("x86/intel_rdt/mba_sc: Add schemata support") +Fixes: 6ce1560d35f6 ("x86/resctrl: Switch over to the resctrl mbps_val list") +Co-developed-by: Reinette Chatre +Signed-off-by: Reinette Chatre +Signed-off-by: Martin Kletzander +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Reinette Chatre +Reviewed-by: Tony Luck +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c +index 50fa1fe9a073f..200d89a640270 100644 +--- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c ++++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c +@@ -29,10 +29,10 @@ + * hardware. The allocated bandwidth percentage is rounded to the next + * control step available on the hardware. + */ +-static bool bw_validate(char *buf, unsigned long *data, struct rdt_resource *r) ++static bool bw_validate(char *buf, u32 *data, struct rdt_resource *r) + { +- unsigned long bw; + int ret; ++ u32 bw; + + /* + * Only linear delay values is supported for current Intel SKUs. +@@ -42,16 +42,21 @@ static bool bw_validate(char *buf, unsigned long *data, struct rdt_resource *r) + return false; + } + +- ret = kstrtoul(buf, 10, &bw); ++ ret = kstrtou32(buf, 10, &bw); + if (ret) { +- rdt_last_cmd_printf("Non-decimal digit in MB value %s\n", buf); ++ rdt_last_cmd_printf("Invalid MB value %s\n", buf); + return false; + } + +- if ((bw < r->membw.min_bw || bw > r->default_ctrl) && +- !is_mba_sc(r)) { +- rdt_last_cmd_printf("MB value %ld out of range [%d,%d]\n", bw, +- r->membw.min_bw, r->default_ctrl); ++ /* Nothing else to do if software controller is enabled. */ ++ if (is_mba_sc(r)) { ++ *data = bw; ++ return true; ++ } ++ ++ if (bw < r->membw.min_bw || bw > r->default_ctrl) { ++ rdt_last_cmd_printf("MB value %u out of range [%d,%d]\n", ++ bw, r->membw.min_bw, r->default_ctrl); + return false; + } + +@@ -65,7 +70,7 @@ int parse_bw(struct rdt_parse_data *data, struct resctrl_schema *s, + struct resctrl_staged_config *cfg; + u32 closid = data->rdtgrp->closid; + struct rdt_resource *r = s->res; +- unsigned long bw_val; ++ u32 bw_val; + + cfg = &d->staged_config[s->conf_type]; + if (cfg->have_new_ctrl) { +-- +2.43.0 + diff --git a/queue-6.11/xhci-dbc-honor-usb-transfer-size-boundaries.patch b/queue-6.11/xhci-dbc-honor-usb-transfer-size-boundaries.patch new file mode 100644 index 00000000000..b5598bc3be9 --- /dev/null +++ b/queue-6.11/xhci-dbc-honor-usb-transfer-size-boundaries.patch @@ -0,0 +1,149 @@ +From c8698f307278680d5e5a46bb222711651159150d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 17:00:00 +0300 +Subject: xhci: dbc: honor usb transfer size boundaries. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mathias Nyman + +[ Upstream commit 30c9ae5ece8ecd69d36e6912c2c0896418f2468c ] + +Treat each completed full size write to /dev/ttyDBC0 as a separate usb +transfer. Make sure the size of the TRBs matches the size of the tty +write by first queuing as many max packet size TRBs as possible up to +the last TRB which will be cut short to match the size of the tty write. + +This solves an issue where userspace writes several transfers back to +back via /dev/ttyDBC0 into a kfifo before dbgtty can find available +request to turn that kfifo data into TRBs on the transfer ring. + +The boundary between transfer was lost as xhci-dbgtty then turned +everyting in the kfifo into as many 'max packet size' TRBs as possible. + +DbC would then send more data to the host than intended for that +transfer, causing host to issue a babble error. + +Refuse to write more data to kfifo until previous tty write data is +turned into properly sized TRBs with data size boundaries matching tty +write size + +Tested-by: Uday M Bhat +Tested-by: Łukasz Bartosik +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241016140000.783905-5-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-dbgcap.h | 1 + + drivers/usb/host/xhci-dbgtty.c | 55 ++++++++++++++++++++++++++++++---- + 2 files changed, 51 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h +index 8ec813b6e9fda..9dc8f4d8077cc 100644 +--- a/drivers/usb/host/xhci-dbgcap.h ++++ b/drivers/usb/host/xhci-dbgcap.h +@@ -110,6 +110,7 @@ struct dbc_port { + struct tasklet_struct push; + + struct list_head write_pool; ++ unsigned int tx_boundary; + + bool registered; + }; +diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c +index 881f5a7e6e0e1..0266c2f5bc0d8 100644 +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -24,6 +24,29 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc) + return dbc->priv; + } + ++static unsigned int ++dbc_kfifo_to_req(struct dbc_port *port, char *packet) ++{ ++ unsigned int len; ++ ++ len = kfifo_len(&port->port.xmit_fifo); ++ ++ if (len == 0) ++ return 0; ++ ++ len = min(len, DBC_MAX_PACKET); ++ ++ if (port->tx_boundary) ++ len = min(port->tx_boundary, len); ++ ++ len = kfifo_out(&port->port.xmit_fifo, packet, len); ++ ++ if (port->tx_boundary) ++ port->tx_boundary -= len; ++ ++ return len; ++} ++ + static int dbc_start_tx(struct dbc_port *port) + __releases(&port->port_lock) + __acquires(&port->port_lock) +@@ -36,7 +59,7 @@ static int dbc_start_tx(struct dbc_port *port) + + while (!list_empty(pool)) { + req = list_entry(pool->next, struct dbc_request, list_pool); +- len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET); ++ len = dbc_kfifo_to_req(port, req->buf); + if (len == 0) + break; + do_tty_wake = true; +@@ -200,14 +223,32 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf, + { + struct dbc_port *port = tty->driver_data; + unsigned long flags; ++ unsigned int written = 0; + + spin_lock_irqsave(&port->port_lock, flags); +- if (count) +- count = kfifo_in(&port->port.xmit_fifo, buf, count); +- dbc_start_tx(port); ++ ++ /* ++ * Treat tty write as one usb transfer. Make sure the writes are turned ++ * into TRB request having the same size boundaries as the tty writes. ++ * Don't add data to kfifo before previous write is turned into TRBs ++ */ ++ if (port->tx_boundary) { ++ spin_unlock_irqrestore(&port->port_lock, flags); ++ return 0; ++ } ++ ++ if (count) { ++ written = kfifo_in(&port->port.xmit_fifo, buf, count); ++ ++ if (written == count) ++ port->tx_boundary = kfifo_len(&port->port.xmit_fifo); ++ ++ dbc_start_tx(port); ++ } ++ + spin_unlock_irqrestore(&port->port_lock, flags); + +- return count; ++ return written; + } + + static int dbc_tty_put_char(struct tty_struct *tty, u8 ch) +@@ -241,6 +282,10 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty) + + spin_lock_irqsave(&port->port_lock, flags); + room = kfifo_avail(&port->port.xmit_fifo); ++ ++ if (port->tx_boundary) ++ room = 0; ++ + spin_unlock_irqrestore(&port->port_lock, flags); + + return room; +-- +2.43.0 + diff --git a/queue-6.11/xhci-dbgtty-remove-kfifo_out-wrapper.patch b/queue-6.11/xhci-dbgtty-remove-kfifo_out-wrapper.patch new file mode 100644 index 00000000000..bb780e3acdf --- /dev/null +++ b/queue-6.11/xhci-dbgtty-remove-kfifo_out-wrapper.patch @@ -0,0 +1,61 @@ +From 513f58d322267c6340ef9e67c646fd30416710b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 12:35:40 +0200 +Subject: xhci: dbgtty: remove kfifo_out() wrapper + +From: Jiri Slaby (SUSE) + +[ Upstream commit 2b217514436744dd98c4d9fa48d60610f9f67d61 ] + +There is no need to check against kfifo_len() before kfifo_out(). Just +ask the latter for data and it tells how much it retrieved. Or returns 0 +in case there are no more. + +Signed-off-by: Jiri Slaby (SUSE) +Cc: Mathias Nyman +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Link: https://lore.kernel.org/r/20240808103549.429349-5-jirislaby@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 30c9ae5ece8e ("xhci: dbc: honor usb transfer size boundaries.") +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-dbgtty.c | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c +index b74e98e943932..64ea964949975 100644 +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -24,19 +24,6 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc) + return dbc->priv; + } + +-static unsigned int +-dbc_send_packet(struct dbc_port *port, char *packet, unsigned int size) +-{ +- unsigned int len; +- +- len = kfifo_len(&port->write_fifo); +- if (len < size) +- size = len; +- if (size != 0) +- size = kfifo_out(&port->write_fifo, packet, size); +- return size; +-} +- + static int dbc_start_tx(struct dbc_port *port) + __releases(&port->port_lock) + __acquires(&port->port_lock) +@@ -49,7 +36,7 @@ static int dbc_start_tx(struct dbc_port *port) + + while (!list_empty(pool)) { + req = list_entry(pool->next, struct dbc_request, list_pool); +- len = dbc_send_packet(port, req->buf, DBC_MAX_PACKET); ++ len = kfifo_out(&port->write_fifo, req->buf, DBC_MAX_PACKET); + if (len == 0) + break; + do_tty_wake = true; +-- +2.43.0 + diff --git a/queue-6.11/xhci-dbgtty-use-kfifo-from-tty_port-struct.patch b/queue-6.11/xhci-dbgtty-use-kfifo-from-tty_port-struct.patch new file mode 100644 index 00000000000..e966572acbc --- /dev/null +++ b/queue-6.11/xhci-dbgtty-use-kfifo-from-tty_port-struct.patch @@ -0,0 +1,117 @@ +From d9ec7cfc040423373aa75fee383d6b698e6d9f66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 12:35:41 +0200 +Subject: xhci: dbgtty: use kfifo from tty_port struct + +From: Jiri Slaby (SUSE) + +[ Upstream commit 866025f0237609532bc8e4af5ef4d7252d3b55b6 ] + +There is no need to define one in a custom structure. The tty_port one +is free to use. + +Signed-off-by: Jiri Slaby (SUSE) +Cc: Mathias Nyman +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Link: https://lore.kernel.org/r/20240808103549.429349-6-jirislaby@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 30c9ae5ece8e ("xhci: dbc: honor usb transfer size boundaries.") +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-dbgcap.h | 1 - + drivers/usb/host/xhci-dbgtty.c | 17 +++++++++-------- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h +index 97c5dc290138b..8ec813b6e9fda 100644 +--- a/drivers/usb/host/xhci-dbgcap.h ++++ b/drivers/usb/host/xhci-dbgcap.h +@@ -110,7 +110,6 @@ struct dbc_port { + struct tasklet_struct push; + + struct list_head write_pool; +- struct kfifo write_fifo; + + bool registered; + }; +diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c +index 64ea964949975..881f5a7e6e0e1 100644 +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -36,7 +36,7 @@ static int dbc_start_tx(struct dbc_port *port) + + while (!list_empty(pool)) { + req = list_entry(pool->next, struct dbc_request, list_pool); +- len = kfifo_out(&port->write_fifo, req->buf, DBC_MAX_PACKET); ++ len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET); + if (len == 0) + break; + do_tty_wake = true; +@@ -203,7 +203,7 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf, + + spin_lock_irqsave(&port->port_lock, flags); + if (count) +- count = kfifo_in(&port->write_fifo, buf, count); ++ count = kfifo_in(&port->port.xmit_fifo, buf, count); + dbc_start_tx(port); + spin_unlock_irqrestore(&port->port_lock, flags); + +@@ -217,7 +217,7 @@ static int dbc_tty_put_char(struct tty_struct *tty, u8 ch) + int status; + + spin_lock_irqsave(&port->port_lock, flags); +- status = kfifo_put(&port->write_fifo, ch); ++ status = kfifo_put(&port->port.xmit_fifo, ch); + spin_unlock_irqrestore(&port->port_lock, flags); + + return status; +@@ -240,7 +240,7 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty) + unsigned int room; + + spin_lock_irqsave(&port->port_lock, flags); +- room = kfifo_avail(&port->write_fifo); ++ room = kfifo_avail(&port->port.xmit_fifo); + spin_unlock_irqrestore(&port->port_lock, flags); + + return room; +@@ -253,7 +253,7 @@ static unsigned int dbc_tty_chars_in_buffer(struct tty_struct *tty) + unsigned int chars; + + spin_lock_irqsave(&port->port_lock, flags); +- chars = kfifo_len(&port->write_fifo); ++ chars = kfifo_len(&port->port.xmit_fifo); + spin_unlock_irqrestore(&port->port_lock, flags); + + return chars; +@@ -411,7 +411,8 @@ static int xhci_dbc_tty_register_device(struct xhci_dbc *dbc) + goto err_idr; + } + +- ret = kfifo_alloc(&port->write_fifo, DBC_WRITE_BUF_SIZE, GFP_KERNEL); ++ ret = kfifo_alloc(&port->port.xmit_fifo, DBC_WRITE_BUF_SIZE, ++ GFP_KERNEL); + if (ret) + goto err_exit_port; + +@@ -440,7 +441,7 @@ static int xhci_dbc_tty_register_device(struct xhci_dbc *dbc) + xhci_dbc_free_requests(&port->read_pool); + xhci_dbc_free_requests(&port->write_pool); + err_free_fifo: +- kfifo_free(&port->write_fifo); ++ kfifo_free(&port->port.xmit_fifo); + err_exit_port: + idr_remove(&dbc_tty_minors, port->minor); + err_idr: +@@ -465,7 +466,7 @@ static void xhci_dbc_tty_unregister_device(struct xhci_dbc *dbc) + idr_remove(&dbc_tty_minors, port->minor); + mutex_unlock(&dbc_tty_minors_lock); + +- kfifo_free(&port->write_fifo); ++ kfifo_free(&port->port.xmit_fifo); + xhci_dbc_free_requests(&port->read_pool); + xhci_dbc_free_requests(&port->read_queue); + xhci_dbc_free_requests(&port->write_pool); +-- +2.43.0 +