From: Sasha Levin Date: Sun, 20 Aug 2023 23:42:04 +0000 (-0400) Subject: Fixes for 6.4 X-Git-Tag: v6.4.12~76 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b59f06f2843b52b26863daa5571c4f7773fbc4ba;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.4 Signed-off-by: Sasha Levin --- diff --git a/queue-6.4/accel-qaic-clean-up-integer-overflow-checking-in-map.patch b/queue-6.4/accel-qaic-clean-up-integer-overflow-checking-in-map.patch new file mode 100644 index 00000000000..d1923431040 --- /dev/null +++ b/queue-6.4/accel-qaic-clean-up-integer-overflow-checking-in-map.patch @@ -0,0 +1,117 @@ +From 16ec45ca09921422aeff25c60b0222cfdfe3814c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 15:23:06 +0300 +Subject: accel/qaic: Clean up integer overflow checking in map_user_pages() + +From: Dan Carpenter + +[ Upstream commit 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c ] + +The encode_dma() function has some validation on in_trans->size but it +would be more clear to move those checks to find_and_map_user_pages(). + +The encode_dma() had two checks: + + if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size) + return -EINVAL; + +The in_trans->addr variable is the starting address. The in_trans->size +variable is the total size of the transfer. The transfer can occur in +parts and the resources->xferred_dma_size tracks how many bytes we have +already transferred. + +This patch introduces a new variable "remaining" which represents the +amount we want to transfer (in_trans->size) minus the amount we have +already transferred (resources->xferred_dma_size). + +I have modified the check for if in_trans->size is zero to instead check +if in_trans->size is less than resources->xferred_dma_size. If we have +already transferred more bytes than in_trans->size then there are negative +bytes remaining which doesn't make sense. If there are zero bytes +remaining to be copied, just return success. + +The check in encode_dma() checked that "addr + size" could not overflow +and barring a driver bug that should work, but it's easier to check if +we do this in parts. First check that "in_trans->addr + +resources->xferred_dma_size" is safe. Then check that "xfer_start_addr + +remaining" is safe. + +My final concern was that we are dealing with u64 values but on 32bit +systems the kmalloc() function will truncate the sizes to 32 bits. So +I calculated "total = in_trans->size + offset_in_page(xfer_start_addr);" +and returned -EINVAL if it were >= SIZE_MAX. This will not affect 64bit +systems. + +Fixes: 129776ac2e38 ("accel/qaic: Add control path") +Signed-off-by: Dan Carpenter +Reviewed-by: Jeffrey Hugo +Reviewed-by: Carl Vanderlip +Signed-off-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/24d3348b-25ac-4c1b-b171-9dae7c43e4e0@moroto.mountain +Signed-off-by: Sasha Levin +--- + drivers/accel/qaic/qaic_control.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c +index cfbc92da426fa..388abd40024ba 100644 +--- a/drivers/accel/qaic/qaic_control.c ++++ b/drivers/accel/qaic/qaic_control.c +@@ -392,18 +392,31 @@ static int find_and_map_user_pages(struct qaic_device *qdev, + struct qaic_manage_trans_dma_xfer *in_trans, + struct ioctl_resources *resources, struct dma_xfer *xfer) + { ++ u64 xfer_start_addr, remaining, end, total; + unsigned long need_pages; + struct page **page_list; + unsigned long nr_pages; + struct sg_table *sgt; +- u64 xfer_start_addr; + int ret; + int i; + +- xfer_start_addr = in_trans->addr + resources->xferred_dma_size; ++ if (check_add_overflow(in_trans->addr, resources->xferred_dma_size, &xfer_start_addr)) ++ return -EINVAL; + +- need_pages = DIV_ROUND_UP(in_trans->size + offset_in_page(xfer_start_addr) - +- resources->xferred_dma_size, PAGE_SIZE); ++ if (in_trans->size < resources->xferred_dma_size) ++ return -EINVAL; ++ remaining = in_trans->size - resources->xferred_dma_size; ++ if (remaining == 0) ++ return 0; ++ ++ if (check_add_overflow(xfer_start_addr, remaining, &end)) ++ return -EINVAL; ++ ++ total = remaining + offset_in_page(xfer_start_addr); ++ if (total >= SIZE_MAX) ++ return -EINVAL; ++ ++ need_pages = DIV_ROUND_UP(total, PAGE_SIZE); + + nr_pages = need_pages; + +@@ -435,7 +448,7 @@ static int find_and_map_user_pages(struct qaic_device *qdev, + + ret = sg_alloc_table_from_pages(sgt, page_list, nr_pages, + offset_in_page(xfer_start_addr), +- in_trans->size - resources->xferred_dma_size, GFP_KERNEL); ++ remaining, GFP_KERNEL); + if (ret) { + ret = -ENOMEM; + goto free_sgt; +@@ -566,9 +579,6 @@ static int encode_dma(struct qaic_device *qdev, void *trans, struct wrapper_list + QAIC_MANAGE_EXT_MSG_LENGTH) + return -ENOMEM; + +- if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size) +- return -EINVAL; +- + xfer = kmalloc(sizeof(*xfer), GFP_KERNEL); + if (!xfer) + return -ENOMEM; +-- +2.40.1 + diff --git a/queue-6.4/accel-qaic-fix-slicing-memory-leak.patch b/queue-6.4/accel-qaic-fix-slicing-memory-leak.patch new file mode 100644 index 00000000000..dced8ab6296 --- /dev/null +++ b/queue-6.4/accel-qaic-fix-slicing-memory-leak.patch @@ -0,0 +1,38 @@ +From 355f2fa006849116cbe58ee756a336a756d3d654 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 08:59:37 -0600 +Subject: accel/qaic: Fix slicing memory leak + +From: Pranjal Ramajor Asha Kanojiya + +[ Upstream commit 2d956177b7c96e62fac762a3b7da4318cde27a73 ] + +The temporary buffer storing slicing configuration data from user is only +freed on error. This is a memory leak. Free the buffer unconditionally. + +Fixes: ff13be830333 ("accel/qaic: Add datapath") +Signed-off-by: Pranjal Ramajor Asha Kanojiya +Reviewed-by: Carl Vanderlip +Reviewed-by: Jeffrey Hugo +Signed-off-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/20230802145937.14827-1-quic_jhugo@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/accel/qaic/qaic_data.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c +index e9a1cb779b305..6b6d981a71be7 100644 +--- a/drivers/accel/qaic/qaic_data.c ++++ b/drivers/accel/qaic/qaic_data.c +@@ -1021,6 +1021,7 @@ int qaic_attach_slice_bo_ioctl(struct drm_device *dev, void *data, struct drm_fi + bo->dbc = dbc; + srcu_read_unlock(&dbc->ch_lock, rcu_id); + drm_gem_object_put(obj); ++ kfree(slice_ent); + srcu_read_unlock(&qdev->dev_lock, qdev_rcu_id); + srcu_read_unlock(&usr->qddev_lock, usr_rcu_id); + +-- +2.40.1 + diff --git a/queue-6.4/alsa-hda-realtek-add-quirks-for-hp-g11-laptops.patch b/queue-6.4/alsa-hda-realtek-add-quirks-for-hp-g11-laptops.patch new file mode 100644 index 00000000000..8995296a94a --- /dev/null +++ b/queue-6.4/alsa-hda-realtek-add-quirks-for-hp-g11-laptops.patch @@ -0,0 +1,46 @@ +From 0c8a2e2d357c34b4255c43795ee10e74fec1b891 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 15:29:56 +0100 +Subject: ALSA: hda/realtek: Add quirks for HP G11 Laptops + +From: Stefan Binding + +[ Upstream commit fb8cce69e5e56eedb35fc4d77b2f099860965859 ] + +These HP G11 laptops use Realtek HDA codec combined with +2xCS35L41 Amplifiers using SPI or I2C with External Boost. + +Laptop 103c8c26 has been removed as this has been replaced +by this new series of laptops. + +Fixes: 3e10f6ca76c4 ("ALSA: hda/realtek: Add quirk for HP EliteBook G10 laptops") +Signed-off-by: Stefan Binding +Link: https://lore.kernel.org/r/20230809142957.675933-2-sbinding@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 853d1ed21facd..0289d9109bf32 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9606,7 +9606,13 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8b96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8b97, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8bf0, "HP", ALC236_FIXUP_HP_GPIO_LED), +- SND_PCI_QUIRK(0x103c, 0x8c26, "HP HP EliteBook 800G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8c46, "HP EliteBook 830 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8c47, "HP EliteBook 840 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8c48, "HP EliteBook 860 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8c49, "HP Elite x360 830 2-in-1 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8c70, "HP EliteBook 835 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8c71, "HP EliteBook 845 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8c72, "HP EliteBook 865 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), + SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), +-- +2.40.1 + diff --git a/queue-6.4/alsa-hda-realtek-remodified-3k-pull-low-procedure.patch b/queue-6.4/alsa-hda-realtek-remodified-3k-pull-low-procedure.patch new file mode 100644 index 00000000000..bbe076fdae6 --- /dev/null +++ b/queue-6.4/alsa-hda-realtek-remodified-3k-pull-low-procedure.patch @@ -0,0 +1,63 @@ +From 671f87d34572e88779fade2c40e12a8ec4c0418d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 15:54:23 +0800 +Subject: ALSA: hda/realtek - Remodified 3k pull low procedure + +From: Kailang Yang + +[ Upstream commit 46cdff2369cbdf8d78081a22526e77bd1323f563 ] + +Set spec->en_3kpull_low default to true. +Then fillback ALC236 and ALC257 to false. + +Additional note: this addresses a regression caused by the previous +fix 69ea4c9d02b7 ("ALSA: hda/realtek - remove 3k pull low procedure"). +The previous workaround was applied too widely without necessity, +which resulted in the pop noise at PM again. This patch corrects the +condition and restores the old behavior for the devices that don't +suffer from the original problem. + +Fixes: 69ea4c9d02b7 ("ALSA: hda/realtek - remove 3k pull low procedure") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217732 +Link: https://lore.kernel.org/r/01e212a538fc407ca6edd10b81ff7b05@realtek.com +Signed-off-by: Kailang Yang +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 0289d9109bf32..074aa06aa585c 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10633,6 +10633,7 @@ static int patch_alc269(struct hda_codec *codec) + spec = codec->spec; + spec->gen.shared_mic_vref_pin = 0x18; + codec->power_save_node = 0; ++ spec->en_3kpull_low = true; + + #ifdef CONFIG_PM + codec->patch_ops.suspend = alc269_suspend; +@@ -10715,14 +10716,16 @@ static int patch_alc269(struct hda_codec *codec) + spec->shutup = alc256_shutup; + spec->init_hook = alc256_init; + spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ +- if (codec->bus->pci->vendor == PCI_VENDOR_ID_AMD) +- spec->en_3kpull_low = true; ++ if (codec->core.vendor_id == 0x10ec0236 && ++ codec->bus->pci->vendor != PCI_VENDOR_ID_AMD) ++ spec->en_3kpull_low = false; + break; + case 0x10ec0257: + spec->codec_variant = ALC269_TYPE_ALC257; + spec->shutup = alc256_shutup; + spec->init_hook = alc256_init; + spec->gen.mixer_nid = 0; ++ spec->en_3kpull_low = false; + break; + case 0x10ec0215: + case 0x10ec0245: +-- +2.40.1 + diff --git a/queue-6.4/arm-dts-imx-adjust-dma-apbh-node-name.patch b/queue-6.4/arm-dts-imx-adjust-dma-apbh-node-name.patch new file mode 100644 index 00000000000..23fcd94ab8e --- /dev/null +++ b/queue-6.4/arm-dts-imx-adjust-dma-apbh-node-name.patch @@ -0,0 +1,109 @@ +From aebdbef3ee99674b1671c221d8dc885a3357523e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Apr 2023 11:19:46 +0200 +Subject: ARM: dts: imx: Adjust dma-apbh node name + +From: Stefan Wahren + +[ Upstream commit e9f5cd85f1f931bb7b64031492f7051187ccaac7 ] + +Currently the dtbs_check generates warnings like this: + +$nodename:0: 'dma-apbh@110000' does not match '^dma-controller(@.*)?$' + +So fix all affected dma-apbh node names. + +Signed-off-by: Stefan Wahren +Signed-off-by: Shawn Guo +Stable-dep-of: be18293e47cb ("ARM: dts: imx: Set default tuning step for imx7d usdhc") +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx23.dtsi | 2 +- + arch/arm/boot/dts/imx28.dtsi | 2 +- + arch/arm/boot/dts/imx6qdl.dtsi | 2 +- + arch/arm/boot/dts/imx6sx.dtsi | 2 +- + arch/arm/boot/dts/imx6ul.dtsi | 2 +- + arch/arm/boot/dts/imx7s.dtsi | 2 +- + 6 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/boot/dts/imx23.dtsi b/arch/arm/boot/dts/imx23.dtsi +index d19508c8f9ed6..a3668a0827fc8 100644 +--- a/arch/arm/boot/dts/imx23.dtsi ++++ b/arch/arm/boot/dts/imx23.dtsi +@@ -59,7 +59,7 @@ + reg = <0x80000000 0x2000>; + }; + +- dma_apbh: dma-apbh@80004000 { ++ dma_apbh: dma-controller@80004000 { + compatible = "fsl,imx23-dma-apbh"; + reg = <0x80004000 0x2000>; + interrupts = <0 14 20 0 +diff --git a/arch/arm/boot/dts/imx28.dtsi b/arch/arm/boot/dts/imx28.dtsi +index a8d3c3113e0f6..29e37b1fae66f 100644 +--- a/arch/arm/boot/dts/imx28.dtsi ++++ b/arch/arm/boot/dts/imx28.dtsi +@@ -78,7 +78,7 @@ + status = "disabled"; + }; + +- dma_apbh: dma-apbh@80004000 { ++ dma_apbh: dma-controller@80004000 { + compatible = "fsl,imx28-dma-apbh"; + reg = <0x80004000 0x2000>; + interrupts = <82 83 84 85 +diff --git a/arch/arm/boot/dts/imx6qdl.dtsi b/arch/arm/boot/dts/imx6qdl.dtsi +index b72ec745f6d12..bda182edc5891 100644 +--- a/arch/arm/boot/dts/imx6qdl.dtsi ++++ b/arch/arm/boot/dts/imx6qdl.dtsi +@@ -150,7 +150,7 @@ + interrupt-parent = <&gpc>; + ranges; + +- dma_apbh: dma-apbh@110000 { ++ dma_apbh: dma-controller@110000 { + compatible = "fsl,imx6q-dma-apbh", "fsl,imx28-dma-apbh"; + reg = <0x00110000 0x2000>; + interrupts = <0 13 IRQ_TYPE_LEVEL_HIGH>, +diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi +index 93ac2380ca1ec..4233943a1cca8 100644 +--- a/arch/arm/boot/dts/imx6sx.dtsi ++++ b/arch/arm/boot/dts/imx6sx.dtsi +@@ -209,7 +209,7 @@ + power-domains = <&pd_pu>; + }; + +- dma_apbh: dma-apbh@1804000 { ++ dma_apbh: dma-controller@1804000 { + compatible = "fsl,imx6sx-dma-apbh", "fsl,imx28-dma-apbh"; + reg = <0x01804000 0x2000>; + interrupts = , +diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi +index 3d9d0f8235685..118764c50d921 100644 +--- a/arch/arm/boot/dts/imx6ul.dtsi ++++ b/arch/arm/boot/dts/imx6ul.dtsi +@@ -164,7 +164,7 @@ + <0x00a06000 0x2000>; + }; + +- dma_apbh: dma-apbh@1804000 { ++ dma_apbh: dma-controller@1804000 { + compatible = "fsl,imx6q-dma-apbh", "fsl,imx28-dma-apbh"; + reg = <0x01804000 0x2000>; + interrupts = <0 13 IRQ_TYPE_LEVEL_HIGH>, +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index efe2525b62fa1..54026c2c93fac 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -1257,7 +1257,7 @@ + }; + }; + +- dma_apbh: dma-apbh@33000000 { ++ dma_apbh: dma-controller@33000000 { + compatible = "fsl,imx7d-dma-apbh", "fsl,imx28-dma-apbh"; + reg = <0x33000000 0x2000>; + interrupts = , +-- +2.40.1 + diff --git a/queue-6.4/arm-dts-imx-set-default-tuning-step-for-imx6sx-usdhc.patch b/queue-6.4/arm-dts-imx-set-default-tuning-step-for-imx6sx-usdhc.patch new file mode 100644 index 00000000000..9b309818e9a --- /dev/null +++ b/queue-6.4/arm-dts-imx-set-default-tuning-step-for-imx6sx-usdhc.patch @@ -0,0 +1,63 @@ +From babe6e5903f5aee2724a7c9d7222da2cf9994be2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 15:57:47 +0800 +Subject: ARM: dts: imx: Set default tuning step for imx6sx usdhc + +From: Xiaolei Wang + +[ Upstream commit 0a2b96e42a0284c4fc03022236f656a085ca714a ] + +If the tuning step is not set, the tuning step is set to 1. +For some sd cards, the following Tuning timeout will occur. + +Tuning failed, falling back to fixed sampling clock + +So set the default tuning step. This refers to the NXP vendor's +commit below: + +https://github.com/nxp-imx/linux-imx/blob/lf-6.1.y/ +arch/arm/boot/dts/imx6sx.dtsi#L1108-L1109 + +Fixes: 1e336aa0c025 ("mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting") +Signed-off-by: Xiaolei Wang +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sx.dtsi | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi +index 4233943a1cca8..fc0654e3fe950 100644 +--- a/arch/arm/boot/dts/imx6sx.dtsi ++++ b/arch/arm/boot/dts/imx6sx.dtsi +@@ -980,6 +980,8 @@ + <&clks IMX6SX_CLK_USDHC1>; + clock-names = "ipg", "ahb", "per"; + bus-width = <4>; ++ fsl,tuning-start-tap = <20>; ++ fsl,tuning-step= <2>; + status = "disabled"; + }; + +@@ -992,6 +994,8 @@ + <&clks IMX6SX_CLK_USDHC2>; + clock-names = "ipg", "ahb", "per"; + bus-width = <4>; ++ fsl,tuning-start-tap = <20>; ++ fsl,tuning-step= <2>; + status = "disabled"; + }; + +@@ -1004,6 +1008,8 @@ + <&clks IMX6SX_CLK_USDHC3>; + clock-names = "ipg", "ahb", "per"; + bus-width = <4>; ++ fsl,tuning-start-tap = <20>; ++ fsl,tuning-step= <2>; + status = "disabled"; + }; + +-- +2.40.1 + diff --git a/queue-6.4/arm-dts-imx-set-default-tuning-step-for-imx7d-usdhc.patch b/queue-6.4/arm-dts-imx-set-default-tuning-step-for-imx7d-usdhc.patch new file mode 100644 index 00000000000..ba4ff000e81 --- /dev/null +++ b/queue-6.4/arm-dts-imx-set-default-tuning-step-for-imx7d-usdhc.patch @@ -0,0 +1,64 @@ +From 92eb0515a883186d19da8ce5dad818943e438f7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 23:45:10 +0800 +Subject: ARM: dts: imx: Set default tuning step for imx7d usdhc + +From: Xiaolei Wang + +[ Upstream commit be18293e47cbca7c6acee9231fc851601d69563a ] + +If the tuning step is not set, the tuning step is set to 1. +For some sd cards, the following Tuning timeout will occur. + +Tuning failed, falling back to fixed sampling clock +mmc0: Tuning failed, falling back to fixed sampling clock + +So set the default tuning step. This refers to the NXP vendor's +commit below: + +https://github.com/nxp-imx/linux-imx/blob/lf-6.1.y/ +arch/arm/boot/dts/imx7s.dtsi#L1216-L1217 + +Fixes: 1e336aa0c025 ("mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting") +Signed-off-by: Xiaolei Wang +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7s.dtsi | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index 54026c2c93fac..6ffb428dc939c 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -1184,6 +1184,8 @@ + <&clks IMX7D_USDHC1_ROOT_CLK>; + clock-names = "ipg", "ahb", "per"; + bus-width = <4>; ++ fsl,tuning-step = <2>; ++ fsl,tuning-start-tap = <20>; + status = "disabled"; + }; + +@@ -1196,6 +1198,8 @@ + <&clks IMX7D_USDHC2_ROOT_CLK>; + clock-names = "ipg", "ahb", "per"; + bus-width = <4>; ++ fsl,tuning-step = <2>; ++ fsl,tuning-start-tap = <20>; + status = "disabled"; + }; + +@@ -1208,6 +1212,8 @@ + <&clks IMX7D_USDHC3_ROOT_CLK>; + clock-names = "ipg", "ahb", "per"; + bus-width = <4>; ++ fsl,tuning-step = <2>; ++ fsl,tuning-start-tap = <20>; + status = "disabled"; + }; + +-- +2.40.1 + diff --git a/queue-6.4/arm-dts-imx6-phytec-fix-rtc-interrupt-level.patch b/queue-6.4/arm-dts-imx6-phytec-fix-rtc-interrupt-level.patch new file mode 100644 index 00000000000..3c82989c670 --- /dev/null +++ b/queue-6.4/arm-dts-imx6-phytec-fix-rtc-interrupt-level.patch @@ -0,0 +1,44 @@ +From 55bd1ba0db2863afc2223293563b67d4d59d7ea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 13:43:26 +0200 +Subject: ARM: dts: imx6: phytec: fix RTC interrupt level +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrej Picej + +[ Upstream commit 762b700982a1e0f562184363f19860c3b9bdd0bf ] + +RTC interrupt level should be set to "LOW". This was revealed by the +introduction of commit: + + f181987ef477 ("rtc: m41t80: use IRQ flags obtained from fwnode") + +which changed the way IRQ type is obtained. + +Signed-off-by: Andrej Picej +Reviewed-by: Stefan Riedmüller +Fixes: 800d595151bb ("ARM: dts: imx6: Add initial support for phyBOARD-Mira") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-phytec-mira.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-phytec-mira.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-mira.dtsi +index 1a599c294ab86..1ca4d219609f6 100644 +--- a/arch/arm/boot/dts/imx6qdl-phytec-mira.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-phytec-mira.dtsi +@@ -182,7 +182,7 @@ + pinctrl-0 = <&pinctrl_rtc_int>; + reg = <0x68>; + interrupt-parent = <&gpio7>; +- interrupts = <8 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts = <8 IRQ_TYPE_LEVEL_LOW>; + status = "disabled"; + }; + }; +-- +2.40.1 + diff --git a/queue-6.4/arm64-dts-imx8mm-drop-csi1-phy-reference-clock-confi.patch b/queue-6.4/arm64-dts-imx8mm-drop-csi1-phy-reference-clock-confi.patch new file mode 100644 index 00000000000..d1d80952dba --- /dev/null +++ b/queue-6.4/arm64-dts-imx8mm-drop-csi1-phy-reference-clock-confi.patch @@ -0,0 +1,53 @@ +From e2ecb20db1d1e093b6b5c055a33dbfca0ed43f44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 20:26:28 -0300 +Subject: arm64: dts: imx8mm: Drop CSI1 PHY reference clock configuration + +From: Fabio Estevam + +[ Upstream commit f02b53375e8f14b4c27a14f6e4fb6e89914fdc29 ] + +The CSI1 PHY reference clock is limited to 125 MHz according to: +i.MX 8M Mini Applications Processor Reference Manual, Rev. 3, 11/2020 +Table 5-1. Clock Root Table (continued) / page 307 +Slice Index n = 123 . + +Currently the IMX8MM_CLK_CSI1_PHY_REF clock is configured to be +fed directly from 1 GHz PLL2 , which overclocks them. Instead, drop +the configuration altogether, which defaults the clock to 24 MHz REF +clock input, which for the PHY reference clock is just fine. + +Based on a patch from Marek Vasut for the imx8mn. + +Fixes: e523b7c54c05 ("arm64: dts: imx8mm: Add CSI nodes") +Signed-off-by: Fabio Estevam +Reviewed-by: Marek Vasut +Reviewed-by: Marco Felsch +Reviewed-by: Adam Ford +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm.dtsi | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm.dtsi b/arch/arm64/boot/dts/freescale/imx8mm.dtsi +index d6b36f04f3dc1..1a647d4072ba0 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm.dtsi +@@ -1221,10 +1221,9 @@ + compatible = "fsl,imx8mm-mipi-csi2"; + reg = <0x32e30000 0x1000>; + interrupts = ; +- assigned-clocks = <&clk IMX8MM_CLK_CSI1_CORE>, +- <&clk IMX8MM_CLK_CSI1_PHY_REF>; +- assigned-clock-parents = <&clk IMX8MM_SYS_PLL2_1000M>, +- <&clk IMX8MM_SYS_PLL2_1000M>; ++ assigned-clocks = <&clk IMX8MM_CLK_CSI1_CORE>; ++ assigned-clock-parents = <&clk IMX8MM_SYS_PLL2_1000M>; ++ + clock-frequency = <333000000>; + clocks = <&clk IMX8MM_CLK_DISP_APB_ROOT>, + <&clk IMX8MM_CLK_CSI1_ROOT>, +-- +2.40.1 + diff --git a/queue-6.4/arm64-dts-imx93-fix-anatop-node-size.patch b/queue-6.4/arm64-dts-imx93-fix-anatop-node-size.patch new file mode 100644 index 00000000000..f67e70e72c2 --- /dev/null +++ b/queue-6.4/arm64-dts-imx93-fix-anatop-node-size.patch @@ -0,0 +1,43 @@ +From c9c9eef62e03bf0ef893d211720ce1fbe8ca80a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 10:34:35 +0200 +Subject: arm64: dts: imx93: Fix anatop node size + +From: Alexander Stein + +[ Upstream commit 78e869dd8b2ba19765ac9b05cdea3e432d1dc188 ] + +Although the memory map of i.MX93 reference manual rev. 2 claims that +analog top has start address of 0x44480000 and end address of 0x4448ffff, +this overlaps with TMU memory area starting at 0x44482000, as stated in +section 73.6.1. +As PLL configuration registers start at addresses up to 0x44481400, as used +by clk-imx93, reduce the anatop size to 0x2000, so exclude the TMU area +but keep all PLL registers inside. + +Fixes: ec8b5b5058ea ("arm64: dts: freescale: Add i.MX93 dtsi support") +Signed-off-by: Alexander Stein +Reviewed-by: Peng Fan +Reviewed-by: Jacky Bai +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx93.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx93.dtsi b/arch/arm64/boot/dts/freescale/imx93.dtsi +index e8d49660ac85b..c0f49fedaf9ea 100644 +--- a/arch/arm64/boot/dts/freescale/imx93.