From: Sasha Levin Date: Mon, 26 Jun 2023 04:23:17 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v4.14.320~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c28c55bf1d787370a80f5d04afed093105b2b750;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/alsa-hda-realtek-add-intel-reference-board-and-nuc-1.patch b/queue-6.1/alsa-hda-realtek-add-intel-reference-board-and-nuc-1.patch new file mode 100644 index 00000000000..1a9bc1f5e51 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-intel-reference-board-and-nuc-1.patch @@ -0,0 +1,46 @@ +From d64e0a707d241fc1a171b4c1ddce8887f3af228c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 14:38:12 -0500 +Subject: ALSA: hda/realtek: Add "Intel Reference board" and "NUC 13" SSID in + the ALC256 + +From: Sayed, Karimuddin + +[ Upstream commit 1a93f10c5b12bd766a537b24a50fca5373467303 ] + +Add "Intel Reference boad" and "Intel NUC 13" SSID in the alc256. + Enable jack headset volume buttons + +Reviewed-by: Kai Vehmanen +Signed-off-by: Sayed, Karimuddin +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230602193812.66768-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 920e44ba998a5..eb049014f87ac 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9594,6 +9594,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x10ec, 0x124c, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK), + SND_PCI_QUIRK(0x10ec, 0x1252, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK), + SND_PCI_QUIRK(0x10ec, 0x1254, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK), ++ SND_PCI_QUIRK(0x10ec, 0x12cc, "Intel Reference board", ALC225_FIXUP_HEADSET_JACK), + SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE), + SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC), + SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP), +@@ -9814,6 +9815,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x8086, 0x2074, "Intel NUC 8", ALC233_FIXUP_INTEL_NUC8_DMIC), + SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED), + SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", ALC256_FIXUP_INTEL_NUC10), ++ SND_PCI_QUIRK(0x8086, 0x3038, "Intel NUC 13", ALC225_FIXUP_HEADSET_JACK), + SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + + #if 0 +-- +2.39.2 + diff --git a/queue-6.1/arm-dts-fix-erroneous-ads-touchscreen-polarities.patch b/queue-6.1/arm-dts-fix-erroneous-ads-touchscreen-polarities.patch new file mode 100644 index 00000000000..62f95066e48 --- /dev/null +++ b/queue-6.1/arm-dts-fix-erroneous-ads-touchscreen-polarities.patch @@ -0,0 +1,177 @@ +From cbccce4cd35ce50519a985d52cb67d06a995eddb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 12:51:56 +0200 +Subject: ARM: dts: Fix erroneous ADS touchscreen polarities + +From: Linus Walleij + +[ Upstream commit 4a672d500bfd6bb87092c33d5a2572c3d0a1cf83 ] + +Several device tree files get the polarity of the pendown-gpios +wrong: this signal is active low. Fix up all incorrect flags, so +that operating systems can rely on the flag being correctly set. + +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20230510105156.1134320-1-linus.walleij@linaro.