From: Sasha Levin Date: Sun, 9 Apr 2023 12:31:03 +0000 (-0400) Subject: Fixes for 6.2 X-Git-Tag: v5.15.107~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a1735e1fb5ead9ad29cb7a9234e43965a6891e79;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.2 Signed-off-by: Sasha Levin --- diff --git a/queue-6.2/alsa-hda-hdmi-preserve-the-previous-pcm-device-upon-.patch b/queue-6.2/alsa-hda-hdmi-preserve-the-previous-pcm-device-upon-.patch new file mode 100644 index 00000000000..7757c43638d --- /dev/null +++ b/queue-6.2/alsa-hda-hdmi-preserve-the-previous-pcm-device-upon-.patch @@ -0,0 +1,93 @@ +From 33f1c82f1dc25eac9147b7962e77048bd031cbe2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 16:22:17 +0200 +Subject: ALSA: hda/hdmi: Preserve the previous PCM device upon re-enablement + +From: Takashi Iwai + +[ Upstream commit f785f5ee968f7045268b8be6b0abc850c4a4277c ] + +When a DRM driver turns on or off the screen with the audio +capability, it notifies the ELD to HD-audio HDMI codec driver via +component ops. HDMI codec driver, in turn, attaches or detaches the +PCM stream for the given port on the fly. + +The problem is that, since the recent code change, the HDMI driver +always treats the PCM stream assignment dynamically; this ended up the +confusion of the PCM device appearance. e.g. when a screen goes once +off and on again, it may appear on a different PCM device before the +screen-off. Although the application should treat such a change, it +doesn't seem working gracefully with the current pipewire (maybe +PulseAudio, too). + +As a workaround, this patch changes the HDMI codec driver behavior +slightly to be more consistent. Now it remembers the previous PCM +slot for the given port and try to assign to it. That is, if a port +is re-enabled, the driver tries to use the same PCM slot that was +assigned to that port previously. If it conflicts, a new slot is +searched and used like before, instead. + +Note that multiple monitor connections are the only typical case where +the PCM slot preservation is effective. As long as only a single +monitor is connected, the behavior isn't changed, and the first PCM +slot is still assigned always. + +Fixes: ef6f5494faf6 ("ALSA: hda/hdmi: Use only dynamic PCM device allocation") +Reviewed-by: Jaroslav Kysela +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217259 +Link: https://lore.kernel.org/r/20230331142217.19791-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 9ea633fe93393..4ffa3a59f419f 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -81,6 +81,7 @@ struct hdmi_spec_per_pin { + struct delayed_work work; + struct hdmi_pcm *pcm; /* pointer to spec->pcm_rec[n] dynamically*/ + int pcm_idx; /* which pcm is attached. -1 means no pcm is attached */ ++ int prev_pcm_idx; /* previously assigned pcm index */ + int repoll_count; + bool setup; /* the stream has been set up by prepare callback */ + bool silent_stream; +@@ -1380,9 +1381,17 @@ static void hdmi_attach_hda_pcm(struct hdmi_spec *spec, + /* pcm already be attached to the pin */ + if (per_pin->pcm) + return; ++ /* try the previously used slot at first */ ++ idx = per_pin->prev_pcm_idx; ++ if (idx >= 0) { ++ if (!test_bit(idx, &spec->pcm_bitmap)) ++ goto found; ++ per_pin->prev_pcm_idx = -1; /* no longer valid, clear it */ ++ } + idx = hdmi_find_pcm_slot(spec, per_pin); + if (idx == -EBUSY) + return; ++ found: + per_pin->pcm_idx = idx; + per_pin->pcm = get_hdmi_pcm(spec, idx); + set_bit(idx, &spec->pcm_bitmap); +@@ -1398,6 +1407,7 @@ static void hdmi_detach_hda_pcm(struct hdmi_spec *spec, + return; + idx = per_pin->pcm_idx; + per_pin->pcm_idx = -1; ++ per_pin->prev_pcm_idx = idx; /* remember the previous index */ + per_pin->pcm = NULL; + if (idx >= 0 && idx < spec->pcm_used) + clear_bit(idx, &spec->pcm_bitmap); +@@ -1924,6 +1934,7 @@ static int hdmi_add_pin(struct hda_codec *codec, hda_nid_t pin_nid) + + per_pin->pcm = NULL; + per_pin->pcm_idx = -1; ++ per_pin->prev_pcm_idx = -1; + per_pin->pin_nid = pin_nid; + per_pin->pin_nid_idx = spec->num_nids; + per_pin->dev_id = i; +-- +2.39.2 + diff --git a/queue-6.2/arm64-compat-work-around-uninitialized-variable-warn.patch b/queue-6.2/arm64-compat-work-around-uninitialized-variable-warn.patch new file mode 100644 index 00000000000..64181d66191 --- /dev/null +++ b/queue-6.2/arm64-compat-work-around-uninitialized-variable-warn.patch @@ -0,0 +1,93 @@ +From 8072c4c79b6de9e694f13b87966abc14a2d9a13d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 12:36:25 +0200 +Subject: arm64: compat: Work around uninitialized variable warning + +From: Ard Biesheuvel + +[ Upstream commit 32d85999680601d01b2a36713c9ffd7397c8688b ] + +Dan reports that smatch complains about a potential uninitialized +variable being used in the compat alignment fixup code. + +The logic is not wrong per se, but we do end up using an uninitialized +variable if reading the instruction that triggered the alignment fault +from user space faults, even if the fault ensures that the uninitialized +value doesn't propagate any further. + +Given that we just give up and return 1 if any fault occurs when reading +the instruction, let's get rid of the 'success handling' pattern that +captures the fault in a variable and aborts later, and instead, just +return 1 immediately if any of the get_user() calls result in an +exception. + +Fixes: 3fc24ef32d3b ("arm64: compat: Implement misalignment fixups for multiword loads") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Link: https://lore.kernel.org/r/202304021214.gekJ8yRc-lkp@intel.com/ +Signed-off-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20230404103625.2386382-1-ardb@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/compat_alignment.c | 32 ++++++++++++---------------- + 1 file changed, 14 insertions(+), 18 deletions(-) + +diff --git a/arch/arm64/kernel/compat_alignment.c b/arch/arm64/kernel/compat_alignment.c +index 5edec2f49ec98..deff21bfa6800 100644 +--- a/arch/arm64/kernel/compat_alignment.c ++++ b/arch/arm64/kernel/compat_alignment.c +@@ -314,36 +314,32 @@ int do_compat_alignment_fixup(unsigned long addr, struct pt_regs *regs) + int (*handler)(unsigned long addr, u32 instr, struct pt_regs *regs); + unsigned int type; + u32 instr = 0; +- u16 tinstr = 0; + int isize = 4; + int thumb2_32b = 0; +- int fault; + + instrptr = instruction_pointer(regs); + + if (compat_thumb_mode(regs)) { + __le16 __user *ptr = (__le16 __user *)(instrptr & ~1); ++ u16 tinstr, tinst2; + +- fault = alignment_get_thumb(regs, ptr, &tinstr); +- if (!fault) { +- if (IS_T32(tinstr)) { +- /* Thumb-2 32-bit */ +- u16 tinst2; +- fault = alignment_get_thumb(regs, ptr + 1, &tinst2); +- instr = ((u32)tinstr << 16) | tinst2; +- thumb2_32b = 1; +- } else { +- isize = 2; +- instr = thumb2arm(tinstr); +- } ++ if (alignment_get_thumb(regs, ptr, &tinstr)) ++ return 1; ++ ++ if (IS_T32(tinstr)) { /* Thumb-2 32-bit */ ++ if (alignment_get_thumb(regs, ptr + 1, &tinst2)) ++ return 1; ++ instr = ((u32)tinstr << 16) | tinst2; ++ thumb2_32b = 1; ++ } else { ++ isize = 2; ++ instr = thumb2arm(tinstr); + } + } else { +- fault = alignment_get_arm(regs, (__le32 __user *)instrptr, &instr); ++ if (alignment_get_arm(regs, (__le32 __user *)instrptr, &instr)) ++ return 1; + } + +- if (fault) +- return 1; +- + switch (CODING_BITS(instr)) { + case 0x00000000: /* 3.13.4 load/store instruction extensions */ + if (LDSTHD_I_BIT(instr)) +-- +2.39.2 + diff --git a/queue-6.2/asoc-codecs-lpass-fix-the-order-or-clks-turn-off-dur.patch b/queue-6.2/asoc-codecs-lpass-fix-the-order-or-clks-turn-off-dur.patch new file mode 100644 index 00000000000..3ae3f5150d0 --- /dev/null +++ b/queue-6.2/asoc-codecs-lpass-fix-the-order-or-clks-turn-off-dur.patch @@ -0,0 +1,84 @@ +From f4f5a8dc5fd6adb03b163930b0a3612b320d5f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Mar 2023 11:01:25 +0000 +Subject: ASoC: codecs: lpass: fix the order or clks turn off during suspend + +From: Srinivas Kandagatla + +[ Upstream commit a4a3203426f4b67535d6442ddc5dca8878a0678f ] + +The order in which clocks are stopped matters as some of the clock +like NPL are derived from MCLK. + +Without this patch, Dragonboard RB5 DSP would crash with below error: + qcom_q6v5_pas 17300000.remoteproc: fatal error received: + ABT_dal.c:278:ABTimeout: AHB Bus hang is detected, + Number of bus hang detected := 2 , addr0 = 0x3370000 , addr1 = 0x0!!! + +Turn off fsgen first, followed by npl and then finally mclk, which is exactly +the opposite order of enable sequence. + +Fixes: 1dc3459009c3 ("ASoC: codecs: lpass: register mclk after runtime pm") +Reported-by: Amit Pundir +Signed-off-by: Srinivas Kandagatla +Tested-by: Amit Pundir +Link: https://lore.kernel.org/r/20230323110125.23790-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-rx-macro.c | 4 ++-- + sound/soc/codecs/lpass-tx-macro.c | 4 ++-- + sound/soc/codecs/lpass-wsa-macro.c | 4 ++-- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/sound/soc/codecs/lpass-rx-macro.c b/sound/soc/codecs/lpass-rx-macro.c +index 8621cfabcf5b6..1639f3b66facb 100644 +--- a/sound/soc/codecs/lpass-rx-macro.c ++++ b/sound/soc/codecs/lpass-rx-macro.c +@@ -3667,9 +3667,9 @@ static int __maybe_unused rx_macro_runtime_suspend(struct device *dev) + regcache_cache_only(rx->regmap, true); + regcache_mark_dirty(rx->regmap); + +- clk_disable_unprepare(rx->mclk); +- clk_disable_unprepare(rx->npl); + clk_disable_unprepare(rx->fsgen); ++ clk_disable_unprepare(rx->npl); ++ clk_disable_unprepare(rx->mclk); + + return 0; + } +diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c +index 8facdb922f076..9f33289ce2174 100644 +--- a/sound/soc/codecs/lpass-tx-macro.c ++++ b/sound/soc/codecs/lpass-tx-macro.c +@@ -2093,9 +2093,9 @@ static int __maybe_unused tx_macro_runtime_suspend(struct device *dev) + regcache_cache_only(tx->regmap, true); + regcache_mark_dirty(tx->regmap); + +- clk_disable_unprepare(tx->mclk); +- clk_disable_unprepare(tx->npl); + clk_disable_unprepare(tx->fsgen); ++ clk_disable_unprepare(tx->npl); ++ clk_disable_unprepare(tx->mclk); + + return 0; + } +diff --git a/sound/soc/codecs/lpass-wsa-macro.c b/sound/soc/codecs/lpass-wsa-macro.c +index c0b86d69c72e3..01149b20b4c93 100644 +--- a/sound/soc/codecs/lpass-wsa-macro.c ++++ b/sound/soc/codecs/lpass-wsa-macro.c +@@ -2504,9 +2504,9 @@ static int __maybe_unused wsa_macro_runtime_suspend(struct device *dev) + regcache_cache_only(wsa->regmap, true); + regcache_mark_dirty(wsa->regmap); + +- clk_disable_unprepare(wsa->mclk); +- clk_disable_unprepare(wsa->npl); + clk_disable_unprepare(wsa->fsgen); ++ clk_disable_unprepare(wsa->npl); ++ clk_disable_unprepare(wsa->mclk); + + return 0; + } +-- +2.39.2 + diff --git a/queue-6.2/asoc-sof-ipc4-ensure-dsp-is-in-d0i0-during-sof_ipc4_.patch b/queue-6.2/asoc-sof-ipc4-ensure-dsp-is-in-d0i0-during-sof_ipc4_.patch new file mode 100644 index 00000000000..fd9955829aa --- /dev/null +++ b/queue-6.2/asoc-sof-ipc4-ensure-dsp-is-in-d0i0-during-sof_ipc4_.patch @@ -0,0 +1,59 @@ +From 850b63c2c0a87e7b15dd7aa9c6cd343bf80e5039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 10:55:38 +0200 +Subject: ASoC: SOF: ipc4: Ensure DSP is in D0I0 during sof_ipc4_set_get_data() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ranjani Sridharan + +[ Upstream commit e51f49512d98783b90799c9cc2002895ec3aa0eb ] + +The set_get_data() IPC op bypasses the check for the no_pm flag as done +with the regular IPC tx_msg op. Since set_get_data should be performed +when the DSP is in D0I0, set the DSP power state to D0I0 before sending +the IPC's in sof_ipc4_set_get_data(). + +Fixes: ceb89acc4dc8 ("ASoC: SOF: ipc4: Add support for mandatory message handling functionality") +Signed-off-by: Ranjani Sridharan +Reviewed-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Reviewed-by: Pierre-Louis Bossart +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20230322085538.10214-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc4.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/soc/sof/ipc4.c b/sound/soc/sof/ipc4.c +index 74cd7e9560193..280fc89043b16 100644 +--- a/sound/soc/sof/ipc4.c ++++ b/sound/soc/sof/ipc4.c +@@ -393,6 +393,9 @@ static int sof_ipc4_tx_msg(struct snd_sof_dev *sdev, void *msg_data, size_t msg_ + static int sof_ipc4_set_get_data(struct snd_sof_dev *sdev, void *data, + size_t payload_bytes, bool set) + { ++ const struct sof_dsp_power_state target_state = { ++ .state = SOF_DSP_PM_D0, ++ }; + size_t payload_limit = sdev->ipc->max_payload_size; + struct sof_ipc4_msg *ipc4_msg = data; + struct sof_ipc4_msg tx = {{ 0 }}; +@@ -423,6 +426,11 @@ static int sof_ipc4_set_get_data(struct snd_sof_dev *sdev, void *data, + + tx.extension |= SOF_IPC4_MOD_EXT_MSG_FIRST_BLOCK(1); + ++ /* ensure the DSP is in D0i0 before sending IPC */ ++ ret = snd_sof_dsp_set_power_state(sdev, &target_state); ++ if (ret < 0) ++ return ret; ++ + /* Serialise IPC TX */ + mutex_lock(&sdev->ipc->tx_mutex); + +-- +2.39.2 + diff --git a/queue-6.2/drivers-vmbus-check-for-channel-allocation-before-lo.patch b/queue-6.2/drivers-vmbus-check-for-channel-allocation-before-lo.patch new file mode 100644 index 00000000000..4b74191fb18 --- /dev/null +++ b/queue-6.2/drivers-vmbus-check-for-channel-allocation-before-lo.patch @@ -0,0 +1,48 @@ +From 4bc2851c4ea3318201e4e4cfbfbf3eade851a273 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Feb 2023 22:44:11 +0200 +Subject: Drivers: vmbus: Check for channel allocation before looking up relids + +From: Mohammed Gamal + +[ Upstream commit 1eb65c8687316c65140b48fad27133d583178e15 ] + +relid2channel() assumes vmbus channel array to be allocated when called. +However, in cases such as kdump/kexec, not all relids will be reset by the host. +When the second kernel boots and if the guest receives a vmbus interrupt during +vmbus driver initialization before vmbus_connect() is called, before it finishes, +or if it fails, the vmbus interrupt service routine is called which in turn calls +relid2channel() and can cause a null pointer dereference. + +Print a warning and error out in relid2channel() for a channel id that's invalid +in the second kernel. + +Fixes: 8b6a877c060e ("Drivers: hv: vmbus: Replace the per-CPU channel lists with a global array of channels") + +Signed-off-by: Mohammed Gamal +Reviewed-by: Dexuan Cui +Link: https://lore.kernel.org/r/20230217204411.212709-1-mgamal@redhat.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/connection.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c +index 9dc27e5d367a2..da51b50787dff 100644 +--- a/drivers/hv/connection.c ++++ b/drivers/hv/connection.c +@@ -409,6 +409,10 @@ void vmbus_disconnect(void) + */ + struct vmbus_channel *relid2channel(u32 relid) + { ++ if (vmbus_connection.channels == NULL) { ++ pr_warn_once("relid2channel: relid=%d: No channels mapped!\n", relid); ++ return NULL; ++ } + if (WARN_ON(relid >= MAX_CHANNEL_RELIDS)) + return NULL; + return READ_ONCE(vmbus_connection.channels[relid]); +-- +2.39.2 + diff --git a/queue-6.2/drm-i915-huc-cancel-huc-delayed-load-timer-on-reset.patch b/queue-6.2/drm-i915-huc-cancel-huc-delayed-load-timer-on-reset.patch new file mode 100644 index 00000000000..8c745b83ff1 --- /dev/null +++ b/queue-6.2/drm-i915-huc-cancel-huc-delayed-load-timer-on-reset.patch @@ -0,0 +1,73 @@ +From ff1d8156b09e7b561136c992a39ccc82e39d5613 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 13:55:56 -0700 +Subject: drm/i915/huc: Cancel HuC delayed load timer on reset. + +From: Daniele Ceraolo Spurio + +[ Upstream commit c74237496fbc799257b091179dd01a3200f7314d ] + +In the rare case where we do a full GT reset after starting the HuC +load and before it completes (which basically boils down to i915 hanging +during init), we need to cancel the delayed load fence, as it will be +re-initialized in the post-reset recovery. + +Fixes: 27536e03271d ("drm/i915/huc: track delayed HuC load with a fence") +Signed-off-by: Daniele Ceraolo Spurio +Cc: Alan Previn +Reviewed-by: Alan Previn +Link: https://patchwork.freedesktop.org/patch/msgid/20230313205556.1174503-1-daniele.ceraolospurio@intel.com +(cherry picked from commit cdf7911f7dbcb37228409a63bf75630776c45a15) +Signed-off-by: Jani Nikula +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/uc/intel_huc.c | 7 +++++++ + drivers/gpu/drm/i915/gt/uc/intel_huc.h | 7 +------ + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_huc.c b/drivers/gpu/drm/i915/gt/uc/intel_huc.c +index 410905da8e974..0c103ca160d10 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_huc.