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx93.dtsi +@@ -306,7 +306,7 @@ + + anatop: anatop@44480000 { + compatible = "fsl,imx93-anatop", "syscon"; +- reg = <0x44480000 0x10000>; ++ reg = <0x44480000 0x2000>; + }; + + adc1: adc@44530000 { +-- +2.40.1 + diff --git a/queue-6.4/arm64-dts-qcom-qrb5165-rb5-fix-thermal-zone-conflict.patch b/queue-6.4/arm64-dts-qcom-qrb5165-rb5-fix-thermal-zone-conflict.patch new file mode 100644 index 00000000000..ada67397a17 --- /dev/null +++ b/queue-6.4/arm64-dts-qcom-qrb5165-rb5-fix-thermal-zone-conflict.patch @@ -0,0 +1,45 @@ +From 9d54a9af3ac6da0a15522a96a089a5c5c33ca7c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 16:12:24 +0300 +Subject: arm64: dts: qcom: qrb5165-rb5: fix thermal zone conflict + +From: Dmitry Baryshkov + +[ Upstream commit 798f1df86e5709b7b6aedf493cc04c7fedbf544a ] + +The commit 3a786086c6f8 ("arm64: dts: qcom: Add missing "-thermal" +suffix for thermal zones") renamed the thermal zone in the pm8150l.dtsi +file to comply with the schema. However this resulted in a clash with +the RB5 board file, which already contained the pm8150l-thermal zone for +the on-board sensor. This resulted in the board file definition +overriding the thermal zone defined in the PMIC include file (and thus +the on-die PMIC temp alarm was not probing at all). + +Rename the thermal zone in qcom/qrb5165-rb5.dts to remove this override. + +Fixes: 3a786086c6f8 ("arm64: dts: qcom: Add missing "-thermal" suffix for thermal zones") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230613131224.666668-1-dmitry.baryshkov@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qrb5165-rb5.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts b/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts +index dd924331b0eea..ec066a89436a8 100644 +--- a/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts ++++ b/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts +@@ -121,7 +121,7 @@ + }; + }; + +- pm8150l-thermal { ++ pm8150l-pcb-thermal { + polling-delay-passive = <0>; + polling-delay = <0>; + thermal-sensors = <&pm8150l_adc_tm 1>; +-- +2.40.1 + diff --git a/queue-6.4/arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-4c.patch b/queue-6.4/arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-4c.patch new file mode 100644 index 00000000000..350b41d7568 --- /dev/null +++ b/queue-6.4/arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-4c.patch @@ -0,0 +1,63 @@ +From 746ae78738306e71f59c9a8b34a1fd4f80322adc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 15:42:55 +0100 +Subject: arm64: dts: rockchip: Disable HS400 for eMMC on ROCK 4C+ + +From: Christopher Obbard + +[ Upstream commit 2bd1d2dd808c60532283e9cf05110bf1bf2f9079 ] + +There is some instablity with some eMMC modules on ROCK Pi 4 SBCs running +in HS400 mode. This ends up resulting in some block errors after a while +or after a "heavy" operation utilising the eMMC (e.g. resizing a +filesystem). An example of these errors is as follows: + + [ 289.171014] mmc1: running CQE recovery + [ 290.048972] mmc1: running CQE recovery + [ 290.054834] mmc1: running CQE recovery + [ 290.060817] mmc1: running CQE recovery + [ 290.061337] blk_update_request: I/O error, dev mmcblk1, sector 1411072 op 0x1:(WRITE) flags 0x800 phys_seg 36 prio class 0 + [ 290.061370] EXT4-fs warning (device mmcblk1p1): ext4_end_bio:348: I/O error 10 writing to inode 29547 starting block 176466) + [ 290.061484] Buffer I/O error on device mmcblk1p1, logical block 172288 + [ 290.061531] Buffer I/O error on device mmcblk1p1, logical block 172289 + [ 290.061551] Buffer I/O error on device mmcblk1p1, logical block 172290 + [ 290.061574] Buffer I/O error on device mmcblk1p1, logical block 172291 + [ 290.061592] Buffer I/O error on device mmcblk1p1, logical block 172292 + [ 290.061615] Buffer I/O error on device mmcblk1p1, logical block 172293 + [ 290.061632] Buffer I/O error on device mmcblk1p1, logical block 172294 + [ 290.061654] Buffer I/O error on device mmcblk1p1, logical block 172295 + [ 290.061673] Buffer I/O error on device mmcblk1p1, logical block 172296 + [ 290.061695] Buffer I/O error on device mmcblk1p1, logical block 172297 + +Disabling the Command Queue seems to stop the CQE recovery from running, +but doesn't seem to improve the I/O errors. Until this can be investigated +further, disable HS400 mode on the ROCK Pi 4 SBCs to at least stop I/O +errors from occurring. + +Fixes: 246450344dad ("arm64: dts: rockchip: rk3399: Radxa ROCK 4C+") +Signed-off-by: Christopher Obbard +Link: https://lore.kernel.org/r/20230705144255.115299-3-chris.obbard@collabora.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-rock-4c-plus.dts | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-4c-plus.dts b/arch/arm64/boot/dts/rockchip/rk3399-rock-4c-plus.dts +index 028eb508ae302..8bfd5f88d1ef6 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-4c-plus.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-4c-plus.dts +@@ -548,9 +548,8 @@ + &sdhci { + max-frequency = <150000000>; + bus-width = <8>; +- mmc-hs400-1_8v; ++ mmc-hs200-1_8v; + non-removable; +- mmc-hs400-enhanced-strobe; + status = "okay"; + }; + +-- +2.40.1 + diff --git a/queue-6.4/arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-pi.patch b/queue-6.4/arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-pi.patch new file mode 100644 index 00000000000..3a9377b0f62 --- /dev/null +++ b/queue-6.4/arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-pi.patch @@ -0,0 +1,68 @@ +From 2fd5ac3015b07558e271fb9ca11eb4c7dbf00adf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 15:42:54 +0100 +Subject: arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4 + +From: Christopher Obbard + +[ Upstream commit cee572756aa2cb46e959e9797ad4b730b78a050b ] + +There is some instablity with some eMMC modules on ROCK Pi 4 SBCs running +in HS400 mode. This ends up resulting in some block errors after a while +or after a "heavy" operation utilising the eMMC (e.g. resizing a +filesystem). An example of these errors is as follows: + + [ 289.171014] mmc1: running CQE recovery + [ 290.048972] mmc1: running CQE recovery + [ 290.054834] mmc1: running CQE recovery + [ 290.060817] mmc1: running CQE recovery + [ 290.061337] blk_update_request: I/O error, dev mmcblk1, sector 1411072 op 0x1:(WRITE) flags 0x800 phys_seg 36 prio class 0 + [ 290.061370] EXT4-fs warning (device mmcblk1p1): ext4_end_bio:348: I/O error 10 writing to inode 29547 starting block 176466) + [ 290.061484] Buffer I/O error on device mmcblk1p1, logical block 172288 + [ 290.061531] Buffer I/O error on device mmcblk1p1, logical block 172289 + [ 290.061551] Buffer I/O error on device mmcblk1p1, logical block 172290 + [ 290.061574] Buffer I/O error on device mmcblk1p1, logical block 172291 + [ 290.061592] Buffer I/O error on device mmcblk1p1, logical block 172292 + [ 290.061615] Buffer I/O error on device mmcblk1p1, logical block 172293 + [ 290.061632] Buffer I/O error on device mmcblk1p1, logical block 172294 + [ 290.061654] Buffer I/O error on device mmcblk1p1, logical block 172295 + [ 290.061673] Buffer I/O error on device mmcblk1p1, logical block 172296 + [ 290.061695] Buffer I/O error on device mmcblk1p1, logical block 172297 + +Disabling the Command Queue seems to stop the CQE recovery from running, +but doesn't seem to improve the I/O errors. Until this can be investigated +further, disable HS400 mode on the ROCK Pi 4 SBCs to at least stop I/O +errors from occurring. + +While we are here, set the eMMC maximum clock frequency to 1.5MHz to +follow the ROCK 4C+. + +Fixes: 1b5715c602fd ("arm64: dts: rockchip: add ROCK Pi 4 DTS support") +Signed-off-by: Christopher Obbard +Tested-By: Folker Schwesinger +Link: https://lore.kernel.org/r/20230705144255.115299-2-chris.obbard@collabora.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi +index 907071d4fe804..95efee311ece9 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi +@@ -645,9 +645,9 @@ + }; + + &sdhci { ++ max-frequency = <150000000>; + bus-width = <8>; +- mmc-hs400-1_8v; +- mmc-hs400-enhanced-strobe; ++ mmc-hs200-1_8v; + non-removable; + status = "okay"; + }; +-- +2.40.1 + diff --git a/queue-6.4/asoc-max98363-don-t-return-on-success-reading-revisi.patch b/queue-6.4/asoc-max98363-don-t-return-on-success-reading-revisi.patch new file mode 100644 index 00000000000..d09583e44d4 --- /dev/null +++ b/queue-6.4/asoc-max98363-don-t-return-on-success-reading-revisi.patch @@ -0,0 +1,57 @@ +From 2d9f0276eea818cf6ca9663b0b94bbc415e73beb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 11:47:34 +0800 +Subject: ASoC: max98363: don't return on success reading revision ID + +From: Bard Liao + +[ Upstream commit 385311101538b071a487a9245e01349e3a68ed2c ] + +max98363_io_init needs to keep going when we read revision ID +successfully. + +Fixes: 18c0af945fa3 ("ASoC: max98363: add soundwire amplifier driver") +Signed-off-by: Bard Liao +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Link: https://lore.kernel.org/r/20230804034734.3848227-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/max98363.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/max98363.c b/sound/soc/codecs/max98363.c +index e6b84e222b504..169913ba76dd7 100644 +--- a/sound/soc/codecs/max98363.c ++++ b/sound/soc/codecs/max98363.c +@@ -191,10 +191,10 @@ static int max98363_io_init(struct sdw_slave *slave) + pm_runtime_get_noresume(dev); + + ret = regmap_read(max98363->regmap, MAX98363_R21FF_REV_ID, ®); +- if (!ret) { ++ if (!ret) + dev_info(dev, "Revision ID: %X\n", reg); +- return ret; +- } ++ else ++ goto out; + + if (max98363->first_hw_init) { + regcache_cache_bypass(max98363->regmap, false); +@@ -204,10 +204,11 @@ static int max98363_io_init(struct sdw_slave *slave) + max98363->first_hw_init = true; + max98363->hw_init = true; + ++out: + pm_runtime_mark_last_busy(dev); + pm_runtime_put_autosuspend(dev); + +- return 0; ++ return ret; + } + + #define MAX98363_RATES SNDRV_PCM_RATE_8000_192000 +-- +2.40.1 + diff --git a/queue-6.4/asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch b/queue-6.4/asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch new file mode 100644 index 00000000000..a94833e3c23 --- /dev/null +++ b/queue-6.4/asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch @@ -0,0 +1,110 @@ +From 0c6279025471bf00e6d04f01d06f571fb7201e4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 19:19:31 +0200 +Subject: ASoC: meson: axg-tdm-formatter: fix channel slot allocation + +From: Jerome Brunet + +[ Upstream commit c1f848f12103920ca165758aedb1c10904e193e1 ] + +When the tdm lane mask is computed, the driver currently fills the 1st lane +before moving on to the next. If the stream has less channels than the +lanes can accommodate, slots will be disabled on the last lanes. + +Unfortunately, the HW distribute channels in a different way. It distribute +channels in pair on each lanes before moving on the next slots. + +This difference leads to problems if a device has an interface with more +than 1 lane and with more than 2 slots per lane. + +For example: a playback interface with 2 lanes and 4 slots each (total 8 +slots - zero based numbering) +- Playing a 8ch stream: + - All slots activated by the driver + - channel #2 will be played on lane #1 - slot #0 following HW placement +- Playing a 4ch stream: + - Lane #1 disabled by the driver + - channel #2 will be played on lane #0 - slot #2 + +This behaviour is obviously not desirable. + +Change the way slots are activated on the TDM lanes to follow what the HW +does and make sure each channel always get mapped to the same slot/lane. + +Fixes: 1a11d88f499c ("ASoC: meson: add tdm formatter base driver") +Signed-off-by: Jerome Brunet +Link: https://lore.kernel.org/r/20230809171931.1244502-1-jbrunet@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/meson/axg-tdm-formatter.c | 42 ++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 16 deletions(-) + +diff --git a/sound/soc/meson/axg-tdm-formatter.c b/sound/soc/meson/axg-tdm-formatter.c +index 9883dc777f630..63333a2b0a9c3 100644 +--- a/sound/soc/meson/axg-tdm-formatter.c ++++ b/sound/soc/meson/axg-tdm-formatter.c +@@ -30,27 +30,32 @@ int axg_tdm_formatter_set_channel_masks(struct regmap *map, + struct axg_tdm_stream *ts, + unsigned int offset) + { +- unsigned int val, ch = ts->channels; +- unsigned long mask; +- int i, j; ++ unsigned int ch = ts->channels; ++ u32 val[AXG_TDM_NUM_LANES]; ++ int i, j, k; ++ ++ /* ++ * We need to mimick the slot distribution used by the HW to keep the ++ * channel placement consistent regardless of the number of channel ++ * in the stream. This is why the odd algorithm below is used. ++ */ ++ memset(val, 0, sizeof(*val) * AXG_TDM_NUM_LANES); + + /* + * Distribute the channels of the stream over the available slots +- * of each TDM lane ++ * of each TDM lane. We need to go over the 32 slots ... + */ +- for (i = 0; i < AXG_TDM_NUM_LANES; i++) { +- val = 0; +- mask = ts->mask[i]; +- +- for (j = find_first_bit(&mask, 32); +- (j < 32) && ch; +- j = find_next_bit(&mask, 32, j + 1)) { +- val |= 1 << j; +- ch -= 1; ++ for (i = 0; (i < 32) && ch; i += 2) { ++ /* ... of all the lanes ... */ ++ for (j = 0; j < AXG_TDM_NUM_LANES; j++) { ++ /* ... then distribute the channels in pairs */ ++ for (k = 0; k < 2; k++) { ++ if ((BIT(i + k) & ts->mask[j]) && ch) { ++ val[j] |= BIT(i + k); ++ ch -= 1; ++ } ++ } + } +- +- regmap_write(map, offset, val); +- offset += regmap_get_reg_stride(map); + } + + /* +@@ -63,6 +68,11 @@ int axg_tdm_formatter_set_channel_masks(struct regmap *map, + return -EINVAL; + } + ++ for (i = 0; i < AXG_TDM_NUM_LANES; i++) { ++ regmap_write(map, offset, val[i]); ++ offset += regmap_get_reg_stride(map); ++ } ++ + return 0; + } + EXPORT_SYMBOL_GPL(axg_tdm_formatter_set_channel_masks); +-- +2.40.1 + diff --git a/queue-6.4/asoc-rt5665-add-missed-regulator_bulk_disable.patch b/queue-6.4/asoc-rt5665-add-missed-regulator_bulk_disable.patch new file mode 100644 index 00000000000..5e8ed91cb91 --- /dev/null +++ b/queue-6.4/asoc-rt5665-add-missed-regulator_bulk_disable.patch @@ -0,0 +1,38 @@ +From 3c05325ca45a434b5f60818fb6e4f3c4d18e0e31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 23:59:11 +0800 +Subject: ASoC: rt5665: add missed regulator_bulk_disable + +From: Zhang Shurong + +[ Upstream commit c163108e706909570f8aa9aa5bcf6806e2b4c98c ] + +The driver forgets to call regulator_bulk_disable() + +Add the missed call to fix it. + +Fixes: 33ada14a26c8 ("ASoC: add rt5665 codec driver") +Signed-off-by: Zhang Shurong +Link: https://lore.kernel.org/r/tencent_A560D01E3E0A00A85A12F137E4B5205B3508@qq.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5665.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/rt5665.c b/sound/soc/codecs/rt5665.c +index 17afaef85c77a..382bdbcf7b59b 100644 +--- a/sound/soc/codecs/rt5665.c ++++ b/sound/soc/codecs/rt5665.c +@@ -4472,6 +4472,8 @@ static void rt5665_remove(struct snd_soc_component *component) + struct rt5665_priv *rt5665 = snd_soc_component_get_drvdata(component); + + regmap_write(rt5665->regmap, RT5665_RESET, 0); ++ ++ regulator_bulk_disable(ARRAY_SIZE(rt5665->supplies), rt5665->supplies); + } + + #ifdef CONFIG_PM +-- +2.40.1 + diff --git a/queue-6.4/bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch b/queue-6.4/bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch new file mode 100644 index 00000000000..65534b1abb5 --- /dev/null +++ b/queue-6.4/bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch @@ -0,0 +1,48 @@ +From abdee485493bce6519035707ca7f149ae8d1fd68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 10:18:23 +0300 +Subject: bus: ti-sysc: Flush posted write on enable before reset + +From: Tony Lindgren + +[ Upstream commit 34539b442b3bc7d5bf10164750302b60b91f18a7 ] + +The am335x devices started producing boot errors for resetting musb module +in because of subtle timing changes: + +Unhandled fault: external abort on non-linefetch (0x1008) +... +sysc_poll_reset_sysconfig from sysc_reset+0x109/0x12 +sysc_reset from sysc_probe+0xa99/0xeb0 +... + +The fix is to flush posted write after enable before reset during +probe. Note that some devices also need to specify the delay after enable +with ti,sysc-delay-us, but this is not needed for musb on am335x based on +my tests. + +Reported-by: kernelci.org bot +Closes: https://storage.kernelci.org/next/master/next-20230614/arm/multi_v7_defconfig+CONFIG_THUMB2_KERNEL=y/gcc-10/lab-cip/baseline-beaglebone-black.html +Fixes: 596e7955692b ("bus: ti-sysc: Add support for software reset") +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 21fe9854703f9..4cb23b9e06ea4 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -2142,6 +2142,8 @@ static int sysc_reset(struct sysc *ddata) + sysc_val = sysc_read_sysconfig(ddata); + sysc_val |= sysc_mask; + sysc_write(ddata, sysc_offset, sysc_val); ++ /* Flush posted write */ ++ sysc_val = sysc_read_sysconfig(ddata); + } + + if (ddata->cfg.srst_udelay) +-- +2.40.1 + diff --git a/queue-6.4/drm-i915-guc-slpc-restore-efficient-freq-earlier.patch b/queue-6.4/drm-i915-guc-slpc-restore-efficient-freq-earlier.patch new file mode 100644 index 00000000000..51c15bd3996 --- /dev/null +++ b/queue-6.4/drm-i915-guc-slpc-restore-efficient-freq-earlier.patch @@ -0,0 +1,103 @@ +From 1b91d77a6f892a92d3873122063f1fbbe221a6ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 18:00:44 -0700 +Subject: drm/i915/guc/slpc: Restore efficient freq earlier + +From: Vinay Belgaumkar + +[ Upstream commit 5598c9bfdb81f40f2f5d769b342d25bff74b07a6 ] + +This should be done before the soft min/max frequencies are restored. +When we disable the "Ignore efficient frequency" flag, GuC does not +actually bring the requested freq down to RPn. + +Specifically, this scenario- + +- ignore efficient freq set to true +- reduce min to RPn (from efficient) +- suspend +- resume (includes GuC load, restore soft min/max, restore efficient freq) +- validate min freq has been resored to RPn + +This will fail if we didn't first restore(disable, in this case) efficient +freq flag before setting the soft min frequency. + +v2: Bring the min freq down to RPn when we disable efficient freq (Rodrigo) +Also made the change to set the min softlimit to RPn at init. Otherwise, we +were storing RPe there. + +Link: https://gitlab.freedesktop.org/drm/intel/-/issues/8736 +Fixes: 55f9720dbf23 ("drm/i915/guc/slpc: Provide sysfs for efficient freq") +Fixes: 95ccf312a1e4 ("drm/i915/guc/slpc: Allow SLPC to use efficient frequency") +Signed-off-by: Vinay Belgaumkar +Reviewed-by: Rodrigo Vivi +Signed-off-by: John Harrison +Link: https://patchwork.freedesktop.org/patch/msgid/20230726010044.3280402-1-vinay.belgaumkar@intel.com +(cherry picked from commit 28e671114fb0f28f334fac8d0a6b9c395c7b0498) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/uc/intel_guc_slpc.c | 22 +++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_slpc.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_slpc.c +index cc18e8f664864..78822331f1b7f 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_slpc.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_slpc.c +@@ -470,12 +470,19 @@ int intel_guc_slpc_set_ignore_eff_freq(struct intel_guc_slpc *slpc, bool val) + ret = slpc_set_param(slpc, + SLPC_PARAM_IGNORE_EFFICIENT_FREQUENCY, + val); +- if (ret) ++ if (ret) { + guc_probe_error(slpc_to_guc(slpc), "Failed to set efficient freq(%d): %pe\n", + val, ERR_PTR(ret)); +- else ++ } else { + slpc->ignore_eff_freq = val; + ++ /* Set min to RPn when we disable efficient freq */ ++ if (val) ++ ret = slpc_set_param(slpc, ++ SLPC_PARAM_GLOBAL_MIN_GT_UNSLICE_FREQ_MHZ, ++ slpc->min_freq); ++ } ++ + intel_runtime_pm_put(&i915->runtime_pm, wakeref); + mutex_unlock(&slpc->lock); + return ret; +@@ -602,9 +609,8 @@ static int slpc_set_softlimits(struct intel_guc_slpc *slpc) + return ret; + + if (!slpc->min_freq_softlimit) { +- ret = intel_guc_slpc_get_min_freq(slpc, &slpc->min_freq_softlimit); +- if (unlikely(ret)) +- return ret; ++ /* Min softlimit is initialized to RPn */ ++ slpc->min_freq_softlimit = slpc->min_freq; + slpc_to_gt(slpc)->defaults.min_freq = slpc->min_freq_softlimit; + } else { + return intel_guc_slpc_set_min_freq(slpc, +@@ -755,6 +761,9 @@ int intel_guc_slpc_enable(struct intel_guc_slpc *slpc) + return ret; + } + ++ /* Set cached value of ignore efficient freq */ ++ intel_guc_slpc_set_ignore_eff_freq(slpc, slpc->ignore_eff_freq); ++ + /* Revert SLPC min/max to softlimits if necessary */ + ret = slpc_set_softlimits(slpc); + if (unlikely(ret)) { +@@ -765,9 +774,6 @@ int intel_guc_slpc_enable(struct intel_guc_slpc *slpc) + /* Set cached media freq ratio mode */ + intel_guc_slpc_set_media_ratio_mode(slpc, slpc->media_ratio_mode); + +- /* Set cached value of ignore efficient freq */ +- intel_guc_slpc_set_ignore_eff_freq(slpc, slpc->ignore_eff_freq); +- + return 0; + } + +-- +2.40.1 + diff --git a/queue-6.4/drm-nouveau-disp-fix-use-after-free-in-error-handlin.patch b/queue-6.4/drm-nouveau-disp-fix-use-after-free-in-error-handlin.patch new file mode 100644 index 00000000000..2f67ebafbc3 --- /dev/null +++ b/queue-6.4/drm-nouveau-disp-fix-use-after-free-in-error-handlin.patch @@ -0,0 +1,65 @@ +From a1b1334c3d7e4ab4c023ca8b29e5dce45bbb4282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 16:49:32 +0200 +Subject: drm/nouveau/disp: fix use-after-free in error handling of + nouveau_connector_create + +From: Karol Herbst + +[ Upstream commit 1b254b791d7b7dea6e8adc887fbbd51746d8bb27 ] + +We can't simply free the connector after calling drm_connector_init on it. +We need to clean up the drm side first. + +It might not fix all regressions from commit 2b5d1c29f6c4 +("drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), +but at least it fixes a memory corruption in error handling related to +that commit. + +Link: https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W@fat_crate.local/ +Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class") +Signed-off-by: Karol Herbst +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20230814144933.3956959-1-kherbst@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index a2e0033e8a260..622f6eb9a8bfd 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -1408,8 +1408,7 @@ nouveau_connector_create(struct drm_device *dev, + ret = nvif_conn_ctor(&disp->disp, nv_connector->base.name, nv_connector->index, + &nv_connector->conn); + if (ret) { +- kfree(nv_connector); +- return ERR_PTR(ret); ++ goto drm_conn_err; + } + + ret = nvif_conn_event_ctor(&nv_connector->conn, "kmsHotplug", +@@ -1426,8 +1425,7 @@ nouveau_connector_create(struct drm_device *dev, + if (ret) { + nvif_event_dtor(&nv_connector->hpd); + nvif_conn_dtor(&nv_connector->conn); +- kfree(nv_connector); +- return ERR_PTR(ret); ++ goto drm_conn_err; + } + } + } +@@ -1475,4 +1473,9 @@ nouveau_connector_create(struct drm_device *dev, + + drm_connector_register(connector); + return connector; ++ ++drm_conn_err: ++ drm_connector_cleanup(connector); ++ kfree(nv_connector); ++ return ERR_PTR(ret); + } +-- +2.40.1 + diff --git a/queue-6.4/drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch b/queue-6.4/drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch new file mode 100644 index 00000000000..3a631e3739f --- /dev/null +++ b/queue-6.4/drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch @@ -0,0 +1,78 @@ +From 83f9a59a7e5ca5dc7c211891cb662a1eea442526 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 17:12:39 +0200 +Subject: drm/panel: simple: Fix AUO G121EAN01 panel timings according to the + docs + +From: Luca Ceresoli + +[ Upstream commit e8470c0a7bcaa82f78ad34282d662dd7bd9630c2 ] + +Commit 03e909acd95a ("drm/panel: simple: Add support for AUO G121EAN01.4 +panel") added support for this panel model, but the timings it implements +are very different from what the datasheet describes. I checked both the +G121EAN01.0 datasheet from [0] and the G121EAN01.4 one from [1] and they +all have the same timings: for example the LVDS clock typical value is 74.4 +MHz, not 66.7 MHz as implemented. + +Replace the timings with the ones from the documentation. These timings +have been tested and the clock frequencies verified with an oscilloscope to +ensure they are correct. + +Also use struct display_timing instead of struct drm_display_mode in order +to also specify the minimum and maximum values. + +[0] https://embedded.avnet.com/product/g121ean01-0/ +[1] https://embedded.avnet.com/product/g121ean01-4/ + +Fixes: 03e909acd95a ("drm/panel: simple: Add support for AUO G121EAN01.4 panel") +Signed-off-by: Luca Ceresoli +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230804151239.835216-1-luca.ceresoli@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index e02249b212c2a..cf6b146acc323 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -969,21 +969,21 @@ static const struct panel_desc auo_g104sn02 = { + .