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_huc.c +@@ -235,6 +235,13 @@ static void delayed_huc_load_fini(struct intel_huc *huc) + i915_sw_fence_fini(&huc->delayed_load.fence); + } + ++int intel_huc_sanitize(struct intel_huc *huc) ++{ ++ delayed_huc_load_complete(huc); ++ intel_uc_fw_sanitize(&huc->fw); ++ return 0; ++} ++ + static bool vcs_supported(struct intel_gt *gt) + { + intel_engine_mask_t mask = gt->info.engine_mask; +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_huc.h b/drivers/gpu/drm/i915/gt/uc/intel_huc.h +index 52db03620c609..db555b3c1f562 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_huc.h ++++ b/drivers/gpu/drm/i915/gt/uc/intel_huc.h +@@ -41,6 +41,7 @@ struct intel_huc { + } delayed_load; + }; + ++int intel_huc_sanitize(struct intel_huc *huc); + void intel_huc_init_early(struct intel_huc *huc); + int intel_huc_init(struct intel_huc *huc); + void intel_huc_fini(struct intel_huc *huc); +@@ -54,12 +55,6 @@ bool intel_huc_is_authenticated(struct intel_huc *huc); + void intel_huc_register_gsc_notifier(struct intel_huc *huc, struct bus_type *bus); + void intel_huc_unregister_gsc_notifier(struct intel_huc *huc, struct bus_type *bus); + +-static inline int intel_huc_sanitize(struct intel_huc *huc) +-{ +- intel_uc_fw_sanitize(&huc->fw); +- return 0; +-} +- + static inline bool intel_huc_is_supported(struct intel_huc *huc) + { + return intel_uc_fw_is_supported(&huc->fw); +-- +2.39.2 + diff --git a/queue-6.2/ethtool-reset-lanes-when-lanes-is-omitted.patch b/queue-6.2/ethtool-reset-lanes-when-lanes-is-omitted.patch new file mode 100644 index 00000000000..0688502e518 --- /dev/null +++ b/queue-6.2/ethtool-reset-lanes-when-lanes-is-omitted.patch @@ -0,0 +1,93 @@ +From bc71394ced0f38d3ac21223a6f29a0c3c1d534e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 14:20:53 -0700 +Subject: ethtool: reset #lanes when lanes is omitted + +From: Andy Roulin + +[ Upstream commit e847c7675e19ef344913724dc68f83df31ad6a17 ] + +If the number of lanes was forced and then subsequently the user +omits this parameter, the ksettings->lanes is reset. The driver +should then reset the number of lanes to the device's default +for the specified speed. + +However, although the ksettings->lanes is set to 0, the mod variable +is not set to true to indicate the driver and userspace should be +notified of the changes. + +The consequence is that the same ethtool operation will produce +different results based on the initial state. + +If the initial state is: +$ ethtool swp1 | grep -A 3 'Speed: ' + Speed: 500000Mb/s + Lanes: 2 + Duplex: Full + Auto-negotiation: on + +then executing 'ethtool -s swp1 speed 50000 autoneg off' will yield: +$ ethtool swp1 | grep -A 3 'Speed: ' + Speed: 500000Mb/s + Lanes: 2 + Duplex: Full + Auto-negotiation: off + +While if the initial state is: +$ ethtool swp1 | grep -A 3 'Speed: ' + Speed: 500000Mb/s + Lanes: 1 + Duplex: Full + Auto-negotiation: off + +executing the same 'ethtool -s swp1 speed 50000 autoneg off' results in: +$ ethtool swp1 | grep -A 3 'Speed: ' + Speed: 500000Mb/s + Lanes: 1 + Duplex: Full + Auto-negotiation: off + +This patch fixes this behavior. Omitting lanes will always results in +the driver choosing the default lane width for the chosen speed. In this +scenario, regardless of the initial state, the end state will be, e.g., + +$ ethtool swp1 | grep -A 3 'Speed: ' + Speed: 500000Mb/s + Lanes: 2 + Duplex: Full + Auto-negotiation: off + +Fixes: 012ce4dd3102 ("ethtool: Extend link modes settings uAPI with lanes") +Signed-off-by: Andy Roulin +Reviewed-by: Danielle Ratson +Reviewed-by: Ido Schimmel +Link: https://lore.kernel.org/r/ac238d6b-8726-8156-3810-6471291dbc7f@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ethtool/linkmodes.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ethtool/linkmodes.c b/net/ethtool/linkmodes.c +index 126e06c713a3a..2d91f2a8c7626 100644 +--- a/net/ethtool/linkmodes.c ++++ b/net/ethtool/linkmodes.c +@@ -282,11 +282,12 @@ static int ethnl_update_linkmodes(struct genl_info *info, struct nlattr **tb, + "lanes configuration not supported by device"); + return -EOPNOTSUPP; + } +- } else if (!lsettings->autoneg) { +- /* If autoneg is off and lanes parameter is not passed from user, +- * set the lanes parameter to 0. ++ } else if (!lsettings->autoneg && ksettings->lanes) { ++ /* If autoneg is off and lanes parameter is not passed from user but ++ * it was defined previously then set the lanes parameter to 0. + */ + ksettings->lanes = 0; ++ *mod = true; + } + + ret = ethnl_update_bitset(ksettings->link_modes.advertising, +-- +2.39.2 + diff --git a/queue-6.2/gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch b/queue-6.2/gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch new file mode 100644 index 00000000000..0c8dba4d2c7 --- /dev/null +++ b/queue-6.2/gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch @@ -0,0 +1,37 @@ +From dd9bdc2031ab3fab81fc1680b74fac162a2b1575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 12:54:43 +0530 +Subject: gpio: davinci: Add irq chip flag to skip set wake + +From: Dhruva Gole + +[ Upstream commit 7b75c4703609a3ebaf67271813521bc0281e1ec1 ] + +Add the IRQCHIP_SKIP_SET_WAKE flag since there are no special IRQ Wake +bits that can be set to enable wakeup IRQ. + +Fixes: 3d9edf09d452 ("[ARM] 4457/2: davinci: GPIO support") +Signed-off-by: Dhruva Gole +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-davinci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c +index 39b00855499b2..7a26919ff127b 100644 +--- a/drivers/gpio/gpio-davinci.c ++++ b/drivers/gpio/gpio-davinci.c +@@ -325,7 +325,7 @@ static struct irq_chip gpio_irqchip = { + .irq_enable = gpio_irq_enable, + .irq_disable = gpio_irq_disable, + .irq_set_type = gpio_irq_type, +- .flags = IRQCHIP_SET_TYPE_MASKED, ++ .flags = IRQCHIP_SET_TYPE_MASKED | IRQCHIP_SKIP_SET_WAKE, + }; + + static void gpio_irq_handler(struct irq_desc *desc) +-- +2.39.2 + diff --git a/queue-6.2/gpio-davinci-do-not-clear-the-bank-intr-enable-bit-i.patch b/queue-6.2/gpio-davinci-do-not-clear-the-bank-intr-enable-bit-i.patch new file mode 100644 index 00000000000..3610dfe05a2 --- /dev/null +++ b/queue-6.2/gpio-davinci-do-not-clear-the-bank-intr-enable-bit-i.patch @@ -0,0 +1,43 @@ +From 3bbf1fe368ca5db2b9848447fbd9d91ffc08cf61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 12:54:42 +0530 +Subject: gpio: davinci: Do not clear the bank intr enable bit in save_context + +From: Dhruva Gole + +[ Upstream commit fe092498cb9638418c96675be320c74a16306b48 ] + +The interrupt enable bits might be set if we want to use the GPIO as +wakeup source. Clearing this will mean disabling of interrupts in the GPIO +banks that we may want to wakeup from. +Thus remove the line that was clearing this bit from the driver's save +context function. + +Cc: Devarsh Thakkar +Fixes: 0651a730924b ("gpio: davinci: Add support for system suspend/resume PM") +Signed-off-by: Dhruva Gole +Reviewed-by: Linus Walleij +Acked-by: Keerthy +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-davinci.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c +index fa51a91afa54f..39b00855499b2 100644 +--- a/drivers/gpio/gpio-davinci.c ++++ b/drivers/gpio/gpio-davinci.c +@@ -642,9 +642,6 @@ static void davinci_gpio_save_context(struct davinci_gpio_controller *chips, + context->set_falling = readl_relaxed(&g->set_falling); + } + +- /* Clear Bank interrupt enable bit */ +- writel_relaxed(0, base + BINTEN); +- + /* Clear all interrupt status registers */ + writel_relaxed(GENMASK(31, 0), &g->intstat); + } +-- +2.39.2 + diff --git a/queue-6.2/gpio-gpio_regmap-select-regmap-instead-of-depending-.patch b/queue-6.2/gpio-gpio_regmap-select-regmap-instead-of-depending-.patch new file mode 100644 index 00000000000..cdfcd77c075 --- /dev/null +++ b/queue-6.2/gpio-gpio_regmap-select-regmap-instead-of-depending-.patch @@ -0,0 +1,47 @@ +From 2bba38f404abe97d0c2855c5812b9f9ce160e5e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Feb 2023 21:39:48 -0800 +Subject: gpio: GPIO_REGMAP: select REGMAP instead of depending on it + +From: Randy Dunlap + +[ Upstream commit d49765b5f4320a402fbc4ed5edfd73d87640f27c ] + +REGMAP is a hidden (not user visible) symbol. Users cannot set it +directly thru "make *config", so drivers should select it instead of +depending on it if they need it. + +Consistently using "select" or "depends on" can also help reduce +Kconfig circular dependency issues. + +Therefore, change the use of "depends on REGMAP" to "select REGMAP". + +Fixes: ebe363197e52 ("gpio: add a reusable generic gpio_chip using regmap") +Signed-off-by: Randy Dunlap +Cc: Michael Walle +Cc: Linus Walleij +Cc: Bartosz Golaszewski +Cc: linux-gpio@vger.kernel.org +Acked-by: Michael Walle +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/Kconfig b/drivers/gpio/Kconfig +index e9917a45b005a..42e5042d01495 100644 +--- a/drivers/gpio/Kconfig ++++ b/drivers/gpio/Kconfig +@@ -100,7 +100,7 @@ config GPIO_GENERIC + tristate + + config GPIO_REGMAP +- depends on REGMAP ++ select REGMAP + tristate + + # put drivers in the right section, in alphabetical order +-- +2.39.2 + diff --git a/queue-6.2/gve-secure-enough-bytes-in-the-first-tx-desc-for-all.patch b/queue-6.2/gve-secure-enough-bytes-in-the-first-tx-desc-for-all.patch new file mode 100644 index 00000000000..ce950cc8eb5 --- /dev/null +++ b/queue-6.2/gve-secure-enough-bytes-in-the-first-tx-desc-for-all.patch @@ -0,0 +1,73 @@ +From c9471b0c4d01045a5598b4d2f7f7baa237f82745 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 10:28:09 -0700 +Subject: gve: Secure enough bytes in the first TX desc for all TCP pkts + +From: Shailend Chand + +[ Upstream commit 3ce9345580974863c060fa32971537996a7b2d57 ] + +Non-GSO TCP packets whose SKBs' linear portion did not include the +entire TCP header were not populating the first Tx descriptor with +as many bytes as the vNIC expected. This change ensures that all +TCP packets populate the first descriptor with the correct number of +bytes. + +Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC") +Signed-off-by: Shailend Chand +Link: https://lore.kernel.org/r/20230403172809.2939306-1-shailend@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve.h | 2 ++ + drivers/net/ethernet/google/gve/gve_tx.c | 12 +++++------- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/google/gve/gve.h b/drivers/net/ethernet/google/gve/gve.h +index 64eb0442c82fd..005cb9dfe078b 100644 +--- a/drivers/net/ethernet/google/gve/gve.h ++++ b/drivers/net/ethernet/google/gve/gve.h +@@ -47,6 +47,8 @@ + + #define GVE_RX_BUFFER_SIZE_DQO 2048 + ++#define GVE_GQ_TX_MIN_PKT_DESC_BYTES 182 ++ + /* Each slot in the desc ring has a 1:1 mapping to a slot in the data ring */ + struct gve_rx_desc_queue { + struct gve_rx_desc *desc_ring; /* the descriptor ring */ +diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/ethernet/google/gve/gve_tx.c +index 4888bf05fbedb..5e11b82367545 100644 +--- a/drivers/net/ethernet/google/gve/gve_tx.c ++++ b/drivers/net/ethernet/google/gve/gve_tx.c +@@ -284,8 +284,8 @@ static inline int gve_skb_fifo_bytes_required(struct gve_tx_ring *tx, + int bytes; + int hlen; + +- hlen = skb_is_gso(skb) ? skb_checksum_start_offset(skb) + +- tcp_hdrlen(skb) : skb_headlen(skb); ++ hlen = skb_is_gso(skb) ? skb_checksum_start_offset(skb) + tcp_hdrlen(skb) : ++ min_t(int, GVE_GQ_TX_MIN_PKT_DESC_BYTES, skb->len); + + pad_bytes = gve_tx_fifo_pad_alloc_one_frag(&tx->tx_fifo, + hlen); +@@ -454,13 +454,11 @@ static int gve_tx_add_skb_copy(struct gve_priv *priv, struct gve_tx_ring *tx, st + pkt_desc = &tx->desc[idx]; + + l4_hdr_offset = skb_checksum_start_offset(skb); +- /* If the skb is gso, then we want the tcp header in the first segment +- * otherwise we want the linear portion of the skb (which will contain +- * the checksum because skb->csum_start and skb->csum_offset are given +- * relative to skb->head) in the first segment. ++ /* If the skb is gso, then we want the tcp header alone in the first segment ++ * otherwise we want the minimum required by the gVNIC spec. + */ + hlen = is_gso ? l4_hdr_offset + tcp_hdrlen(skb) : +- skb_headlen(skb); ++ min_t(int, GVE_GQ_TX_MIN_PKT_DESC_BYTES, skb->len); + + info->skb = skb; + /* We don't want to split the header, so if necessary, pad to the end +-- +2.39.2 + diff --git a/queue-6.2/ice-fix-wrong-fallback-logic-for-fdir.patch b/queue-6.2/ice-fix-wrong-fallback-logic-for-fdir.patch new file mode 100644 index 00000000000..40839480f6d --- /dev/null +++ b/queue-6.2/ice-fix-wrong-fallback-logic-for-fdir.patch @@ -0,0 +1,59 @@ +From 5181cadb33a4c63675c0f2fe72e79b899def3669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 10:24:15 +0800 +Subject: ice: fix wrong fallback logic for FDIR + +From: Simei Su + +[ Upstream commit b4a01ace20f5c93c724abffc0a83ec84f514b98d ] + +When adding a FDIR filter, if ice_vc_fdir_set_irq_ctx returns failure, +the inserted fdir entry will not be removed and if ice_vc_fdir_write_fltr +returns failure, the fdir context info for irq handler will not be cleared +which may lead to inconsistent or memory leak issue. This patch refines +failure cases to resolve this issue. + +Fixes: 1f7ea1cd6a37 ("ice: Enable FDIR Configure for AVF") +Signed-off-by: Simei Su +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c +index a2645ff3100e4..f4ef76e37098c 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c +@@ -1871,7 +1871,7 @@ int ice_vc_add_fdir_fltr(struct ice_vf *vf, u8 *msg) + v_ret = VIRTCHNL_STATUS_SUCCESS; + stat->status = VIRTCHNL_FDIR_FAILURE_RULE_NORESOURCE; + dev_dbg(dev, "VF %d: set FDIR context failed\n", vf->vf_id); +- goto err_free_conf; ++ goto err_rem_entry; + } + + ret = ice_vc_fdir_write_fltr(vf, conf, true, is_tun); +@@ -1880,15 +1880,16 @@ int ice_vc_add_fdir_fltr(struct ice_vf *vf, u8 *msg) + stat->status = VIRTCHNL_FDIR_FAILURE_RULE_NORESOURCE; + dev_err(dev, "VF %d: writing FDIR rule failed, ret:%d\n", + vf->vf_id, ret); +- goto err_rem_entry; ++ goto err_clr_irq; + } + + exit: + kfree(stat); + return ret; + +-err_rem_entry: ++err_clr_irq: + ice_vc_fdir_clear_irq_ctx(vf); ++err_rem_entry: + ice_vc_fdir_remove_entry(vf, conf, conf->flow_id); + err_free_conf: + devm_kfree(dev, conf); +-- +2.39.2 + diff --git a/queue-6.2/ice-reset-fdir-counter-in-fdir-init-stage.patch b/queue-6.2/ice-reset-fdir-counter-in-fdir-init-stage.patch new file mode 100644 index 00000000000..0fa6ed5758e --- /dev/null +++ b/queue-6.2/ice-reset-fdir-counter-in-fdir-init-stage.patch @@ -0,0 +1,61 @@ +From db58f6e44601cc68e23ab2ea03245995ddb874dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 10:49:11 +0000 +Subject: ice: Reset FDIR counter in FDIR init stage + +From: Lingyu Liu + +[ Upstream commit 83c911dc5e0e8e6eaa6431c06972a8f159bfe2fc ] + +Reset the FDIR counters when FDIR inits. Without this patch, +when VF initializes or resets, all the FDIR counters are not +cleaned, which may cause unexpected behaviors for future FDIR +rule create (e.g., rule conflict). + +Fixes: 1f7ea1cd6a37 ("ice: Enable FDIR Configure for AVF") +Signed-off-by: Junfeng Guo +Signed-off-by: Lingyu Liu +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/ice/ice_virtchnl_fdir.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c +index f4ef76e37098c..7f72604079723 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c +@@ -541,6 +541,21 @@ static void ice_vc_fdir_rem_prof_all(struct ice_vf *vf) + } + } + ++/** ++ * ice_vc_fdir_reset_cnt_all - reset all FDIR counters for this VF FDIR ++ * @fdir: pointer to the VF FDIR structure ++ */ ++static void ice_vc_fdir_reset_cnt_all(struct ice_vf_fdir *fdir) ++{ ++ enum ice_fltr_ptype flow; ++ ++ for (flow = ICE_FLTR_PTYPE_NONF_NONE; ++ flow < ICE_FLTR_PTYPE_MAX; flow++) { ++ fdir->fdir_fltr_cnt[flow][0] = 0; ++ fdir->fdir_fltr_cnt[flow][1] = 0; ++ } ++} ++ + /** + * ice_vc_fdir_has_prof_conflict + * @vf: pointer to the VF structure +@@ -1998,6 +2013,7 @@ void ice_vf_fdir_init(struct ice_vf *vf) + spin_lock_init(&fdir->ctx_lock); + fdir->ctx_irq.flags = 0; + fdir->ctx_done.flags = 0; ++ ice_vc_fdir_reset_cnt_all(fdir); + } + + /** +-- +2.39.2 + diff --git a/queue-6.2/icmp-guard-against-too-small-mtu.patch b/queue-6.2/icmp-guard-against-too-small-mtu.patch new file mode 100644 index 00000000000..6fc1b0da8dc --- /dev/null +++ b/queue-6.2/icmp-guard-against-too-small-mtu.patch @@ -0,0 +1,86 @@ +From 634d5b8d62ee2c4bcec1a81383880d69a2d22f91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 17:45:02 +0000 +Subject: icmp: guard against too small mtu + +From: Eric Dumazet + +[ Upstream commit 7d63b67125382ff0ffdfca434acbc94a38bd092b ] + +syzbot was able to trigger a panic [1] in icmp_glue_bits(), or +more exactly in skb_copy_and_csum_bits() + +There is no repro yet, but I think the issue is that syzbot +manages to lower device mtu to a small value, fooling __icmp_send() + +__icmp_send() must make sure there is enough room for the +packet to include at least the headers. + +We might in the future refactor skb_copy_and_csum_bits() and its +callers to no longer crash when something bad happens. + +[1] +kernel BUG at net/core/skbuff.c:3343 ! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 15766 Comm: syz-executor.0 Not tainted 6.3.0-rc4-syzkaller-00039-gffe78bbd5121 #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 +RIP: 0010:skb_copy_and_csum_bits+0x798/0x860 net/core/skbuff.c:3343 +Code: f0 c1 c8 08 41 89 c6 e9 73 ff ff ff e8 61 48 d4 f9 e9 41 fd ff ff 48 8b 7c 24 48 e8 52 48 d4 f9 e9 c3 fc ff ff e8 c8 27 84 f9 <0f> 0b 48 89 44 24 28 e8 3c 48 d4 f9 48 8b 44 24 28 e9 9d fb ff ff +RSP: 0018:ffffc90000007620 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 00000000000001e8 RCX: 0000000000000100 +RDX: ffff8880276f6280 RSI: ffffffff87fdd138 RDI: 0000000000000005 +RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 +R10: 00000000000001e8 R11: 0000000000000001 R12: 000000000000003c +R13: 0000000000000000 R14: ffff888028244868 R15: 0000000000000b0e +FS: 00007fbc81f1c700(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b2df43000 CR3: 00000000744db000 CR4: 0000000000150ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +icmp_glue_bits+0x7b/0x210 net/ipv4/icmp.c:353 +__ip_append_data+0x1d1b/0x39f0 net/ipv4/ip_output.c:1161 +ip_append_data net/ipv4/ip_output.c:1343 [inline] +ip_append_data+0x115/0x1a0 net/ipv4/ip_output.c:1322 +icmp_push_reply+0xa8/0x440 net/ipv4/icmp.c:370 +__icmp_send+0xb80/0x1430 net/ipv4/icmp.c:765 +ipv4_send_dest_unreach net/ipv4/route.c:1239 [inline] +ipv4_link_failure+0x5a9/0x9e0 net/ipv4/route.c:1246 +dst_link_failure include/net/dst.h:423 [inline] +arp_error_report+0xcb/0x1c0 net/ipv4/arp.c:296 +neigh_invalidate+0x20d/0x560 net/core/neighbour.c:1079 +neigh_timer_handler+0xc77/0xff0 net/core/neighbour.c:1166 +call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700 +expire_timers+0x29b/0x4b0 kernel/time/timer.c:1751 +__run_timers kernel/time/timer.c:2022 [inline] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+d373d60fddbdc915e666@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230330174502.1915328-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 46aa2d65e40ab..635ed4f057495 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -746,6 +746,11 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, + room = 576; + room -= sizeof(struct iphdr) + icmp_param.replyopts.opt.opt.optlen; + room -= sizeof(struct icmphdr); ++ /* Guard against tiny mtu. We need to include at least one ++ * IP network header for this message to make any sense. ++ */ ++ if (room <= (int)sizeof(struct iphdr)) ++ goto ende; + + icmp_param.data_len = skb_in->len - icmp_param.offset; + if (icmp_param.data_len > room) +-- +2.39.2 + diff --git a/queue-6.2/ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch b/queue-6.2/ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch new file mode 100644 index 00000000000..4d5e09ae3bf --- /dev/null +++ b/queue-6.2/ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch @@ -0,0 +1,101 @@ +From 861103fb094cfe63b5f407bc91db05500d815ec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 15:34:17 +0800 +Subject: ipv6: Fix an uninit variable access bug in __ip6_make_skb() + +From: Ziyang Xuan + +[ Upstream commit ea30388baebcce37fd594d425a65037ca35e59e8 ] + +Syzbot reported a bug as following: + +===================================================== +BUG: KMSAN: uninit-value in arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] +BUG: KMSAN: uninit-value in arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] +BUG: KMSAN: uninit-value in atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] +BUG: KMSAN: uninit-value in __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 + arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] + arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] + atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] + __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 + ip6_finish_skb include/net/ipv6.h:1122 [inline] + ip6_push_pending_frames+0x10e/0x550 net/ipv6/ip6_output.c:1987 + rawv6_push_pending_frames+0xb12/0xb90 net/ipv6/raw.c:579 + rawv6_sendmsg+0x297e/0x2e60 net/ipv6/raw.c:922 + inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg net/socket.c:734 [inline] + ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 + ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 + __sys_sendmsg net/socket.c:2559 [inline] + __do_sys_sendmsg net/socket.c:2568 [inline] + __se_sys_sendmsg net/socket.c:2566 [inline] + __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:766 [inline] + slab_alloc_node mm/slub.c:3452 [inline] + __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491 + __do_kmalloc_node mm/slab_common.c:967 [inline] + __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988 + kmalloc_reserve net/core/skbuff.c:492 [inline] + __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565 + alloc_skb include/linux/skbuff.h:1270 [inline] + __ip6_append_data+0x51c1/0x6bb0 net/ipv6/ip6_output.c:1684 + ip6_append_data+0x411/0x580 net/ipv6/ip6_output.c:1854 + rawv6_sendmsg+0x2882/0x2e60 net/ipv6/raw.c:915 + inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg net/socket.c:734 [inline] + ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 + ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 + __sys_sendmsg net/socket.c:2559 [inline] + __do_sys_sendmsg net/socket.c:2568 [inline] + __se_sys_sendmsg net/socket.c:2566 [inline] + __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +It is because icmp6hdr does not in skb linear region under the scenario +of SOCK_RAW socket. Access icmp6_hdr(skb)->icmp6_type directly will +trigger the uninit variable access bug. + +Use a local variable icmp6_type to carry the correct value in different +scenarios. + +Fixes: 14878f75abd5 ("[IPV6]: Add ICMPMsgStats MIB (RFC 4293) [rev 2]") +Reported-by: syzbot+8257f4dcef79de670baf@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=3d605ec1d0a7f2a269a1a6936ac7f2b85975ee9c +Signed-off-by: Ziyang Xuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index c314fdde0097c..95a55c6630add 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1965,8 +1965,13 @@ struct sk_buff *__ip6_make_skb(struct sock *sk, + IP6_UPD_PO_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len); + if (proto == IPPROTO_ICMPV6) { + struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); ++ u8 icmp6_type; + +- ICMP6MSGOUT_INC_STATS(net, idev, icmp6_hdr(skb)->icmp6_type); ++ if (sk->sk_socket->type == SOCK_RAW && !inet_sk(sk)->hdrincl) ++ icmp6_type = fl6->fl6_icmp_type; ++ else ++ icmp6_type = icmp6_hdr(skb)->icmp6_type; ++ ICMP6MSGOUT_INC_STATS(net, idev, icmp6_type); + ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); + } + +-- +2.39.2 + diff --git a/queue-6.2/kvm-s390-pv-fix-external-interruption-loop-not-alway.patch b/queue-6.2/kvm-s390-pv-fix-external-interruption-loop-not-alway.patch new file mode 100644 index 00000000000..3dba9d671f3 --- /dev/null +++ b/queue-6.2/kvm-s390-pv-fix-external-interruption-loop-not-alway.patch @@ -0,0 +1,100 @@ +From 46661ceb20ec0fb37d6fbbb6c98a178fae1f4e66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Feb 2023 09:55:20 +0100 +Subject: KVM: s390: pv: fix external interruption loop not always detected + +From: Nico Boehr + +[ Upstream commit 21f27df854008b86349a203bf97fef79bb11f53e ] + +To determine whether the guest has caused an external interruption loop +upon code 20 (external interrupt) intercepts, the ext_new_psw needs to +be inspected to see whether external interrupts are enabled. + +Under non-PV, ext_new_psw can simply be taken from guest lowcore. Under +PV, KVM can only access the encrypted guest lowcore and hence the +ext_new_psw must not be taken from guest lowcore. + +handle_external_interrupt() incorrectly did that and hence was not able +to reliably tell whether an external interruption loop is happening or +not. False negatives cause spurious failures of my kvm-unit-test +for extint loops[1] under PV. + +Since code 20 is only caused under PV if and only if the guest's +ext_new_psw is enabled for external interrupts, false positive detection +of a external interruption loop can not happen. + +Fix this issue by instead looking at the guest PSW in the state +description. Since the PSW swap for external interrupt is done by the +ultravisor before the intercept is caused, this reliably tells whether +the guest is enabled for external interrupts in the ext_new_psw. + +Also update the comments to explain better what is happening. + +[1] https://lore.kernel.org/kvm/20220812062151.1980937-4-nrb@linux.ibm.com/ + +Signed-off-by: Nico Boehr +Reviewed-by: Janosch Frank +Reviewed-by: Christian Borntraeger +Fixes: 201ae986ead7 ("KVM: s390: protvirt: Implement interrupt injection") +Link: https://lore.kernel.org/r/20230213085520.100756-2-nrb@linux.ibm.com +Message-Id: <20230213085520.100756-2-nrb@linux.ibm.com> +Signed-off-by: Janosch Frank +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/intercept.c | 32 ++++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c +index 0ee02dae14b2b..2cda8d9d7c6ef 100644 +--- a/arch/s390/kvm/intercept.c ++++ b/arch/s390/kvm/intercept.c +@@ -271,10 +271,18 @@ static int handle_prog(struct kvm_vcpu *vcpu) + * handle_external_interrupt - used for external interruption interceptions + * @vcpu: virtual cpu + * +- * This interception only occurs if the CPUSTAT_EXT_INT bit was set, or if +- * the new PSW does not have external interrupts disabled. In the first case, +- * we've got to deliver the interrupt manually, and in the second case, we +- * drop to userspace to handle the situation there. ++ * This interception occurs if: ++ * - the CPUSTAT_EXT_INT bit was already set when the external interrupt ++ * occurred. In this case, the interrupt needs to be injected manually to ++ * preserve interrupt priority. ++ * - the external new PSW has external interrupts enabled, which will cause an ++ * interruption loop. We drop to userspace in this case. ++ * ++ * The latter case can be detected by inspecting the external mask bit in the ++ * external new psw. ++ * ++ * Under PV, only the latter case can occur, since interrupt priorities are ++ * handled in the ultravisor. + */ + static int handle_external_interrupt(struct kvm_vcpu *vcpu) + { +@@ -285,10 +293,18 @@ static int handle_external_interrupt(struct kvm_vcpu *vcpu) + + vcpu->stat.exit_external_interrupt++; + +- rc = read_guest_lc(vcpu, __LC_EXT_NEW_PSW, &newpsw, sizeof(psw_t)); +- if (rc) +- return rc; +- /* We can not handle clock comparator or timer interrupt with bad PSW */ ++ if (kvm_s390_pv_cpu_is_protected(vcpu)) { ++ newpsw = vcpu->arch.sie_block->gpsw; ++ } else { ++ rc = read_guest_lc(vcpu, __LC_EXT_NEW_PSW, &newpsw, sizeof(psw_t)); ++ if (rc) ++ return rc; ++ } ++ ++ /* ++ * Clock comparator or timer interrupt with external interrupt enabled ++ * will cause interrupt loop. Drop to userspace. ++ */ + if ((eic == EXT_IRQ_CLK_COMP || eic == EXT_IRQ_CPU_TIMER) && + (newpsw.mask & PSW_MASK_EXT)) + return -EOPNOTSUPP; +-- +2.39.2 + diff --git a/queue-6.2/l2tp-generate-correct-module-alias-strings.patch b/queue-6.2/l2tp-generate-correct-module-alias-strings.patch new file mode 100644 index 00000000000..00a2a3df17a --- /dev/null +++ b/queue-6.2/l2tp-generate-correct-module-alias-strings.patch @@ -0,0 +1,82 @@ +From 12de266019186d49559737a12292ab5272a47c90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 11:54:42 +0200 +Subject: l2tp: generate correct module alias strings + +From: Andrea Righi + +[ Upstream commit 154e07c164859fc90bf4e8143f2f6c1af9f3a35e ] + +Commit 65b32f801bfb ("uapi: move IPPROTO_L2TP to in.h") moved the +definition of IPPROTO_L2TP from a define to an enum, but since +__stringify doesn't work properly with enums, we ended up breaking the +modalias strings for the l2tp modules: + + $ modinfo l2tp_ip l2tp_ip6 | grep alias + alias: net-pf-2-proto-IPPROTO_L2TP + alias: net-pf-2-proto-2-type-IPPROTO_L2TP + alias: net-pf-10-proto-IPPROTO_L2TP + alias: net-pf-10-proto-2-type-IPPROTO_L2TP + +Use the resolved number directly in MODULE_ALIAS_*() macros (as we +already do with SOCK_DGRAM) to fix the alias strings: + +$ modinfo l2tp_ip l2tp_ip6 | grep alias +alias: net-pf-2-proto-115 +alias: net-pf-2-proto-115-type-2 +alias: net-pf-10-proto-115 +alias: net-pf-10-proto-115-type-2 + +Moreover, fix the ordering of the parameters passed to +MODULE_ALIAS_NET_PF_PROTO_TYPE() by switching proto and type. + +Fixes: 65b32f801bfb ("uapi: move IPPROTO_L2TP to in.h") +Link: https://lore.kernel.org/lkml/ZCQt7hmodtUaBlCP@righiandr-XPS-13-7390 +Signed-off-by: Guillaume Nault +Signed-off-by: Andrea Righi +Reviewed-by: Wojciech Drewek +Tested-by: Wojciech Drewek +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_ip.c | 8 ++++---- + net/l2tp/l2tp_ip6.c | 8 ++++---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c +index 4db5a554bdbd9..41a74fc84ca13 100644 +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -677,8 +677,8 @@ MODULE_AUTHOR("James Chapman "); + MODULE_DESCRIPTION("L2TP over IP"); + MODULE_VERSION("1.0"); + +-/* Use the value of SOCK_DGRAM (2) directory, because __stringify doesn't like +- * enums ++/* Use the values of SOCK_DGRAM (2) as type and IPPROTO_L2TP (115) as protocol, ++ * because __stringify doesn't like enums + */ +-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 2, IPPROTO_L2TP); +-MODULE_ALIAS_NET_PF_PROTO(PF_INET, IPPROTO_L2TP); ++MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 115, 2); ++MODULE_ALIAS_NET_PF_PROTO(PF_INET, 115); +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index 2478aa60145fb..5137ea1861ce2 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -806,8 +806,8 @@ MODULE_AUTHOR("Chris Elston "); + MODULE_DESCRIPTION("L2TP IP encapsulation for IPv6"); + MODULE_VERSION("1.0"); + +-/* Use the value of SOCK_DGRAM (2) directory, because __stringify doesn't like +- * enums ++/* Use the values of SOCK_DGRAM (2) as type and IPPROTO_L2TP (115) as protocol, ++ * because __stringify doesn't like enums + */ +-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 2, IPPROTO_L2TP); +-MODULE_ALIAS_NET_PF_PROTO(PF_INET6, IPPROTO_L2TP); ++MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 115, 2); ++MODULE_ALIAS_NET_PF_PROTO(PF_INET6, 115); +-- +2.39.2 + diff --git a/queue-6.2/net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch b/queue-6.2/net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch new file mode 100644 index 00000000000..cc05cb0a7ab --- /dev/null +++ b/queue-6.2/net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch @@ -0,0 +1,80 @@ +From d01f525250bcfa6a4000d61e33e78ba100414975 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 19:21:44 -0700 +Subject: net: don't let netpoll invoke NAPI if in xmit context + +From: Jakub Kicinski + +[ Upstream commit 275b471e3d2daf1472ae8fa70dc1b50c9e0b9e75 ] + +Commit 0db3dc73f7a3 ("[NETPOLL]: tx lock deadlock fix") narrowed +down the region under netif_tx_trylock() inside netpoll_send_skb(). +(At that point in time netif_tx_trylock() would lock all queues of +the device.) Taking the tx lock was problematic because driver's +cleanup method may take the same lock. So the change made us hold +the xmit lock only around xmit, and expected the driver to take +care of locking within ->ndo_poll_controller(). + +Unfortunately this only works if netpoll isn't itself called with +the xmit lock already held. Netpoll code is careful and uses +trylock(). The drivers, however, may be using plain lock(). +Printing while holding the xmit lock is going to result in rare +deadlocks. + +Luckily we record the xmit lock owners, so we can scan all the queues, +the same way we scan NAPI owners. If any of the xmit locks is held +by the local CPU we better not attempt any polling. + +It would be nice if we could narrow down the check to only the NAPIs +and the queue we're trying to use. I don't see a way to do that now. + +Reported-by: Roman Gushchin +Fixes: 0db3dc73f7a3 ("[NETPOLL]: tx lock deadlock fix") +Signed-off-by: Jakub Kicinski +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/netpoll.