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + +-static const struct drm_display_mode auo_g121ean01_mode = { +- .clock = 66700, +- .hdisplay = 1280, +- .hsync_start = 1280 + 58, +- .hsync_end = 1280 + 58 + 8, +- .htotal = 1280 + 58 + 8 + 70, +- .vdisplay = 800, +- .vsync_start = 800 + 6, +- .vsync_end = 800 + 6 + 4, +- .vtotal = 800 + 6 + 4 + 10, ++static const struct display_timing auo_g121ean01_timing = { ++ .pixelclock = { 60000000, 74400000, 90000000 }, ++ .hactive = { 1280, 1280, 1280 }, ++ .hfront_porch = { 20, 50, 100 }, ++ .hback_porch = { 20, 50, 100 }, ++ .hsync_len = { 30, 100, 200 }, ++ .vactive = { 800, 800, 800 }, ++ .vfront_porch = { 2, 10, 25 }, ++ .vback_porch = { 2, 10, 25 }, ++ .vsync_len = { 4, 18, 50 }, + }; + + static const struct panel_desc auo_g121ean01 = { +- .modes = &auo_g121ean01_mode, +- .num_modes = 1, ++ .timings = &auo_g121ean01_timing, ++ .num_timings = 1, + .bpc = 8, + .size = { + .width = 261, +-- +2.40.1 + diff --git a/queue-6.4/i40e-fix-misleading-debug-logs.patch b/queue-6.4/i40e-fix-misleading-debug-logs.patch new file mode 100644 index 00000000000..fe08d8f414b --- /dev/null +++ b/queue-6.4/i40e-fix-misleading-debug-logs.patch @@ -0,0 +1,67 @@ +From 00aae75df7ad83ad23345fb3daec62aea89b967e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 09:47:32 +0200 +Subject: i40e: fix misleading debug logs + +From: Andrii Staikov + +[ Upstream commit 2f2beb8874cb0844e84ad26e990f05f4f13ff63f ] + +Change "write" into the actual "read" word. +Change parameters description. + +Fixes: 7073f46e443e ("i40e: Add AQ commands for NVM Update for X722") +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Andrii Staikov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_nvm.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_nvm.c b/drivers/net/ethernet/intel/i40e/i40e_nvm.c +index 9da0c87f03288..f99c1f7fec406 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_nvm.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_nvm.c +@@ -210,11 +210,11 @@ static int i40e_read_nvm_word_srctl(struct i40e_hw *hw, u16 offset, + * @hw: pointer to the HW structure. + * @module_pointer: module pointer location in words from the NVM beginning + * @offset: offset in words from module start +- * @words: number of words to write +- * @data: buffer with words to write to the Shadow RAM ++ * @words: number of words to read ++ * @data: buffer with words to read to the Shadow RAM + * @last_command: tells the AdminQ that this is the last command + * +- * Writes a 16 bit words buffer to the Shadow RAM using the admin command. ++ * Reads a 16 bit words buffer to the Shadow RAM using the admin command. + **/ + static int i40e_read_nvm_aq(struct i40e_hw *hw, + u8 module_pointer, u32 offset, +@@ -234,18 +234,18 @@ static int i40e_read_nvm_aq(struct i40e_hw *hw, + */ + if ((offset + words) > hw->nvm.sr_size) + i40e_debug(hw, I40E_DEBUG_NVM, +- "NVM write error: offset %d beyond Shadow RAM limit %d\n", ++ "NVM read error: offset %d beyond Shadow RAM limit %d\n", + (offset + words), hw->nvm.sr_size); + else if (words > I40E_SR_SECTOR_SIZE_IN_WORDS) +- /* We can write only up to 4KB (one sector), in one AQ write */ ++ /* We can read only up to 4KB (one sector), in one AQ write */ + i40e_debug(hw, I40E_DEBUG_NVM, +- "NVM write fail error: tried to write %d words, limit is %d.\n", ++ "NVM read fail error: tried to read %d words, limit is %d.\n", + words, I40E_SR_SECTOR_SIZE_IN_WORDS); + else if (((offset + (words - 1)) / I40E_SR_SECTOR_SIZE_IN_WORDS) + != (offset / I40E_SR_SECTOR_SIZE_IN_WORDS)) +- /* A single write cannot spread over two sectors */ ++ /* A single read cannot spread over two sectors */ + i40e_debug(hw, I40E_DEBUG_NVM, +- "NVM write error: cannot spread over two sectors in a single write offset=%d words=%d\n", ++ "NVM read error: cannot spread over two sectors in a single read offset=%d words=%d\n", + offset, words); + else + ret_code = i40e_aq_read_nvm(hw, module_pointer, +-- +2.40.1 + diff --git a/queue-6.4/iavf-fix-fdir-rule-fields-masks-validation.patch b/queue-6.4/iavf-fix-fdir-rule-fields-masks-validation.patch new file mode 100644 index 00000000000..8ed67ced0d9 --- /dev/null +++ b/queue-6.4/iavf-fix-fdir-rule-fields-masks-validation.patch @@ -0,0 +1,209 @@ +From 2c6d68c37cdc3358314ea5f457e172d4a293c1eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 16:46:04 +0200 +Subject: iavf: fix FDIR rule fields masks validation + +From: Piotr Gardocki + +[ Upstream commit 751969e5b1196821ef78f0aa664a8a97c92c9057 ] + +Return an error if a field's mask is neither full nor empty. When a mask +is only partial the field is not being used for rule programming but it +gives a wrong impression it is used. Fix by returning an error on any +partial mask to make it clear they are not supported. +The ip_ver assignment is moved earlier in code to allow using it in +iavf_validate_fdir_fltr_masks. + +Fixes: 527691bf0682 ("iavf: Support IPv4 Flow Director filters") +Fixes: e90cbc257a6f ("iavf: Support IPv6 Flow Director filters") +Signed-off-by: Piotr Gardocki +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/iavf/iavf_ethtool.c | 10 +++ + drivers/net/ethernet/intel/iavf/iavf_fdir.c | 77 ++++++++++++++++++- + drivers/net/ethernet/intel/iavf/iavf_fdir.h | 2 + + 3 files changed, 85 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 460ca561819a9..a34303ad057d0 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -1289,6 +1289,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + fltr->ip_mask.src_port = fsp->m_u.tcp_ip4_spec.psrc; + fltr->ip_mask.dst_port = fsp->m_u.tcp_ip4_spec.pdst; + fltr->ip_mask.tos = fsp->m_u.tcp_ip4_spec.tos; ++ fltr->ip_ver = 4; + break; + case AH_V4_FLOW: + case ESP_V4_FLOW: +@@ -1300,6 +1301,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + fltr->ip_mask.v4_addrs.dst_ip = fsp->m_u.ah_ip4_spec.ip4dst; + fltr->ip_mask.spi = fsp->m_u.ah_ip4_spec.spi; + fltr->ip_mask.tos = fsp->m_u.ah_ip4_spec.tos; ++ fltr->ip_ver = 4; + break; + case IPV4_USER_FLOW: + fltr->ip_data.v4_addrs.src_ip = fsp->h_u.usr_ip4_spec.ip4src; +@@ -1312,6 +1314,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + fltr->ip_mask.l4_header = fsp->m_u.usr_ip4_spec.l4_4_bytes; + fltr->ip_mask.tos = fsp->m_u.usr_ip4_spec.tos; + fltr->ip_mask.proto = fsp->m_u.usr_ip4_spec.proto; ++ fltr->ip_ver = 4; + break; + case TCP_V6_FLOW: + case UDP_V6_FLOW: +@@ -1330,6 +1333,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + fltr->ip_mask.src_port = fsp->m_u.tcp_ip6_spec.psrc; + fltr->ip_mask.dst_port = fsp->m_u.tcp_ip6_spec.pdst; + fltr->ip_mask.tclass = fsp->m_u.tcp_ip6_spec.tclass; ++ fltr->ip_ver = 6; + break; + case AH_V6_FLOW: + case ESP_V6_FLOW: +@@ -1345,6 +1349,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + sizeof(struct in6_addr)); + fltr->ip_mask.spi = fsp->m_u.ah_ip6_spec.spi; + fltr->ip_mask.tclass = fsp->m_u.ah_ip6_spec.tclass; ++ fltr->ip_ver = 6; + break; + case IPV6_USER_FLOW: + memcpy(&fltr->ip_data.v6_addrs.src_ip, fsp->h_u.usr_ip6_spec.ip6src, +@@ -1361,6 +1366,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + fltr->ip_mask.l4_header = fsp->m_u.usr_ip6_spec.l4_4_bytes; + fltr->ip_mask.tclass = fsp->m_u.usr_ip6_spec.tclass; + fltr->ip_mask.proto = fsp->m_u.usr_ip6_spec.l4_proto; ++ fltr->ip_ver = 6; + break; + case ETHER_FLOW: + fltr->eth_data.etype = fsp->h_u.ether_spec.h_proto; +@@ -1371,6 +1377,10 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + return -EINVAL; + } + ++ err = iavf_validate_fdir_fltr_masks(adapter, fltr); ++ if (err) ++ return err; ++ + if (iavf_fdir_is_dup_fltr(adapter, fltr)) + return -EEXIST; + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_fdir.c b/drivers/net/ethernet/intel/iavf/iavf_fdir.c +index 505e82ebafe47..03e774bd2a5b4 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_fdir.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_fdir.c +@@ -18,6 +18,79 @@ static const struct in6_addr ipv6_addr_full_mask = { + } + }; + ++static const struct in6_addr ipv6_addr_zero_mask = { ++ .in6_u = { ++ .u6_addr8 = { ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ } ++ } ++}; ++ ++/** ++ * iavf_validate_fdir_fltr_masks - validate Flow Director filter fields masks ++ * @adapter: pointer to the VF adapter structure ++ * @fltr: Flow Director filter data structure ++ * ++ * Returns 0 if all masks of packet fields are either full or empty. Returns ++ * error on at least one partial mask. ++ */ ++int iavf_validate_fdir_fltr_masks(struct iavf_adapter *adapter, ++ struct iavf_fdir_fltr *fltr) ++{ ++ if (fltr->eth_mask.etype && fltr->eth_mask.etype != htons(U16_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_ver == 4) { ++ if (fltr->ip_mask.v4_addrs.src_ip && ++ fltr->ip_mask.v4_addrs.src_ip != htonl(U32_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.v4_addrs.dst_ip && ++ fltr->ip_mask.v4_addrs.dst_ip != htonl(U32_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.tos && fltr->ip_mask.tos != U8_MAX) ++ goto partial_mask; ++ } else if (fltr->ip_ver == 6) { ++ if (memcmp(&fltr->ip_mask.v6_addrs.src_ip, &ipv6_addr_zero_mask, ++ sizeof(struct in6_addr)) && ++ memcmp(&fltr->ip_mask.v6_addrs.src_ip, &ipv6_addr_full_mask, ++ sizeof(struct in6_addr))) ++ goto partial_mask; ++ ++ if (memcmp(&fltr->ip_mask.v6_addrs.dst_ip, &ipv6_addr_zero_mask, ++ sizeof(struct in6_addr)) && ++ memcmp(&fltr->ip_mask.v6_addrs.dst_ip, &ipv6_addr_full_mask, ++ sizeof(struct in6_addr))) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.tclass && fltr->ip_mask.tclass != U8_MAX) ++ goto partial_mask; ++ } ++ ++ if (fltr->ip_mask.proto && fltr->ip_mask.proto != U8_MAX) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.src_port && fltr->ip_mask.src_port != htons(U16_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.dst_port && fltr->ip_mask.dst_port != htons(U16_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.spi && fltr->ip_mask.spi != htonl(U32_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.l4_header && ++ fltr->ip_mask.l4_header != htonl(U32_MAX)) ++ goto partial_mask; ++ ++ return 0; ++ ++partial_mask: ++ dev_err(&adapter->pdev->dev, "Failed to add Flow Director filter, partial masks are not supported\n"); ++ return -EOPNOTSUPP; ++} ++ + /** + * iavf_pkt_udp_no_pay_len - the length of UDP packet without payload + * @fltr: Flow Director filter data structure +@@ -263,8 +336,6 @@ iavf_fill_fdir_ip4_hdr(struct iavf_fdir_fltr *fltr, + VIRTCHNL_ADD_PROTO_HDR_FIELD_BIT(hdr, IPV4, DST); + } + +- fltr->ip_ver = 4; +- + return 0; + } + +@@ -309,8 +380,6 @@ iavf_fill_fdir_ip6_hdr(struct iavf_fdir_fltr *fltr, + VIRTCHNL_ADD_PROTO_HDR_FIELD_BIT(hdr, IPV6, DST); + } + +- fltr->ip_ver = 6; +- + return 0; + } + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_fdir.h b/drivers/net/ethernet/intel/iavf/iavf_fdir.h +index 33c55c366315b..9eb9f73f6adf3 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_fdir.h ++++ b/drivers/net/ethernet/intel/iavf/iavf_fdir.h +@@ -110,6 +110,8 @@ struct iavf_fdir_fltr { + struct virtchnl_fdir_add vc_add_msg; + }; + ++int iavf_validate_fdir_fltr_masks(struct iavf_adapter *adapter, ++ struct iavf_fdir_fltr *fltr); + int iavf_fill_fdir_add_msg(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr); + void iavf_print_fdir_fltr(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr); + bool iavf_fdir_is_dup_fltr(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr); +-- +2.40.1 + diff --git a/queue-6.4/ice-block-switchdev-mode-when-adq-is-active-and-vice.patch b/queue-6.4/ice-block-switchdev-mode-when-adq-is-active-and-vice.patch new file mode 100644 index 00000000000..8a41e06f3fa --- /dev/null +++ b/queue-6.4/ice-block-switchdev-mode-when-adq-is-active-and-vice.patch @@ -0,0 +1,65 @@ +From b9f6f1daa42f238b6bba31cdde4cf85848fc2c3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 12:34:05 -0700 +Subject: ice: Block switchdev mode when ADQ is active and vice versa + +From: Marcin Szycik + +[ Upstream commit 43d00e102d9ecbe2635d7e3f2e14d2e90183d6af ] + +ADQ and switchdev are not supported simultaneously. Enabling both at the +same time can result in nullptr dereference. + +To prevent this, check if ADQ is active when changing devlink mode to +switchdev mode, and check if switchdev is active when enabling ADQ. + +Fixes: fbc7b27af0f9 ("ice: enable ndo_setup_tc support for mqprio_qdisc") +Signed-off-by: Marcin Szycik +Reviewed-by: Przemek Kitszel +Tested-by: Sujai Buvaneswaran +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230816193405.1307580-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_eswitch.c | 6 ++++++ + drivers/net/ethernet/intel/ice/ice_main.c | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch.c b/drivers/net/ethernet/intel/ice/ice_eswitch.c +index f6dd3f8fd936e..03e5139849462 100644 +--- a/drivers/net/ethernet/intel/ice/ice_eswitch.c ++++ b/drivers/net/ethernet/intel/ice/ice_eswitch.c +@@ -568,6 +568,12 @@ ice_eswitch_mode_set(struct devlink *devlink, u16 mode, + break; + case DEVLINK_ESWITCH_MODE_SWITCHDEV: + { ++ if (ice_is_adq_active(pf)) { ++ dev_err(ice_pf_to_dev(pf), "Couldn't change eswitch mode to switchdev - ADQ is active. Delete ADQ configs and try again, e.g. tc qdisc del dev $PF root"); ++ NL_SET_ERR_MSG_MOD(extack, "Couldn't change eswitch mode to switchdev - ADQ is active. Delete ADQ configs and try again, e.g. tc qdisc del dev $PF root"); ++ return -EOPNOTSUPP; ++ } ++ + dev_info(ice_pf_to_dev(pf), "PF %d changed eswitch mode to switchdev", + pf->hw.pf_id); + NL_SET_ERR_MSG_MOD(extack, "Changed eswitch mode to switchdev"); +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 34e8e7cb1bc54..cfb76612bd2f9 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -9065,6 +9065,11 @@ ice_setup_tc(struct net_device *netdev, enum tc_setup_type type, + ice_setup_tc_block_cb, + np, np, true); + case TC_SETUP_QDISC_MQPRIO: ++ if (ice_is_eswitch_mode_switchdev(pf)) { ++ netdev_err(netdev, "TC MQPRIO offload not supported, switchdev is enabled\n"); ++ return -EOPNOTSUPP; ++ } ++ + if (pf->adev) { + mutex_lock(&pf->adev_mutex); + device_lock(&pf->adev->dev); +-- +2.40.1 + diff --git a/queue-6.4/ip6_vti-fix-slab-use-after-free-in-decode_session6.patch b/queue-6.4/ip6_vti-fix-slab-use-after-free-in-decode_session6.patch new file mode 100644 index 00000000000..364cf588f3c --- /dev/null +++ b/queue-6.4/ip6_vti-fix-slab-use-after-free-in-decode_session6.patch @@ -0,0 +1,117 @@ +From 66f4bf5350ded14bb3352b81b53e02b9b82bdd98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 17:40:52 +0800 +Subject: ip6_vti: fix slab-use-after-free in decode_session6 + +From: Zhengchao Shao + +[ Upstream commit 9fd41f1ba638938c9a1195d09bc6fa3be2712f25 ] + +When ipv6_vti device is set to the qdisc of the sfb type, the cb field +of the sent skb may be modified during enqueuing. Then, +slab-use-after-free may occur when ipv6_vti device sends IPv6 packets. + +The stack information is as follows: +BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890 +Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0 +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 +Call Trace: + +dump_stack_lvl+0xd9/0x150 +print_address_description.constprop.0+0x2c/0x3c0 +kasan_report+0x11d/0x130 +decode_session6+0x103f/0x1890 +__xfrm_decode_session+0x54/0xb0 +vti6_tnl_xmit+0x3e6/0x1ee0 +dev_hard_start_xmit+0x187/0x700 +sch_direct_xmit+0x1a3/0xc30 +__qdisc_run+0x510/0x17a0 +__dev_queue_xmit+0x2215/0x3b10 +neigh_connected_output+0x3c2/0x550 +ip6_finish_output2+0x55a/0x1550 +ip6_finish_output+0x6b9/0x1270 +ip6_output+0x1f1/0x540 +ndisc_send_skb+0xa63/0x1890 +ndisc_send_rs+0x132/0x6f0 +addrconf_rs_timer+0x3f1/0x870 +call_timer_fn+0x1a0/0x580 +expire_timers+0x29b/0x4b0 +run_timer_softirq+0x326/0x910 +__do_softirq+0x1d4/0x905 +irq_exit_rcu+0xb7/0x120 +sysvec_apic_timer_interrupt+0x97/0xc0 + +Allocated by task 9176: +kasan_save_stack+0x22/0x40 +kasan_set_track+0x25/0x30 +__kasan_slab_alloc+0x7f/0x90 +kmem_cache_alloc_node+0x1cd/0x410 +kmalloc_reserve+0x165/0x270 +__alloc_skb+0x129/0x330 +netlink_sendmsg+0x9b1/0xe30 +sock_sendmsg+0xde/0x190 +____sys_sendmsg+0x739/0x920 +___sys_sendmsg+0x110/0x1b0 +__sys_sendmsg+0xf7/0x1c0 +do_syscall_64+0x39/0xb0 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +Freed by task 9176: +kasan_save_stack+0x22/0x40 +kasan_set_track+0x25/0x30 +kasan_save_free_info+0x2b/0x40 +____kasan_slab_free+0x160/0x1c0 +slab_free_freelist_hook+0x11b/0x220 +kmem_cache_free+0xf0/0x490 +skb_free_head+0x17f/0x1b0 +skb_release_data+0x59c/0x850 +consume_skb+0xd2/0x170 +netlink_unicast+0x54f/0x7f0 +netlink_sendmsg+0x926/0xe30 +sock_sendmsg+0xde/0x190 +____sys_sendmsg+0x739/0x920 +___sys_sendmsg+0x110/0x1b0 +__sys_sendmsg+0xf7/0x1c0 +do_syscall_64+0x39/0xb0 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +The buggy address belongs to the object at ffff88802e08ed00 +which belongs to the cache skbuff_small_head of size 640 +The buggy address is located 194 bytes inside of +freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80) + +As commit f855691975bb ("xfrm6: Fix the nexthdr offset in +_decode_session6.") showed, xfrm_decode_session was originally intended +only for the receive path. IP6CB(skb)->nhoff is not set during +transmission. Therefore, set the cb field in the skb to 0 before +sending packets. + +Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") +Signed-off-by: Zhengchao Shao +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_vti.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c +index 10b222865d46a..73c85d4e0e9cd 100644 +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -568,12 +568,12 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + vti6_addr_conflict(t, ipv6_hdr(skb))) + goto tx_err; + +- xfrm_decode_session(skb, &fl, AF_INET6); + memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); ++ xfrm_decode_session(skb, &fl, AF_INET6); + break; + case htons(ETH_P_IP): +- xfrm_decode_session(skb, &fl, AF_INET); + memset(IPCB(skb), 0, sizeof(*IPCB(skb))); ++ xfrm_decode_session(skb, &fl, AF_INET); + break; + default: + goto tx_err; +-- +2.40.1 + diff --git a/queue-6.4/ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch b/queue-6.4/ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch new file mode 100644 index 00000000000..34bb188deea --- /dev/null +++ b/queue-6.4/ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch @@ -0,0 +1,48 @@ +From 08319a5fe495f4d6de0f14ce8003bfae3bedc53c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 17:40:53 +0800 +Subject: ip_vti: fix potential slab-use-after-free in decode_session6 + +From: Zhengchao Shao + +[ Upstream commit 6018a266279b1a75143c7c0804dd08a5fc4c3e0b ] + +When ip_vti device is set to the qdisc of the sfb type, the cb field +of the sent skb may be modified during enqueuing. Then, +slab-use-after-free may occur when ip_vti device sends IPv6 packets. +As commit f855691975bb ("xfrm6: Fix the nexthdr offset in +_decode_session6.") showed, xfrm_decode_session was originally intended +only for the receive path. IP6CB(skb)->nhoff is not set during +transmission. Therefore, set the cb field in the skb to 0 before +sending packets. + +Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") +Signed-off-by: Zhengchao Shao +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_vti.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c +index 53bfd8af69203..d1e7d0ceb7edd 100644 +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -287,12 +287,12 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev) + + switch (skb->protocol) { + case htons(ETH_P_IP): +- xfrm_decode_session(skb, &fl, AF_INET); + memset(IPCB(skb), 0, sizeof(*IPCB(skb))); ++ xfrm_decode_session(skb, &fl, AF_INET); + break; + case htons(ETH_P_IPV6): +- xfrm_decode_session(skb, &fl, AF_INET6); + memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); ++ xfrm_decode_session(skb, &fl, AF_INET6); + break; + default: + goto tx_err; +-- +2.40.1 + diff --git a/queue-6.4/ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch b/queue-6.4/ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch new file mode 100644 index 00000000000..81d3d87c41c --- /dev/null +++ b/queue-6.4/ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch @@ -0,0 +1,69 @@ +From a73dd66428f74c50074c696579724365ee4cf1ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 15:12:42 -0400 +Subject: ipvs: fix racy memcpy in proc_do_sync_threshold + +From: Sishuai Gong + +[ Upstream commit 5310760af1d4fbea1452bfc77db5f9a680f7ae47 ] + +When two threads run proc_do_sync_threshold() in parallel, +data races could happen between the two memcpy(): + +Thread-1 Thread-2 +memcpy(val, valp, sizeof(val)); + memcpy(valp, val, sizeof(val)); + +This race might mess up the (struct ctl_table *) table->data, +so we add a mutex lock to serialize them. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/netdev/B6988E90-0A1E-4B85-BF26-2DAF6D482433@gmail.com/ +Signed-off-by: Sishuai Gong +Acked-by: Simon Horman +Acked-by: Julian Anastasov +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 62606fb44d027..4bb0d90eca1cd 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -1876,6 +1876,7 @@ static int + proc_do_sync_threshold(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { ++ struct netns_ipvs *ipvs = table->extra2; + int *valp = table->data; + int val[2]; + int rc; +@@ -1885,6 +1886,7 @@ proc_do_sync_threshold(struct ctl_table *table, int write, + .mode = table->mode, + }; + ++ mutex_lock(&ipvs->sync_mutex); + memcpy(val, valp, sizeof(val)); + rc = proc_dointvec(&tmp, write, buffer, lenp, ppos); + if (write) { +@@ -1894,6 +1896,7 @@ proc_do_sync_threshold(struct ctl_table *table, int write, + else + memcpy(valp, val, sizeof(val)); + } ++ mutex_unlock(&ipvs->sync_mutex); + return rc; + } + +@@ -4321,6 +4324,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs) + ipvs->sysctl_sync_threshold[0] = DEFAULT_SYNC_THRESHOLD; + ipvs->sysctl_sync_threshold[1] = DEFAULT_SYNC_PERIOD; + tbl[idx].data = &ipvs->sysctl_sync_threshold; ++ tbl[idx].extra2 = ipvs; + tbl[idx++].maxlen = sizeof(ipvs->sysctl_sync_threshold); + ipvs->sysctl_sync_refresh_period = DEFAULT_SYNC_REFRESH_PERIOD; + tbl[idx++].data = &ipvs->sysctl_sync_refresh_period; +-- +2.40.1 + diff --git a/queue-6.4/net-af_key-fix-sadb_x_filter-validation.patch b/queue-6.4/net-af_key-fix-sadb_x_filter-validation.patch new file mode 100644 index 00000000000..16b810d206c --- /dev/null +++ b/queue-6.4/net-af_key-fix-sadb_x_filter-validation.patch @@ -0,0 +1,41 @@ +From f82b3f78b41eb4bc4492d5b9c481d3fbc46ec08e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jun 2023 11:39:54 +0800 +Subject: net: af_key: fix sadb_x_filter validation + +From: Lin Ma + +[ Upstream commit 75065a8929069bc93181848818e23f147a73f83a ] + +When running xfrm_state_walk_init(), the xfrm_address_filter being used +is okay to have a splen/dplen that equals to sizeof(xfrm_address_t)<<3. +This commit replaces >= to > to make sure the boundary checking is +correct. + +Fixes: 37bd22420f85 ("af_key: pfkey_dump needs parameter validation") +Signed-off-by: Lin Ma +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 31ab12fd720ae..203131ad0dfe1 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1848,9 +1848,9 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms + if (ext_hdrs[SADB_X_EXT_FILTER - 1]) { + struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1]; + +- if ((xfilter->sadb_x_filter_splen >= ++ if ((xfilter->sadb_x_filter_splen > + (sizeof(xfrm_address_t) << 3)) || +- (xfilter->sadb_x_filter_dplen >= ++ (xfilter->sadb_x_filter_dplen > + (sizeof(xfrm_address_t) << 3))) { + mutex_unlock(&pfk->dump_lock); + return -EINVAL; +-- +2.40.1 + diff --git a/queue-6.4/net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch b/queue-6.4/net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch new file mode 100644 index 00000000000..a3e104f12a7 --- /dev/null +++ b/queue-6.4/net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch @@ -0,0 +1,90 @@ +From 161848f2c9a25f2191f52e33511d36cd34635e45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 14:21:58 +0000 +Subject: net: do not allow gso_size to be set to GSO_BY_FRAGS + +From: Eric Dumazet + +[ Upstream commit b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9 ] + +One missing check in virtio_net_hdr_to_skb() allowed +syzbot to crash kernels again [1] + +Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff), +because this magic value is used by the kernel. + +[1] +general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] +CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500 +Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01 +RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000 +RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070 +RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff +R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6 +R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff +FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109 +ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120 +skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53 +__skb_gso_segment+0x339/0x710 net/core/gso.c:124 +skb_gso_segment include/net/gso.h:83 [inline] +validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625 +__dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329 +dev_queue_xmit include/linux/netdevice.h:3082 [inline] +packet_xmit+0x257/0x380 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3087 [inline] +packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119 +sock_sendmsg_nosec net/socket.c:727 [inline] +sock_sendmsg+0xd9/0x180 net/socket.c:750 +____sys_sendmsg+0x6ac/0x940 net/socket.c:2496 +___sys_sendmsg+0x135/0x1d0 net/socket.c:2550 +__sys_sendmsg+0x117/0x1e0 net/socket.c:2579 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7ff27cdb34d9 + +Fixes: 3953c46c3ac7 ("sk_buff: allow segmenting based on frag sizes") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Xin Long +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Reviewed-by: Willem de Bruijn +Reviewed-by: Marcelo Ricardo Leitner +Reviewed-by: Xuan Zhuo +Link: https://lore.kernel.org/r/20230816142158.1779798-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/virtio_net.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h +index bdf8de2cdd935..7b4dd69555e49 100644 +--- a/include/linux/virtio_net.h ++++ b/include/linux/virtio_net.h +@@ -155,6 +155,10 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, + if (gso_type & SKB_GSO_UDP) + nh_off -= thlen; + ++ /* Kernel has a special handling for GSO_BY_FRAGS. */ ++ if (gso_size == GSO_BY_FRAGS) ++ return -EINVAL; ++ + /* Too small packets are not really GSO ones. */ + if (skb->len - nh_off > gso_size) { + shinfo->gso_size = gso_size; +-- +2.40.1 + diff --git a/queue-6.4/net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch b/queue-6.4/net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch new file mode 100644 index 00000000000..fe54808bf09 --- /dev/null +++ b/queue-6.4/net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch @@ -0,0 +1,49 @@ +From b7a893bfef5085958d95e7bbdb23a5615eb402ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 17:13:23 -0700 +Subject: net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset + +From: Alfred Lee + +[ Upstream commit 23d775f12dcd23d052a4927195f15e970e27ab26 ] + +If the switch is reset during active EEPROM transactions, as in +just after an SoC reset after power up, the I2C bus transaction +may be cut short leaving the EEPROM internal I2C state machine +in the wrong state. When the switch is reset again, the bad +state machine state may result in data being read from the wrong +memory location causing the switch to enter unexpected mode +rendering it inoperational. + +Fixes: a3dcb3e7e70c ("net: dsa: mv88e6xxx: Wait for EEPROM done after HW reset") +Signed-off-by: Alfred Lee +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230815001323.24739-1-l00g33k@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 642e93e8623eb..8c9d05a1fe667 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3006,6 +3006,14 @@ static void mv88e6xxx_hardware_reset(struct mv88e6xxx_chip *chip) + + /* If there is a GPIO connected to the reset pin, toggle it */ + if (gpiod) { ++ /* If the switch has just been reset and not yet completed ++ * loading EEPROM, the reset may interrupt the I2C transaction ++ * mid-byte, causing the first EEPROM read after the reset ++ * from the wrong location resulting in the switch booting ++ * to wrong mode and inoperable. ++ */ ++ mv88e6xxx_g1_wait_eeprom_done(chip); ++ + gpiod_set_value_cansleep(gpiod, 1); + usleep_range(10000, 20000); + gpiod_set_value_cansleep(gpiod, 0); +-- +2.40.1 + diff --git a/queue-6.4/net-macb-in-zynqmp-resume-always-configure-ps-gtr-fo.patch b/queue-6.4/net-macb-in-zynqmp-resume-always-configure-ps-gtr-fo.patch new file mode 100644 index 00000000000..eb7923439ca --- /dev/null +++ b/queue-6.4/net-macb-in-zynqmp-resume-always-configure-ps-gtr-fo.patch @@ -0,0 +1,101 @@ +From 32b991ca511a5e6376698a53ffa58e0d0e97c248 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 18:44:51 +0530 +Subject: net: macb: In ZynqMP resume always configure PS GTR for non-wakeup + source + +From: Radhey Shyam Pandey + +[ Upstream commit 6c461e394d11a981c662cc16cebfb05b602e23ba ] + +On Zynq UltraScale+ MPSoC ubuntu platform when systemctl issues suspend, +network manager bring down the interface and goes into suspend. When it +wakes up it again enables the interface. + +This leads to xilinx-psgtr "PLL lock timeout" on interface bringup, as +the power management controller power down the entire FPD (including +SERDES) if none of the FPD devices are in use and serdes is not +initialized on resume. + +$ sudo rtcwake -m no -s 120 -v +$ sudo systemctl suspend +$ ifconfig eth1 up +xilinx-psgtr fd400000.phy: lane 0 (type 10, protocol 5): PLL lock timeout +phy phy-fd400000.phy.0: phy poweron failed --> -110 + +macb driver is called in this way: +1. macb_close: Stop network interface. In this function, it + reset MACB IP and disables PHY and network interface. + +2. macb_suspend: It is called in kernel suspend flow. But because + network interface has been disabled(netif_running(ndev) is + false), it does nothing and returns directly; + +3. System goes into suspend state. Some time later, system is + waken up by RTC wakeup device; + +4. macb_resume: It does nothing because network interface has + been disabled; + +5. macb_open: It is called to enable network interface again. ethernet + interface is initialized in this API but serdes which is power-off + by PMUFW during FPD-off suspend is not initialized again and so + we hit GT PLL lock issue on open. + +To resolve this PLL timeout issue always do PS GTR initialization +when ethernet device is configured as non-wakeup source. + +Fixes: f22bd29ba19a ("net: macb: Fix ZynqMP SGMII non-wakeup source resume failure") +Fixes: 8b73fa3ae02b ("net: macb: Added ZynqMP-specific initialization") +Signed-off-by: Radhey Shyam Pandey +Link: https://lore.kernel.org/r/1691414091-2260697-1-git-send-email-radhey.shyam.pandey@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 29a1199dad146..3fbe15b3ac627 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -5159,6 +5159,9 @@ static int __maybe_unused macb_suspend(struct device *dev) + unsigned int q; + int err; + ++ if (!device_may_wakeup(&bp->dev->dev)) ++ phy_exit(bp->sgmii_phy); ++ + if (!netif_running(netdev)) + return 0; + +@@ -5219,7 +5222,6 @@ static int __maybe_unused macb_suspend(struct device *dev) + if (!(bp->wol & MACB_WOL_ENABLED)) { + rtnl_lock(); + phylink_stop(bp->phylink); +- phy_exit(bp->sgmii_phy); + rtnl_unlock(); + spin_lock_irqsave(&bp->lock, flags); + macb_reset_hw(bp); +@@ -5249,6 +5251,9 @@ static int __maybe_unused macb_resume(struct device *dev) + unsigned int q; + int err; + ++ if (!device_may_wakeup(&bp->dev->dev)) ++ phy_init(bp->sgmii_phy); ++ + if (!netif_running(netdev)) + return 0; + +@@ -5309,8 +5314,6 @@ static int __maybe_unused macb_resume(struct device *dev) + macb_set_rx_mode(netdev); + macb_restore_features(bp); + rtnl_lock(); +- if (!device_may_wakeup(&bp->dev->dev)) +- phy_init(bp->sgmii_phy); + + phylink_start(bp->phylink); + rtnl_unlock(); +-- +2.40.1 + diff --git a/queue-6.4/net-mlx5e-xdp-fix-fifo-overrun-on-xdp_redirect.patch b/queue-6.4/net-mlx5e-xdp-fix-fifo-overrun-on-xdp_redirect.patch new file mode 100644 index 00000000000..bac276c954f --- /dev/null +++ b/queue-6.4/net-mlx5e-xdp-fix-fifo-overrun-on-xdp_redirect.patch @@ -0,0 +1,70 @@ +From 5a962683d8d34beb4c0540a39c4f5de0868497f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 20:41:03 +0300 +Subject: net/mlx5e: XDP, Fix fifo overrun on XDP_REDIRECT + +From: Dragos Tatulea + +[ Upstream commit 34a79876d9f77e971115236bcf7b5d14a8ecf542 ] + +Before this fix, running high rate traffic through XDP_REDIRECT +with multibuf could overrun the fifo used to release the +xdp frames after tx completion. This resulted in corrupted data +being consumed on the free side. + +The culplirt was a miscalculation of the fifo size: the maximum ratio +between fifo entries / data segments was incorrect. This ratio serves to +calculate the max fifo size for a full sq where each packet uses the +worst case number of entries in the fifo. + +This patch fixes the formula and names the constant. It also makes sure +that future values will use a power of 2 number of entries for the fifo +mask to work. + +Signed-off-by: Dragos Tatulea +Fixes: 3f734b8c594b ("net/mlx5e: XDP, Use multiple single-entry objects in xdpi_fifo") +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h | 2 ++ + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 8 +++++--- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h +index 9e8e6184f9e43..ecfe93a479da8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h +@@ -84,6 +84,8 @@ enum mlx5e_xdp_xmit_mode { + * MLX5E_XDP_XMIT_MODE_XSK: + * none. + */ ++#define MLX5E_XDP_FIFO_ENTRIES2DS_MAX_RATIO 4 ++ + union mlx5e_xdp_info { + enum mlx5e_xdp_xmit_mode mode; + union { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 7e6d0489854e3..975c82df345cd 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -1298,11 +1298,13 @@ static int mlx5e_alloc_xdpsq_fifo(struct mlx5e_xdpsq *sq, int numa) + { + struct mlx5e_xdp_info_fifo *xdpi_fifo = &sq->db.xdpi_fifo; + int wq_sz = mlx5_wq_cyc_get_size(&sq->wq); +- int entries = wq_sz * MLX5_SEND_WQEBB_NUM_DS * 2; /* upper bound for maximum num of +- * entries of all xmit_modes. +- */ ++ int entries; + size_t size; + ++ /* upper bound for maximum num of entries of all xmit_modes. */ ++ entries = roundup_pow_of_two(wq_sz * MLX5_SEND_WQEBB_NUM_DS * ++ MLX5E_XDP_FIFO_ENTRIES2DS_MAX_RATIO); ++ + size = array_size(sizeof(*xdpi_fifo->xi), entries); + xdpi_fifo->xi = kvzalloc_node(size, GFP_KERNEL, numa); + if (!xdpi_fifo->xi) +-- +2.40.1 + diff --git a/queue-6.4/net-openvswitch-reject-negative-ifindex.patch b/queue-6.4/net-openvswitch-reject-negative-ifindex.patch new file mode 100644 index 00000000000..2aa063457ae --- /dev/null +++ b/queue-6.4/net-openvswitch-reject-negative-ifindex.patch @@ -0,0 +1,93 @@ +From 726f2f53f19e684d96f7e9e0779d07bfeba66f34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 13:38:40 -0700 +Subject: net: openvswitch: reject negative ifindex + +From: Jakub Kicinski + +[ Upstream commit a552bfa16bab4ce901ee721346a28c4e483f4066 ] + +Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs +in an xarray")) refactored the handling of pre-assigned ifindexes +and let syzbot surface a latent problem in ovs. ovs does not validate +ifindex, making it possible to create netdev ports with negative +ifindex values. It's easy to repro with YNL: + +$ ./cli.py --spec netlink/specs/ovs_datapath.yaml \ + --do new \ + --json '{"upcall-pid": 1, "name":"my-dp"}' +$ ./cli.py --spec netlink/specs/ovs_vport.yaml \ + --do new \ + --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}' + +$ ip link show +-65536: some-port0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 + link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff +... + +Validate the inputs. Now the second command correctly returns: + +$ ./cli.py --spec netlink/specs/ovs_vport.yaml \ + --do new \ + --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}' + +lib.ynl.NlError: Netlink error: Numerical result out of range +nl_len = 108 (92) nl_flags = 0x300 nl_type = 2 + error: -34 extack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\x0c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x03\x00\xff\xff\xff\x7f\x00\x00\x00\x00\x08\x00\x01\x00\x08\x00\x00\x00'], 'bad-attr': '.ifindex'} + +Accept 0 since it used to be silently ignored. + +Fixes: 54c4ef34c4b6 ("openvswitch: allow specifying ifindex of new interfaces") +Reported-by: syzbot+7456b5dcf65111553320@syzkaller.appspotmail.com +Reviewed-by: Leon Romanovsky +Reviewed-by: Aaron Conole +Link: https://lore.kernel.org/r/20230814203840.2908710-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index a6d2a0b1aa21e..3d7a91e64c88f 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -1829,7 +1829,7 @@ static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info) + parms.port_no = OVSP_LOCAL; + parms.upcall_portids = a[OVS_DP_ATTR_UPCALL_PID]; + parms.desired_ifindex = a[OVS_DP_ATTR_IFINDEX] +- ? nla_get_u32(a[OVS_DP_ATTR_IFINDEX]) : 0; ++ ? nla_get_s32(a[OVS_DP_ATTR_IFINDEX]) : 0; + + /* So far only local changes have been made, now need the lock. */ + ovs_lock(); +@@ -2049,7 +2049,7 @@ static const struct nla_policy datapath_policy[OVS_DP_ATTR_MAX + 1] = { + [OVS_DP_ATTR_USER_FEATURES] = { .type = NLA_U32 }, + [OVS_DP_ATTR_MASKS_CACHE_SIZE] = NLA_POLICY_RANGE(NLA_U32, 0, + PCPU_MIN_UNIT_SIZE / sizeof(struct mask_cache_entry)), +- [OVS_DP_ATTR_IFINDEX] = {.type = NLA_U32 }, ++ [OVS_DP_ATTR_IFINDEX] = NLA_POLICY_MIN(NLA_S32, 0), + }; + + static const struct genl_small_ops dp_datapath_genl_ops[] = { +@@ -2302,7 +2302,7 @@ static int ovs_vport_cmd_new(struct sk_buff *skb, struct genl_info *info) + parms.port_no = port_no; + parms.upcall_portids = a[OVS_VPORT_ATTR_UPCALL_PID]; + parms.desired_ifindex = a[OVS_VPORT_ATTR_IFINDEX] +- ? nla_get_u32(a[OVS_VPORT_ATTR_IFINDEX]) : 0; ++ ? nla_get_s32(a[OVS_VPORT_ATTR_IFINDEX]) : 0; + + vport = new_vport(&parms); + err = PTR_ERR(vport); +@@ -2539,7 +2539,7 @@ static const struct nla_policy vport_policy[OVS_VPORT_ATTR_MAX + 1] = { + [OVS_VPORT_ATTR_TYPE] = { .type = NLA_U32 }, + [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_UNSPEC }, + [OVS_VPORT_ATTR_OPTIONS] = { .type = NLA_NESTED }, +- [OVS_VPORT_ATTR_IFINDEX] = { .type = NLA_U32 }, ++ [OVS_VPORT_ATTR_IFINDEX] = NLA_POLICY_MIN(NLA_S32, 0), + [OVS_VPORT_ATTR_NETNSID] = { .type = NLA_S32 }, + [OVS_VPORT_ATTR_UPCALL_STATS] = { .type = NLA_NESTED }, + }; +-- +2.40.1 + diff --git a/queue-6.4/net-pcs-add-missing-put_device-call-in-miic_create.patch b/queue-6.4/net-pcs-add-missing-put_device-call-in-miic_create.patch new file mode 100644 index 00000000000..44909e7025a --- /dev/null +++ b/queue-6.4/net-pcs-add-missing-put_device-call-in-miic_create.patch @@ -0,0 +1,52 @@ +From c406f6af5b416e6d9f6d810e2ca6066522ecf7ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 22:06:39 +0800 +Subject: net: pcs: Add missing put_device call in miic_create + +From: Xiang Yang + +[ Upstream commit 829c6524d6729d05a82575dbcc16f99be5ee843d ] + +The reference of pdev->dev is taken by of_find_device_by_node, so +it should be released when not need anymore. + +Fixes: 7dc54d3b8d91 ("net: pcs: add Renesas MII converter driver") +Signed-off-by: Xiang Yang +Reviewed-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/pcs/pcs-rzn1-miic.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/pcs/pcs-rzn1-miic.c b/drivers/net/pcs/pcs-rzn1-miic.c +index 323bec5e57f83..3560991690038 100644 +--- a/drivers/net/pcs/pcs-rzn1-miic.c ++++ b/drivers/net/pcs/pcs-rzn1-miic.c +@@ -313,15 +313,21 @@ struct phylink_pcs *miic_create(struct device *dev, struct device_node *np) + + pdev = of_find_device_by_node(pcs_np); + of_node_put(pcs_np); +- if (!pdev || !platform_get_drvdata(pdev)) ++ if (!pdev || !platform_get_drvdata(pdev)) { ++ if (pdev) ++ put_device(&pdev->dev); + return ERR_PTR(-EPROBE_DEFER); ++ } + + miic_port = kzalloc(sizeof(*miic_port), GFP_KERNEL); +- if (!miic_port) ++ if (!miic_port) { ++ put_device(&pdev->dev); + return ERR_PTR(-ENOMEM); ++ } + + miic = platform_get_drvdata(pdev); + device_link_add(dev, miic->dev, DL_FLAG_AUTOREMOVE_CONSUMER); ++ put_device(&pdev->dev); + + miic_port->miic = miic; + miic_port->port = port - 1; +-- +2.40.1 + diff --git a/queue-6.4/net-phy-broadcom-stub-c45-read-write-for-54810.patch b/queue-6.4/net-phy-broadcom-stub-c45-read-write-for-54810.patch new file mode 100644 index 00000000000..1d8bf268da3 --- /dev/null +++ b/queue-6.4/net-phy-broadcom-stub-c45-read-write-for-54810.patch @@ -0,0 +1,58 @@ +From 314e96e918c1834ea64c007c86caefe5544ad1b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Aug 2023 21:41:47 -0700 +Subject: net: phy: broadcom: stub c45 read/write for 54810 + +From: Justin Chen + +[ Upstream commit 096516d092d54604d590827d05b1022c8f326639 ] + +The 54810 does not support c45. The mmd_phy_indirect accesses return +arbirtary values leading to odd behavior like saying it supports EEE +when it doesn't. We also see that reading/writing these non-existent +MMD registers leads to phy instability in some cases. + +Fixes: b14995ac2527 ("net: phy: broadcom: Add BCM54810 PHY entry") +Signed-off-by: Justin Chen +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/1691901708-28650-1-git-send-email-justin.chen@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/broadcom.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index ad71c88c87e78..f9ad8902100f3 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -486,6 +486,17 @@ static int bcm54xx_resume(struct phy_device *phydev) + return bcm54xx_config_init(phydev); + } + ++static int bcm54810_read_mmd(struct phy_device *phydev, int devnum, u16 regnum) ++{ ++ return -EOPNOTSUPP; ++} ++ ++static int bcm54810_write_mmd(struct phy_device *phydev, int devnum, u16 regnum, ++ u16 val) ++{ ++ return -EOPNOTSUPP; ++} ++ + static int bcm54811_config_init(struct phy_device *phydev) + { + int err, reg; +@@ -981,6 +992,8 @@ static struct phy_driver broadcom_drivers[] = { + .get_strings = bcm_phy_get_strings, + .get_stats = bcm54xx_get_stats, + .probe = bcm54xx_phy_probe, ++ .read_mmd = bcm54810_read_mmd, ++ .write_mmd = bcm54810_write_mmd, + .config_init = bcm54xx_config_init, + .config_aneg = bcm5481_config_aneg, + .config_intr = bcm_phy_config_intr, +-- +2.40.1 + diff --git a/queue-6.4/net-phy-fix-irq-based-wake-on-lan-over-hibernate-pow.patch b/queue-6.4/net-phy-fix-irq-based-wake-on-lan-over-hibernate-pow.patch new file mode 100644 index 00000000000..bb6eac631a1 --- /dev/null +++ b/queue-6.4/net-phy-fix-irq-based-wake-on-lan-over-hibernate-pow.patch @@ -0,0 +1,92 @@ +From c6cb48aebf5b6632f7836794d348b1067d6a135c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 11:26:30 +0100 +Subject: net: phy: fix IRQ-based wake-on-lan over hibernate / power off +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Russell King (Oracle) + +[ Upstream commit cc941e548bffc01b5816b4edc5cb432a137a58b3 ] + +Uwe reports: +"Most PHYs signal WoL using an interrupt. So disabling interrupts [at +shutdown] breaks WoL at least on PHYs covered by the marvell driver." + +Discussing with Ioana, the problem which was trying to be solved was: +"The board in question is a LS1021ATSN which has two AR8031 PHYs that +share an interrupt line. In case only one of the PHYs is probed and +there are pending interrupts on the PHY#2 an IRQ storm will happen +since there is no entity to clear the interrupt from PHY#2's registers. +PHY#1's driver will get stuck in .handle_interrupt() indefinitely." + +Further confirmation that "the two AR8031 PHYs are on the same MDIO +bus." + +With WoL using interrupts to wake the system, in such a case, the +system will begin booting with an asserted interrupt. Thus, we need to +cope with an interrupt asserted during boot. + +Solve this instead by disabling interrupts during PHY probe. This will +ensure in Ioana's situation that both PHYs of the same type sharing an +interrupt line on a common MDIO bus will have their interrupt outputs +disabled when the driver probes the device, but before we hook in any +interrupt handlers - thus avoiding the interrupt storm. + +A better fix would be for platform firmware to disable the interrupting +devices at source during boot, before control is handed to the kernel. + +Fixes: e2f016cf7751 ("net: phy: add a shutdown procedure") +Link: 20230804071757.383971-1-u.kleine-koenig@pengutronix.de +Reported-by: Uwe Kleine-König +Signed-off-by: Russell King (Oracle) +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 2c4e6de8f4d9f..7958ea0e8714a 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -3217,6 +3217,8 @@ static int phy_probe(struct device *dev) + goto out; + } + ++ phy_disable_interrupts(phydev); ++ + /* Start out supporting everything. Eventually, + * a controller will attach, and may modify one + * or both of these values +@@ -3334,16 +3336,6 @@ static int phy_remove(struct device *dev) + return 0; + } + +-static void phy_shutdown(struct device *dev) +-{ +- struct phy_device *phydev = to_phy_device(dev); +- +- if (phydev->state == PHY_READY || !phydev->attached_dev) +- return; +- +- phy_disable_interrupts(phydev); +-} +- + /** + * phy_driver_register - register a phy_driver with the PHY layer + * @new_driver: new phy_driver to register +@@ -3377,7 +3369,6 @@ int phy_driver_register(struct phy_driver *new_driver, struct module *owner) + new_driver->mdiodrv.driver.bus = &mdio_bus_type; + new_driver->mdiodrv.driver.probe = phy_probe; + new_driver->mdiodrv.driver.remove = phy_remove; +- new_driver->mdiodrv.driver.shutdown = phy_shutdown; + new_driver->mdiodrv.driver.owner = owner; + new_driver->mdiodrv.driver.probe_type = PROBE_FORCE_SYNCHRONOUS; + +-- +2.40.1 + diff --git a/queue-6.4/net-veth-page-pool-creation-error-handling-for-exist.patch b/queue-6.4/net-veth-page-pool-creation-error-handling-for-exist.patch new file mode 100644 index 00000000000..9e0e7aea236 --- /dev/null +++ b/queue-6.4/net-veth-page-pool-creation-error-handling-for-exist.patch @@ -0,0 +1,42 @@ +From f6201ef7806d9e360090c0ca9d40a4cb07517ec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Aug 2023 10:30:16 +0800 +Subject: net: veth: Page pool creation error handling for existing pools only + +From: Liang Chen + +[ Upstream commit 8a519a572598b7c0c07b02f69bf5b4e8dd4b2d7d ] + +The failure handling procedure destroys page pools for all queues, +including those that haven't had their page pool created yet. this patch +introduces necessary adjustments to prevent potential risks and +inconsistency with the error handling behavior. + +Fixes: 0ebab78cbcbf ("net: veth: add page_pool for page recycling") +Acked-by: Jesper Dangaard Brouer +Signed-off-by: Liang Chen +Link: https://lore.kernel.org/r/20230812023016.10553-1-liangchen.linux@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index dce9f9d63e04e..76019949e3fe9 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -1071,8 +1071,9 @@ static int __veth_napi_enable_range(struct net_device *dev, int start, int end) + err_xdp_ring: + for (i--; i >= start; i--) + ptr_ring_cleanup(&priv->rq[i].xdp_ring, veth_ptr_free); ++ i = end; + err_page_pool: +- for (i = start; i < end; i++) { ++ for (i--; i >= start; i--) { + page_pool_destroy(priv->rq[i].page_pool); + priv->rq[i].page_pool = NULL; + } +-- +2.40.1 + diff --git a/queue-6.4/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch b/queue-6.4/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch new file mode 100644 index 00000000000..f4ba2eb394b --- /dev/null +++ b/queue-6.4/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch @@ -0,0 +1,62 @@ +From 13f477b854f62476795e229b62aee359f49b227a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 16:19:11 +0800 +Subject: net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure + +From: Lin Ma + +[ Upstream commit d1e0e61d617ba17aa516db707aa871387566bbf7 ] + +According to all consumers code of attrs[XFRMA_SEC_CTX], like + +* verify_sec_ctx_len(), convert to xfrm_user_sec_ctx* +* xfrm_state_construct(), call security_xfrm_state_alloc whose prototype +is int security_xfrm_state_alloc(.., struct xfrm_user_sec_ctx *sec_ctx); +* copy_from_user_sec_ctx(), convert to xfrm_user_sec_ctx * +... + +It seems that the expected parsing result for XFRMA_SEC_CTX should be +structure xfrm_user_sec_ctx, and the current xfrm_sec_ctx is confusing +and misleading (Luckily, they happen to have same size 8 bytes). + +This commit amend the policy structure to xfrm_user_sec_ctx to avoid +ambiguity. + +Fixes: cf5cb79f6946 ("[XFRM] netlink: Establish an attribute policy") +Signed-off-by: Lin Ma +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_compat.c | 2 +- + net/xfrm/xfrm_user.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c +index 8cbf45a8bcdc2..655fe4ff86212 100644 +--- a/net/xfrm/xfrm_compat.c ++++ b/net/xfrm/xfrm_compat.c +@@ -108,7 +108,7 @@ static const struct nla_policy compat_policy[XFRMA_MAX+1] = { + [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) }, + [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) }, + [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) }, +- [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_sec_ctx) }, ++ [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_user_sec_ctx) }, + [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) }, + [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) }, + [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 }, +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 7c91deadc36e5..fdc0c17122b69 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -3024,7 +3024,7 @@ const struct nla_policy xfrma_policy[XFRMA_MAX+1] = { + [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) }, + [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) }, + [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) }, +- [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_sec_ctx) }, ++ [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_user_sec_ctx) }, + [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) }, + [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) }, + [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 }, +-- +2.40.1 + diff --git a/queue-6.4/net-xfrm-fix-xfrm_address_filter-oob-read.patch b/queue-6.4/net-xfrm-fix-xfrm_address_filter-oob-read.patch new file mode 100644 index 00000000000..00194684fb7 --- /dev/null +++ b/queue-6.4/net-xfrm-fix-xfrm_address_filter-oob-read.patch @@ -0,0 +1,202 @@ +From 6993d0aae527d46825e86552e370a0e43716d25f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jun 2023 11:31:38 +0800 +Subject: net: xfrm: Fix xfrm_address_filter OOB read + +From: Lin Ma + +[ Upstream commit dfa73c17d55b921e1d4e154976de35317e43a93a ] + +We found below OOB crash: + +[ 44.211730] ================================================================== +[ 44.212045] BUG: KASAN: slab-out-of-bounds in memcmp+0x8b/0xb0 +[ 44.212045] Read of size 8 at addr ffff88800870f320 by task poc.xfrm/97 +[ 44.212045] +[ 44.212045] CPU: 0 PID: 97 Comm: poc.xfrm Not tainted 6.4.0-rc7-00072-gdad9774deaf1-dirty #4 +[ 44.212045] Call Trace: +[ 44.212045] +[ 44.212045] dump_stack_lvl+0x37/0x50 +[ 44.212045] print_report+0xcc/0x620 +[ 44.212045] ? __virt_addr_valid+0xf3/0x170 +[ 44.212045] ? memcmp+0x8b/0xb0 +[ 44.212045] kasan_report+0xb2/0xe0 +[ 44.212045] ? memcmp+0x8b/0xb0 +[ 44.212045] kasan_check_range+0x39/0x1c0 +[ 44.212045] memcmp+0x8b/0xb0 +[ 44.212045] xfrm_state_walk+0x21c/0x420 +[ 44.212045] ? __pfx_dump_one_state+0x10/0x10 +[ 44.212045] xfrm_dump_sa+0x1e2/0x290 +[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10 +[ 44.212045] ? __kernel_text_address+0xd/0x40 +[ 44.212045] ? kasan_unpoison+0x27/0x60 +[ 44.212045] ? mutex_lock+0x60/0xe0 +[ 44.212045] ? __pfx_mutex_lock+0x10/0x10 +[ 44.212045] ? kasan_save_stack+0x22/0x50 +[ 44.212045] netlink_dump+0x322/0x6c0 +[ 44.212045] ? __pfx_netlink_dump+0x10/0x10 +[ 44.212045] ? mutex_unlock+0x7f/0xd0 +[ 44.212045] ? __pfx_mutex_unlock+0x10/0x10 +[ 44.212045] __netlink_dump_start+0x353/0x430 +[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410 +[ 44.212045] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10 +[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10 +[ 44.212045] ? __pfx_xfrm_dump_sa_done+0x10/0x10 +[ 44.212045] ? __stack_depot_save+0x382/0x4e0 +[ 44.212045] ? filter_irq_stacks+0x1c/0x70 +[ 44.212045] ? kasan_save_stack+0x32/0x50 +[ 44.212045] ? kasan_save_stack+0x22/0x50 +[ 44.212045] ? kasan_set_track+0x25/0x30 +[ 44.212045] ? __kasan_slab_alloc+0x59/0x70 +[ 44.212045] ? kmem_cache_alloc_node+0xf7/0x260 +[ 44.212045] ? kmalloc_reserve+0xab/0x120 +[ 44.212045] ? __alloc_skb+0xcf/0x210 +[ 44.212045] ? netlink_sendmsg+0x509/0x700 +[ 44.212045] ? sock_sendmsg+0xde/0xe0 +[ 44.212045] ? __sys_sendto+0x18d/0x230 +[ 44.212045] ? __x64_sys_sendto+0x71/0x90 +[ 44.212045] ? do_syscall_64+0x3f/0x90 +[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 44.212045] ? netlink_sendmsg+0x509/0x700 +[ 44.212045] ? sock_sendmsg+0xde/0xe0 +[ 44.212045] ? __sys_sendto+0x18d/0x230 +[ 44.212045] ? __x64_sys_sendto+0x71/0x90 +[ 44.212045] ? do_syscall_64+0x3f/0x90 +[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 44.212045] ? kasan_save_stack+0x22/0x50 +[ 44.212045] ? kasan_set_track+0x25/0x30 +[ 44.212045] ? kasan_save_free_info+0x2e/0x50 +[ 44.212045] ? __kasan_slab_free+0x10a/0x190 +[ 44.212045] ? kmem_cache_free+0x9c/0x340 +[ 44.212045] ? netlink_recvmsg+0x23c/0x660 +[ 44.212045] ? sock_recvmsg+0xeb/0xf0 +[ 44.212045] ? __sys_recvfrom+0x13c/0x1f0 +[ 44.212045] ? __x64_sys_recvfrom+0x71/0x90 +[ 44.212045] ? do_syscall_64+0x3f/0x90 +[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 44.212045] ? copyout+0x3e/0x50 +[ 44.212045] netlink_rcv_skb+0xd6/0x210 +[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10 +[ 44.212045] ? __pfx_netlink_rcv_skb+0x10/0x10 +[ 44.212045] ? __pfx_sock_has_perm+0x10/0x10 +[ 44.212045] ? mutex_lock+0x8d/0xe0 +[ 44.212045] ? __pfx_mutex_lock+0x10/0x10 +[ 44.212045] xfrm_netlink_rcv+0x44/0x50 +[ 44.212045] netlink_unicast+0x36f/0x4c0 +[ 44.212045] ? __pfx_netlink_unicast+0x10/0x10 +[ 44.212045] ? netlink_recvmsg+0x500/0x660 +[ 44.212045] netlink_sendmsg+0x3b7/0x700 +[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10 +[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10 +[ 44.212045] sock_sendmsg+0xde/0xe0 +[ 44.212045] __sys_sendto+0x18d/0x230 +[ 44.212045] ? __pfx___sys_sendto+0x10/0x10 +[ 44.212045] ? rcu_core+0x44a/0xe10 +[ 44.212045] ? __rseq_handle_notify_resume+0x45b/0x740 +[ 44.212045] ? _raw_spin_lock_irq+0x81/0xe0 +[ 44.212045] ? __pfx___rseq_handle_notify_resume+0x10/0x10 +[ 44.212045] ? __pfx_restore_fpregs_from_fpstate+0x10/0x10 +[ 44.212045] ? __pfx_blkcg_maybe_throttle_current+0x10/0x10 +[ 44.212045] ? __pfx_task_work_run+0x10/0x10 +[ 44.212045] __x64_sys_sendto+0x71/0x90 +[ 44.212045] do_syscall_64+0x3f/0x90 +[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 44.212045] RIP: 0033:0x44b7da +[ 44.212045] RSP: 002b:00007ffdc8838548 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 44.212045] RAX: ffffffffffffffda RBX: 00007ffdc8839978 RCX: 000000000044b7da +[ 44.212045] RDX: 0000000000000038 RSI: 00007ffdc8838770 RDI: 0000000000000003 +[ 44.212045] RBP: 00007ffdc88385b0 R08: 00007ffdc883858c R09: 000000000000000c +[ 44.212045] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 +[ 44.212045] R13: 00007ffdc8839968 R14: 00000000004c37d0 R15: 0000000000000001 +[ 44.212045] +[ 44.212045] +[ 44.212045] Allocated by task 97: +[ 44.212045] kasan_save_stack+0x22/0x50 +[ 44.212045] kasan_set_track+0x25/0x30 +[ 44.212045] __kasan_kmalloc+0x7f/0x90 +[ 44.212045] __kmalloc_node_track_caller+0x5b/0x140 +[ 44.212045] kmemdup+0x21/0x50 +[ 44.212045] xfrm_dump_sa+0x17d/0x290 +[ 44.212045] netlink_dump+0x322/0x6c0 +[ 44.212045] __netlink_dump_start+0x353/0x430 +[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410 +[ 44.212045] netlink_rcv_skb+0xd6/0x210 +[ 44.212045] xfrm_netlink_rcv+0x44/0x50 +[ 44.212045] netlink_unicast+0x36f/0x4c0 +[ 44.212045] netlink_sendmsg+0x3b7/0x700 +[ 44.212045] sock_sendmsg+0xde/0xe0 +[ 44.212045] __sys_sendto+0x18d/0x230 +[ 44.212045] __x64_sys_sendto+0x71/0x90 +[ 44.212045] do_syscall_64+0x3f/0x90 +[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 44.212045] +[ 44.212045] The buggy address belongs to the object at ffff88800870f300 +[ 44.212045] which belongs to the cache kmalloc-64 of size 64 +[ 44.212045] The buggy address is located 32 bytes inside of +[ 44.212045] allocated 36-byte region [ffff88800870f300, ffff88800870f324) +[ 44.212045] +[ 44.212045] The buggy address belongs to the physical page: +[ 44.212045] page:00000000e4de16ee refcount:1 mapcount:0 mapping:000000000 ... +[ 44.212045] flags: 0x100000000000200(slab|node=0|zone=1) +[ 44.212045] page_type: 0xffffffff() +[ 44.212045] raw: 0100000000000200 ffff888004c41640 dead000000000122 0000000000000000 +[ 44.212045] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 +[ 44.212045] page dumped because: kasan: bad access detected +[ 44.212045] +[ 44.212045] Memory state around the buggy address: +[ 44.212045] ffff88800870f200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 44.212045] ffff88800870f280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc +[ 44.212045] >ffff88800870f300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc +[ 44.212045] ^ +[ 44.212045] ffff88800870f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 44.212045] ffff88800870f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 44.212045] ================================================================== + +By investigating the code, we find the root cause of this OOB is the lack +of checks in xfrm_dump_sa(). The buggy code allows a malicious user to pass +arbitrary value of filter->splen/dplen. Hence, with crafted xfrm states, +the attacker can achieve 8 bytes heap OOB read, which causes info leak. + + if (attrs[XFRMA_ADDRESS_FILTER]) { + filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]), + sizeof(*filter), GFP_KERNEL); + if (filter == NULL) + return -ENOMEM; + // NO MORE CHECKS HERE !!! + } + +This patch fixes the OOB by adding necessary boundary checks, just like +the code in pfkey_dump() function. + +Fixes: d3623099d350 ("ipsec: add support of limited SA dump") +Signed-off-by: Lin Ma +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index c34a2a06ca940..7c91deadc36e5 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1267,6 +1267,15 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) + sizeof(*filter), GFP_KERNEL); + if (filter == NULL) + return -ENOMEM; ++ ++ /* see addr_match(), (prefix length >> 5) << 2 ++ * will be used to compare xfrm_address_t ++ */ ++ if (filter->splen > (sizeof(xfrm_address_t) << 3) || ++ filter->dplen > (sizeof(xfrm_address_t) << 3)) { ++ kfree(filter); ++ return -EINVAL; ++ } + } + + if (attrs[XFRMA_PROTO]) +-- +2.40.1 + diff --git a/queue-6.4/netfilter-nf_tables-deactivate-catchall-elements-in-.patch b/queue-6.4/netfilter-nf_tables-deactivate-catchall-elements-in-.patch new file mode 100644 index 00000000000..c6c35f74fa4 --- /dev/null +++ b/queue-6.4/netfilter-nf_tables-deactivate-catchall-elements-in-.patch @@ -0,0 +1,48 @@ +From 8eafc3db137df2ba0865c6c70b0e9679daf56829 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Aug 2023 13:05:16 +0200 +Subject: netfilter: nf_tables: deactivate catchall elements in next generation + +From: Florian Westphal + +[ Upstream commit 90e5b3462efa37b8bba82d7c4e63683856e188af ] + +When flushing, individual set elements are disabled in the next +generation via the ->flush callback. + +Catchall elements are not disabled. This is incorrect and may lead to +double-deactivations of catchall elements which then results in memory +leaks: + +WARNING: CPU: 1 PID: 3300 at include/net/netfilter/nf_tables.h:1172 nft_map_deactivate+0x549/0x730 +CPU: 1 PID: 3300 Comm: nft Not tainted 6.5.0-rc5+ #60 +RIP: 0010:nft_map_deactivate+0x549/0x730 + [..] + ? nft_map_deactivate+0x549/0x730 + nf_tables_delset+0xb66/0xeb0 + +(the warn is due to nft_use_dec() detecting underflow). + +Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support") +Reported-by: lonial con +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c6de10f458fa4..803b24eb9da99 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7088,6 +7088,7 @@ static int nft_set_catchall_flush(const struct nft_ctx *ctx, + ret = __nft_set_catchall_flush(ctx, set, &elem); + if (ret < 0) + break; ++ nft_set_elem_change_active(ctx->net, set, ext); + } + + return ret; +-- +2.40.1 + diff --git a/queue-6.4/netfilter-nf_tables-don-t-fail-inserts-if-duplicate-.patch b/queue-6.4/netfilter-nf_tables-don-t-fail-inserts-if-duplicate-.patch new file mode 100644 index 00000000000..6beecb41dee --- /dev/null +++ b/queue-6.4/netfilter-nf_tables-don-t-fail-inserts-if-duplicate-.patch @@ -0,0 +1,102 @@ +From 6b3a696e5c90640cd09a4fa9c183eea198937609 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Aug 2023 20:03:57 +0200 +Subject: netfilter: nf_tables: don't fail inserts if duplicate has expired + +From: Florian Westphal + +[ Upstream commit 7845914f45f066497ac75b30c50dbc735e84e884 ] + +nftables selftests fail: +run-tests.sh testcases/sets/0044interval_overlap_0 +Expected: 0-2 . 0-3, got: +W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1 + +Insertion must ignore duplicate but expired entries. + +Moreover, there is a strange asymmetry in nft_pipapo_activate: + +It refetches the current element, whereas the other ->activate callbacks +(bitmap, hash, rhash, rbtree) use elem->priv. +Same for .remove: other set implementations take elem->priv, +nft_pipapo_remove fetches elem->priv, then does a relookup, +remove this. + +I suspect this was the reason for the change that prompted the +removal of the expired check in pipapo_get() in the first place, +but skipping exired elements there makes no sense to me, this helper +is used for normal get requests, insertions (duplicate check) +and deactivate callback. + +In first two cases expired elements must be skipped. + +For ->deactivate(), this gets called for DELSETELEM, so it +seems to me that expired elements should be skipped as well, i.e. +delete request should fail with -ENOENT error. + +Fixes: 24138933b97b ("netfilter: nf_tables: don't skip expired elements during walk") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 23 ++++------------------- + 1 file changed, 4 insertions(+), 19 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 3b5c3919fff9c..352180b123fc7 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -566,6 +566,8 @@ static struct nft_pipapo_elem *pipapo_get(const struct net *net, + goto out; + + if (last) { ++ if (nft_set_elem_expired(&f->mt[b].e->ext)) ++ goto next_match; + if ((genmask && + !nft_set_elem_active(&f->mt[b].e->ext, genmask))) + goto next_match; +@@ -600,17 +602,8 @@ static struct nft_pipapo_elem *pipapo_get(const struct net *net, + static void *nft_pipapo_get(const struct net *net, const struct nft_set *set, + const struct nft_set_elem *elem, unsigned int flags) + { +- struct nft_pipapo_elem *ret; +- +- ret = pipapo_get(net, set, (const u8 *)elem->key.val.data, ++ return pipapo_get(net, set, (const u8 *)elem->key.val.data, + nft_genmask_cur(net)); +- if (IS_ERR(ret)) +- return ret; +- +- if (nft_set_elem_expired(&ret->ext)) +- return ERR_PTR(-ENOENT); +- +- return ret; + } + + /** +@@ -1744,11 +1737,7 @@ static void nft_pipapo_activate(const struct net *net, + const struct nft_set *set, + const struct nft_set_elem *elem) + { +- struct nft_pipapo_elem *e; +- +- e = pipapo_get(net, set, (const u8 *)elem->key.val.data, 0); +- if (IS_ERR(e)) +- return; ++ struct nft_pipapo_elem *e = elem->priv; + + nft_set_elem_change_active(net, set, &e->ext); + } +@@ -1962,10 +1951,6 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, + + data = (const u8 *)nft_set_ext_key(&e->ext); + +- e = pipapo_get(net, set, data, 0); +- if (IS_ERR(e)) +- return; +- + while ((rules_f0 = pipapo_rules_same_key(m->f, first_rule))) { + union nft_pipapo_map_bucket rulemap[NFT_PIPAPO_MAX_FIELDS]; + const u8 *match_start, *match_end; +-- +2.40.1 + diff --git a/queue-6.4/netfilter-nf_tables-fix-false-positive-lockdep-splat.patch b/queue-6.4/netfilter-nf_tables-fix-false-positive-lockdep-splat.patch new file mode 100644 index 00000000000..b6df86ed12d --- /dev/null +++ b/queue-6.4/netfilter-nf_tables-fix-false-positive-lockdep-splat.patch @@ -0,0 +1,70 @@ +From 18e91b6b9cec2b4f4b54784e6562ce0a349fd085 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 20:40:17 +0200 +Subject: netfilter: nf_tables: fix false-positive lockdep splat + +From: Florian Westphal + +[ Upstream commit b9f052dc68f69dac89fe1e24693354c033daa091 ] + +->abort invocation may cause splat on debug kernels: + +WARNING: suspicious RCU usage +net/netfilter/nft_set_pipapo.c:1697 suspicious rcu_dereference_check() usage! +[..] +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by nft/133554: [..] (nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid +[..] + lockdep_rcu_suspicious+0x1ad/0x260 + nft_pipapo_abort+0x145/0x180 + __nf_tables_abort+0x5359/0x63d0 + nf_tables_abort+0x24/0x40 + nfnetlink_rcv+0x1a0a/0x22c0 + netlink_unicast+0x73c/0x900 + netlink_sendmsg+0x7f0/0xc20 + ____sys_sendmsg+0x48d/0x760 + +Transaction mutex is held, so parallel updates are not possible. +Switch to _protected and check mutex is held for lockdep enabled builds. + +Fixes: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 92b108e3000eb..3b5c3919fff9c 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1698,6 +1698,17 @@ static void nft_pipapo_commit(const struct nft_set *set) + priv->clone = new_clone; + } + ++static bool nft_pipapo_transaction_mutex_held(const struct nft_set *set) ++{ ++#ifdef CONFIG_PROVE_LOCKING ++ const struct net *net = read_pnet(&set->net); ++ ++ return lockdep_is_held(&nft_pernet(net)->commit_mutex); ++#else ++ return true; ++#endif ++} ++ + static void nft_pipapo_abort(const struct nft_set *set) + { + struct nft_pipapo *priv = nft_set_priv(set); +@@ -1706,7 +1717,7 @@ static void nft_pipapo_abort(const struct nft_set *set) + if (!priv->dirty) + return; + +- m = rcu_dereference(priv->match); ++ m = rcu_dereference_protected(priv->match, nft_pipapo_transaction_mutex_held(set)); + + new_clone = pipapo_clone(m); + if (IS_ERR(new_clone)) +-- +2.40.1 + diff --git a/queue-6.4/netfilter-nf_tables-fix-gc-transaction-races-with-ne.patch b/queue-6.4/netfilter-nf_tables-fix-gc-transaction-races-with-ne.patch new file mode 100644 index 00000000000..0a59fd55314 --- /dev/null +++ b/queue-6.4/netfilter-nf_tables-fix-gc-transaction-races-with-ne.patch @@ -0,0 +1,120 @@ +From 6764520f26123326af93e3288160365743577ba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 15:39:00 +0200 +Subject: netfilter: nf_tables: fix GC transaction races with netns and netlink + event exit path + +From: Pablo Neira Ayuso + +[ Upstream commit 6a33d8b73dfac0a41f3877894b38082bd0c9a5bc ] + +Netlink event path is missing a synchronization point with GC +transactions. Add GC sequence number update to netns release path and +netlink event path, any GC transaction losing race will be discarded. + +Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 36 +++++++++++++++++++++++++++++++---- + 1 file changed, 32 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 803b24eb9da99..dcf3ed3d5af9d 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9753,6 +9753,22 @@ static void nft_set_commit_update(struct list_head *set_update_list) + } + } + ++static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net) ++{ ++ unsigned int gc_seq; ++ ++ /* Bump gc counter, it becomes odd, this is the busy mark. */ ++ gc_seq = READ_ONCE(nft_net->gc_seq); ++ WRITE_ONCE(nft_net->gc_seq, ++gc_seq); ++ ++ return gc_seq; ++} ++ ++static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq) ++{ ++ WRITE_ONCE(nft_net->gc_seq, ++gc_seq); ++} ++ + static int nf_tables_commit(struct net *net, struct sk_buff *skb) + { + struct nftables_pernet *nft_net = nft_pernet(net); +@@ -9838,9 +9854,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + + WRITE_ONCE(nft_net->base_seq, base_seq); + +- /* Bump gc counter, it becomes odd, this is the busy mark. */ +- gc_seq = READ_ONCE(nft_net->gc_seq); +- WRITE_ONCE(nft_net->gc_seq, ++gc_seq); ++ gc_seq = nft_gc_seq_begin(nft_net); + + /* step 3. Start new generation, rules_gen_X now in use. */ + net->nft.gencursor = nft_gencursor_next(net); +@@ -10050,7 +10064,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); + nf_tables_commit_audit_log(&adl, nft_net->base_seq); + +- WRITE_ONCE(nft_net->gc_seq, ++gc_seq); ++ nft_gc_seq_end(nft_net, gc_seq); + nf_tables_commit_release(net); + + return 0; +@@ -11051,6 +11065,7 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, + struct net *net = n->net; + unsigned int deleted; + bool restart = false; ++ unsigned int gc_seq; + + if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) + return NOTIFY_DONE; +@@ -11058,6 +11073,9 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, + nft_net = nft_pernet(net); + deleted = 0; + mutex_lock(&nft_net->commit_mutex); ++ ++ gc_seq = nft_gc_seq_begin(nft_net); ++ + if (!list_empty(&nf_tables_destroy_list)) + rcu_barrier(); + again: +@@ -11080,6 +11098,8 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, + if (restart) + goto again; + } ++ nft_gc_seq_end(nft_net, gc_seq); ++ + mutex_unlock(&nft_net->commit_mutex); + + return NOTIFY_DONE; +@@ -11117,12 +11137,20 @@ static void __net_exit nf_tables_pre_exit_net(struct net *net) + static void __net_exit nf_tables_exit_net(struct net *net) + { + struct nftables_pernet *nft_net = nft_pernet(net); ++ unsigned int gc_seq; + + mutex_lock(&nft_net->commit_mutex); ++ ++ gc_seq = nft_gc_seq_begin(nft_net); ++ + if (!list_empty(&nft_net->commit_list) || + !list_empty(&nft_net->module_list)) + __nf_tables_abort(net, NFNL_ABORT_NONE); ++ + __nft_release_tables(net); ++ ++ nft_gc_seq_end(nft_net, gc_seq); ++ + mutex_unlock(&nft_net->commit_mutex); + WARN_ON_ONCE(!list_empty(&nft_net->tables)); + WARN_ON_ONCE(!list_empty(&nft_net->module_list)); +-- +2.40.1 + diff --git a/queue-6.4/netfilter-nf_tables-gc-transaction-race-with-netns-d.patch b/queue-6.4/netfilter-nf_tables-gc-transaction-race-with-netns-d.patch new file mode 100644 index 00000000000..086d7958511 --- /dev/null +++ b/queue-6.4/netfilter-nf_tables-gc-transaction-race-with-netns-d.patch @@ -0,0 +1,42 @@ +From 4ced338d182cbe566d7c72e28cb44c8634b4a2ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 15:39:01 +0200 +Subject: netfilter: nf_tables: GC transaction race with netns dismantle + +From: Pablo Neira Ayuso + +[ Upstream commit 02c6c24402bf1c1e986899c14ba22a10b510916b ] + +Use maybe_get_net() since GC workqueue might race with netns exit path. + +Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index dcf3ed3d5af9d..b280b151a9e98 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9495,9 +9495,14 @@ struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set, + if (!trans) + return NULL; + ++ trans->net = maybe_get_net(net); ++ if (!trans->net) { ++ kfree(trans); ++ return NULL; ++ } ++ + refcount_inc(&set->refs); + trans->set = set; +- trans->net = get_net(net); + trans->seq = gc_seq; + + return trans; +-- +2.40.1 + diff --git a/queue-6.4/netfilter-nft_dynset-disallow-object-maps.patch b/queue-6.4/netfilter-nft_dynset-disallow-object-maps.patch new file mode 100644 index 00000000000..5d54b934de8 --- /dev/null +++ b/queue-6.4/netfilter-nft_dynset-disallow-object-maps.patch @@ -0,0 +1,36 @@ +From 156c1e0d4e26a7c55a71210812d65da8b59e86b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 15:39:02 +0200 +Subject: netfilter: nft_dynset: disallow object maps + +From: Pablo Neira Ayuso + +[ Upstream commit 23185c6aed1ffb8fc44087880ba2767aba493779 ] + +Do not allow to insert elements from datapath to objects maps. + +Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_dynset.