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 9be762e1d0428..4ac8d0ad9f6fc 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -137,6 +137,20 @@ static void queue_process(struct work_struct *work) + } + } + ++static int netif_local_xmit_active(struct net_device *dev) ++{ ++ int i; ++ ++ for (i = 0; i < dev->num_tx_queues; i++) { ++ struct netdev_queue *txq = netdev_get_tx_queue(dev, i); ++ ++ if (READ_ONCE(txq->xmit_lock_owner) == smp_processor_id()) ++ return 1; ++ } ++ ++ return 0; ++} ++ + static void poll_one_napi(struct napi_struct *napi) + { + int work; +@@ -183,7 +197,10 @@ void netpoll_poll_dev(struct net_device *dev) + if (!ni || down_trylock(&ni->dev_lock)) + return; + +- if (!netif_running(dev)) { ++ /* Some drivers will take the same locks in poll and xmit, ++ * we can't poll if local CPU is already in xmit. ++ */ ++ if (!netif_running(dev) || netif_local_xmit_active(dev)) { + up(&ni->dev_lock); + return; + } +-- +2.39.2 + diff --git a/queue-6.2/net-dsa-mv88e6xxx-reset-mv88e6393x-force-wd-event-bi.patch b/queue-6.2/net-dsa-mv88e6xxx-reset-mv88e6393x-force-wd-event-bi.patch new file mode 100644 index 00000000000..681abefe890 --- /dev/null +++ b/queue-6.2/net-dsa-mv88e6xxx-reset-mv88e6393x-force-wd-event-bi.patch @@ -0,0 +1,91 @@ +From 091025df6e2cc974b706305d3c446f7e86829577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 10:40:13 +0200 +Subject: net: dsa: mv88e6xxx: Reset mv88e6393x force WD event bit + +From: Gustav Ekelund + +[ Upstream commit 089b91a0155c4de1209a07ff2a7dd299ff3ece47 ] + +The force watchdog event bit is not cleared during SW reset in the +mv88e6393x switch. This is a different behavior compared to mv886390 which +clears the force WD event bit as advertised. This causes a force WD event +to be handled over and over again as the SW reset following the event never +clears the force WD event bit. + +Explicitly clear the watchdog event register to 0 in irq_action when +handling an event to prevent the switch from sending continuous interrupts. +Marvell aren't aware of any other stuck bits apart from the force WD +bit. + +Fixes: de776d0d316f ("net: dsa: mv88e6xxx: add support for mv88e6393x family" +Signed-off-by: Gustav Ekelund +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + drivers/net/dsa/mv88e6xxx/global2.c | 20 ++++++++++++++++++++ + drivers/net/dsa/mv88e6xxx/global2.h | 1 + + 3 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 8211a4d373e81..e57d86484a3a4 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -5518,7 +5518,7 @@ static const struct mv88e6xxx_ops mv88e6393x_ops = { + * .port_set_upstream_port method. + */ + .set_egress_port = mv88e6393x_set_egress_port, +- .watchdog_ops = &mv88e6390_watchdog_ops, ++ .watchdog_ops = &mv88e6393x_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6393x_port_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, + .reset = mv88e6352_g1_reset, +diff --git a/drivers/net/dsa/mv88e6xxx/global2.c b/drivers/net/dsa/mv88e6xxx/global2.c +index fa65ecd9cb853..ec49939968fac 100644 +--- a/drivers/net/dsa/mv88e6xxx/global2.c ++++ b/drivers/net/dsa/mv88e6xxx/global2.c +@@ -931,6 +931,26 @@ const struct mv88e6xxx_irq_ops mv88e6390_watchdog_ops = { + .irq_free = mv88e6390_watchdog_free, + }; + ++static int mv88e6393x_watchdog_action(struct mv88e6xxx_chip *chip, int irq) ++{ ++ mv88e6390_watchdog_action(chip, irq); ++ ++ /* Fix for clearing the force WD event bit. ++ * Unreleased erratum on mv88e6393x. ++ */ ++ mv88e6xxx_g2_write(chip, MV88E6390_G2_WDOG_CTL, ++ MV88E6390_G2_WDOG_CTL_UPDATE | ++ MV88E6390_G2_WDOG_CTL_PTR_EVENT); ++ ++ return IRQ_HANDLED; ++} ++ ++const struct mv88e6xxx_irq_ops mv88e6393x_watchdog_ops = { ++ .irq_action = mv88e6393x_watchdog_action, ++ .irq_setup = mv88e6390_watchdog_setup, ++ .irq_free = mv88e6390_watchdog_free, ++}; ++ + static irqreturn_t mv88e6xxx_g2_watchdog_thread_fn(int irq, void *dev_id) + { + struct mv88e6xxx_chip *chip = dev_id; +diff --git a/drivers/net/dsa/mv88e6xxx/global2.h b/drivers/net/dsa/mv88e6xxx/global2.h +index 7536b8b0ad011..c05fad5c9f19d 100644 +--- a/drivers/net/dsa/mv88e6xxx/global2.h ++++ b/drivers/net/dsa/mv88e6xxx/global2.h +@@ -363,6 +363,7 @@ int mv88e6xxx_g2_device_mapping_write(struct mv88e6xxx_chip *chip, int target, + extern const struct mv88e6xxx_irq_ops mv88e6097_watchdog_ops; + extern const struct mv88e6xxx_irq_ops mv88e6250_watchdog_ops; + extern const struct mv88e6xxx_irq_ops mv88e6390_watchdog_ops; ++extern const struct mv88e6xxx_irq_ops mv88e6393x_watchdog_ops; + + extern const struct mv88e6xxx_avb_ops mv88e6165_avb_ops; + extern const struct mv88e6xxx_avb_ops mv88e6352_avb_ops; +-- +2.39.2 + diff --git a/queue-6.2/net-ethernet-mtk_eth_soc-fix-remaining-throughput-re.patch b/queue-6.2/net-ethernet-mtk_eth_soc-fix-remaining-throughput-re.patch new file mode 100644 index 00000000000..cbb5e844f73 --- /dev/null +++ b/queue-6.2/net-ethernet-mtk_eth_soc-fix-remaining-throughput-re.patch @@ -0,0 +1,56 @@ +From 170d343347c5528f700dec96a59d62a57a2c102f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 14:49:59 +0200 +Subject: net: ethernet: mtk_eth_soc: fix remaining throughput regression + +From: Felix Fietkau + +[ Upstream commit e669ce46740a9815953bb4452a6bc5a7fdc21a50 ] + +Based on further tests, it seems that the QDMA shaper is not able to +perform shaping close to the MAC link rate without throughput loss. +This cannot be compensated by increasing the shaping rate, so it seems +to be an internal limit. + +Fix the remaining throughput regression by detecting that condition and +limiting shaping to ports with lower link speed. + +This patch intentionally ignores link speed gain from TRGMII, because +even on such links, shaping to 1000 Mbit/s incurs some throughput +degradation. + +Fixes: f63959c7eec3 ("net: ethernet: mtk_eth_soc: implement multi-queue support for per-port queues") +Tested-By: Frank Wunderlich +Reported-by: Frank Wunderlich +Signed-off-by: Felix Fietkau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index bd7c18c839d42..f56d4e7d4ae5d 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -703,6 +703,7 @@ static void mtk_mac_link_up(struct phylink_config *config, + MAC_MCR_FORCE_RX_FC); + + /* Configure speed */ ++ mac->speed = speed; + switch (speed) { + case SPEED_2500: + case SPEED_1000: +@@ -3169,6 +3170,9 @@ static int mtk_device_event(struct notifier_block *n, unsigned long event, void + if (dp->index >= MTK_QDMA_NUM_QUEUES) + return NOTIFY_DONE; + ++ if (mac->speed > 0 && mac->speed <= s.base.speed) ++ s.base.speed = 0; ++ + mtk_set_queue_speed(eth, dp->index + 3, s.base.speed); + + return NOTIFY_DONE; +-- +2.39.2 + diff --git a/queue-6.2/net-ethernet-ti-am65-cpsw-fix-mdio-cleanup-in-probe.patch b/queue-6.2/net-ethernet-ti-am65-cpsw-fix-mdio-cleanup-in-probe.patch new file mode 100644 index 00000000000..91acf2530d0 --- /dev/null +++ b/queue-6.2/net-ethernet-ti-am65-cpsw-fix-mdio-cleanup-in-probe.patch @@ -0,0 +1,57 @@ +From 3c5097ea3b2f5c871b5e8343c513bed562eb10ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 14:33:21 +0530 +Subject: net: ethernet: ti: am65-cpsw: Fix mdio cleanup in probe + +From: Siddharth Vadapalli + +[ Upstream commit c6b486fb33680ad5a3a6390ce693c835caaae3f7 ] + +In the am65_cpsw_nuss_probe() function's cleanup path, the call to +of_platform_device_destroy() for the common->mdio_dev device is invoked +unconditionally. It is possible that either the MDIO node is not present +in the device-tree, or the MDIO node is disabled in the device-tree. In +both these cases, the MDIO device is not created, resulting in a NULL +pointer dereference when the of_platform_device_destroy() function is +invoked on the common->mdio_dev device on the cleanup path. + +Fix this by ensuring that the common->mdio_dev device exists, before +attempting to invoke of_platform_device_destroy(). + +Fixes: a45cfcc69a25 ("net: ethernet: ti: am65-cpsw-nuss: use of_platform_device_create() for mdio") +Signed-off-by: Siddharth Vadapalli +Reviewed-by: Roger Quadros +Link: https://lore.kernel.org/r/20230403090321.835877-1-s-vadapalli@ti.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 3e17152798554..9286b2b3353e3 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -2854,7 +2854,8 @@ static int am65_cpsw_nuss_probe(struct platform_device *pdev) + am65_cpsw_nuss_phylink_cleanup(common); + am65_cpts_release(common->cpts); + err_of_clear: +- of_platform_device_destroy(common->mdio_dev, NULL); ++ if (common->mdio_dev) ++ of_platform_device_destroy(common->mdio_dev, NULL); + err_pm_clear: + pm_runtime_put_sync(dev); + pm_runtime_disable(dev); +@@ -2883,7 +2884,8 @@ static int am65_cpsw_nuss_remove(struct platform_device *pdev) + am65_cpsw_nuss_phylink_cleanup(common); + am65_cpts_release(common->cpts); + +- of_platform_device_destroy(common->mdio_dev, NULL); ++ if (common->mdio_dev) ++ of_platform_device_destroy(common->mdio_dev, NULL); + + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); +-- +2.39.2 + diff --git a/queue-6.2/net-phylink-add-phylink_expects_phy-method.patch b/queue-6.2/net-phylink-add-phylink_expects_phy-method.patch new file mode 100644 index 00000000000..18d0d41cadc --- /dev/null +++ b/queue-6.2/net-phylink-add-phylink_expects_phy-method.patch @@ -0,0 +1,71 @@ +From c2d771e27b6525a0cf5d3982e47f9cbf2ff46da3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 17:14:02 +0800 +Subject: net: phylink: add phylink_expects_phy() method + +From: Michael Sit Wei Hong + +[ Upstream commit 653a180957a85c3fc30320cc7e84f5dc913a64f8 ] + +Provide phylink_expects_phy() to allow MAC drivers to check if it +is expecting a PHY to attach to. Since fixed-linked setups do not +need to attach to a PHY. + +Provides a boolean value as to if the MAC should expect a PHY. +Returns true if a PHY is expected. + +Reviewed-by: Russell King (Oracle) +Signed-off-by: Michael Sit Wei Hong +Signed-off-by: David S. Miller +Stable-dep-of: fe2cfbc96803 ("net: stmmac: check if MAC needs to attach to a PHY") +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phylink.c | 19 +++++++++++++++++++ + include/linux/phylink.h | 1 + + 2 files changed, 20 insertions(+) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 4d2519cdb8012..bf8a8ed5d5d7b 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -1571,6 +1571,25 @@ void phylink_destroy(struct phylink *pl) + } + EXPORT_SYMBOL_GPL(phylink_destroy); + ++/** ++ * phylink_expects_phy() - Determine if phylink expects a phy to be attached ++ * @pl: a pointer to a &struct phylink returned from phylink_create() ++ * ++ * When using fixed-link mode, or in-band mode with 1000base-X or 2500base-X, ++ * no PHY is needed. ++ * ++ * Returns true if phylink will be expecting a PHY. ++ */ ++bool phylink_expects_phy(struct phylink *pl) ++{ ++ if (pl->cfg_link_an_mode == MLO_AN_FIXED || ++ (pl->cfg_link_an_mode == MLO_AN_INBAND && ++ phy_interface_mode_is_8023z(pl->link_config.interface))) ++ return false; ++ return true; ++} ++EXPORT_SYMBOL_GPL(phylink_expects_phy); ++ + static void phylink_phy_change(struct phy_device *phydev, bool up) + { + struct phylink *pl = phydev->phylink; +diff --git a/include/linux/phylink.h b/include/linux/phylink.h +index c492c26202b5b..637698ed5cb6c 100644 +--- a/include/linux/phylink.h ++++ b/include/linux/phylink.h +@@ -574,6 +574,7 @@ struct phylink *phylink_create(struct phylink_config *, struct fwnode_handle *, + phy_interface_t iface, + const struct phylink_mac_ops *mac_ops); + void phylink_destroy(struct phylink *); ++bool phylink_expects_phy(struct phylink *pl); + + int phylink_connect_phy(struct phylink *, struct phy_device *); + int phylink_of_phy_connect(struct phylink *, struct device_node *, u32 flags); +-- +2.39.2 + diff --git a/queue-6.2/net-qrtr-do-not-do-del_server-broadcast-after-del_cl.patch b/queue-6.2/net-qrtr-do-not-do-del_server-broadcast-after-del_cl.patch new file mode 100644 index 00000000000..5f4d88e5a68 --- /dev/null +++ b/queue-6.2/net-qrtr-do-not-do-del_server-broadcast-after-del_cl.patch @@ -0,0 +1,94 @@ +From e0423aea0067f6c3305dfe5e8efbd2f7519b5c7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 12:28:51 +0530 +Subject: net: qrtr: Do not do DEL_SERVER broadcast after DEL_CLIENT + +From: Sricharan Ramabadhran + +[ Upstream commit 839349d13905927d8a567ca4d21d88c82028e31d ] + +On the remote side, when QRTR socket is removed, af_qrtr will call +qrtr_port_remove() which broadcasts the DEL_CLIENT packet to all neighbours +including local NS. NS upon receiving the DEL_CLIENT packet, will remove +the lookups associated with the node:port and broadcasts the DEL_SERVER +packet. + +But on the host side, due to the arrival of the DEL_CLIENT packet, the NS +would've already deleted the server belonging to that port. So when the +remote's NS again broadcasts the DEL_SERVER for that port, it throws below +error message on the host: + +"failed while handling packet from 2:-2" + +So fix this error by not broadcasting the DEL_SERVER packet when the +DEL_CLIENT packet gets processed." + +Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Ram Kumar Dharuman +Signed-off-by: Sricharan Ramabadhran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/ns.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c +index e595079c2cafe..3e40a1ba48f79 100644 +--- a/net/qrtr/ns.c ++++ b/net/qrtr/ns.c +@@ -273,7 +273,7 @@ static struct qrtr_server *server_add(unsigned int service, + return NULL; + } + +-static int server_del(struct qrtr_node *node, unsigned int port) ++static int server_del(struct qrtr_node *node, unsigned int port, bool bcast) + { + struct qrtr_lookup *lookup; + struct qrtr_server *srv; +@@ -286,7 +286,7 @@ static int server_del(struct qrtr_node *node, unsigned int port) + radix_tree_delete(&node->servers, port); + + /* Broadcast the removal of local servers */ +- if (srv->node == qrtr_ns.local_node) ++ if (srv->node == qrtr_ns.local_node && bcast) + service_announce_del(&qrtr_ns.bcast_sq, srv); + + /* Announce the service's disappearance to observers */ +@@ -372,7 +372,7 @@ static int ctrl_cmd_bye(struct sockaddr_qrtr *from) + } + slot = radix_tree_iter_resume(slot, &iter); + rcu_read_unlock(); +- server_del(node, srv->port); ++ server_del(node, srv->port, true); + rcu_read_lock(); + } + rcu_read_unlock(); +@@ -458,10 +458,13 @@ static int ctrl_cmd_del_client(struct sockaddr_qrtr *from, + kfree(lookup); + } + +- /* Remove the server belonging to this port */ ++ /* Remove the server belonging to this port but don't broadcast ++ * DEL_SERVER. Neighbours would've already removed the server belonging ++ * to this port due to the DEL_CLIENT broadcast from qrtr_port_remove(). ++ */ + node = node_get(node_id); + if (node) +- server_del(node, port); ++ server_del(node, port, false); + + /* Advertise the removal of this client to all local servers */ + local_node = node_get(qrtr_ns.local_node); +@@ -566,7 +569,7 @@ static int ctrl_cmd_del_server(struct sockaddr_qrtr *from, + if (!node) + return -ENOENT; + +- return server_del(node, port); ++ return server_del(node, port, true); + } + + static int ctrl_cmd_new_lookup(struct sockaddr_qrtr *from, +-- +2.39.2 + diff --git a/queue-6.2/net-qrtr-fix-a-refcount-bug-in-qrtr_recvmsg.patch b/queue-6.2/net-qrtr-fix-a-refcount-bug-in-qrtr_recvmsg.patch new file mode 100644 index 00000000000..1206a6b1592 --- /dev/null +++ b/queue-6.2/net-qrtr-fix-a-refcount-bug-in-qrtr_recvmsg.patch @@ -0,0 +1,77 @@ +From 825470f7b65155197cac8c8c2ac73acf42878b6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 09:25:32 +0800 +Subject: net: qrtr: Fix a refcount bug in qrtr_recvmsg() + +From: Ziyang Xuan + +[ Upstream commit 44d807320000db0d0013372ad39b53e12d52f758 ] + +Syzbot reported a bug as following: + +refcount_t: addition on 0; use-after-free. +... +RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25 +... +Call Trace: + + __refcount_add include/linux/refcount.h:199 [inline] + __refcount_inc include/linux/refcount.h:250 [inline] + refcount_inc include/linux/refcount.h:267 [inline] + kref_get include/linux/kref.h:45 [inline] + qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline] + qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline] + qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline] + qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070 + sock_recvmsg_nosec net/socket.c:1017 [inline] + sock_recvmsg+0xe2/0x160 net/socket.c:1038 + qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688 + process_one_work+0x991/0x15c0 kernel/workqueue.c:2390 + worker_thread+0x669/0x1090 kernel/workqueue.c:2537 + +It occurs in the concurrent scenario of qrtr_recvmsg() and +qrtr_endpoint_unregister() as following: + + cpu0 cpu1 +qrtr_recvmsg qrtr_endpoint_unregister +qrtr_send_resume_tx qrtr_node_release +qrtr_node_lookup mutex_lock(&qrtr_node_lock) +spin_lock_irqsave(&qrtr_nodes_lock, ) refcount_dec_and_test(&node->ref) [node->ref == 0] +radix_tree_lookup [node != NULL] __qrtr_node_release +qrtr_node_acquire spin_lock_irqsave(&qrtr_nodes_lock, ) +kref_get(&node->ref) [WARNING] ... + mutex_unlock(&qrtr_node_lock) + +Use qrtr_node_lock to protect qrtr_node_lookup() implementation, this +is actually improving the protection of node reference. + +Fixes: 0a7e0d0ef054 ("net: qrtr: Migrate node lookup tree to spinlock") +Reported-by: syzbot+a7492efaa5d61b51db23@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=a7492efaa5d61b51db23 +Signed-off-by: Ziyang Xuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/af_qrtr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c +index 5c2fb992803b7..3a70255c8d02f 100644 +--- a/net/qrtr/af_qrtr.c ++++ b/net/qrtr/af_qrtr.c +@@ -393,10 +393,12 @@ static struct qrtr_node *qrtr_node_lookup(unsigned int nid) + struct qrtr_node *node; + unsigned long flags; + ++ mutex_lock(&qrtr_node_lock); + spin_lock_irqsave(&qrtr_nodes_lock, flags); + node = radix_tree_lookup(&qrtr_nodes, nid); + node = qrtr_node_acquire(node); + spin_unlock_irqrestore(&qrtr_nodes_lock, flags); ++ mutex_unlock(&qrtr_node_lock); + + return node; + } +-- +2.39.2 + diff --git a/queue-6.2/net-stmmac-check-fwnode-for-phy-device-before-scanni.patch b/queue-6.2/net-stmmac-check-fwnode-for-phy-device-before-scanni.patch new file mode 100644 index 00000000000..ca13f43bba2 --- /dev/null +++ b/queue-6.2/net-stmmac-check-fwnode-for-phy-device-before-scanni.patch @@ -0,0 +1,80 @@ +From 4ea6a14ebaa0d8b8c99bb265eb2872356dfb8609 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 10:45:41 +0800 +Subject: net: stmmac: check fwnode for