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index bd19c7aec92ee..c98a273c3006d 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -191,6 +191,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx, + if (IS_ERR(set)) + return PTR_ERR(set); + ++ if (set->flags & NFT_SET_OBJECT) ++ return -EOPNOTSUPP; ++ + if (set->ops->update == NULL) + return -EOPNOTSUPP; + +-- +2.40.1 + diff --git a/queue-6.4/netfilter-set-default-timeout-to-3-secs-for-sctp-shu.patch b/queue-6.4/netfilter-set-default-timeout-to-3-secs-for-sctp-shu.patch new file mode 100644 index 00000000000..38d9322c70b --- /dev/null +++ b/queue-6.4/netfilter-set-default-timeout-to-3-secs-for-sctp-shu.patch @@ -0,0 +1,92 @@ +From 59e4ce3e3da8660869b6048534425e635dae4455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 14:08:47 -0400 +Subject: netfilter: set default timeout to 3 secs for sctp shutdown send and + recv state + +From: Xin Long + +[ Upstream commit 9bfab6d23a2865966a4f89a96536fbf23f83bc8c ] + +In SCTP protocol, it is using the same timer (T2 timer) for SHUTDOWN and +SHUTDOWN_ACK retransmission. However in sctp conntrack the default timeout +value for SCTP_CONNTRACK_SHUTDOWN_ACK_SENT state is 3 secs while it's 300 +msecs for SCTP_CONNTRACK_SHUTDOWN_SEND/RECV state. + +As Paolo Valerio noticed, this might cause unwanted expiration of the ct +entry. In my test, with 1s tc netem delay set on the NAT path, after the +SHUTDOWN is sent, the sctp ct entry enters SCTP_CONNTRACK_SHUTDOWN_SEND +state. However, due to 300ms (too short) delay, when the SHUTDOWN_ACK is +sent back from the peer, the sctp ct entry has expired and been deleted, +and then the SHUTDOWN_ACK has to be dropped. + +Also, it is confusing these two sysctl options always show 0 due to all +timeout values using sec as unit: + + net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0 + net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0 + +This patch fixes it by also using 3 secs for sctp shutdown send and recv +state in sctp conntrack, which is also RTO.initial value in SCTP protocol. + +Note that the very short time value for SCTP_CONNTRACK_SHUTDOWN_SEND/RECV +was probably used for a rare scenario where SHUTDOWN is sent on 1st path +but SHUTDOWN_ACK is replied on 2nd path, then a new connection started +immediately on 1st path. So this patch also moves from SHUTDOWN_SEND/RECV +to CLOSE when receiving INIT in the ORIGINAL direction. + +Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") +Reported-by: Paolo Valerio +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + Documentation/networking/nf_conntrack-sysctl.rst | 4 ++-- + net/netfilter/nf_conntrack_proto_sctp.c | 6 +++--- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Documentation/networking/nf_conntrack-sysctl.rst b/Documentation/networking/nf_conntrack-sysctl.rst +index 8b1045c3b59e0..c383a394c6656 100644 +--- a/Documentation/networking/nf_conntrack-sysctl.rst ++++ b/Documentation/networking/nf_conntrack-sysctl.rst +@@ -178,10 +178,10 @@ nf_conntrack_sctp_timeout_established - INTEGER (seconds) + Default is set to (hb_interval * path_max_retrans + rto_max) + + nf_conntrack_sctp_timeout_shutdown_sent - INTEGER (seconds) +- default 0.3 ++ default 3 + + nf_conntrack_sctp_timeout_shutdown_recd - INTEGER (seconds) +- default 0.3 ++ default 3 + + nf_conntrack_sctp_timeout_shutdown_ack_sent - INTEGER (seconds) + default 3 +diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c +index 91eacc9b0b987..b6bcc8f2f46b7 100644 +--- a/net/netfilter/nf_conntrack_proto_sctp.c ++++ b/net/netfilter/nf_conntrack_proto_sctp.c +@@ -49,8 +49,8 @@ static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { + [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS, + [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS, + [SCTP_CONNTRACK_ESTABLISHED] = 210 SECS, +- [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000, +- [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000, ++ [SCTP_CONNTRACK_SHUTDOWN_SENT] = 3 SECS, ++ [SCTP_CONNTRACK_SHUTDOWN_RECD] = 3 SECS, + [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS, + [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS, + }; +@@ -105,7 +105,7 @@ static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { + { + /* ORIGINAL */ + /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */ +-/* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW}, ++/* init */ {sCL, sCL, sCW, sCE, sES, sCL, sCL, sSA, sCW}, + /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL}, + /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, + /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL}, +-- +2.40.1 + diff --git a/queue-6.4/octeon_ep-cancel-ctrl_mbox_task-after-intr_poll_task.patch b/queue-6.4/octeon_ep-cancel-ctrl_mbox_task-after-intr_poll_task.patch new file mode 100644 index 00000000000..b4157641228 --- /dev/null +++ b/queue-6.4/octeon_ep-cancel-ctrl_mbox_task-after-intr_poll_task.patch @@ -0,0 +1,47 @@ +From 3f4948507b601a19a377367189e4efadb35ad7bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 17:01:13 +0200 +Subject: octeon_ep: cancel ctrl_mbox_task after intr_poll_task + +From: Michal Schmidt + +[ Upstream commit 607a7a45cdf38c1901e0d81e4e00a2a88786330a ] + +intr_poll_task may queue ctrl_mbox_task. The function +octep_poll_non_ioq_interrupts_cn93_pf does this. + +When removing the driver and canceling these two works, cancel +ctrl_mbox_task last to guarantee it does not run anymore. + +Fixes: 24d4333233b3 ("octeon_ep: poll for control messages") +Signed-off-by: Michal Schmidt +Link: https://lore.kernel.org/r/20230810150114.107765-4-mschmidt@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +index d8066bff5f7b1..ab69b6d625094 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +@@ -1200,7 +1200,6 @@ static void octep_remove(struct pci_dev *pdev) + if (!oct) + return; + +- cancel_work_sync(&oct->ctrl_mbox_task); + netdev = oct->netdev; + if (netdev->reg_state == NETREG_REGISTERED) + unregister_netdev(netdev); +@@ -1208,6 +1207,7 @@ static void octep_remove(struct pci_dev *pdev) + cancel_work_sync(&oct->tx_timeout_task); + oct->poll_non_ioq_intr = false; + cancel_delayed_work_sync(&oct->intr_poll_task); ++ cancel_work_sync(&oct->ctrl_mbox_task); + octep_device_cleanup(oct); + pci_release_mem_regions(pdev); + free_netdev(netdev); +-- +2.40.1 + diff --git a/queue-6.4/octeon_ep-cancel-queued-works-in-probe-error-path.patch b/queue-6.4/octeon_ep-cancel-queued-works-in-probe-error-path.patch new file mode 100644 index 00000000000..bb7c2fad190 --- /dev/null +++ b/queue-6.4/octeon_ep-cancel-queued-works-in-probe-error-path.patch @@ -0,0 +1,59 @@ +From 4f44d2594c05cc546f8f5b96f194635dd818295c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 17:01:14 +0200 +Subject: octeon_ep: cancel queued works in probe error path + +From: Michal Schmidt + +[ Upstream commit 758c91078165ae641b698750a72eafe7968b3756 ] + +If it fails to get the devices's MAC address, octep_probe exits while +leaving the delayed work intr_poll_task queued. When the work later +runs, it's a use after free. + +Move the cancelation of intr_poll_task from octep_remove into +octep_device_cleanup. This does not change anything in the octep_remove +flow, but octep_device_cleanup is called also in the octep_probe error +path, where the cancelation is needed. + +Note that the cancelation of ctrl_mbox_task has to follow +intr_poll_task's, because the ctrl_mbox_task may be queued by +intr_poll_task. + +Fixes: 24d4333233b3 ("octeon_ep: poll for control messages") +Signed-off-by: Michal Schmidt +Link: https://lore.kernel.org/r/20230810150114.107765-5-mschmidt@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +index ab69b6d625094..4424de2ffd70c 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +@@ -1038,6 +1038,10 @@ static void octep_device_cleanup(struct octep_device *oct) + { + int i; + ++ oct->poll_non_ioq_intr = false; ++ cancel_delayed_work_sync(&oct->intr_poll_task); ++ cancel_work_sync(&oct->ctrl_mbox_task); ++ + dev_info(&oct->pdev->dev, "Cleaning up Octeon Device ...\n"); + + for (i = 0; i < OCTEP_MAX_VF; i++) { +@@ -1205,9 +1209,6 @@ static void octep_remove(struct pci_dev *pdev) + unregister_netdev(netdev); + + cancel_work_sync(&oct->tx_timeout_task); +- oct->poll_non_ioq_intr = false; +- cancel_delayed_work_sync(&oct->intr_poll_task); +- cancel_work_sync(&oct->ctrl_mbox_task); + octep_device_cleanup(oct); + pci_release_mem_regions(pdev); + free_netdev(netdev); +-- +2.40.1 + diff --git a/queue-6.4/octeon_ep-cancel-tx_timeout_task-later-in-remove-seq.patch b/queue-6.4/octeon_ep-cancel-tx_timeout_task-later-in-remove-seq.patch new file mode 100644 index 00000000000..d844b6953cb --- /dev/null +++ b/queue-6.4/octeon_ep-cancel-tx_timeout_task-later-in-remove-seq.patch @@ -0,0 +1,46 @@ +From a2c1722be731225564a3d1db45e042e50c3c61c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 17:01:12 +0200 +Subject: octeon_ep: cancel tx_timeout_task later in remove sequence + +From: Michal Schmidt + +[ Upstream commit 28458c80006bb4e993a09fc094094a8578cad292 ] + +tx_timeout_task is canceled too early when removing the driver. Nothing +prevents .ndo_tx_timeout from triggering and queuing the work again. + +Better cancel it after the netdev is unregistered. +It's harmless for octep_tx_timeout_task to run in the window between the +unregistration and cancelation, because it checks netif_running. + +Fixes: 862cd659a6fb ("octeon_ep: Add driver framework and device initialization") +Signed-off-by: Michal Schmidt +Link: https://lore.kernel.org/r/20230810150114.107765-3-mschmidt@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +index 43eb6e8713511..d8066bff5f7b1 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +@@ -1200,12 +1200,12 @@ static void octep_remove(struct pci_dev *pdev) + if (!oct) + return; + +- cancel_work_sync(&oct->tx_timeout_task); + cancel_work_sync(&oct->ctrl_mbox_task); + netdev = oct->netdev; + if (netdev->reg_state == NETREG_REGISTERED) + unregister_netdev(netdev); + ++ cancel_work_sync(&oct->tx_timeout_task); + oct->poll_non_ioq_intr = false; + cancel_delayed_work_sync(&oct->intr_poll_task); + octep_device_cleanup(oct); +-- +2.40.1 + diff --git a/queue-6.4/octeon_ep-fix-timeout-value-for-waiting-on-mbox-resp.patch b/queue-6.4/octeon_ep-fix-timeout-value-for-waiting-on-mbox-resp.patch new file mode 100644 index 00000000000..a75edd5e144 --- /dev/null +++ b/queue-6.4/octeon_ep-fix-timeout-value-for-waiting-on-mbox-resp.patch @@ -0,0 +1,40 @@ +From b21d68bbfc9c10c04fdd930d7e7ae42a94f67202 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 17:01:11 +0200 +Subject: octeon_ep: fix timeout value for waiting on mbox response + +From: Michal Schmidt + +[ Upstream commit 519b227904f0e70d4a1d6cf41daa5392715f2d2f ] + +The intention was to wait up to 500 ms for the mbox response. +The third argument to wait_event_interruptible_timeout() is supposed to +be the timeout duration. The driver mistakenly passed absolute time +instead. + +Fixes: 577f0d1b1c5f ("octeon_ep: add separate mailbox command and response queues") +Signed-off-by: Michal Schmidt +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230810150114.107765-2-mschmidt@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeon_ep/octep_ctrl_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_ctrl_net.c b/drivers/net/ethernet/marvell/octeon_ep/octep_ctrl_net.c +index 1cc6af2feb38a..565320ec24f81 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_ctrl_net.c ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_ctrl_net.c +@@ -55,7 +55,7 @@ static int octep_send_mbox_req(struct octep_device *oct, + list_add_tail(&d->list, &oct->ctrl_req_wait_list); + ret = wait_event_interruptible_timeout(oct->ctrl_req_wait_q, + (d->done != 0), +- jiffies + msecs_to_jiffies(500)); ++ msecs_to_jiffies(500)); + list_del(&d->list); + if (ret == 0 || ret == 1) + return -EAGAIN; +-- +2.40.1 + diff --git a/queue-6.4/pinctrl-qcom-add-intr_target_width-field-to-support-.patch b/queue-6.4/pinctrl-qcom-add-intr_target_width-field-to-support-.patch new file mode 100644 index 00000000000..83aacd2230e --- /dev/null +++ b/queue-6.4/pinctrl-qcom-add-intr_target_width-field-to-support-.patch @@ -0,0 +1,110 @@ +From 0987852fe27d626b2e9650a212e4a8f3775c6693 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 15:36:34 +0530 +Subject: pinctrl: qcom: Add intr_target_width field to support increased + number of interrupt targets + +From: Ninad Naik + +[ Upstream commit 9757300d2750ef76f139aa6f5f7eadd61a0de0d3 ] + +SA8775 and newer target have added support for an increased number of +interrupt targets. To implement this change, the intr_target field, which +is used to configure the interrupt target in the interrupt configuration +register is increased from 3 bits to 4 bits. + +In accordance to these updates, a new intr_target_width member is +introduced in msm_pingroup structure. This member stores the value of +width of intr_target field in the interrupt configuration register. This +value is used to dynamically calculate and generate mask for setting the +intr_target field. By default, this mask is set to 3 bit wide, to ensure +backward compatibility with the older targets. + +Fixes: 4b6b18559927 ("pinctrl: qcom: add the tlmm driver sa8775p platforms") +Tested-by: Andrew Halaney # sa8775p-ride +Signed-off-by: Ninad Naik +Reviewed-by: Konrad Dybcio +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230809100634.3961-1-quic_ninanaik@quicinc.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 9 ++++++--- + drivers/pinctrl/qcom/pinctrl-msm.h | 2 ++ + drivers/pinctrl/qcom/pinctrl-sa8775p.c | 1 + + 3 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c +index c5f52d4f7781b..1fb0a24356bf5 100644 +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -1039,6 +1039,7 @@ static int msm_gpio_irq_set_type(struct irq_data *d, unsigned int type) + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct msm_pinctrl *pctrl = gpiochip_get_data(gc); + const struct msm_pingroup *g; ++ u32 intr_target_mask = GENMASK(2, 0); + unsigned long flags; + bool was_enabled; + u32 val; +@@ -1075,13 +1076,15 @@ static int msm_gpio_irq_set_type(struct irq_data *d, unsigned int type) + * With intr_target_use_scm interrupts are routed to + * application cpu using scm calls. + */ ++ if (g->intr_target_width) ++ intr_target_mask = GENMASK(g->intr_target_width - 1, 0); ++ + if (pctrl->intr_target_use_scm) { + u32 addr = pctrl->phys_base[0] + g->intr_target_reg; + int ret; + + qcom_scm_io_readl(addr, &val); +- +- val &= ~(7 << g->intr_target_bit); ++ val &= ~(intr_target_mask << g->intr_target_bit); + val |= g->intr_target_kpss_val << g->intr_target_bit; + + ret = qcom_scm_io_writel(addr, val); +@@ -1091,7 +1094,7 @@ static int msm_gpio_irq_set_type(struct irq_data *d, unsigned int type) + d->hwirq); + } else { + val = msm_readl_intr_target(pctrl, g); +- val &= ~(7 << g->intr_target_bit); ++ val &= ~(intr_target_mask << g->intr_target_bit); + val |= g->intr_target_kpss_val << g->intr_target_bit; + msm_writel_intr_target(val, pctrl, g); + } +diff --git a/drivers/pinctrl/qcom/pinctrl-msm.h b/drivers/pinctrl/qcom/pinctrl-msm.h +index 985eceda25173..7f30416be127b 100644 +--- a/drivers/pinctrl/qcom/pinctrl-msm.h ++++ b/drivers/pinctrl/qcom/pinctrl-msm.h +@@ -51,6 +51,7 @@ struct msm_function { + * @intr_status_bit: Offset in @intr_status_reg for reading and acking the interrupt + * status. + * @intr_target_bit: Offset in @intr_target_reg for configuring the interrupt routing. ++ * @intr_target_width: Number of bits used for specifying interrupt routing target. + * @intr_target_kpss_val: Value in @intr_target_bit for specifying that the interrupt from + * this gpio should get routed to the KPSS processor. + * @intr_raw_status_bit: Offset in @intr_cfg_reg for the raw status bit. +@@ -94,6 +95,7 @@ struct msm_pingroup { + unsigned intr_ack_high:1; + + unsigned intr_target_bit:5; ++ unsigned intr_target_width:5; + unsigned intr_target_kpss_val:5; + unsigned intr_raw_status_bit:5; + unsigned intr_polarity_bit:5; +diff --git a/drivers/pinctrl/qcom/pinctrl-sa8775p.c b/drivers/pinctrl/qcom/pinctrl-sa8775p.c +index 2ae7cdca65d3e..62f7a36d290cb 100644 +--- a/drivers/pinctrl/qcom/pinctrl-sa8775p.c ++++ b/drivers/pinctrl/qcom/pinctrl-sa8775p.c +@@ -54,6 +54,7 @@ + .intr_enable_bit = 0, \ + .intr_status_bit = 0, \ + .intr_target_bit = 5, \ ++ .intr_target_width = 4, \ + .intr_target_kpss_val = 3, \ + .intr_raw_status_bit = 4, \ + .intr_polarity_bit = 1, \ +-- +2.40.1 + diff --git a/queue-6.4/qede-fix-firmware-halt-over-suspend-and-resume.patch b/queue-6.4/qede-fix-firmware-halt-over-suspend-and-resume.patch new file mode 100644 index 00000000000..be2ff0ba06c --- /dev/null +++ b/queue-6.4/qede-fix-firmware-halt-over-suspend-and-resume.patch @@ -0,0 +1,67 @@ +From 5cd45f8093cd5090f4b38a97169245111577c0d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 20:37:11 +0530 +Subject: qede: fix firmware halt over suspend and resume + +From: Manish Chopra + +[ Upstream commit 2eb9625a3a32251ecea470cd576659a3a03b4e59 ] + +While performing certain power-off sequences, PCI drivers are +called to suspend and resume their underlying devices through +PCI PM (power management) interface. However this NIC hardware +does not support PCI PM suspend/resume operations so system wide +suspend/resume leads to bad MFW (management firmware) state which +causes various follow-up errors in driver when communicating with +the device/firmware afterwards. + +To fix this driver implements PCI PM suspend handler to indicate +unsupported operation to the PCI subsystem explicitly, thus avoiding +system to go into suspended/standby mode. + +Without this fix device/firmware does not recover unless system +is power cycled. + +Fixes: 2950219d87b0 ("qede: Add basic network device support") +Signed-off-by: Manish Chopra +Signed-off-by: Alok Prasad +Reviewed-by: John Meneghini +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230816150711.59035-1-manishc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c +index 4b004a7281903..99df00c30b8c6 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -176,6 +176,15 @@ static int qede_sriov_configure(struct pci_dev *pdev, int num_vfs_param) + } + #endif + ++static int __maybe_unused qede_suspend(struct device *dev) ++{ ++ dev_info(dev, "Device does not support suspend operation\n"); ++ ++ return -EOPNOTSUPP; ++} ++ ++static DEFINE_SIMPLE_DEV_PM_OPS(qede_pm_ops, qede_suspend, NULL); ++ + static const struct pci_error_handlers qede_err_handler = { + .error_detected = qede_io_error_detected, + }; +@@ -190,6 +199,7 @@ static struct pci_driver qede_pci_driver = { + .sriov_configure = qede_sriov_configure, + #endif + .err_handler = &qede_err_handler, ++ .driver.pm = &qede_pm_ops, + }; + + static struct qed_eth_cb_ops qede_ll_ops = { +-- +2.40.1 + diff --git a/queue-6.4/riscv-correct-riscv_insn_is_c_jr-and-riscv_insn_is_c.patch b/queue-6.4/riscv-correct-riscv_insn_is_c_jr-and-riscv_insn_is_c.patch new file mode 100644 index 00000000000..a5ec7a99ed4 --- /dev/null +++ b/queue-6.4/riscv-correct-riscv_insn_is_c_jr-and-riscv_insn_is_c.patch @@ -0,0 +1,69 @@ +From 733d6fd8e6bdca054ebef2bc6bd75b08d5c2f66f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 20:39:25 +0200 +Subject: riscv: correct riscv_insn_is_c_jr() and riscv_insn_is_c_jalr() + +From: Nam Cao + +[ Upstream commit 79bc3f85c51fc352f8e684ba6b626f677a3aa230 ] + +The instructions c.jr and c.jalr must have rs1 != 0, but +riscv_insn_is_c_jr() and riscv_insn_is_c_jalr() do not check for this. So, +riscv_insn_is_c_jr() can match a reserved encoding, while +riscv_insn_is_c_jalr() can match the c.ebreak instruction. + +Rewrite them with check for rs1 != 0. + +Signed-off-by: Nam Cao +Reviewed-by: Charlie Jenkins +Fixes: ec5f90877516 ("RISC-V: Move riscv_insn_is_* macros into a common header") +Link: https://lore.kernel.org/r/20230731183925.152145-1-namcaov@gmail.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/insn.h | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/include/asm/insn.h b/arch/riscv/include/asm/insn.h +index 8d5c84f2d5ef7..603095c913e37 100644 +--- a/arch/riscv/include/asm/insn.h ++++ b/arch/riscv/include/asm/insn.h +@@ -110,6 +110,7 @@ + #define RVC_INSN_FUNCT4_OPOFF 12 + #define RVC_INSN_FUNCT3_MASK GENMASK(15, 13) + #define RVC_INSN_FUNCT3_OPOFF 13 ++#define RVC_INSN_J_RS1_MASK GENMASK(11, 7) + #define RVC_INSN_J_RS2_MASK GENMASK(6, 2) + #define RVC_INSN_OPCODE_MASK GENMASK(1, 0) + #define RVC_ENCODE_FUNCT3(f_) (RVC_FUNCT3_##f_ << RVC_INSN_FUNCT3_OPOFF) +@@ -225,8 +226,6 @@ __RISCV_INSN_FUNCS(c_jal, RVC_MASK_C_JAL, RVC_MATCH_C_JAL) + __RISCV_INSN_FUNCS(auipc, RVG_MASK_AUIPC, RVG_MATCH_AUIPC) + __RISCV_INSN_FUNCS(jalr, RVG_MASK_JALR, RVG_MATCH_JALR) + __RISCV_INSN_FUNCS(jal, RVG_MASK_JAL, RVG_MATCH_JAL) +-__RISCV_INSN_FUNCS(c_jr, RVC_MASK_C_JR, RVC_MATCH_C_JR) +-__RISCV_INSN_FUNCS(c_jalr, RVC_MASK_C_JALR, RVC_MATCH_C_JALR) + __RISCV_INSN_FUNCS(c_j, RVC_MASK_C_J, RVC_MATCH_C_J) + __RISCV_INSN_FUNCS(beq, RVG_MASK_BEQ, RVG_MATCH_BEQ) + __RISCV_INSN_FUNCS(bne, RVG_MASK_BNE, RVG_MATCH_BNE) +@@ -253,6 +252,18 @@ static __always_inline bool riscv_insn_is_branch(u32 code) + return (code & RV_INSN_OPCODE_MASK) == RVG_OPCODE_BRANCH; + } + ++static __always_inline bool riscv_insn_is_c_jr(u32 code) ++{ ++ return (code & RVC_MASK_C_JR) == RVC_MATCH_C_JR && ++ (code & RVC_INSN_J_RS1_MASK) != 0; ++} ++ ++static __always_inline bool riscv_insn_is_c_jalr(u32 code) ++{ ++ return (code & RVC_MASK_C_JALR) == RVC_MATCH_C_JALR && ++ (code & RVC_INSN_J_RS1_MASK) != 0; ++} ++ + #define RV_IMM_SIGN(x) (-(((x) >> 31) & 1)) + #define RVC_IMM_SIGN(x) (-(((x) >> 12) & 1)) + #define RV_X(X, s, mask) (((X) >> (s)) & (mask)) +-- +2.40.1 + diff --git a/queue-6.4/riscv-entry-set-a0-enosys-only-when-syscall-1.patch b/queue-6.4/riscv-entry-set-a0-enosys-only-when-syscall-1.patch new file mode 100644 index 00000000000..eee86dc761f --- /dev/null +++ b/queue-6.4/riscv-entry-set-a0-enosys-only-when-syscall-1.patch @@ -0,0 +1,72 @@ +From ab988a11a08e33b2e3a8c0efc8381c2923e37dc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 22:15:16 +0800 +Subject: riscv: entry: set a0 = -ENOSYS only when syscall != -1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Celeste Liu + +[ Upstream commit 52449c17bdd1540940e21511612b58acebc49c06 ] + +When we test seccomp with 6.4 kernel, we found errno has wrong value. +If we deny NETLINK_AUDIT with EAFNOSUPPORT, after f0bddf50586d, we will +get ENOSYS instead. We got same result with commit 9c2598d43510 ("riscv: +entry: Save a0 prior syscall_enter_from_user_mode()"). + +After analysing code, we think that regs->a0 = -ENOSYS should only be +executed when syscall != -1. In __seccomp_filter, when seccomp rejected +this syscall with specified errno, they will set a0 to return number as +syscall ABI, and then return -1. This return number is finally pass as +return number of syscall_enter_from_user_mode, and then is compared with +NR_syscalls after converted to ulong (so it will be ULONG_MAX). The +condition syscall < NR_syscalls will always be false, so regs->a0 = -ENOSYS +is always executed. It covered a0 set by seccomp, so we always get +ENOSYS when match seccomp RET_ERRNO rule. + +Fixes: f0bddf50586d ("riscv: entry: Convert to generic entry") +Reported-by: Felix Yan +Co-developed-by: Ruizhe Pan +Signed-off-by: Ruizhe Pan +Co-developed-by: Shiqi Zhang +Signed-off-by: Shiqi Zhang +Signed-off-by: Celeste Liu +Tested-by: Felix Yan +Tested-by: Emil Renner Berthing +Reviewed-by: Björn Töpel +Reviewed-by: Guo Ren +Link: https://lore.kernel.org/r/20230801141607.435192-1-CoelacanthusHex@gmail.