phy device before scanning for phy + +From: Michael Sit Wei Hong + +[ Upstream commit 8fbc10b995a506e173f1080dfa2764f232a65e02 ] + +Some DT devices already have phy device configured in the DT/ACPI. +Current implementation scans for a phy unconditionally even though +there is a phy listed in the DT/ACPI and already attached. + +We should check the fwnode if there is any phy device listed in +fwnode and decide whether to scan for a phy to attach to. + +Fixes: fe2cfbc96803 ("net: stmmac: check if MAC needs to attach to a PHY") +Reported-by: Martin Blumenstingl +Link: https://lore.kernel.org/lkml/20230403212434.296975-1-martin.blumenstingl@googlemail.com/ +Tested-by: Guenter Roeck +Tested-by: Shahab Vahedi +Tested-by: Marek Szyprowski +Tested-by: Martin Blumenstingl +Suggested-by: Russell King (Oracle) +Signed-off-by: Michael Sit Wei Hong +Link: https://lore.kernel.org/r/20230406024541.3556305-1-michael.wei.hong.sit@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 4888536a31500..622b95bfb0b2b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1134,22 +1134,26 @@ static void stmmac_check_pcs_mode(struct stmmac_priv *priv) + static int stmmac_init_phy(struct net_device *dev) + { + struct stmmac_priv *priv = netdev_priv(dev); ++ struct fwnode_handle *phy_fwnode; + struct fwnode_handle *fwnode; +- bool phy_needed; + int ret; + ++ if (!phylink_expects_phy(priv->phylink)) ++ return 0; ++ + fwnode = of_fwnode_handle(priv->plat->phylink_node); + if (!fwnode) + fwnode = dev_fwnode(priv->device); + + if (fwnode) +- ret = phylink_fwnode_phy_connect(priv->phylink, fwnode, 0); ++ phy_fwnode = fwnode_get_phy_node(fwnode); ++ else ++ phy_fwnode = NULL; + +- phy_needed = phylink_expects_phy(priv->phylink); + /* Some DT bindings do not set-up the PHY handle. Let's try to + * manually parse it + */ +- if (!fwnode || phy_needed || ret) { ++ if (!phy_fwnode || IS_ERR(phy_fwnode)) { + int addr = priv->plat->phy_addr; + struct phy_device *phydev; + +@@ -1165,6 +1169,9 @@ static int stmmac_init_phy(struct net_device *dev) + } + + ret = phylink_connect_phy(priv->phylink, phydev); ++ } else { ++ fwnode_handle_put(phy_fwnode); ++ ret = phylink_fwnode_phy_connect(priv->phylink, fwnode, 0); + } + + if (!priv->plat->pmt) { +-- +2.39.2 + diff --git a/queue-6.2/net-stmmac-check-if-mac-needs-to-attach-to-a-phy.patch b/queue-6.2/net-stmmac-check-if-mac-needs-to-attach-to-a-phy.patch new file mode 100644 index 00000000000..641d4c999f0 --- /dev/null +++ b/queue-6.2/net-stmmac-check-if-mac-needs-to-attach-to-a-phy.patch @@ -0,0 +1,53 @@ +From a20446ec34e46403d932b93014f05611058b138e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 17:14:03 +0800 +Subject: net: stmmac: check if MAC needs to attach to a PHY + +From: Michael Sit Wei Hong + +[ Upstream commit fe2cfbc9680356a3d9f8adde8a38e715831e32f5 ] + +After the introduction of the fixed-link support, the MAC driver +no longer attempt to scan for a PHY to attach to. This causes the +non fixed-link setups to stop working. + +Using the phylink_expects_phy() to check and determine if the MAC +should expect and attach a PHY. + +Fixes: ab21cf920928 ("net: stmmac: make mdio register skips PHY scanning for fixed-link") +Signed-off-by: Michael Sit Wei Hong +Signed-off-by: Lai Peter Jun Ann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 7389718b4797b..20b51a39db38d 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1135,6 +1135,7 @@ static int stmmac_init_phy(struct net_device *dev) + { + struct stmmac_priv *priv = netdev_priv(dev); + struct fwnode_handle *fwnode; ++ bool phy_needed; + int ret; + + fwnode = of_fwnode_handle(priv->plat->phylink_node); +@@ -1144,10 +1145,11 @@ static int stmmac_init_phy(struct net_device *dev) + if (fwnode) + ret = phylink_fwnode_phy_connect(priv->phylink, fwnode, 0); + ++ phy_needed = phylink_expects_phy(priv->phylink); + /* Some DT bindings do not set-up the PHY handle. Let's try to + * manually parse it + */ +- if (!fwnode || ret) { ++ if (!fwnode || phy_needed || ret) { + int addr = priv->plat->phy_addr; + struct phy_device *phydev; + +-- +2.39.2 + diff --git a/queue-6.2/net-stmmac-fix-up-rx-flow-hash-indirection-table-whe.patch b/queue-6.2/net-stmmac-fix-up-rx-flow-hash-indirection-table-whe.patch new file mode 100644 index 00000000000..6ecff1e2db6 --- /dev/null +++ b/queue-6.2/net-stmmac-fix-up-rx-flow-hash-indirection-table-whe.patch @@ -0,0 +1,86 @@ +From 03949887d8c2a80bbe164d62ce87e0451e6d57b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 14:11:20 +0200 +Subject: net: stmmac: fix up RX flow hash indirection table when setting + channels + +From: Corinna Vinschen + +[ Upstream commit 218c597325f4faf7b7a6049233a30d7842b5b2dc ] + +stmmac_reinit_queues() fails to fix up the RX hash. Even if the number +of channels gets restricted, the output of `ethtool -x' indicates that +all RX queues are used: + + $ ethtool -l enp0s29f2 + Channel parameters for enp0s29f2: + Pre-set maximums: + RX: 8 + TX: 8 + Other: n/a + Combined: n/a + Current hardware settings: + RX: 8 + TX: 8 + Other: n/a + Combined: n/a + $ ethtool -x enp0s29f2 + RX flow hash indirection table for enp0s29f2 with 8 RX ring(s): + 0: 0 1 2 3 4 5 6 7 + 8: 0 1 2 3 4 5 6 7 + [...] + $ ethtool -L enp0s29f2 rx 3 + $ ethtool -x enp0s29f2 + RX flow hash indirection table for enp0s29f2 with 3 RX ring(s): + 0: 0 1 2 3 4 5 6 7 + 8: 0 1 2 3 4 5 6 7 + [...] + +Fix this by setting the indirection table according to the number +of specified queues. The result is now as expected: + + $ ethtool -L enp0s29f2 rx 3 + $ ethtool -x enp0s29f2 + RX flow hash indirection table for enp0s29f2 with 3 RX ring(s): + 0: 0 1 2 0 1 2 0 1 + 8: 2 0 1 2 0 1 2 0 + [...] + +Tested on Intel Elkhart Lake. + +Fixes: 0366f7e06a6b ("net: stmmac: add ethtool support for get/set channels") +Signed-off-by: Corinna Vinschen +Link: https://lore.kernel.org/r/20230403121120.489138-1-vinschen@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 20b51a39db38d..4888536a31500 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -6948,7 +6948,7 @@ static void stmmac_napi_del(struct net_device *dev) + int stmmac_reinit_queues(struct net_device *dev, u32 rx_cnt, u32 tx_cnt) + { + struct stmmac_priv *priv = netdev_priv(dev); +- int ret = 0; ++ int ret = 0, i; + + if (netif_running(dev)) + stmmac_release(dev); +@@ -6957,6 +6957,10 @@ int stmmac_reinit_queues(struct net_device *dev, u32 rx_cnt, u32 tx_cnt) + + priv->plat->rx_queues_to_use = rx_cnt; + priv->plat->tx_queues_to_use = tx_cnt; ++ if (!netif_is_rxfh_configured(dev)) ++ for (i = 0; i < ARRAY_SIZE(priv->rss.table); i++) ++ priv->rss.table[i] = ethtool_rxfh_indir_default(i, ++ rx_cnt); + + stmmac_napi_add(dev); + +-- +2.39.2 + diff --git a/queue-6.2/net-stmmac-remove-redundant-fixup-to-support-fixed-l.patch b/queue-6.2/net-stmmac-remove-redundant-fixup-to-support-fixed-l.patch new file mode 100644 index 00000000000..8247b60a2d4 --- /dev/null +++ b/queue-6.2/net-stmmac-remove-redundant-fixup-to-support-fixed-l.patch @@ -0,0 +1,43 @@ +From 45d7677c6d607354dee8488a8a8316a92d454622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 17:14:04 +0800 +Subject: net: stmmac: remove redundant fixup to support fixed-link mode + +From: Michael Sit Wei Hong + +[ Upstream commit 6fc21a6ed5953b1dd3a41ce7be1ea57f5ef8c081 ] + +Currently, intel_speed_mode_2500() will fix-up xpcs_an_inband +to 1 if the underlying controller has a max speed of 1000Mbps. +The value has been initialized and modified if it is +a fixed-linked setup earlier. + +This patch removes the fix-up to allow for fixed-linked setup +support. In stmmac_phy_setup(), ovr_an_inband is set based on +the value of xpcs_an_inband. Which in turn will return an +error in phylink_parse_mode() where MLO_AN_FIXED and +ovr_an_inband are both set. + +Fixes: c82386310d95 ("stmmac: intel: prepare to support 1000BASE-X phy interface setting") +Signed-off-by: Michael Sit Wei Hong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c +index 13aa919633b47..ab9f876b6df7e 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c +@@ -251,7 +251,6 @@ static void intel_speed_mode_2500(struct net_device *ndev, void *intel_data) + priv->plat->mdio_bus_data->xpcs_an_inband = false; + } else { + priv->plat->max_speed = 1000; +- priv->plat->mdio_bus_data->xpcs_an_inband = true; + } + } + +-- +2.39.2 + diff --git a/queue-6.2/netlink-annotate-lockless-accesses-to-nlk-max_recvms.patch b/queue-6.2/netlink-annotate-lockless-accesses-to-nlk-max_recvms.patch new file mode 100644 index 00000000000..d2969229826 --- /dev/null +++ b/queue-6.2/netlink-annotate-lockless-accesses-to-nlk-max_recvms.patch @@ -0,0 +1,111 @@ +From 19c714893a1dc51c566ccd292e30566ecda7957b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 21:46:43 +0000 +Subject: netlink: annotate lockless accesses to nlk->max_recvmsg_len + +From: Eric Dumazet + +[ Upstream commit a1865f2e7d10dde00d35a2122b38d2e469ae67ed ] + +syzbot reported a data-race in data-race in netlink_recvmsg() [1] + +Indeed, netlink_recvmsg() can be run concurrently, +and netlink_dump() also needs protection. + +[1] +BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg + +read to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0: +netlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988 +sock_recvmsg_nosec net/socket.c:1017 [inline] +sock_recvmsg net/socket.c:1038 [inline] +__sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194 +__do_sys_recvfrom net/socket.c:2212 [inline] +__se_sys_recvfrom net/socket.c:2208 [inline] +__x64_sys_recvfrom+0x78/0x90 net/socket.c:2208 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +write to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1: +netlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989 +sock_recvmsg_nosec net/socket.c:1017 [inline] +sock_recvmsg net/socket.c:1038 [inline] +____sys_recvmsg+0x156/0x310 net/socket.c:2720 +___sys_recvmsg net/socket.c:2762 [inline] +do_recvmmsg+0x2e5/0x710 net/socket.c:2856 +__sys_recvmmsg net/socket.c:2935 [inline] +__do_sys_recvmmsg net/socket.c:2958 [inline] +__se_sys_recvmmsg net/socket.c:2951 [inline] +__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x0000000000000000 -> 0x0000000000001000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 + +Fixes: 9063e21fb026 ("netlink: autosize skb lengthes") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230403214643.768555-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index c642776597531..f365dfdd672d7 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1952,7 +1952,7 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + struct scm_cookie scm; + struct sock *sk = sock->sk; + struct netlink_sock *nlk = nlk_sk(sk); +- size_t copied; ++ size_t copied, max_recvmsg_len; + struct sk_buff *skb, *data_skb; + int err, ret; + +@@ -1985,9 +1985,10 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + #endif + + /* Record the max length of recvmsg() calls for future allocations */ +- nlk->max_recvmsg_len = max(nlk->max_recvmsg_len, len); +- nlk->max_recvmsg_len = min_t(size_t, nlk->max_recvmsg_len, +- SKB_WITH_OVERHEAD(32768)); ++ max_recvmsg_len = max(READ_ONCE(nlk->max_recvmsg_len), len); ++ max_recvmsg_len = min_t(size_t, max_recvmsg_len, ++ SKB_WITH_OVERHEAD(32768)); ++ WRITE_ONCE(nlk->max_recvmsg_len, max_recvmsg_len); + + copied = data_skb->len; + if (len < copied) { +@@ -2236,6 +2237,7 @@ static int netlink_dump(struct sock *sk) + struct netlink_ext_ack extack = {}; + struct netlink_callback *cb; + struct sk_buff *skb = NULL; ++ size_t max_recvmsg_len; + struct module *module; + int err = -ENOBUFS; + int alloc_min_size; +@@ -2258,8 +2260,9 @@ static int netlink_dump(struct sock *sk) + cb = &nlk->cb; + alloc_min_size = max_t(int, cb->min_dump_alloc, NLMSG_GOODSIZE); + +- if (alloc_min_size < nlk->max_recvmsg_len) { +- alloc_size = nlk->max_recvmsg_len; ++ max_recvmsg_len = READ_ONCE(nlk->max_recvmsg_len); ++ if (alloc_min_size < max_recvmsg_len) { ++ alloc_size = max_recvmsg_len; + skb = alloc_skb(alloc_size, + (GFP_KERNEL & ~__GFP_DIRECT_RECLAIM) | + __GFP_NOWARN | __GFP_NORETRY); +-- +2.39.2 + diff --git a/queue-6.2/nfsd-avoid-calling-opdesc-with-ops-opnum-op_illegal.patch b/queue-6.2/nfsd-avoid-calling-opdesc-with-ops-opnum-op_illegal.patch new file mode 100644 index 00000000000..ca26d2258b9 --- /dev/null +++ b/queue-6.2/nfsd-avoid-calling-opdesc-with-ops-opnum-op_illegal.patch @@ -0,0 +1,54 @@ +From 805c12e6bec2269a6e847b3fd90fc64906a5446f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 16:31:19 -0400 +Subject: NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL + +From: Chuck Lever + +[ Upstream commit 804d8e0a6e54427268790472781e03bc243f4ee3 ] + +OPDESC() simply indexes into nfsd4_ops[] by the op's operation +number, without range checking that value. It assumes callers are +careful to avoid calling it with an out-of-bounds opnum value. + +nfsd4_decode_compound() is not so careful, and can invoke OPDESC() +with opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end +of nfsd4_ops[]. + +Reported-by: Jeff Layton +Fixes: f4f9ef4a1b0a ("nfsd4: opdesc will be useful outside nfs4proc.c") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4xdr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index 97edb32be77f1..67bbd2d6334c4 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -2476,10 +2476,12 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp) + for (i = 0; i < argp->opcnt; i++) { + op = &argp->ops[i]; + op->replay = NULL; ++ op->opdesc = NULL; + + if (xdr_stream_decode_u32(argp->xdr, &op->opnum) < 0) + return false; + if (nfsd4_opnum_in_range(argp, op)) { ++ op->opdesc = OPDESC(op); + op->status = nfsd4_dec_ops[op->opnum](argp, &op->u); + if (op->status != nfs_ok) + trace_nfsd_compound_decode_err(argp->rqstp, +@@ -2490,7 +2492,7 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp) + op->opnum = OP_ILLEGAL; + op->status = nfserr_op_illegal; + } +- op->opdesc = OPDESC(op); ++ + /* + * We'll try to cache the result in the DRC if any one + * op in the compound wants to be cached: +-- +2.39.2 + diff --git a/queue-6.2/nfsd-call-op_release-even-when-op_func-returns-an-er.patch b/queue-6.2/nfsd-call-op_release-even-when-op_func-returns-an-er.patch new file mode 100644 index 00000000000..bc9a41507d5 --- /dev/null +++ b/queue-6.2/nfsd-call-op_release-even-when-op_func-returns-an-er.patch @@ -0,0 +1,82 @@ +From 7e93c4918a5d67646e89f41e7c9cf6f13c6953ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 06:21:37 -0400 +Subject: nfsd: call op_release, even when op_func returns an error + +From: Jeff Layton + +[ Upstream commit 15a8b55dbb1ba154d82627547c5761cac884d810 ] + +For ops with "trivial" replies, nfsd4_encode_operation will shortcut +most of the encoding work and skip to just marshalling up the status. +One of the things it skips is calling op_release. This could cause a +memory leak in the layoutget codepath if there is an error at an +inopportune time. + +Have the compound processing engine always call op_release, even when +op_func sets an error in op->status. With this change, we also need +nfsd4_block_get_device_info_scsi to set the gd_device pointer to NULL +on error to avoid a double free. + +Reported-by: Zhi Li +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2181403 +Fixes: 34b1744c91cc ("nfsd4: define ->op_release for compound ops") +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/blocklayout.c | 1 + + fs/nfsd/nfs4xdr.c | 11 +++++------ + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/nfsd/blocklayout.c b/fs/nfsd/blocklayout.c +index 04697f8dc37d6..01d7fd108cf3d 100644 +--- a/fs/nfsd/blocklayout.c ++++ b/fs/nfsd/blocklayout.c +@@ -297,6 +297,7 @@ nfsd4_block_get_device_info_scsi(struct super_block *sb, + + out_free_dev: + kfree(dev); ++ gdp->gd_device = NULL; + return ret; + } + +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index 67bbd2d6334c4..7799835c2196e 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -5400,10 +5400,8 @@ nfsd4_encode_operation(struct nfsd4_compoundres *resp, struct nfsd4_op *op) + __be32 *p; + + p = xdr_reserve_space(xdr, 8); +- if (!p) { +- WARN_ON_ONCE(1); +- return; +- } ++ if (!p) ++ goto release; + *p++ = cpu_to_be32(op->opnum); + post_err_offset = xdr->buf->len; + +@@ -5418,8 +5416,6 @@ nfsd4_encode_operation(struct nfsd4_compoundres *resp, struct nfsd4_op *op) + op->status = encoder(resp, op->status, &op->u); + if (op->status) + trace_nfsd_compound_encode_err(rqstp, op->opnum, op->status); +- if (opdesc && opdesc->op_release) +- opdesc->op_release(&op->u); + xdr_commit_encode(xdr); + + /* nfsd4_check_resp_size guarantees enough room for error status */ +@@ -5460,6 +5456,9 @@ nfsd4_encode_operation(struct nfsd4_compoundres *resp, struct nfsd4_op *op) + } + status: + *p = op->status; ++release: ++ if (opdesc && opdesc->op_release) ++ opdesc->op_release(&op->u); + } + + /* +-- +2.39.2 + diff --git a/queue-6.2/nfsd-callback-request-does-not-use-correct-credentia.patch b/queue-6.2/nfsd-callback-request-does-not-use-correct-credentia.patch new file mode 100644 index 00000000000..378bc942e05 --- /dev/null +++ b/queue-6.2/nfsd-callback-request-does-not-use-correct-credentia.patch @@ -0,0 +1,43 @@ +From 33b26a886fa8b7a03d8af51c6c3a6c9c21a23d70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Apr 2023 13:22:08 -0700 +Subject: NFSD: callback request does not use correct credential for AUTH_SYS + +From: Dai Ngo + +[ Upstream commit 7de82c2f36fb26aa78440bbf0efcf360b691d98b ] + +Currently callback request does not use the credential specified in +CREATE_SESSION if the security flavor for the back channel is AUTH_SYS. + +Problem was discovered by pynfs 4.1 DELEG5 and DELEG7 test with error: +DELEG5 st_delegation.testCBSecParms : FAILURE + expected callback with uid, gid == 17, 19, got 0, 0 + +Signed-off-by: Dai Ngo +Reviewed-by: Jeff Layton +Fixes: 8276c902bbe9 ("SUNRPC: remove uid and gid from struct auth_cred") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4callback.