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/traps.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c +index 8c258b78c925c..bd19e885dcec1 100644 +--- a/arch/riscv/kernel/traps.c ++++ b/arch/riscv/kernel/traps.c +@@ -268,16 +268,16 @@ asmlinkage __visible __trap_section void do_trap_break(struct pt_regs *regs) + asmlinkage __visible __trap_section void do_trap_ecall_u(struct pt_regs *regs) + { + if (user_mode(regs)) { +- ulong syscall = regs->a7; ++ long syscall = regs->a7; + + regs->epc += 4; + regs->orig_a0 = regs->a0; + + syscall = syscall_enter_from_user_mode(regs, syscall); + +- if (syscall < NR_syscalls) ++ if (syscall >= 0 && syscall < NR_syscalls) + syscall_handler(regs, syscall); +- else ++ else if (syscall != -1) + regs->a0 = -ENOSYS; + + syscall_exit_to_user_mode(regs); +-- +2.40.1 + diff --git a/queue-6.4/riscv-uaccess-return-the-number-of-bytes-effectively.patch b/queue-6.4/riscv-uaccess-return-the-number-of-bytes-effectively.patch new file mode 100644 index 00000000000..5acafe8fed3 --- /dev/null +++ b/queue-6.4/riscv-uaccess-return-the-number-of-bytes-effectively.patch @@ -0,0 +1,91 @@ +From 94f79f15ec26bab0853f1348e694948a88b4a9e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 17:06:04 +0200 +Subject: riscv: uaccess: Return the number of bytes effectively not copied +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexandre Ghiti + +[ Upstream commit 4b05b993900dd3eba0fc83ef5c5ddc7d65d786c6 ] + +It was reported that the riscv kernel hangs while executing the test +in [1]. + +Indeed, the test hangs when trying to write a buffer to a file. The +problem is that the riscv implementation of raw_copy_from_user() does not +return the correct number of bytes not written when an exception happens +and is fixed up, instead it always returns the initial size to copy, +even if some bytes were actually copied. + +generic_perform_write() pre-faults the user pages and bails out if nothing +can be written, otherwise it will access the userspace buffer: here the +riscv implementation keeps returning it was not able to copy any byte +though the pre-faulting indicates otherwise. So generic_perform_write() +keeps retrying to access the user memory and ends up in an infinite +loop. + +Note that before the commit mentioned in [1] that introduced this +regression, it worked because generic_perform_write() would bail out if +only one byte could not be written. + +So fix this by returning the number of bytes effectively not written in +__asm_copy_[to|from]_user() and __clear_user(), as it is expected. + +Link: https://lore.kernel.org/linux-riscv/20230309151841.bomov6hq3ybyp42a@debian/ [1] +Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") +Reported-by: Bo YU +Closes: https://lore.kernel.org/linux-riscv/20230309151841.bomov6hq3ybyp42a@debian/#t +Reported-by: Aurelien Jarno +Closes: https://lore.kernel.org/linux-riscv/ZNOnCakhwIeue3yr@aurel32.net/ +Signed-off-by: Alexandre Ghiti +Reviewed-by: Björn Töpel +Tested-by: Aurelien Jarno +Reviewed-by: Aurelien Jarno +Link: https://lore.kernel.org/r/20230811150604.1621784-1-alexghiti@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/lib/uaccess.S | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S +index ec486e5369d9b..09b47ebacf2e8 100644 +--- a/arch/riscv/lib/uaccess.S ++++ b/arch/riscv/lib/uaccess.S +@@ -17,8 +17,11 @@ ENTRY(__asm_copy_from_user) + li t6, SR_SUM + csrs CSR_STATUS, t6 + +- /* Save for return value */ +- mv t5, a2 ++ /* ++ * Save the terminal address which will be used to compute the number ++ * of bytes copied in case of a fixup exception. ++ */ ++ add t5, a0, a2 + + /* + * Register allocation for code below: +@@ -176,7 +179,7 @@ ENTRY(__asm_copy_from_user) + 10: + /* Disable access to user memory */ + csrc CSR_STATUS, t6 +- mv a0, t5 ++ sub a0, t5, a0 + ret + ENDPROC(__asm_copy_to_user) + ENDPROC(__asm_copy_from_user) +@@ -228,7 +231,7 @@ ENTRY(__clear_user) + 11: + /* Disable access to user memory */ + csrc CSR_STATUS, t6 +- mv a0, a1 ++ sub a0, a3, a0 + ret + ENDPROC(__clear_user) + EXPORT_SYMBOL(__clear_user) +-- +2.40.1 + diff --git a/queue-6.4/selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch b/queue-6.4/selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch new file mode 100644 index 00000000000..f9f7c7b4804 --- /dev/null +++ b/queue-6.4/selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch @@ -0,0 +1,48 @@ +From ce3455abfa6688b6747a6fea9564775d0360bf91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 17:59:27 +0200 +Subject: selftests: mirror_gre_changes: Tighten up the TTL test match + +From: Petr Machata + +[ Upstream commit 855067defa36b1f9effad8c219d9a85b655cf500 ] + +This test verifies whether the encapsulated packets have the correct +configured TTL. It does so by sending ICMP packets through the test +topology and mirroring them to a gretap netdevice. On a busy host +however, more than just the test ICMP packets may end up flowing +through the topology, get mirrored, and counted. This leads to +potential spurious failures as the test observes much more mirrored +packets than the sent test packets, and assumes a bug. + +Fix this by tightening up the mirror action match. Change it from +matchall to a flower classifier matching on ICMP packets specifically. + +Fixes: 45315673e0c5 ("selftests: forwarding: Test changes in mirror-to-gretap") +Signed-off-by: Petr Machata +Tested-by: Mirsad Todorovac +Reviewed-by: Ido Schimmel +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/mirror_gre_changes.sh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh b/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh +index aff88f78e3391..5ea9d63915f77 100755 +--- a/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh ++++ b/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh +@@ -72,7 +72,8 @@ test_span_gre_ttl() + + RET=0 + +- mirror_install $swp1 ingress $tundev "matchall $tcflags" ++ mirror_install $swp1 ingress $tundev \ ++ "prot ip flower $tcflags ip_prot icmp" + tc filter add dev $h3 ingress pref 77 prot $prot \ + flower skip_hw ip_ttl 50 action pass + +-- +2.40.1 + diff --git a/queue-6.4/series b/queue-6.4/series index cedbf950f19..3b8546c1db1 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -133,3 +133,72 @@ x86-srso-disable-the-mitigation-on-unaffected-configurations.patch x86-retpoline-kprobes-fix-position-of-thunk-sections-with-config_lto_clang.patch x86-retpoline-kprobes-skip-optprobe-check-for-indirect-jumps-with-retpolines-and-ibt.patch x86-srso-correct-the-mitigation-status-when-smt-is-disabled.patch +net-xfrm-fix-xfrm_address_filter-oob-read.patch +net-af_key-fix-sadb_x_filter-validation.patch +net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch +xfrm-silence-warnings-triggerable-by-bad-packets.patch +xfrm-fix-slab-use-after-free-in-decode_session6.patch +ip6_vti-fix-slab-use-after-free-in-decode_session6.patch +ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch +xfrm-add-null-check-in-xfrm_update_ae_params.patch +xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch +xfrm-delete-offloaded-policy.patch +xfrm-don-t-skip-free-of-empty-state-in-acquire-polic.patch +virtio-net-set-queues-after-driver_ok.patch +net-pcs-add-missing-put_device-call-in-miic_create.patch +net-phy-fix-irq-based-wake-on-lan-over-hibernate-pow.patch +selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch +drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch +drm-i915-guc-slpc-restore-efficient-freq-earlier.patch +net-macb-in-zynqmp-resume-always-configure-ps-gtr-fo.patch +octeon_ep-fix-timeout-value-for-waiting-on-mbox-resp.patch +octeon_ep-cancel-tx_timeout_task-later-in-remove-seq.patch +octeon_ep-cancel-ctrl_mbox_task-after-intr_poll_task.patch +octeon_ep-cancel-queued-works-in-probe-error-path.patch +net-veth-page-pool-creation-error-handling-for-exist.patch +accel-qaic-fix-slicing-memory-leak.patch +accel-qaic-clean-up-integer-overflow-checking-in-map.patch +netfilter-nf_tables-fix-false-positive-lockdep-splat.patch +netfilter-nf_tables-deactivate-catchall-elements-in-.patch +netfilter-nf_tables-don-t-fail-inserts-if-duplicate-.patch +netfilter-set-default-timeout-to-3-secs-for-sctp-shu.patch +ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch +netfilter-nf_tables-fix-gc-transaction-races-with-ne.patch +netfilter-nf_tables-gc-transaction-race-with-netns-d.patch +netfilter-nft_dynset-disallow-object-maps.patch +net-phy-broadcom-stub-c45-read-write-for-54810.patch +team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch +net-openvswitch-reject-negative-ifindex.patch +iavf-fix-fdir-rule-fields-masks-validation.patch +i40e-fix-misleading-debug-logs.patch +net-mlx5e-xdp-fix-fifo-overrun-on-xdp_redirect.patch +drm-nouveau-disp-fix-use-after-free-in-error-handlin.patch +net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch +sfc-add-fallback-action-set-lists-for-tc-offload.patch +sfc-don-t-unregister-flow_indr-if-it-was-never-regis.patch +sfc-don-t-fail-probe-if-mae-tc-setup-fails.patch +sock-fix-misuse-of-sk_under_memory_pressure.patch +net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch +qede-fix-firmware-halt-over-suspend-and-resume.patch +ice-block-switchdev-mode-when-adq-is-active-and-vice.patch +bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch +arm64-dts-qcom-qrb5165-rb5-fix-thermal-zone-conflict.patch +arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-pi.patch +arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-4c.patch +arm-dts-imx6-phytec-fix-rtc-interrupt-level.patch +arm-dts-imx-adjust-dma-apbh-node-name.patch +arm-dts-imx-set-default-tuning-step-for-imx7d-usdhc.patch +arm64-dts-imx8mm-drop-csi1-phy-reference-clock-confi.patch +arm-dts-imx-set-default-tuning-step-for-imx6sx-usdhc.patch +asoc-max98363-don-t-return-on-success-reading-revisi.patch +arm64-dts-imx93-fix-anatop-node-size.patch +asoc-rt5665-add-missed-regulator_bulk_disable.patch +asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch +alsa-hda-realtek-add-quirks-for-hp-g11-laptops.patch +pinctrl-qcom-add-intr_target_width-field-to-support-.patch +soc-aspeed-uart-routing-use-__sysfs_match_string.patch +soc-aspeed-socinfo-add-kfree-for-kstrdup.patch +alsa-hda-realtek-remodified-3k-pull-low-procedure.patch +riscv-entry-set-a0-enosys-only-when-syscall-1.patch +riscv-correct-riscv_insn_is_c_jr-and-riscv_insn_is_c.patch +riscv-uaccess-return-the-number-of-bytes-effectively.patch diff --git a/queue-6.4/sfc-add-fallback-action-set-lists-for-tc-offload.patch b/queue-6.4/sfc-add-fallback-action-set-lists-for-tc-offload.patch new file mode 100644 index 00000000000..2c4dc3eaf2d --- /dev/null +++ b/queue-6.4/sfc-add-fallback-action-set-lists-for-tc-offload.patch @@ -0,0 +1,170 @@ +From c609396474cf9c014c846c645816146e1ad88786 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 17:42:30 +0100 +Subject: sfc: add fallback action-set-lists for TC offload + +From: Edward Cree + +[ Upstream commit e16ca7fb9ffb0d51ddf01e450a1043ea65b5be3f ] + +When offloading a TC encap action, the action information for the + hardware might not be "ready": if there's currently no neighbour entry + available for the destination address, we can't construct the Ethernet + header to prepend to the packet. In this case, we still offload the + flow rule, but with its action-set-list ID pointing at a "fallback" + action which simply delivers the packet to its default destination (as + though no flow rule had matched), thus allowing software TC to handle + it. Later, when we receive a neighbouring update that allows us to + construct the encap header, the rule will become "ready" and we will + update its action-set-list ID in hardware to point at the actual + offloaded actions. +This patch sets up these fallback ASLs, but does not yet use them. + +Reviewed-by: Pieter Jansen van Vuuren +Signed-off-by: Edward Cree +Reviewed-by: Simon Horman +Signed-off-by: Jakub Kicinski +Stable-dep-of: fa165e194997 ("sfc: don't unregister flow_indr if it was never registered") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/tc.c | 68 +++++++++++++++++++++++++++++++++++ + drivers/net/ethernet/sfc/tc.h | 9 +++++ + 2 files changed, 77 insertions(+) + +diff --git a/drivers/net/ethernet/sfc/tc.c b/drivers/net/ethernet/sfc/tc.c +index d7827ab3761f9..54c5719031f9e 100644 +--- a/drivers/net/ethernet/sfc/tc.c ++++ b/drivers/net/ethernet/sfc/tc.c +@@ -1310,6 +1310,58 @@ void efx_tc_deconfigure_default_rule(struct efx_nic *efx, + rule->fw_id = MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL; + } + ++static int efx_tc_configure_fallback_acts(struct efx_nic *efx, u32 eg_port, ++ struct efx_tc_action_set_list *acts) ++{ ++ struct efx_tc_action_set *act; ++ int rc; ++ ++ act = kzalloc(sizeof(*act), GFP_KERNEL); ++ if (!act) ++ return -ENOMEM; ++ act->deliver = 1; ++ act->dest_mport = eg_port; ++ rc = efx_mae_alloc_action_set(efx, act); ++ if (rc) ++ goto fail1; ++ EFX_WARN_ON_PARANOID(!list_empty(&acts->list)); ++ list_add_tail(&act->list, &acts->list); ++ rc = efx_mae_alloc_action_set_list(efx, acts); ++ if (rc) ++ goto fail2; ++ return 0; ++fail2: ++ list_del(&act->list); ++ efx_mae_free_action_set(efx, act->fw_id); ++fail1: ++ kfree(act); ++ return rc; ++} ++ ++static int efx_tc_configure_fallback_acts_pf(struct efx_nic *efx) ++{ ++ struct efx_tc_action_set_list *acts = &efx->tc->facts.pf; ++ u32 eg_port; ++ ++ efx_mae_mport_uplink(efx, &eg_port); ++ return efx_tc_configure_fallback_acts(efx, eg_port, acts); ++} ++ ++static int efx_tc_configure_fallback_acts_reps(struct efx_nic *efx) ++{ ++ struct efx_tc_action_set_list *acts = &efx->tc->facts.reps; ++ u32 eg_port; ++ ++ efx_mae_mport_mport(efx, efx->tc->reps_mport_id, &eg_port); ++ return efx_tc_configure_fallback_acts(efx, eg_port, acts); ++} ++ ++static void efx_tc_deconfigure_fallback_acts(struct efx_nic *efx, ++ struct efx_tc_action_set_list *acts) ++{ ++ efx_tc_free_action_set_list(efx, acts, true); ++} ++ + static int efx_tc_configure_rep_mport(struct efx_nic *efx) + { + u32 rep_mport_label; +@@ -1400,6 +1452,12 @@ int efx_init_tc(struct efx_nic *efx) + if (rc) + return rc; + rc = efx_tc_configure_rep_mport(efx); ++ if (rc) ++ return rc; ++ rc = efx_tc_configure_fallback_acts_pf(efx); ++ if (rc) ++ return rc; ++ rc = efx_tc_configure_fallback_acts_reps(efx); + if (rc) + return rc; + efx->tc->up = true; +@@ -1419,6 +1477,8 @@ void efx_fini_tc(struct efx_nic *efx) + efx_tc_deconfigure_rep_mport(efx); + efx_tc_deconfigure_default_rule(efx, &efx->tc->dflt.pf); + efx_tc_deconfigure_default_rule(efx, &efx->tc->dflt.wire); ++ efx_tc_deconfigure_fallback_acts(efx, &efx->tc->facts.pf); ++ efx_tc_deconfigure_fallback_acts(efx, &efx->tc->facts.reps); + efx->tc->up = false; + } + +@@ -1483,6 +1543,10 @@ int efx_init_struct_tc(struct efx_nic *efx) + efx->tc->dflt.pf.fw_id = MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL; + INIT_LIST_HEAD(&efx->tc->dflt.wire.acts.list); + efx->tc->dflt.wire.fw_id = MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL; ++ INIT_LIST_HEAD(&efx->tc->facts.pf.list); ++ efx->tc->facts.pf.fw_id = MC_CMD_MAE_ACTION_SET_ALLOC_OUT_ACTION_SET_ID_NULL; ++ INIT_LIST_HEAD(&efx->tc->facts.reps.list); ++ efx->tc->facts.reps.fw_id = MC_CMD_MAE_ACTION_SET_ALLOC_OUT_ACTION_SET_ID_NULL; + efx->extra_channel_type[EFX_EXTRA_CHANNEL_TC] = &efx_tc_channel_type; + return 0; + fail_match_action_ht: +@@ -1508,6 +1572,10 @@ void efx_fini_struct_tc(struct efx_nic *efx) + MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL); + EFX_WARN_ON_PARANOID(efx->tc->dflt.wire.fw_id != + MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL); ++ EFX_WARN_ON_PARANOID(efx->tc->facts.pf.fw_id != ++ MC_CMD_MAE_ACTION_SET_LIST_ALLOC_OUT_ACTION_SET_LIST_ID_NULL); ++ EFX_WARN_ON_PARANOID(efx->tc->facts.reps.fw_id != ++ MC_CMD_MAE_ACTION_SET_LIST_ALLOC_OUT_ACTION_SET_LIST_ID_NULL); + rhashtable_free_and_destroy(&efx->tc->match_action_ht, efx_tc_flow_free, + efx); + rhashtable_free_and_destroy(&efx->tc->encap_match_ht, +diff --git a/drivers/net/ethernet/sfc/tc.h b/drivers/net/ethernet/sfc/tc.h +index 04cced6a2d39f..2b6782e9c7226 100644 +--- a/drivers/net/ethernet/sfc/tc.h ++++ b/drivers/net/ethernet/sfc/tc.h +@@ -133,6 +133,11 @@ enum efx_tc_rule_prios { + * %EFX_TC_PRIO_DFLT. Named by *ingress* port + * @dflt.pf: rule for traffic ingressing from PF (egresses to wire) + * @dflt.wire: rule for traffic ingressing from wire (egresses to PF) ++ * @facts: Fallback action-set-lists for unready rules. Named by *egress* port ++ * @facts.pf: action-set-list for unready rules on PF netdev, hence applying to ++ * traffic from wire, and egressing to PF ++ * @facts.reps: action-set-list for unready rules on representors, hence ++ * applying to traffic from representees, and egressing to the reps mport + * @up: have TC datastructures been set up? + */ + struct efx_tc_state { +@@ -153,6 +158,10 @@ struct efx_tc_state { + struct efx_tc_flow_rule pf; + struct efx_tc_flow_rule wire; + } dflt; ++ struct { ++ struct efx_tc_action_set_list pf; ++ struct efx_tc_action_set_list reps; ++ } facts; + bool up; + }; + +-- +2.40.1 + diff --git a/queue-6.4/sfc-don-t-fail-probe-if-mae-tc-setup-fails.patch b/queue-6.4/sfc-don-t-fail-probe-if-mae-tc-setup-fails.patch new file mode 100644 index 00000000000..2aaf3d5a8bb --- /dev/null +++ b/queue-6.4/sfc-don-t-fail-probe-if-mae-tc-setup-fails.patch @@ -0,0 +1,39 @@ +From ceeee5af6801be912f393f18b055a86527bd5028 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 16:57:28 +0100 +Subject: sfc: don't fail probe if MAE/TC setup fails + +From: Edward Cree + +[ Upstream commit 54c9016eb8eda55952a195b071359cd13f50ed9b ] + +Existing comment in the source explains why we don't want efx_init_tc() + failure to be fatal. Cited commit erroneously consolidated failure + paths causing the probe to be failed in this case. + +Fixes: 7e056e2360d9 ("sfc: obtain device mac address based on firmware handle for ef100") +Reviewed-by: Martin Habets +Signed-off-by: Edward Cree +Link: https://lore.kernel.org/r/aa7f589dd6028bd1ad49f0a85f37ab33c09b2b45.1692114888.git.ecree.xilinx@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef100_nic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/ef100_nic.c b/drivers/net/ethernet/sfc/ef100_nic.c +index 7adde9639c8ab..35d8e9811998d 100644 +--- a/drivers/net/ethernet/sfc/ef100_nic.c ++++ b/drivers/net/ethernet/sfc/ef100_nic.c +@@ -1194,7 +1194,7 @@ int ef100_probe_netdev_pf(struct efx_nic *efx) + net_dev->features |= NETIF_F_HW_TC; + efx->fixed_features |= NETIF_F_HW_TC; + } +- return rc; ++ return 0; + } + + int ef100_probe_vf(struct efx_nic *efx) +-- +2.40.1 + diff --git a/queue-6.4/sfc-don-t-unregister-flow_indr-if-it-was-never-regis.patch b/queue-6.4/sfc-don-t-unregister-flow_indr-if-it-was-never-regis.patch new file mode 100644 index 00000000000..6dc28d88f97 --- /dev/null +++ b/queue-6.4/sfc-don-t-unregister-flow_indr-if-it-was-never-regis.patch @@ -0,0 +1,43 @@ +From ac76619f1a997118a9284151bb077ded3a215b8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 16:57:27 +0100 +Subject: sfc: don't unregister flow_indr if it was never registered + +From: Edward Cree + +[ Upstream commit fa165e1949976704500a442faeef8d9596faee76 ] + +In efx_init_tc(), move the setting of efx->tc->up after the + flow_indr_dev_register() call, so that if it fails, efx_fini_tc() + won't call flow_indr_dev_unregister(). + +Fixes: 5b2e12d51bd8 ("sfc: bind indirect blocks for TC offload on EF100") +Suggested-by: Pieter Jansen van Vuuren +Reviewed-by: Martin Habets +Signed-off-by: Edward Cree +Link: https://lore.kernel.org/r/a81284d7013aba74005277bd81104e4cfbea3f6f.1692114888.git.ecree.xilinx@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/tc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/tc.c b/drivers/net/ethernet/sfc/tc.c +index 54c5719031f9e..6c8dfe0a64824 100644 +--- a/drivers/net/ethernet/sfc/tc.c ++++ b/drivers/net/ethernet/sfc/tc.c +@@ -1460,10 +1460,10 @@ int efx_init_tc(struct efx_nic *efx) + rc = efx_tc_configure_fallback_acts_reps(efx); + if (rc) + return rc; +- efx->tc->up = true; + rc = flow_indr_dev_register(efx_tc_indr_setup_cb, efx); + if (rc) + return rc; ++ efx->tc->up = true; + return 0; + } + +-- +2.40.1 + diff --git a/queue-6.4/soc-aspeed-socinfo-add-kfree-for-kstrdup.patch b/queue-6.4/soc-aspeed-socinfo-add-kfree-for-kstrdup.patch new file mode 100644 index 00000000000..3d354ca1f78 --- /dev/null +++ b/queue-6.4/soc-aspeed-socinfo-add-kfree-for-kstrdup.patch @@ -0,0 +1,37 @@ +From af4391ec49abe40320883b83251dfbf09d435971 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 22:01:04 +0930 +Subject: soc: aspeed: socinfo: Add kfree for kstrdup + +From: Jiasheng Jiang + +[ Upstream commit 6e6d847a8ce18ab2fbec4f579f682486a82d2c6b ] + +Add kfree() in the later error handling in order to avoid memory leak. + +Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20230707021625.7727-1-jiasheng@iscas.ac.cn +Signed-off-by: Joel Stanley +Link: https://lore.kernel.org/r/20230810123104.231167-1-joel@jms.id.au +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-socinfo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c +index 1ca140356a084..3f759121dc00a 100644 +--- a/drivers/soc/aspeed/aspeed-socinfo.c ++++ b/drivers/soc/aspeed/aspeed-socinfo.c +@@ -137,6 +137,7 @@ static int __init aspeed_socinfo_init(void) + + soc_dev = soc_device_register(attrs); + if (IS_ERR(soc_dev)) { ++ kfree(attrs->machine); + kfree(attrs->soc_id); + kfree(attrs->serial_number); + kfree(attrs); +-- +2.40.1 + diff --git a/queue-6.4/soc-aspeed-uart-routing-use-__sysfs_match_string.patch b/queue-6.4/soc-aspeed-uart-routing-use-__sysfs_match_string.patch new file mode 100644 index 00000000000..02561c2aebe --- /dev/null +++ b/queue-6.4/soc-aspeed-uart-routing-use-__sysfs_match_string.patch @@ -0,0 +1,43 @@ +From bbbf967c63e66e594c5a194590a1c6586079119d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 21:59:41 +0930 +Subject: soc: aspeed: uart-routing: Use __sysfs_match_string + +From: Zev Weiss + +[ Upstream commit e4ad279ae345413d900d791f2f618d0a1cd0d791 ] + +The existing use of match_string() caused it to reject 'echo foo' due +to the implicitly appended newline, which was somewhat ergonomically +awkward and inconsistent with typical sysfs behavior. Using the +__sysfs_* variant instead provides more convenient and consistent +linefeed-agnostic behavior. + +Signed-off-by: Zev Weiss +Fixes: c6807970c3bc ("soc: aspeed: Add UART routing support") +Reviewed-by: Joel Stanley +Link: https://lore.kernel.org/r/20230628083735.19946-2-zev@bewilderbeest.net +Signed-off-by: Joel Stanley +Link: https://lore.kernel.org/r/20230810122941.231085-1-joel@jms.id.au +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-uart-routing.