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index 2a815f5a52c4b..4039ffcf90ba5 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -946,8 +946,8 @@ static const struct cred *get_backchannel_cred(struct nfs4_client *clp, struct r + if (!kcred) + return NULL; + +- kcred->uid = ses->se_cb_sec.uid; +- kcred->gid = ses->se_cb_sec.gid; ++ kcred->fsuid = ses->se_cb_sec.uid; ++ kcred->fsgid = ses->se_cb_sec.gid; + return kcred; + } + } +-- +2.39.2 + diff --git a/queue-6.2/ping-fix-potentail-null-deref-for-proc-net-icmp.patch b/queue-6.2/ping-fix-potentail-null-deref-for-proc-net-icmp.patch new file mode 100644 index 00000000000..0df260f037d --- /dev/null +++ b/queue-6.2/ping-fix-potentail-null-deref-for-proc-net-icmp.patch @@ -0,0 +1,63 @@ +From 9466b95455a98765b0364b6da11f2793bd52a0e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 12:49:59 -0700 +Subject: ping: Fix potentail NULL deref for /proc/net/icmp. + +From: Kuniyuki Iwashima + +[ Upstream commit ab5fb73ffa01072b4d8031cc05801fa1cb653bee ] + +After commit dbca1596bbb0 ("ping: convert to RCU lookups, get rid +of rwlock"), we use RCU for ping sockets, but we should use spinlock +for /proc/net/icmp to avoid a potential NULL deref mentioned in +the previous patch. + +Let's go back to using spinlock there. + +Note we can convert ping sockets to use hlist instead of hlist_nulls +because we do not use SLAB_TYPESAFE_BY_RCU for ping sockets. + +Fixes: dbca1596bbb0 ("ping: convert to RCU lookups, get rid of rwlock") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ping.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 409ec2a1f95b0..5178a3f3cb537 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -1089,13 +1089,13 @@ static struct sock *ping_get_idx(struct seq_file *seq, loff_t pos) + } + + void *ping_seq_start(struct seq_file *seq, loff_t *pos, sa_family_t family) +- __acquires(RCU) ++ __acquires(ping_table.lock) + { + struct ping_iter_state *state = seq->private; + state->bucket = 0; + state->family = family; + +- rcu_read_lock(); ++ spin_lock(&ping_table.lock); + + return *pos ? ping_get_idx(seq, *pos-1) : SEQ_START_TOKEN; + } +@@ -1121,9 +1121,9 @@ void *ping_seq_next(struct seq_file *seq, void *v, loff_t *pos) + EXPORT_SYMBOL_GPL(ping_seq_next); + + void ping_seq_stop(struct seq_file *seq, void *v) +- __releases(RCU) ++ __releases(ping_table.lock) + { +- rcu_read_unlock(); ++ spin_unlock(&ping_table.lock); + } + EXPORT_SYMBOL_GPL(ping_seq_stop); + +-- +2.39.2 + diff --git a/queue-6.2/platform-x86-think-lmi-clean-up-display-of-current_v.patch b/queue-6.2/platform-x86-think-lmi-clean-up-display-of-current_v.patch new file mode 100644 index 00000000000..76f2491a7f6 --- /dev/null +++ b/queue-6.2/platform-x86-think-lmi-clean-up-display-of-current_v.patch @@ -0,0 +1,60 @@ +From c44325d1eeca59ce71d568a6af31d6aa96a452cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Apr 2023 21:31:20 -0400 +Subject: platform/x86: think-lmi: Clean up display of current_value on + Thinkstation + +From: Mark Pearson + +[ Upstream commit 7065655216d4d034d71164641f3bec0b189ad6fa ] + +On ThinkStations on retrieving the attribute value the BIOS appends the +possible values to the string. +Clean up the display in the current_value_show function so the options +part is not displayed. + +Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms") +Reported by Mario Limoncello +Link: https://github.com/fwupd/fwupd/issues/5077#issuecomment-1488730526 +Signed-off-by: Mark Pearson +Link: https://lore.kernel.org/r/20230403013120.2105-2-mpearson-lenovo@squebb.ca +Tested-by: Mario Limonciello +Tested-by: Mirsad Goran Todorovac +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/think-lmi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c +index 70c4ee254c43a..336b9029d1515 100644 +--- a/drivers/platform/x86/think-lmi.c ++++ b/drivers/platform/x86/think-lmi.c +@@ -920,7 +920,7 @@ static ssize_t display_name_show(struct kobject *kobj, struct kobj_attribute *at + static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) + { + struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); +- char *item, *value; ++ char *item, *value, *p; + int ret; + + ret = tlmi_setting(setting->index, &item, LENOVO_BIOS_SETTING_GUID); +@@ -931,9 +931,12 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a + value = strpbrk(item, ","); + if (!value || value == item || !strlen(value + 1)) + ret = -EINVAL; +- else ++ else { ++ /* On Workstations remove the Options part after the value */ ++ p = strchrnul(value, ';'); ++ *p = '\0'; + ret = sysfs_emit(buf, "%s\n", value + 1); +- ++ } + kfree(item); + + return ret; +-- +2.39.2 + diff --git a/queue-6.2/platform-x86-think-lmi-fix-memory-leak-when-showing-.patch b/queue-6.2/platform-x86-think-lmi-fix-memory-leak-when-showing-.patch new file mode 100644 index 00000000000..5346631eaca --- /dev/null +++ b/queue-6.2/platform-x86-think-lmi-fix-memory-leak-when-showing-.patch @@ -0,0 +1,51 @@ +From 984ee005e3835ce6208ee96d57bef3c118bc1bae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 23:33:19 +0200 +Subject: platform/x86: think-lmi: Fix memory leak when showing current + settings + +From: Armin Wolf + +[ Upstream commit a3c4c053014585dcf20f4df954791b74d8a8afcd ] + +When retriving a item string with tlmi_setting(), the result has to be +freed using kfree(). In current_value_show() however, malformed +item strings are not freed, causing a memory leak. +Fix this by eliminating the early return responsible for this. + +Reported-by: Mirsad Goran Todorovac +Link: https://lore.kernel.org/platform-driver-x86/01e920bc-5882-ba0c-dd15-868bf0eca0b8@alu.unizg.hr/T/#t +Tested-by: Mirsad Goran Todorovac +Fixes: 0fdf10e5fc96 ("platform/x86: think-lmi: Split current_value to reflect only the value") +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20230331213319.41040-1-W_Armin@gmx.de +Tested-by: Mario Limonciello +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/think-lmi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c +index 74af3e593b2ca..4e738ec5e6fb8 100644 +--- a/drivers/platform/x86/think-lmi.c ++++ b/drivers/platform/x86/think-lmi.c +@@ -930,10 +930,12 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a + /* validate and split from `item,value` -> `value` */ + value = strpbrk(item, ","); + if (!value || value == item || !strlen(value + 1)) +- return -EINVAL; ++ ret = -EINVAL; ++ else ++ ret = sysfs_emit(buf, "%s\n", value + 1); + +- ret = sysfs_emit(buf, "%s\n", value + 1); + kfree(item); ++ + return ret; + } + +-- +2.39.2 + diff --git a/queue-6.2/platform-x86-think-lmi-fix-memory-leaks-when-parsing.patch b/queue-6.2/platform-x86-think-lmi-fix-memory-leaks-when-parsing.patch new file mode 100644 index 00000000000..cf2347a5a60 --- /dev/null +++ b/queue-6.2/platform-x86-think-lmi-fix-memory-leaks-when-parsing.patch @@ -0,0 +1,58 @@ +From 4476e9ee66302dc179f02b04c22f80e7b94da3fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Apr 2023 21:31:19 -0400 +Subject: platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation + WMI strings + +From: Mark Pearson + +[ Upstream commit e7d796fccdc8d17c2d21817ebe4c7bf5bbfe5433 ] + +My previous commit introduced a memory leak where the item allocated +from tlmi_setting was not freed. +This commit also renames it to avoid confusion with the similarly name +variable in the same function. + +Fixes: 8a02d70679fc ("platform/x86: think-lmi: Add possible_values for ThinkStation") +Reported-by: Mirsad Todorovac +Link: https://lore.kernel.org/lkml/df26ff45-8933-f2b3-25f4-6ee51ccda7d8@gmx.de/T/ +Signed-off-by: Mark Pearson +Link: https://lore.kernel.org/r/20230403013120.2105-1-mpearson-lenovo@squebb.ca +Tested-by: Mario Limonciello +Tested-by: Mirsad Goran Todorovac +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/think-lmi.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c +index 4e738ec5e6fb8..70c4ee254c43a 100644 +--- a/drivers/platform/x86/think-lmi.c ++++ b/drivers/platform/x86/think-lmi.c +@@ -1459,10 +1459,10 @@ static int tlmi_analyze(void) + * name string. + * Try and pull that out if it's available. + */ +- char *item, *optstart, *optend; ++ char *optitem, *optstart, *optend; + +- if (!tlmi_setting(setting->index, &item, LENOVO_BIOS_SETTING_GUID)) { +- optstart = strstr(item, "[Optional:"); ++ if (!tlmi_setting(setting->index, &optitem, LENOVO_BIOS_SETTING_GUID)) { ++ optstart = strstr(optitem, "[Optional:"); + if (optstart) { + optstart += strlen("[Optional:"); + optend = strstr(optstart, "]"); +@@ -1471,6 +1471,7 @@ static int tlmi_analyze(void) + kstrndup(optstart, optend - optstart, + GFP_KERNEL); + } ++ kfree(optitem); + } + } + /* +-- +2.39.2 + diff --git a/queue-6.2/pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch b/queue-6.2/pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch new file mode 100644 index 00000000000..a7c85dbda22 --- /dev/null +++ b/queue-6.2/pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch @@ -0,0 +1,40 @@ +From 0e2b381edb9c60c3114af656bdc3fa4cd5ac55f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 22:45:41 +0100 +Subject: pwm: cros-ec: Explicitly set .polarity in .get_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 30006b77c7e130e01d1ab2148cc8abf73dfcc4bf ] + +The driver only supports normal polarity. Complete the implementation of +.get_state() by setting .polarity accordingly. + +Reviewed-by: Guenter Roeck +Fixes: 1f0d3bb02785 ("pwm: Add ChromeOS EC PWM driver") +Link: https://lore.kernel.org/r/20230228135508.1798428-3-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-cros-ec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pwm/pwm-cros-ec.c b/drivers/pwm/pwm-cros-ec.c +index 86df6702cb835..ad18b0ebe3f1e 100644 +--- a/drivers/pwm/pwm-cros-ec.c ++++ b/drivers/pwm/pwm-cros-ec.c +@@ -198,6 +198,7 @@ static int cros_ec_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + + state->enabled = (ret > 0); + state->period = EC_PWM_MAX_DUTY; ++ state->polarity = PWM_POLARITY_NORMAL; + + /* + * Note that "disabled" and "duty cycle == 0" are treated the same. If +-- +2.39.2 + diff --git a/queue-6.2/pwm-hibvt-explicitly-set-.polarity-in-.get_state.patch b/queue-6.2/pwm-hibvt-explicitly-set-.polarity-in-.get_state.patch new file mode 100644 index 00000000000..a0e6a667953 --- /dev/null +++ b/queue-6.2/pwm-hibvt-explicitly-set-.polarity-in-.get_state.patch @@ -0,0 +1,40 @@ +From 53be16da2a841406175ffe1f3529b8457362b2ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 22:45:40 +0100 +Subject: pwm: hibvt: Explicitly set .polarity in .get_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 6f57937980142715e927697a6ffd2050f38ed6f6 ] + +The driver only both polarities. Complete the implementation of +.get_state() by setting .polarity according to the configured hardware +state. + +Fixes: d09f00810850 ("pwm: Add PWM driver for HiSilicon BVT SOCs") +Link: https://lore.kernel.org/r/20230228135508.1798428-2-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-hibvt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pwm/pwm-hibvt.c b/drivers/pwm/pwm-hibvt.c +index 12c05c155cab0..1b9274c5ad872 100644 +--- a/drivers/pwm/pwm-hibvt.c ++++ b/drivers/pwm/pwm-hibvt.c +@@ -146,6 +146,7 @@ static int hibvt_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + + value = readl(base + PWM_CTRL_ADDR(pwm->hwpwm)); + state->enabled = (PWM_ENABLE_MASK & value); ++ state->polarity = (PWM_POLARITY_MASK & value) ? PWM_POLARITY_INVERSED : PWM_POLARITY_NORMAL; + + return 0; + } +-- +2.39.2 + diff --git a/queue-6.2/pwm-iqs620a-explicitly-set-.polarity-in-.get_state.patch b/queue-6.2/pwm-iqs620a-explicitly-set-.polarity-in-.get_state.patch new file mode 100644 index 00000000000..77f56b2b97d --- /dev/null +++ b/queue-6.2/pwm-iqs620a-explicitly-set-.polarity-in-.get_state.patch @@ -0,0 +1,40 @@ +From cc5abd3ebeb29da736d62e6e1a3ec1d51105355c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 22:45:42 +0100 +Subject: pwm: iqs620a: Explicitly set .polarity in .get_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit b20b097128d9145fadcea1cbb45c4d186cb57466 ] + +The driver only supports normal polarity. Complete the implementation of +.get_state() by setting .polarity accordingly. + +Fixes: 6f0841a8197b ("pwm: Add support for Azoteq IQS620A PWM generator") +Reviewed-by: Jeff LaBundy +Link: https://lore.kernel.org/r/20230228135508.1798428-4-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-iqs620a.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pwm/pwm-iqs620a.c b/drivers/pwm/pwm-iqs620a.c +index 4987ca940b648..01208c2f58843 100644 +--- a/drivers/pwm/pwm-iqs620a.c ++++ b/drivers/pwm/pwm-iqs620a.c +@@ -126,6 +126,7 @@ static int iqs620_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + mutex_unlock(&iqs620_pwm->lock); + + state->period = IQS620_PWM_PERIOD_NS; ++ state->polarity = PWM_POLARITY_NORMAL; + + return 0; + } +-- +2.39.2 + diff --git a/queue-6.2/pwm-meson-explicitly-set-.polarity-in-.get_state.patch b/queue-6.2/pwm-meson-explicitly-set-.polarity-in-.get_state.patch new file mode 100644 index 00000000000..fcc5bd3fc3f --- /dev/null +++ b/queue-6.2/pwm-meson-explicitly-set-.polarity-in-.get_state.patch @@ -0,0 +1,67 @@ +From cebf24573ba0f95785309b6874bd2535912256e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 22:45:44 +0100 +Subject: pwm: meson: Explicitly set .polarity in .get_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 8caa81eb950cb2e9d2d6959b37d853162d197f57 ] + +The driver only supports normal polarity. Complete the implementation of +.get_state() by setting .polarity accordingly. + +This fixes a regression that was possible since commit c73a3107624d +("pwm: Handle .get_state() failures") which stopped to zero-initialize +the state passed to the .get_state() callback. This was reported at +https://forum.odroid.com/viewtopic.php?f=177&t=46360 . While this was an +unintended side effect, the real issue is the driver's callback not +setting the polarity. + +There is a complicating fact, that the .apply() callback fakes support +for inversed polarity. This is not (and cannot) be matched by +.get_state(). As fixing this isn't easy, only point it out in a comment +to prevent authors of other drivers from copying that approach. + +Fixes: c375bcbaabdb ("pwm: meson: Read the full hardware state in meson_pwm_get_state()") +Reported-by: Munehisa Kamata +Acked-by: Martin Blumenstingl +Link: https://lore.kernel.org/r/20230310191405.2606296-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-meson.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pwm/pwm-meson.c b/drivers/pwm/pwm-meson.c +index 16d79ca5d8f53..5cd7b90872c62 100644 +--- a/drivers/pwm/pwm-meson.c ++++ b/drivers/pwm/pwm-meson.c +@@ -162,6 +162,12 @@ static int meson_pwm_calc(struct meson_pwm *meson, struct pwm_device *pwm, + duty = state->duty_cycle; + period = state->period; + ++ /* ++ * Note this is wrong. The result is an output wave that isn't really ++ * inverted and so is wrongly identified by .get_state as normal. ++ * Fixing this needs some care however as some machines might rely on ++ * this. ++ */ + if (state->polarity == PWM_POLARITY_INVERSED) + duty = period - duty; + +@@ -358,6 +364,8 @@ static int meson_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + state->duty_cycle = 0; + } + ++ state->polarity = PWM_POLARITY_NORMAL; ++ + return 0; + } + +-- +2.39.2 + diff --git a/queue-6.2/pwm-sprd-explicitly-set-.polarity-in-.get_state.patch b/queue-6.2/pwm-sprd-explicitly-set-.polarity-in-.get_state.patch new file mode 100644 index 00000000000..af4bf3ca548 --- /dev/null +++ b/queue-6.2/pwm-sprd-explicitly-set-.polarity-in-.get_state.patch @@ -0,0 +1,39 @@ +From caf2d3c02813fb1b9080ff3c7adcd7559cb55226 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 22:45:43 +0100 +Subject: pwm: sprd: Explicitly set .polarity in .get_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 2be4dcf6627e1bcbbef8e6ba1811f5127d39202c ] + +The driver only supports normal polarity. Complete the implementation of +.get_state() by setting .polarity accordingly. + +Fixes: 8aae4b02e8a6 ("pwm: sprd: Add Spreadtrum PWM support") +Link: https://lore.kernel.org/r/20230228135508.1798428-5-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sprd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pwm/pwm-sprd.c b/drivers/pwm/pwm-sprd.c +index d866ce345f977..bde579a338c27 100644 +--- a/drivers/pwm/pwm-sprd.c ++++ b/drivers/pwm/pwm-sprd.c +@@ -109,6 +109,7 @@ static int sprd_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + duty = val & SPRD_PWM_DUTY_MSK; + tmp = (prescale + 1) * NSEC_PER_SEC * duty; + state->duty_cycle = DIV_ROUND_CLOSEST_ULL(tmp, chn->clk_rate); ++ state->polarity = PWM_POLARITY_NORMAL; + + /* Disable PWM clocks if the PWM channel is not in enable state. */ + if (!state->enabled) +-- +2.39.2 + diff --git a/queue-6.2/raw-fix-null-deref-in-raw_get_next.patch b/queue-6.2/raw-fix-null-deref-in-raw_get_next.patch new file mode 100644 index 00000000000..2282b30d5fc --- /dev/null +++ b/queue-6.2/raw-fix-null-deref-in-raw_get_next.patch @@ -0,0 +1,348 @@ +From 0e7fadba44826431044e2bef8f6858c8e2a15705 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 12:49:58 -0700 +Subject: raw: Fix NULL deref in raw_get_next(). + +From: Kuniyuki Iwashima + +[ Upstream commit 0a78cf7264d29abeca098eae0b188a10aabc8a32 ] + +Dae R. Jeong reported a NULL deref in raw_get_next() [0]. + +It seems that the repro was running these sequences in parallel so +that one thread was iterating on a socket that was being freed in +another netns. + + unshare(0x40060200) + r0 = syz_open_procfs(0x0, &(0x7f0000002080)='net/raw\x00') + socket$inet_icmp_raw(0x2, 0x3, 0x1) + pread64(r0, &(0x7f0000000000)=""/10, 0xa, 0x10000000007f) + +After commit 0daf07e52709 ("raw: convert raw sockets to RCU"), we +use RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW +sockets. However, we should use spinlock for slow paths to avoid +the NULL deref. + +Also, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object +is not reused during iteration in the grace period. In fact, the +lockless readers do not check the nulls marker with get_nulls_value(). +So, SOCK_RAW should use hlist instead of hlist_nulls. + +Instead of adding an unnecessary barrier by sk_nulls_for_each_rcu(), +let's convert hlist_nulls to hlist and use sk_for_each_rcu() for +fast paths and sk_for_each() and spinlock for /proc/net/raw. + +[0]: +general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] +CPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline] +RIP: 0010:sock_net include/net/sock.h:649 [inline] +RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline] +RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline] +RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995 +Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef +RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206 +RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000 +RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338 +RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9 +R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78 +R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030 +FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + seq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225 + seq_read+0x224/0x320 fs/seq_file.c:162 + pde_read fs/proc/inode.c:316 [inline] + proc_reg_read+0x23f/0x330 fs/proc/inode.c:328 + vfs_read+0x31e/0xd30 fs/read_write.c:468 + ksys_pread64 fs/read_write.c:665 [inline] + __do_sys_pread64 fs/read_write.c:675 [inline] + __se_sys_pread64 fs/read_write.c:672 [inline] + __x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x478d29 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011 +RAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29 +RDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003 +RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000 +R10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740 +R13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50 + +Modules linked in: +---[ end trace 0000000000000000 ]--- +RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline] +RIP: 0010:sock_net include/net/sock.h:649 [inline] +RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline] +RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline] +RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995 +Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef +RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206 +RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000 +RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338 +RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9 +R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78 +R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030 +FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f92ff166000 CR3: 000000003c672000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: 0daf07e52709 ("raw: convert raw sockets to RCU") +Reported-by: syzbot +Reported-by: Dae R. Jeong +Link: https://lore.kernel.org/netdev/ZCA2mGV_cmq7lIfV@dragonet/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/raw.h | 4 ++-- + net/ipv4/raw.c | 36 +++++++++++++++++++----------------- + net/ipv4/raw_diag.c | 10 ++++------ + net/ipv6/raw.c | 10 ++++------ + 4 files changed, 29 insertions(+), 31 deletions(-) + +diff --git a/include/net/raw.h b/include/net/raw.h +index 2c004c20ed996..3af5289fdead9 100644 +--- a/include/net/raw.h ++++ b/include/net/raw.h +@@ -37,7 +37,7 @@ int raw_rcv(struct sock *, struct sk_buff *); + struct raw_hashinfo { + spinlock_t lock; + +- struct hlist_nulls_head ht[RAW_HTABLE_SIZE] ____cacheline_aligned; ++ struct hlist_head ht[RAW_HTABLE_SIZE] ____cacheline_aligned; + }; + + static inline u32 raw_hashfunc(const struct net *net, u32 proto) +@@ -51,7 +51,7 @@ static inline void raw_hashinfo_init(struct raw_hashinfo *hashinfo) + + spin_lock_init(&hashinfo->lock); + for (i = 0; i < RAW_HTABLE_SIZE; i++) +- INIT_HLIST_NULLS_HEAD(&hashinfo->ht[i], i); ++ INIT_HLIST_HEAD(&hashinfo->ht[i]); + } + + #ifdef CONFIG_PROC_FS +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 2a53a0bf29232..af03aa8a8e513 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -91,12 +91,12 @@ EXPORT_SYMBOL_GPL(raw_v4_hashinfo); + int raw_hash_sk(struct sock *sk) + { + struct raw_hashinfo *h = sk->sk_prot->h.raw_hash; +- struct hlist_nulls_head *hlist; ++ struct hlist_head *hlist; + + hlist = &h->ht[raw_hashfunc(sock_net(sk), inet_sk(sk)->inet_num)]; + + spin_lock(&h->lock); +- __sk_nulls_add_node_rcu(sk, hlist); ++ sk_add_node_rcu(sk, hlist); + sock_set_flag(sk, SOCK_RCU_FREE); + spin_unlock(&h->lock); + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); +@@ -110,7 +110,7 @@ void raw_unhash_sk(struct sock *sk) + struct raw_hashinfo *h = sk->sk_prot->h.raw_hash; + + spin_lock(&h->lock); +- if (__sk_nulls_del_node_init_rcu(sk)) ++ if (sk_del_node_init_rcu(sk)) + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); + spin_unlock(&h->lock); + } +@@ -163,16 +163,15 @@ static int icmp_filter(const struct sock *sk, const struct sk_buff *skb) + static int raw_v4_input(struct net *net, struct sk_buff *skb, + const struct iphdr *iph, int hash) + { +- struct hlist_nulls_head *hlist; +- struct hlist_nulls_node *hnode; + int sdif = inet_sdif(skb); ++ struct hlist_head *hlist; + int dif = inet_iif(skb); + int delivered = 0; + struct sock *sk; + + hlist = &raw_v4_hashinfo.ht[hash]; + rcu_read_lock(); +- sk_nulls_for_each(sk, hnode, hlist) { ++ sk_for_each_rcu(sk, hlist) { + if (!raw_v4_match(net, sk, iph->protocol, + iph->saddr, iph->daddr, dif, sdif)) + continue; +@@ -264,10 +263,9 @@ static void raw_err(struct sock *sk, struct sk_buff *skb, u32 info) + void raw_icmp_error(struct sk_buff *skb, int protocol, u32 info) + { + struct net *net = dev_net(skb->dev); +- struct hlist_nulls_head *hlist; +- struct hlist_nulls_node *hnode; + int dif = skb->dev->ifindex; + int sdif = inet_sdif(skb); ++ struct hlist_head *hlist; + const struct iphdr *iph; + struct sock *sk; + int hash; +@@ -276,7 +274,7 @@ void raw_icmp_error(struct sk_buff *skb, int protocol, u32 info) + hlist = &raw_v4_hashinfo.ht[hash]; + + rcu_read_lock(); +- sk_nulls_for_each(sk, hnode, hlist) { ++ sk_for_each_rcu(sk, hlist) { + iph = (const struct iphdr *)skb->data; + if (!raw_v4_match(net, sk, iph->protocol, + iph->daddr, iph->saddr, dif, sdif)) +@@ -948,14 +946,13 @@ static struct sock *raw_get_first(struct seq_file *seq, int bucket) + { + struct raw_hashinfo *h = pde_data(file_inode(seq->file)); + struct raw_iter_state *state = raw_seq_private(seq); +- struct hlist_nulls_head *hlist; +- struct hlist_nulls_node *hnode; ++ struct hlist_head *hlist; + struct sock *sk; + + for (state->bucket = bucket; state->bucket < RAW_HTABLE_SIZE; + ++state->bucket) { + hlist = &h->ht[state->bucket]; +- sk_nulls_for_each(sk, hnode, hlist) { ++ sk_for_each(sk, hlist) { + if (sock_net(sk) == seq_file_net(seq)) + return sk; + } +@@ -968,7 +965,7 @@ static struct sock *raw_get_next(struct seq_file *seq, struct sock *sk) + struct raw_iter_state *state = raw_seq_private(seq); + + do { +- sk = sk_nulls_next(sk); ++ sk = sk_next(sk); + } while (sk && sock_net(sk) != seq_file_net(seq)); + + if (!sk) +@@ -987,9 +984,12 @@ static struct sock *raw_get_idx(struct seq_file *seq, loff_t pos) + } + + void *raw_seq_start(struct seq_file *seq, loff_t *pos) +- __acquires(RCU) ++ __acquires(&h->lock) + { +- rcu_read_lock(); ++ struct raw_hashinfo *h = pde_data(file_inode(seq->file)); ++ ++ spin_lock(&h->lock); ++ + return *pos ? raw_get_idx(seq, *pos - 1) : SEQ_START_TOKEN; + } + EXPORT_SYMBOL_GPL(raw_seq_start); +@@ -1008,9 +1008,11 @@ void *raw_seq_next(struct seq_file *seq, void *v, loff_t *pos) + EXPORT_SYMBOL_GPL(raw_seq_next); + + void raw_seq_stop(struct seq_file *seq, void *v) +- __releases(RCU) ++ __releases(&h->lock) + { +- rcu_read_unlock(); ++ struct raw_hashinfo *h = pde_data(file_inode(seq->file)); ++ ++ spin_unlock(&h->lock); + } + EXPORT_SYMBOL_GPL(raw_seq_stop); + +diff --git a/net/ipv4/raw_diag.c b/net/ipv4/raw_diag.c +index 999321834b94a..da3591a66a169 100644 +--- a/net/ipv4/raw_diag.c ++++ b/net/ipv4/raw_diag.c +@@ -57,8 +57,7 @@ static bool raw_lookup(struct net *net, struct sock *sk, + static struct sock *raw_sock_get(struct net *net, const struct inet_diag_req_v2 *r) + { + struct raw_hashinfo *hashinfo = raw_get_hashinfo(r); +- struct hlist_nulls_head *hlist; +- struct hlist_nulls_node *hnode; ++ struct hlist_head *hlist; + struct sock *sk; + int slot; + +@@ -68,7 +67,7 @@ static struct sock *raw_sock_get(struct net *net, const struct inet_diag_req_v2 + rcu_read_lock(); + for (slot = 0; slot < RAW_HTABLE_SIZE; slot++) { + hlist = &hashinfo->ht[slot]; +- sk_nulls_for_each(sk, hnode, hlist) { ++ sk_for_each_rcu(sk, hlist) { + if (raw_lookup(net, sk, r)) { + /* + * Grab it and keep until we fill +@@ -142,9 +141,8 @@ static void raw_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + struct raw_hashinfo *hashinfo = raw_get_hashinfo(r); + struct net *net = sock_net(skb->sk); + struct inet_diag_dump_data *cb_data; +- struct hlist_nulls_head *hlist; +- struct hlist_nulls_node *hnode; + int num, s_num, slot, s_slot; ++ struct hlist_head *hlist; + struct sock *sk = NULL; + struct nlattr *bc; + +@@ -161,7 +159,7 @@ static void raw_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + num = 0; + + hlist = &hashinfo->ht[slot]; +- sk_nulls_for_each(sk, hnode, hlist) { ++ sk_for_each_rcu(sk, hlist) { + struct inet_sock *inet = inet_sk(sk); + + if (!net_eq(sock_net(sk), net)) +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index 45b35b5f893c5..4fc511bdf176c 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -141,10 +141,9 @@ EXPORT_SYMBOL(rawv6_mh_filter_unregister); + static bool ipv6_raw_deliver(struct sk_buff *skb, int nexthdr) + { + struct net *net = dev_net(skb->dev); +- struct hlist_nulls_head *hlist; +- struct hlist_nulls_node *hnode; + const struct in6_addr *saddr; + const struct in6_addr *daddr; ++ struct hlist_head *hlist; + struct sock *sk; + bool delivered = false; + __u8 hash; +@@ -155,7 +154,7 @@ static bool ipv6_raw_deliver(struct sk_buff *skb, int nexthdr) + hash = raw_hashfunc(net, nexthdr); + hlist = &raw_v6_hashinfo.ht[hash]; + rcu_read_lock(); +- sk_nulls_for_each(sk, hnode, hlist) { ++ sk_for_each_rcu(sk, hlist) { + int filtered; + + if (!raw_v6_match(net, sk, nexthdr, daddr, saddr, +@@ -333,15 +332,14 @@ void raw6_icmp_error(struct sk_buff *skb, int nexthdr, + u8 type, u8 code, int inner_offset, __be32 info) + { + struct net *net = dev_net(skb->dev); +- struct hlist_nulls_head *hlist; +- struct hlist_nulls_node *hnode; ++ struct hlist_head *hlist; + struct sock *sk; + int hash; + + hash = raw_hashfunc(net, nexthdr); + hlist = &raw_v6_hashinfo.ht[hash]; + rcu_read_lock(); +- sk_nulls_for_each(sk, hnode, hlist) { ++ sk_for_each_rcu(sk, hlist) { + /* Note: ipv6_hdr(skb) != skb->data */ + const struct ipv6hdr *ip6h = (const struct ipv6hdr *)skb->data; + +-- +2.39.2 + diff --git a/queue-6.2/raw-use-net_hash_mix-in-hash-function.patch b/queue-6.2/raw-use-net_hash_mix-in-hash-function.patch new file mode 100644 index 00000000000..9d1250fdf28 --- /dev/null +++ b/queue-6.2/raw-use-net_hash_mix-in-hash-function.patch @@ -0,0 +1,139 @@ +From abbcfc27bb03f673b9cd2cbfaab591a409f1d3b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 09:41:00 +0000 +Subject: raw: use net_hash_mix() in hash function + +From: Eric Dumazet + +[ Upstream commit 6579f5bacc2c4cbc5ef6abb45352416939d1f844 ] + +Some applications seem to rely on RAW sockets. + +If they use private netns, we can avoid piling all RAW +sockets bound to a given protocol into a single bucket. + +Also place (struct raw_hashinfo).lock into its own +cache line to limit false sharing. + +Alternative would be to have per-netns hashtables, +but this seems too expensive for most netns +where RAW sockets are not used. + +Signed-off-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Stable-dep-of: 0a78cf7264d2 ("raw: Fix NULL deref in raw_get_next().") +Signed-off-by: Sasha Levin +--- + include/net/raw.h | 13 +++++++++++-- + net/ipv4/raw.c | 13 +++++++------ + net/ipv6/raw.c | 4 ++-- + 3 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/include/net/raw.h b/include/net/raw.h +index 5e665934ebc7c..2c004c20ed996 100644 +--- a/include/net/raw.h ++++ b/include/net/raw.h +@@ -15,6 +15,8 @@ + + #include + #include ++#include ++#include + #include + + extern struct proto raw_prot; +@@ -29,13 +31,20 @@ int raw_local_deliver(struct sk_buff *, int); + + int raw_rcv(struct sock *, struct sk_buff *); + +-#define RAW_HTABLE_SIZE MAX_INET_PROTOS ++#define RAW_HTABLE_LOG 8 ++#define RAW_HTABLE_SIZE (1U << RAW_HTABLE_LOG) + + struct raw_hashinfo { + spinlock_t lock; +- struct hlist_nulls_head ht[RAW_HTABLE_SIZE]; ++ ++ struct hlist_nulls_head ht[RAW_HTABLE_SIZE] ____cacheline_aligned; + }; + ++static inline u32 raw_hashfunc(const struct net *net, u32 proto) ++{ ++ return hash_32(net_hash_mix(net) ^ proto, RAW_HTABLE_LOG); ++} ++ + static inline void raw_hashinfo_init(struct raw_hashinfo *hashinfo) + { + int i; +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 006c1f0ed8b47..2a53a0bf29232 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -93,7 +93,7 @@ int raw_hash_sk(struct sock *sk) + struct raw_hashinfo *h = sk->sk_prot->h.raw_hash; + struct hlist_nulls_head *hlist; + +- hlist = &h->ht[inet_sk(sk)->inet_num & (RAW_HTABLE_SIZE - 1)]; ++ hlist = &h->ht[raw_hashfunc(sock_net(sk), inet_sk(sk)->inet_num)]; + + spin_lock(&h->lock); + __sk_nulls_add_node_rcu(sk, hlist); +@@ -160,9 +160,9 @@ static int icmp_filter(const struct sock *sk, const struct sk_buff *skb) + * RFC 1122: SHOULD pass TOS value up to the transport layer. + * -> It does. And not only TOS, but all IP header. + */ +-static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) ++static int raw_v4_input(struct net *net, struct sk_buff *skb, ++ const struct iphdr *iph, int hash) + { +- struct net *net = dev_net(skb->dev); + struct hlist_nulls_head *hlist; + struct hlist_nulls_node *hnode; + int sdif = inet_sdif(skb); +@@ -193,9 +193,10 @@ static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) + + int raw_local_deliver(struct sk_buff *skb, int protocol) + { +- int hash = protocol & (RAW_HTABLE_SIZE - 1); ++ struct net *net = dev_net(skb->dev); + +- return raw_v4_input(skb, ip_hdr(skb), hash); ++ return raw_v4_input(net, skb, ip_hdr(skb), ++ raw_hashfunc(net, protocol)); + } + + static void raw_err(struct sock *sk, struct sk_buff *skb, u32 info) +@@ -271,7 +272,7 @@ void raw_icmp_error(struct sk_buff *skb, int protocol, u32 info) + struct sock *sk; + int hash; + +- hash = protocol & (RAW_HTABLE_SIZE - 1); ++ hash = raw_hashfunc(net, protocol); + hlist = &raw_v4_hashinfo.ht[hash]; + + rcu_read_lock(); +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index ada087b50541a..45b35b5f893c5 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -152,7 +152,7 @@ static bool ipv6_raw_deliver(struct sk_buff *skb, int nexthdr) + saddr = &ipv6_hdr(skb)->saddr; + daddr = saddr + 1; + +- hash = nexthdr & (RAW_HTABLE_SIZE - 1); ++ hash = raw_hashfunc(net, nexthdr); + hlist = &raw_v6_hashinfo.ht[hash]; + rcu_read_lock(); + sk_nulls_for_each(sk, hnode, hlist) { +@@ -338,7 +338,7 @@ void raw6_icmp_error(struct sk_buff *skb, int nexthdr, + struct sock *sk; + int hash; + +- hash = nexthdr & (RAW_HTABLE_SIZE - 1); ++ hash = raw_hashfunc(net, nexthdr); + hlist = &raw_v6_hashinfo.ht[hash]; + rcu_read_lock(); + sk_nulls_for_each(sk, hnode, hlist) { +-- +2.39.2 + diff --git a/queue-6.2/sctp-check-send-stream-number-after-wait_for_sndbuf.patch b/queue-6.2/sctp-check-send-stream-number-after-wait_for_sndbuf.patch new file mode 100644 index 00000000000..88cc98ae02f --- /dev/null +++ b/queue-6.2/sctp-check-send-stream-number-after-wait_for_sndbuf.patch @@ -0,0 +1,66 @@ +From 1ea2f3e37129bf694069123188ca5164b8021365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Apr 2023 19:09:57 -0400 +Subject: sctp: check send stream number after wait_for_sndbuf + +From: Xin Long + +[ Upstream commit 2584024b23552c00d95b50255e47bd18d306d31a ] + +This patch fixes a corner case where the asoc out stream count may change +after wait_for_sndbuf. + +When the main thread in the client starts a connection, if its out stream +count is set to N while the in stream count in the server is set to N - 2, +another thread in the client keeps sending the msgs with stream number +N - 1, and waits for sndbuf before processing INIT_ACK. + +However, after processing INIT_ACK, the out stream count in the client is +shrunk to N - 2, the same to the in stream count in the server. The crash +occurs when the thread waiting for sndbuf is awake and sends the msg in a +non-existing stream(N - 1), the call trace is as below: + + KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] + Call Trace: + + sctp_cmd_send_msg net/sctp/sm_sideeffect.c:1114 [inline] + sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1777 [inline] + sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] + sctp_do_sm+0x197d/0x5310 net/sctp/sm_sideeffect.c:1170 + sctp_primitive_SEND+0x9f/0xc0 net/sctp/primitive.c:163 + sctp_sendmsg_to_asoc+0x10eb/0x1a30 net/sctp/socket.c:1868 + sctp_sendmsg+0x8d4/0x1d90 net/sctp/socket.c:2026 + inet_sendmsg+0x9d/0xe0 net/ipv4/af_inet.c:825 + sock_sendmsg_nosec net/socket.c:722 [inline] + sock_sendmsg+0xde/0x190 net/socket.c:745 + +The fix is to add an unlikely check for the send stream number after the +thread wakes up from the wait_for_sndbuf. + +Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") +Reported-by: syzbot+47c24ca20a2fa01f082e@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 84021a6c4f9da..ec7d1a89efbbd 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1829,6 +1829,10 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc, + err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len); + if (err) + goto err; ++ if (unlikely(sinfo->sinfo_stream >= asoc->stream.outcnt)) { ++ err = -EINVAL; ++ goto err; ++ } + } + + if (sctp_state(asoc, CLOSED)) { +-- +2.39.2 + diff --git a/queue-6.2/series b/queue-6.2/series index 909329c2388..2798d997dee 100644 --- a/queue-6.2/series +++ b/queue-6.2/series @@ -4,3 +4,51 @@ dm-change-unsigned-to-unsigned-int.patch dm-fix-improper-splitting-for-abnormal-bios.patch drm-i915-move-the-dsb-setup-cleaup-into-the-color-co.patch drm-i915-add-a-.color_post_update-hook.patch +gpio-gpio_regmap-select-regmap-instead-of-depending-.patch +drivers-vmbus-check-for-channel-allocation-before-lo.patch +asoc-sof-ipc4-ensure-dsp-is-in-d0i0-during-sof_ipc4_.patch +pwm-hibvt-explicitly-set-.polarity-in-.get_state.patch +pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch +pwm-iqs620a-explicitly-set-.polarity-in-.get_state.patch +pwm-sprd-explicitly-set-.polarity-in-.get_state.patch +pwm-meson-explicitly-set-.polarity-in-.get_state.patch +asoc-codecs-lpass-fix-the-order-or-clks-turn-off-dur.patch +kvm-s390-pv-fix-external-interruption-loop-not-alway.patch +wifi-mac80211-fix-the-size-calculation-of-ieee80211_.patch +wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch +net-qrtr-fix-a-refcount-bug-in-qrtr_recvmsg.patch +net-phylink-add-phylink_expects_phy-method.patch +net-stmmac-check-if-mac-needs-to-attach-to-a-phy.patch +net-stmmac-remove-redundant-fixup-to-support-fixed-l.patch +l2tp-generate-correct-module-alias-strings.patch +wifi-brcmfmac-fix-sdio-suspend-resume-regression.patch +nfsd-avoid-calling-opdesc-with-ops-opnum-op_illegal.patch +nfsd-call-op_release-even-when-op_func-returns-an-er.patch +icmp-guard-against-too-small-mtu.patch +alsa-hda-hdmi-preserve-the-previous-pcm-device-upon-.patch +net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch +net-dsa-mv88e6xxx-reset-mv88e6393x-force-wd-event-bi.patch +net-ethernet-mtk_eth_soc-fix-remaining-throughput-re.patch +sctp-check-send-stream-number-after-wait_for_sndbuf.patch +drm-i915-huc-cancel-huc-delayed-load-timer-on-reset.patch +net-qrtr-do-not-do-del_server-broadcast-after-del_cl.patch +ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch +platform-x86-think-lmi-fix-memory-leak-when-showing-.patch +platform-x86-think-lmi-fix-memory-leaks-when-parsing.patch +platform-x86-think-lmi-clean-up-display-of-current_v.patch +gpio-davinci-do-not-clear-the-bank-intr-enable-bit-i.patch +gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch +net-ethernet-ti-am65-cpsw-fix-mdio-cleanup-in-probe.patch +net-stmmac-fix-up-rx-flow-hash-indirection-table-whe.patch +sunrpc-only-free-unix-grouplist-after-rcu-settles.patch +nfsd-callback-request-does-not-use-correct-credentia.patch +ice-fix-wrong-fallback-logic-for-fdir.patch +ice-reset-fdir-counter-in-fdir-init-stage.patch +raw-use-net_hash_mix-in-hash-function.patch +raw-fix-null-deref-in-raw_get_next.patch +ping-fix-potentail-null-deref-for-proc-net-icmp.patch +ethtool-reset-lanes-when-lanes-is-omitted.patch +netlink-annotate-lockless-accesses-to-nlk-max_recvms.patch +gve-secure-enough-bytes-in-the-first-tx-desc-for-all.patch +arm64-compat-work-around-uninitialized-variable-warn.patch +net-stmmac-check-fwnode-for-phy-device-before-scanni.patch diff --git a/queue-6.2/sunrpc-only-free-unix-grouplist-after-rcu-settles.patch b/queue-6.2/sunrpc-only-free-unix-grouplist-after-rcu-settles.patch new file mode 100644 index 00000000000..fe18e4298ed --- /dev/null +++ b/queue-6.2/sunrpc-only-free-unix-grouplist-after-rcu-settles.patch @@ -0,0 +1,58 @@ +From 90d57fd07f22590021c44cb3005cd02d3cf78f44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 14:24:27 -0400 +Subject: sunrpc: only free unix grouplist after RCU settles + +From: Jeff Layton + +[ Upstream commit 5085e41f9e83a1bec51da1f20b54f2ec3a13a3fe ] + +While the unix_gid object is rcu-freed, the group_info list that it +contains is not. Ensure that we only put the group list reference once +we are really freeing the unix_gid object. + +Reported-by: Zhi Li +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2183056 +Signed-off-by: Jeff Layton +Fixes: fd5d2f78261b ("SUNRPC: Make server side AUTH_UNIX use lockless lookups") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svcauth_unix.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c +index b1efc34db6ed8..609ade4fb49ed 100644 +--- a/net/sunrpc/svcauth_unix.c ++++ b/net/sunrpc/svcauth_unix.c +@@ -416,14 +416,23 @@ static int unix_gid_hash(kuid_t uid) + return hash_long(from_kuid(&init_user_ns, uid), GID_HASHBITS); + } + +-static void unix_gid_put(struct kref *kref) ++static void unix_gid_free(struct rcu_head *rcu) + { +- struct cache_head *item = container_of(kref, struct cache_head, ref); +- struct unix_gid *ug = container_of(item, struct unix_gid, h); ++ struct unix_gid *ug = container_of(rcu, struct unix_gid, rcu); ++ struct cache_head *item = &ug->h; ++ + if (test_bit(CACHE_VALID, &item->flags) && + !test_bit(CACHE_NEGATIVE, &item->flags)) + put_group_info(ug->gi); +- kfree_rcu(ug, rcu); ++ kfree(ug); ++} ++ ++static void unix_gid_put(struct kref *kref) ++{ ++ struct cache_head *item = container_of(kref, struct cache_head, ref); ++ struct unix_gid *ug = container_of(item, struct unix_gid, h); ++ ++ call_rcu(&ug->rcu, unix_gid_free); + } + + static int unix_gid_match(struct cache_head *corig, struct cache_head *cnew) +-- +2.39.2 + diff --git a/queue-6.2/wifi-brcmfmac-fix-sdio-suspend-resume-regression.patch b/queue-6.2/wifi-brcmfmac-fix-sdio-suspend-resume-regression.patch new file mode 100644 index 00000000000..857b116bb9d --- /dev/null +++ b/queue-6.2/wifi-brcmfmac-fix-sdio-suspend-resume-regression.patch @@ -0,0 +1,162 @@ +From 82763bf81d0c4b7ac70bd882f2496c91b7dcd59e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Mar 2023 13:22:52 +0100 +Subject: wifi: brcmfmac: Fix SDIO suspend/resume regression + +From: Hans de Goede + +[ Upstream commit e4efa515d58f1363d8a27e548f9c5769d3121e03 ] + +After commit 92cadedd9d5f ("brcmfmac: Avoid keeping power to SDIO card +unless WOWL is used"), the wifi adapter by default is turned off on suspend +and then re-probed on resume. + +In at least 2 model x86/acpi tablets with brcmfmac43430a1 wifi adapters, +the newly added re-probe on resume fails like this: + + brcmfmac: brcmf_sdio_bus_rxctl: resumed on timeout + ieee80211 phy1: brcmf_bus_started: failed: -110 + ieee80211 phy1: brcmf_attach: dongle is not responding: err=-110 + brcmfmac: brcmf_sdio_firmware_callback: brcmf_attach failed + +It seems this specific brcmfmac model does not like being reprobed without +it actually being turned off first. + +And the adapter is not being turned off during suspend because of +commit f0992ace680c ("brcmfmac: prohibit ACPI power management for brcmfmac +driver"). + +Now that the driver is being reprobed on resume, the disabling of ACPI +pm is no longer necessary, except when WOWL is used (in which case there +is no-reprobe). + +Move the dis-/en-abling of ACPI pm to brcmf_sdio_wowl_config(), this fixes +the brcmfmac43430a1 suspend/resume regression and should help save some +power when suspended. + +This change means that the code now also may re-enable ACPI pm when WOWL +gets disabled. ACPI pm should only be re-enabled if it was enabled by +the ACPI core originally. Add a brcmf_sdiod_acpi_save_power_manageable() +to save the original state for this. + +This has been tested on the following devices: + +Asus T100TA brcmfmac43241b4-sdio +Acer Iconia One 7 B1-750 brcmfmac43340-sdio +Chuwi Hi8 brcmfmac43430a0-sdio +Chuwi Hi8 brcmfmac43430a1-sdio + +(the Asus T100TA is the device for which the prohibiting of ACPI pm + was originally added) + +Fixes: 92cadedd9d5f ("brcmfmac: Avoid keeping power to SDIO card unless WOWL is used") +Cc: Ulf Hansson +Signed-off-by: Hans de Goede +Reviewed-by: Ulf Hansson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230320122252.240070-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + .../broadcom/brcm80211/brcmfmac/bcmsdh.c | 36 +++++++++++++------ + .../broadcom/brcm80211/brcmfmac/sdio.h | 2 ++ + 2 files changed, 28 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +index b7c918f241c91..65d4799a56584 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -994,15 +994,34 @@ static const struct sdio_device_id brcmf_sdmmc_ids[] = { + MODULE_DEVICE_TABLE(sdio, brcmf_sdmmc_ids); + + +-static void brcmf_sdiod_acpi_set_power_manageable(struct device *dev, +- int val) ++static void brcmf_sdiod_acpi_save_power_manageable(struct brcmf_sdio_dev *sdiodev) + { + #if IS_ENABLED(CONFIG_ACPI) + struct acpi_device *adev; + +- adev = ACPI_COMPANION(dev); ++ adev = ACPI_COMPANION(&sdiodev->func1->dev); + if (adev) +- adev->flags.power_manageable = 0; ++ sdiodev->func1_power_manageable = adev->flags.power_manageable; ++ ++ adev = ACPI_COMPANION(&sdiodev->func2->dev); ++ if (adev) ++ sdiodev->func2_power_manageable = adev->flags.power_manageable; ++#endif ++} ++ ++static void brcmf_sdiod_acpi_set_power_manageable(struct brcmf_sdio_dev *sdiodev, ++ int enable) ++{ ++#if IS_ENABLED(CONFIG_ACPI) ++ struct acpi_device *adev; ++ ++ adev = ACPI_COMPANION(&sdiodev->func1->dev); ++ if (adev) ++ adev->flags.power_manageable = enable ? sdiodev->func1_power_manageable : 0; ++ ++ adev = ACPI_COMPANION(&sdiodev->func2->dev); ++ if (adev) ++ adev->flags.power_manageable = enable ? sdiodev->func2_power_manageable : 0; + #endif + } + +@@ -1012,7 +1031,6 @@ static int brcmf_ops_sdio_probe(struct sdio_func *func, + int err; + struct brcmf_sdio_dev *sdiodev; + struct brcmf_bus *bus_if; +- struct device *dev; + + brcmf_dbg(SDIO, "Enter\n"); + brcmf_dbg(SDIO, "Class=%x\n", func->class); +@@ -1020,14 +1038,9 @@ static int brcmf_ops_sdio_probe(struct sdio_func *func, + brcmf_dbg(SDIO, "sdio device ID: 0x%04x\n", func->device); + brcmf_dbg(SDIO, "Function#: %d\n", func->num); + +- dev = &func->dev; +- + /* Set MMC_QUIRK_LENIENT_FN0 for this card */ + func->card->quirks |= MMC_QUIRK_LENIENT_FN0; + +- /* prohibit ACPI power management for this device */ +- brcmf_sdiod_acpi_set_power_manageable(dev, 0); +- + /* Consume func num 1 but dont do anything with it. */ + if (func->num == 1) + return 0; +@@ -1059,6 +1072,7 @@ static int brcmf_ops_sdio_probe(struct sdio_func *func, + dev_set_drvdata(&sdiodev->func1->dev, bus_if); + sdiodev->dev = &sdiodev->func1->dev; + ++ brcmf_sdiod_acpi_save_power_manageable(sdiodev); + brcmf_sdiod_change_state(sdiodev, BRCMF_SDIOD_DOWN); + + brcmf_dbg(SDIO, "F2 found, calling brcmf_sdiod_probe...\n"); +@@ -1124,6 +1138,8 @@ void brcmf_sdio_wowl_config(struct device *dev, bool enabled) + + if (sdiodev->settings->bus.sdio.oob_irq_supported || + pm_caps & MMC_PM_WAKE_SDIO_IRQ) { ++ /* Stop ACPI from turning off the device when wowl is enabled */ ++ brcmf_sdiod_acpi_set_power_manageable(sdiodev, !enabled); + sdiodev->wowl_enabled = enabled; + brcmf_dbg(SDIO, "Configuring WOWL, enabled=%d\n", enabled); + return; +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.h +index b76d34d36bde6..0d18ed15b4032 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.h +@@ -188,6 +188,8 @@ struct brcmf_sdio_dev { + char nvram_name[BRCMF_FW_NAME_LEN]; + char clm_name[BRCMF_FW_NAME_LEN]; + bool wowl_enabled; ++ bool func1_power_manageable; ++ bool func2_power_manageable; + enum brcmf_sdiod_state state; + struct brcmf_sdiod_freezer *freezer; + const struct firmware *clm_fw; +-- +2.39.2 + diff --git a/queue-6.2/wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch b/queue-6.2/wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch new file mode 100644 index 00000000000..e0e6773f04a --- /dev/null +++ b/queue-6.2/wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch @@ -0,0 +1,40 @@ +From d4981ed95cc6cbb10cf4cba66d21094acafdeda3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 13:09:24 +0100 +Subject: wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for + non-uploaded sta + +From: Felix Fietkau + +[ Upstream commit 12b220a6171faf10638ab683a975cadcf1a352d6 ] + +Avoid potential data corruption issues caused by uninitialized driver +private data structures. + +Reported-by: Brian Coverstone +Fixes: 6a9d1b91f34d ("mac80211: add pre-RCU-sync sta removal driver operation") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230324120924.38412-3-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 34cb833db25f5..39731ef51e03a 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1261,7 +1261,8 @@ static int __must_check __sta_info_destroy_part1(struct sta_info *sta) + list_del_rcu(&sta->list); + sta->removed = true; + +- drv_sta_pre_rcu_remove(local, sta->sdata, sta); ++ if (sta->uploaded) ++ drv_sta_pre_rcu_remove(local, sta->sdata, sta); + + if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN && + rcu_access_pointer(sdata->u.vlan.sta) == sta) +-- +2.39.2 + diff --git a/queue-6.2/wifi-mac80211-fix-the-size-calculation-of-ieee80211_.patch b/queue-6.2/wifi-mac80211-fix-the-size-calculation-of-ieee80211_.patch new file mode 100644 index 00000000000..38e1b86d364 --- /dev/null +++ b/queue-6.2/wifi-mac80211-fix-the-size-calculation-of-ieee80211_.patch @@ -0,0 +1,37 @@ +From acd81c814ddf8fd52d749e0d2447b3769db25bcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 01:07:41 +0800 +Subject: wifi: mac80211: fix the size calculation of + ieee80211_ie_len_eht_cap() + +From: Ryder Lee + +[ Upstream commit dd01579e5ed922dcfcb8fec53fa03b81c7649a04 ] + +Here should return the size of ieee80211_eht_cap_elem_fixed, so fix it. + +Fixes: 820acc810fb6 ("mac80211: Add EHT capabilities to association/probe request") +Signed-off-by: Ryder Lee +Link: https://lore.kernel.org/r/06c13635fc03bcff58a647b8e03e9f01a74294bd.1679935259.git.ryder.lee@mediatek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 9c219e525eded..ed9e659f49f63 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -4906,7 +4906,7 @@ u8 ieee80211_ie_len_eht_cap(struct ieee80211_sub_if_data *sdata, u8 iftype) + &eht_cap->eht_cap_elem, + is_ap); + return 2 + 1 + +- sizeof(he_cap->he_cap_elem) + n + ++ sizeof(eht_cap->eht_cap_elem) + n + + ieee80211_eht_ppe_size(eht_cap->eht_ppe_thres[0], + eht_cap->eht_cap_elem.phy_cap_info); + return 0; +-- +2.39.2 +