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-uart-routing.c b/drivers/soc/aspeed/aspeed-uart-routing.c +index ef8b24fd18518..59123e1f27acb 100644 +--- a/drivers/soc/aspeed/aspeed-uart-routing.c ++++ b/drivers/soc/aspeed/aspeed-uart-routing.c +@@ -524,7 +524,7 @@ static ssize_t aspeed_uart_routing_store(struct device *dev, + struct aspeed_uart_routing_selector *sel = to_routing_selector(attr); + int val; + +- val = match_string(sel->options, -1, buf); ++ val = __sysfs_match_string(sel->options, -1, buf); + if (val < 0) { + dev_err(dev, "invalid value \"%s\"\n", buf); + return -EINVAL; +-- +2.40.1 + diff --git a/queue-6.4/sock-fix-misuse-of-sk_under_memory_pressure.patch b/queue-6.4/sock-fix-misuse-of-sk_under_memory_pressure.patch new file mode 100644 index 00000000000..105a232ecae --- /dev/null +++ b/queue-6.4/sock-fix-misuse-of-sk_under_memory_pressure.patch @@ -0,0 +1,74 @@ +From 13c039d7fcc2a09f77c0d16bc08dde7669d15328 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 17:12:22 +0800 +Subject: sock: Fix misuse of sk_under_memory_pressure() + +From: Abel Wu + +[ Upstream commit 2d0c88e84e483982067a82073f6125490ddf3614 ] + +The status of global socket memory pressure is updated when: + + a) __sk_mem_raise_allocated(): + + enter: sk_memory_allocated(sk) > sysctl_mem[1] + leave: sk_memory_allocated(sk) <= sysctl_mem[0] + + b) __sk_mem_reduce_allocated(): + + leave: sk_under_memory_pressure(sk) && + sk_memory_allocated(sk) < sysctl_mem[0] + +So the conditions of leaving global pressure are inconstant, which +may lead to the situation that one pressured net-memcg prevents the +global pressure from being cleared when there is indeed no global +pressure, thus the global constrains are still in effect unexpectedly +on the other sockets. + +This patch fixes this by ignoring the net-memcg's pressure when +deciding whether should leave global memory pressure. + +Fixes: e1aab161e013 ("socket: initial cgroup code.") +Signed-off-by: Abel Wu +Acked-by: Shakeel Butt +Link: https://lore.kernel.org/r/20230816091226.1542-1-wuyun.abel@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 6 ++++++ + net/core/sock.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index ad468fe71413a..415f3840a26aa 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1421,6 +1421,12 @@ static inline bool sk_has_memory_pressure(const struct sock *sk) + return sk->sk_prot->memory_pressure != NULL; + } + ++static inline bool sk_under_global_memory_pressure(const struct sock *sk) ++{ ++ return sk->sk_prot->memory_pressure && ++ !!*sk->sk_prot->memory_pressure; ++} ++ + static inline bool sk_under_memory_pressure(const struct sock *sk) + { + if (!sk->sk_prot->memory_pressure) +diff --git a/net/core/sock.c b/net/core/sock.c +index 1f31a97100d4f..8451a95266bf0 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3107,7 +3107,7 @@ void __sk_mem_reduce_allocated(struct sock *sk, int amount) + if (mem_cgroup_sockets_enabled && sk->sk_memcg) + mem_cgroup_uncharge_skmem(sk->sk_memcg, amount); + +- if (sk_under_memory_pressure(sk) && ++ if (sk_under_global_memory_pressure(sk) && + (sk_memory_allocated(sk) < sk_prot_mem_limits(sk, 0))) + sk_leave_memory_pressure(sk); + } +-- +2.40.1 + diff --git a/queue-6.4/team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch b/queue-6.4/team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch new file mode 100644 index 00000000000..bf057d9f7f5 --- /dev/null +++ b/queue-6.4/team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch @@ -0,0 +1,54 @@ +From 698555c59dfa255abaf02c1d0cdbb4008805bcb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 11:23:01 +0800 +Subject: team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves + +From: Ziyang Xuan + +[ Upstream commit dafcbce07136d799edc4c67f04f9fd69ff1eac1f ] + +Similar to commit 01f4fd270870 ("bonding: Fix incorrect deletion of +ETH_P_8021AD protocol vid from slaves"), we can trigger BUG_ON(!vlan_info) +in unregister_vlan_dev() with the following testcase: + + # ip netns add ns1 + # ip netns exec ns1 ip link add team1 type team + # ip netns exec ns1 ip link add team_slave type veth peer veth2 + # ip netns exec ns1 ip link set team_slave master team1 + # ip netns exec ns1 ip link add link team_slave name team_slave.10 type vlan id 10 protocol 802.1ad + # ip netns exec ns1 ip link add link team1 name team1.10 type vlan id 10 protocol 802.1ad + # ip netns exec ns1 ip link set team_slave nomaster + # ip netns del ns1 + +Add S-VLAN tag related features support to team driver. So the team driver +will always propagate the VLAN info to its slaves. + +Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support") +Suggested-by: Ido Schimmel +Signed-off-by: Ziyang Xuan +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230814032301.2804971-1-william.xuanziyang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index d3dc22509ea58..382756c3fb837 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -2200,7 +2200,9 @@ static void team_setup(struct net_device *dev) + + dev->hw_features = TEAM_VLAN_FEATURES | + NETIF_F_HW_VLAN_CTAG_RX | +- NETIF_F_HW_VLAN_CTAG_FILTER; ++ NETIF_F_HW_VLAN_CTAG_FILTER | ++ NETIF_F_HW_VLAN_STAG_RX | ++ NETIF_F_HW_VLAN_STAG_FILTER; + + dev->hw_features |= NETIF_F_GSO_ENCAP_ALL; + dev->features |= dev->hw_features; +-- +2.40.1 + diff --git a/queue-6.4/virtio-net-set-queues-after-driver_ok.patch b/queue-6.4/virtio-net-set-queues-after-driver_ok.patch new file mode 100644 index 00000000000..572c20e60ca --- /dev/null +++ b/queue-6.4/virtio-net-set-queues-after-driver_ok.patch @@ -0,0 +1,52 @@ +From dfb8ebb0a10791599a3293ef1c46edf34fdb4cb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 23:12:56 -0400 +Subject: virtio-net: set queues after driver_ok + +From: Jason Wang + +[ Upstream commit 51b813176f098ff61bd2833f627f5319ead098a5 ] + +Commit 25266128fe16 ("virtio-net: fix race between set queues and +probe") tries to fix the race between set queues and probe by calling +_virtnet_set_queues() before DRIVER_OK is set. This violates virtio +spec. Fixing this by setting queues after virtio_device_ready(). + +Note that rtnl needs to be held for userspace requests to change the +number of queues. So we are serialized in this way. + +Fixes: 25266128fe16 ("virtio-net: fix race between set queues and probe") +Reported-by: Dragos Tatulea +Acked-by: Michael S. Tsirkin +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 2336a0e4befa5..f61f351fa96ce 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -4110,8 +4110,6 @@ static int virtnet_probe(struct virtio_device *vdev) + if (vi->has_rss || vi->has_rss_hash_report) + virtnet_init_default_rss(vi); + +- _virtnet_set_queues(vi, vi->curr_queue_pairs); +- + /* serialize netdev register + virtio_device_ready() with ndo_open() */ + rtnl_lock(); + +@@ -4124,6 +4122,8 @@ static int virtnet_probe(struct virtio_device *vdev) + + virtio_device_ready(vdev); + ++ _virtnet_set_queues(vi, vi->curr_queue_pairs); ++ + /* a random MAC address has been assigned, notify the device. + * We don't fail probe if VIRTIO_NET_F_CTRL_MAC_ADDR is not there + * because many devices work fine without getting MAC explicitly +-- +2.40.1 + diff --git a/queue-6.4/xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch b/queue-6.4/xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch new file mode 100644 index 00000000000..aa22eab140f --- /dev/null +++ b/queue-6.4/xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch @@ -0,0 +1,54 @@ +From 49565dbc18078aac75dbafa5531092927600b9a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 15:41:10 +0800 +Subject: xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH + +From: Lin Ma + +[ Upstream commit 5e2424708da7207087934c5c75211e8584d553a0 ] + +The previous commit 4e484b3e969b ("xfrm: rate limit SA mapping change +message to user space") added one additional attribute named +XFRMA_MTIMER_THRESH and described its type at compat_policy +(net/xfrm/xfrm_compat.c). + +However, the author forgot to also describe the nla_policy at +xfrma_policy (net/xfrm/xfrm_user.c). Hence, this suppose NLA_U32 (4 +bytes) value can be faked as empty (0 bytes) by a malicious user, which +leads to 4 bytes overflow read and heap information leak when parsing +nlattrs. + +To exploit this, one malicious user can spray the SLUB objects and then +leverage this 4 bytes OOB read to leak the heap data into +x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to +userspace via copy_to_user_state_extra(...). + +The above bug is assigned CVE-2023-3773. To fix it, this commit just +completes the nla_policy description for XFRMA_MTIMER_THRESH, which +enforces the length check and avoids such OOB read. + +Fixes: 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space") +Signed-off-by: Lin Ma +Reviewed-by: Simon Horman +Reviewed-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 8f74dde4a55f6..f06d6deb58dd4 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -3044,6 +3044,7 @@ const struct nla_policy xfrma_policy[XFRMA_MAX+1] = { + [XFRMA_SET_MARK] = { .type = NLA_U32 }, + [XFRMA_SET_MARK_MASK] = { .type = NLA_U32 }, + [XFRMA_IF_ID] = { .type = NLA_U32 }, ++ [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 }, + }; + EXPORT_SYMBOL_GPL(xfrma_policy); + +-- +2.40.1 + diff --git a/queue-6.4/xfrm-add-null-check-in-xfrm_update_ae_params.patch b/queue-6.4/xfrm-add-null-check-in-xfrm_update_ae_params.patch new file mode 100644 index 00000000000..7b91bb9d4ba --- /dev/null +++ b/queue-6.4/xfrm-add-null-check-in-xfrm_update_ae_params.patch @@ -0,0 +1,104 @@ +From 004dcba14d9f9c873141adfdc64c4250c0a10f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 22:51:03 +0800 +Subject: xfrm: add NULL check in xfrm_update_ae_params + +From: Lin Ma + +[ Upstream commit 00374d9b6d9f932802b55181be9831aa948e5b7c ] + +Normally, x->replay_esn and x->preplay_esn should be allocated at +xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the +xfrm_update_ae_params(...) is okay to update them. However, the current +implementation of xfrm_new_ae(...) allows a malicious user to directly +dereference a NULL pointer and crash the kernel like below. + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0 +Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI +CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4 +RIP: 0010:memcpy_orig+0xad/0x140 +Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c +RSP: 0018:ffff888008f57658 EFLAGS: 00000202 +RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571 +RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818 +R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000 +FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0 +Call Trace: + + ? __die+0x1f/0x70 + ? page_fault_oops+0x1e8/0x500 + ? __pfx_is_prefetch.constprop.0+0x10/0x10 + ? __pfx_page_fault_oops+0x10/0x10 + ? _raw_spin_unlock_irqrestore+0x11/0x40 + ? fixup_exception+0x36/0x460 + ? _raw_spin_unlock_irqrestore+0x11/0x40 + ? exc_page_fault+0x5e/0xc0 + ? asm_exc_page_fault+0x26/0x30 + ? xfrm_update_ae_params+0xd1/0x260 + ? memcpy_orig+0xad/0x140 + ? __pfx__raw_spin_lock_bh+0x10/0x10 + xfrm_update_ae_params+0xe7/0x260 + xfrm_new_ae+0x298/0x4e0 + ? __pfx_xfrm_new_ae+0x10/0x10 + ? __pfx_xfrm_new_ae+0x10/0x10 + xfrm_user_rcv_msg+0x25a/0x410 + ? __pfx_xfrm_user_rcv_msg+0x10/0x10 + ? __alloc_skb+0xcf/0x210 + ? stack_trace_save+0x90/0xd0 + ? filter_irq_stacks+0x1c/0x70 + ? __stack_depot_save+0x39/0x4e0 + ? __kasan_slab_free+0x10a/0x190 + ? kmem_cache_free+0x9c/0x340 + ? netlink_recvmsg+0x23c/0x660 + ? sock_recvmsg+0xeb/0xf0 + ? __sys_recvfrom+0x13c/0x1f0 + ? __x64_sys_recvfrom+0x71/0x90 + ? do_syscall_64+0x3f/0x90 + ? entry_SYSCALL_64_after_hwframe+0x72/0xdc + ? copyout+0x3e/0x50 + netlink_rcv_skb+0xd6/0x210 + ? __pfx_xfrm_user_rcv_msg+0x10/0x10 + ? __pfx_netlink_rcv_skb+0x10/0x10 + ? __pfx_sock_has_perm+0x10/0x10 + ? mutex_lock+0x8d/0xe0 + ? __pfx_mutex_lock+0x10/0x10 + xfrm_netlink_rcv+0x44/0x50 + netlink_unicast+0x36f/0x4c0 + ? __pfx_netlink_unicast+0x10/0x10 + ? netlink_recvmsg+0x500/0x660 + netlink_sendmsg+0x3b7/0x700 + +This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit +adds additional NULL check in xfrm_update_ae_params to fix the NPD. + +Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows") +Signed-off-by: Lin Ma +Reviewed-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index fdc0c17122b69..8f74dde4a55f6 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -628,7 +628,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, + struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; + struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH]; + +- if (re) { ++ if (re && x->replay_esn && x->preplay_esn) { + struct xfrm_replay_state_esn *replay_esn; + replay_esn = nla_data(re); + memcpy(x->replay_esn, replay_esn, +-- +2.40.1 + diff --git a/queue-6.4/xfrm-delete-offloaded-policy.patch b/queue-6.4/xfrm-delete-offloaded-policy.patch new file mode 100644 index 00000000000..eb204d08b22 --- /dev/null +++ b/queue-6.4/xfrm-delete-offloaded-policy.patch @@ -0,0 +1,36 @@ +From e6c2f71afb6865da980c630ab0d71418ace6ec0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 14:38:26 +0300 +Subject: xfrm: delete offloaded policy + +From: Leon Romanovsky + +[ Upstream commit 982c3aca8bac8ae38acdc940e4f1ecec3bffc623 ] + +The policy memory was released but not HW driver data. Add +call to xfrm_dev_policy_delete(), so drivers will have a chance +to release their resources. + +Fixes: 919e43fad516 ("xfrm: add an interface to offload policy") +Signed-off-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index f06d6deb58dd4..ad01997c3aa9d 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -2345,6 +2345,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, + NETLINK_CB(skb).portid); + } + } else { ++ xfrm_dev_policy_delete(xp); + xfrm_audit_policy_delete(xp, err ? 0 : 1, true); + + if (err != 0) +-- +2.40.1 + diff --git a/queue-6.4/xfrm-don-t-skip-free-of-empty-state-in-acquire-polic.patch b/queue-6.4/xfrm-don-t-skip-free-of-empty-state-in-acquire-polic.patch new file mode 100644 index 00000000000..e31650d7242 --- /dev/null +++ b/queue-6.4/xfrm-don-t-skip-free-of-empty-state-in-acquire-polic.patch @@ -0,0 +1,59 @@ +From 0eaef408c6094d9c78b7b7898947b15355dd1a68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 14:38:27 +0300 +Subject: xfrm: don't skip free of empty state in acquire policy + +From: Leon Romanovsky + +[ Upstream commit f3ec2b5d879ef5bbcb24678914641343cb6399a2 ] + +In destruction flow, the assignment of NULL to xso->dev +caused to skip of xfrm_dev_state_free() call, which was +called in xfrm_state_put(to_put) routine. + +Instead of open-coded variant of xfrm_dev_state_delete() and +xfrm_dev_state_free(), let's use them directly. + +Fixes: f8a70afafc17 ("xfrm: add TX datapath support for IPsec packet offload mode") +Signed-off-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 1 + + net/xfrm/xfrm_state.c | 8 ++------ + 2 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 151ca95dd08db..363c7d5105542 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1984,6 +1984,7 @@ static inline void xfrm_dev_state_free(struct xfrm_state *x) + if (dev->xfrmdev_ops->xdo_dev_state_free) + dev->xfrmdev_ops->xdo_dev_state_free(x); + xso->dev = NULL; ++ xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED; + netdev_put(dev, &xso->dev_tracker); + } + } +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 49e63eea841dd..bda5327bf34df 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1324,12 +1324,8 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, + struct xfrm_dev_offload *xso = &x->xso; + + if (xso->type == XFRM_DEV_OFFLOAD_PACKET) { +- xso->dev->xfrmdev_ops->xdo_dev_state_delete(x); +- xso->dir = 0; +- netdev_put(xso->dev, &xso->dev_tracker); +- xso->dev = NULL; +- xso->real_dev = NULL; +- xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED; ++ xfrm_dev_state_delete(x); ++ xfrm_dev_state_free(x); + } + #endif + x->km.state = XFRM_STATE_DEAD; +-- +2.40.1 + diff --git a/queue-6.4/xfrm-fix-slab-use-after-free-in-decode_session6.patch b/queue-6.4/xfrm-fix-slab-use-after-free-in-decode_session6.patch new file mode 100644 index 00000000000..1708db25968 --- /dev/null +++ b/queue-6.4/xfrm-fix-slab-use-after-free-in-decode_session6.patch @@ -0,0 +1,122 @@ +From 6837879d191babf89b5da185d4c5c98e5e0b152b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 17:40:51 +0800 +Subject: xfrm: fix slab-use-after-free in decode_session6 + +From: Zhengchao Shao + +[ Upstream commit 53223f2ed1ef5c90dad814daaaefea4e68a933c8 ] + +When the xfrm device is set to the qdisc of the sfb type, the cb field +of the sent skb may be modified during enqueuing. Then, +slab-use-after-free may occur when the xfrm device sends IPv6 packets. + +The stack information is as follows: +BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890 +Read of size 1 at addr ffff8881111458ef by task swapper/3/0 +CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 +Call Trace: + +dump_stack_lvl+0xd9/0x150 +print_address_description.constprop.0+0x2c/0x3c0 +kasan_report+0x11d/0x130 +decode_session6+0x103f/0x1890 +__xfrm_decode_session+0x54/0xb0 +xfrmi_xmit+0x173/0x1ca0 +dev_hard_start_xmit+0x187/0x700 +sch_direct_xmit+0x1a3/0xc30 +__qdisc_run+0x510/0x17a0 +__dev_queue_xmit+0x2215/0x3b10 +neigh_connected_output+0x3c2/0x550 +ip6_finish_output2+0x55a/0x1550 +ip6_finish_output+0x6b9/0x1270 +ip6_output+0x1f1/0x540 +ndisc_send_skb+0xa63/0x1890 +ndisc_send_rs+0x132/0x6f0 +addrconf_rs_timer+0x3f1/0x870 +call_timer_fn+0x1a0/0x580 +expire_timers+0x29b/0x4b0 +run_timer_softirq+0x326/0x910 +__do_softirq+0x1d4/0x905 +irq_exit_rcu+0xb7/0x120 +sysvec_apic_timer_interrupt+0x97/0xc0 + + +asm_sysvec_apic_timer_interrupt+0x1a/0x20 +RIP: 0010:intel_idle_hlt+0x23/0x30 +Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4 +RSP: 0018:ffffc90000197d78 EFLAGS: 00000246 +RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5 +RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50 +RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d +R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001 +R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000 +cpuidle_enter_state+0xd3/0x6f0 +cpuidle_enter+0x4e/0xa0 +do_idle+0x2fe/0x3c0 +cpu_startup_entry+0x18/0x20 +start_secondary+0x200/0x290 +secondary_startup_64_no_verify+0x167/0x16b + +Allocated by task 939: +kasan_save_stack+0x22/0x40 +kasan_set_track+0x25/0x30 +__kasan_slab_alloc+0x7f/0x90 +kmem_cache_alloc_node+0x1cd/0x410 +kmalloc_reserve+0x165/0x270 +__alloc_skb+0x129/0x330 +inet6_ifa_notify+0x118/0x230 +__ipv6_ifa_notify+0x177/0xbe0 +addrconf_dad_completed+0x133/0xe00 +addrconf_dad_work+0x764/0x1390 +process_one_work+0xa32/0x16f0 +worker_thread+0x67d/0x10c0 +kthread+0x344/0x440 +ret_from_fork+0x1f/0x30 +The buggy address belongs to the object at ffff888111145800 +which belongs to the cache skbuff_small_head of size 640 +The buggy address is located 239 bytes inside of +freed 640-byte region [ffff888111145800, ffff888111145a80) + +As commit f855691975bb ("xfrm6: Fix the nexthdr offset in +_decode_session6.") showed, xfrm_decode_session was originally intended +only for the receive path. IP6CB(skb)->nhoff is not set during +transmission. Therefore, set the cb field in the skb to 0 before +sending packets. + +Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") +Signed-off-by: Zhengchao Shao +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_interface_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/xfrm/xfrm_interface_core.c b/net/xfrm/xfrm_interface_core.c +index a3319965470a7..b864740846902 100644 +--- a/net/xfrm/xfrm_interface_core.c ++++ b/net/xfrm/xfrm_interface_core.c +@@ -537,8 +537,8 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev) + + switch (skb->protocol) { + case htons(ETH_P_IPV6): +- xfrm_decode_session(skb, &fl, AF_INET6); + memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); ++ xfrm_decode_session(skb, &fl, AF_INET6); + if (!dst) { + fl.u.ip6.flowi6_oif = dev->ifindex; + fl.u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC; +@@ -552,8 +552,8 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev) + } + break; + case htons(ETH_P_IP): +- xfrm_decode_session(skb, &fl, AF_INET); + memset(IPCB(skb), 0, sizeof(*IPCB(skb))); ++ xfrm_decode_session(skb, &fl, AF_INET); + if (!dst) { + struct rtable *rt; + +-- +2.40.1 + diff --git a/queue-6.4/xfrm-silence-warnings-triggerable-by-bad-packets.patch b/queue-6.4/xfrm-silence-warnings-triggerable-by-bad-packets.patch new file mode 100644 index 00000000000..e44f79ce0fd --- /dev/null +++ b/queue-6.4/xfrm-silence-warnings-triggerable-by-bad-packets.patch @@ -0,0 +1,102 @@ +From 389eec031506ee82caba8dd0e2ffc85e5cc7cd1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 08:53:49 +0800 +Subject: xfrm: Silence warnings triggerable by bad packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Herbert Xu + +[ Upstream commit 57010b8ece2821a1fdfdba2197d14a022f3769db ] + +After the elimination of inner modes, a couple of warnings that +were previously unreachable can now be triggered by malformed +inbound packets. + +Fix this by: + +1. Moving the setting of skb->protocol into the decap functions. +2. Returning -EINVAL when unexpected protocol is seen. + +Reported-by: Maciej Å»enczykowski +Fixes: 5f24f41e8ea6 ("xfrm: Remove inner/outer modes from input path") +Signed-off-by: Herbert Xu +Reviewed-by: Maciej Å»enczykowski +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_input.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c +index 815b380804011..d5ee96789d4bf 100644 +--- a/net/xfrm/xfrm_input.c ++++ b/net/xfrm/xfrm_input.c +@@ -180,6 +180,8 @@ static int xfrm4_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb) + int optlen = 0; + int err = -EINVAL; + ++ skb->protocol = htons(ETH_P_IP); ++ + if (unlikely(XFRM_MODE_SKB_CB(skb)->protocol == IPPROTO_BEETPH)) { + struct ip_beet_phdr *ph; + int phlen; +@@ -232,6 +234,8 @@ static int xfrm4_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb) + { + int err = -EINVAL; + ++ skb->protocol = htons(ETH_P_IP); ++ + if (!pskb_may_pull(skb, sizeof(struct iphdr))) + goto out; + +@@ -267,6 +271,8 @@ static int xfrm6_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb) + { + int err = -EINVAL; + ++ skb->protocol = htons(ETH_P_IPV6); ++ + if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) + goto out; + +@@ -296,6 +302,8 @@ static int xfrm6_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb) + int size = sizeof(struct ipv6hdr); + int err; + ++ skb->protocol = htons(ETH_P_IPV6); ++ + err = skb_cow_head(skb, size + skb->mac_len); + if (err) + goto out; +@@ -346,6 +354,7 @@ xfrm_inner_mode_encap_remove(struct xfrm_state *x, + return xfrm6_remove_tunnel_encap(x, skb); + break; + } ++ return -EINVAL; + } + + WARN_ON_ONCE(1); +@@ -366,19 +375,6 @@ static int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb) + return -EAFNOSUPPORT; + } + +- switch (XFRM_MODE_SKB_CB(skb)->protocol) { +- case IPPROTO_IPIP: +- case IPPROTO_BEETPH: +- skb->protocol = htons(ETH_P_IP); +- break; +- case IPPROTO_IPV6: +- skb->protocol = htons(ETH_P_IPV6); +- break; +- default: +- WARN_ON_ONCE(1); +- break; +- } +- + return xfrm_inner_mode_encap_remove(x, skb); + } + +-- +2.40.1 +