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/am57xx-cl-som-am57x.dts | 2 +- + arch/arm/boot/dts/at91sam9261ek.dts | 2 +- + arch/arm/boot/dts/imx7d-pico-hobbit.dts | 2 +- + arch/arm/boot/dts/imx7d-sdb.dts | 2 +- + arch/arm/boot/dts/omap3-cm-t3x.dtsi | 2 +- + arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi | 2 +- + arch/arm/boot/dts/omap3-lilly-a83x.dtsi | 2 +- + arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi | 2 +- + arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi | 2 +- + arch/arm/boot/dts/omap3-pandora-common.dtsi | 2 +- + arch/arm/boot/dts/omap5-cm-t54.dts | 2 +- + 11 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/arch/arm/boot/dts/am57xx-cl-som-am57x.dts b/arch/arm/boot/dts/am57xx-cl-som-am57x.dts +index 2fc9a5d5e0c0d..625b9b311b49d 100644 +--- a/arch/arm/boot/dts/am57xx-cl-som-am57x.dts ++++ b/arch/arm/boot/dts/am57xx-cl-som-am57x.dts +@@ -527,7 +527,7 @@ + + interrupt-parent = <&gpio1>; + interrupts = <31 0>; +- pendown-gpio = <&gpio1 31 0>; ++ pendown-gpio = <&gpio1 31 GPIO_ACTIVE_LOW>; + + + ti,x-min = /bits/ 16 <0x0>; +diff --git a/arch/arm/boot/dts/at91sam9261ek.dts b/arch/arm/boot/dts/at91sam9261ek.dts +index 88869ca874d1a..045cb253f23a6 100644 +--- a/arch/arm/boot/dts/at91sam9261ek.dts ++++ b/arch/arm/boot/dts/at91sam9261ek.dts +@@ -156,7 +156,7 @@ + compatible = "ti,ads7843"; + interrupts-extended = <&pioC 2 IRQ_TYPE_EDGE_BOTH>; + spi-max-frequency = <3000000>; +- pendown-gpio = <&pioC 2 GPIO_ACTIVE_HIGH>; ++ pendown-gpio = <&pioC 2 GPIO_ACTIVE_LOW>; + + ti,x-min = /bits/ 16 <150>; + ti,x-max = /bits/ 16 <3830>; +diff --git a/arch/arm/boot/dts/imx7d-pico-hobbit.dts b/arch/arm/boot/dts/imx7d-pico-hobbit.dts +index d917dc4f2f227..6ad39dca70096 100644 +--- a/arch/arm/boot/dts/imx7d-pico-hobbit.dts ++++ b/arch/arm/boot/dts/imx7d-pico-hobbit.dts +@@ -64,7 +64,7 @@ + interrupt-parent = <&gpio2>; + interrupts = <7 0>; + spi-max-frequency = <1000000>; +- pendown-gpio = <&gpio2 7 0>; ++ pendown-gpio = <&gpio2 7 GPIO_ACTIVE_LOW>; + vcc-supply = <®_3p3v>; + ti,x-min = /bits/ 16 <0>; + ti,x-max = /bits/ 16 <4095>; +diff --git a/arch/arm/boot/dts/imx7d-sdb.dts b/arch/arm/boot/dts/imx7d-sdb.dts +index f483bc0afe5ea..234e5fc647b22 100644 +--- a/arch/arm/boot/dts/imx7d-sdb.dts ++++ b/arch/arm/boot/dts/imx7d-sdb.dts +@@ -205,7 +205,7 @@ + pinctrl-0 = <&pinctrl_tsc2046_pendown>; + interrupt-parent = <&gpio2>; + interrupts = <29 0>; +- pendown-gpio = <&gpio2 29 GPIO_ACTIVE_HIGH>; ++ pendown-gpio = <&gpio2 29 GPIO_ACTIVE_LOW>; + touchscreen-max-pressure = <255>; + wakeup-source; + }; +diff --git a/arch/arm/boot/dts/omap3-cm-t3x.dtsi b/arch/arm/boot/dts/omap3-cm-t3x.dtsi +index e61b8a2bfb7de..51baedf1603bd 100644 +--- a/arch/arm/boot/dts/omap3-cm-t3x.dtsi ++++ b/arch/arm/boot/dts/omap3-cm-t3x.dtsi +@@ -227,7 +227,7 @@ + + interrupt-parent = <&gpio2>; + interrupts = <25 0>; /* gpio_57 */ +- pendown-gpio = <&gpio2 25 GPIO_ACTIVE_HIGH>; ++ pendown-gpio = <&gpio2 25 GPIO_ACTIVE_LOW>; + + ti,x-min = /bits/ 16 <0x0>; + ti,x-max = /bits/ 16 <0x0fff>; +diff --git a/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi b/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi +index 3decc2d78a6ca..a7f99ae0c1fe9 100644 +--- a/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi ++++ b/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi +@@ -54,7 +54,7 @@ + + interrupt-parent = <&gpio1>; + interrupts = <27 0>; /* gpio_27 */ +- pendown-gpio = <&gpio1 27 GPIO_ACTIVE_HIGH>; ++ pendown-gpio = <&gpio1 27 GPIO_ACTIVE_LOW>; + + ti,x-min = /bits/ 16 <0x0>; + ti,x-max = /bits/ 16 <0x0fff>; +diff --git a/arch/arm/boot/dts/omap3-lilly-a83x.dtsi b/arch/arm/boot/dts/omap3-lilly-a83x.dtsi +index c595afe4181d7..d310b5c7bac36 100644 +--- a/arch/arm/boot/dts/omap3-lilly-a83x.dtsi ++++ b/arch/arm/boot/dts/omap3-lilly-a83x.dtsi +@@ -311,7 +311,7 @@ + interrupt-parent = <&gpio1>; + interrupts = <8 0>; /* boot6 / gpio_8 */ + spi-max-frequency = <1000000>; +- pendown-gpio = <&gpio1 8 GPIO_ACTIVE_HIGH>; ++ pendown-gpio = <&gpio1 8 GPIO_ACTIVE_LOW>; + vcc-supply = <®_vcc3>; + pinctrl-names = "default"; + pinctrl-0 = <&tsc2048_pins>; +diff --git a/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi b/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi +index 1d6e88f99eb31..c3570acc35fad 100644 +--- a/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi +@@ -149,7 +149,7 @@ + + interrupt-parent = <&gpio4>; + interrupts = <18 0>; /* gpio_114 */ +- pendown-gpio = <&gpio4 18 GPIO_ACTIVE_HIGH>; ++ pendown-gpio = <&gpio4 18 GPIO_ACTIVE_LOW>; + + ti,x-min = /bits/ 16 <0x0>; + ti,x-max = /bits/ 16 <0x0fff>; +diff --git a/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi b/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi +index 7e30f9d45790e..d95a0e130058c 100644 +--- a/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi +@@ -160,7 +160,7 @@ + + interrupt-parent = <&gpio4>; + interrupts = <18 0>; /* gpio_114 */ +- pendown-gpio = <&gpio4 18 GPIO_ACTIVE_HIGH>; ++ pendown-gpio = <&gpio4 18 GPIO_ACTIVE_LOW>; + + ti,x-min = /bits/ 16 <0x0>; + ti,x-max = /bits/ 16 <0x0fff>; +diff --git a/arch/arm/boot/dts/omap3-pandora-common.dtsi b/arch/arm/boot/dts/omap3-pandora-common.dtsi +index 559853764487f..4c3b6bab179cc 100644 +--- a/arch/arm/boot/dts/omap3-pandora-common.dtsi ++++ b/arch/arm/boot/dts/omap3-pandora-common.dtsi +@@ -651,7 +651,7 @@ + pinctrl-0 = <&penirq_pins>; + interrupt-parent = <&gpio3>; + interrupts = <30 IRQ_TYPE_NONE>; /* GPIO_94 */ +- pendown-gpio = <&gpio3 30 GPIO_ACTIVE_HIGH>; ++ pendown-gpio = <&gpio3 30 GPIO_ACTIVE_LOW>; + vcc-supply = <&vaux4>; + + ti,x-min = /bits/ 16 <0>; +diff --git a/arch/arm/boot/dts/omap5-cm-t54.dts b/arch/arm/boot/dts/omap5-cm-t54.dts +index ca759b7b8a580..e62ea8b6d53fd 100644 +--- a/arch/arm/boot/dts/omap5-cm-t54.dts ++++ b/arch/arm/boot/dts/omap5-cm-t54.dts +@@ -354,7 +354,7 @@ + + interrupt-parent = <&gpio1>; + interrupts = <15 0>; /* gpio1_wk15 */ +- pendown-gpio = <&gpio1 15 GPIO_ACTIVE_HIGH>; ++ pendown-gpio = <&gpio1 15 GPIO_ACTIVE_LOW>; + + + ti,x-min = /bits/ 16 <0x0>; +-- +2.39.2 + diff --git a/queue-6.1/arm64-add-missing-set-way-cmo-encodings.patch b/queue-6.1/arm64-add-missing-set-way-cmo-encodings.patch new file mode 100644 index 00000000000..2a527e6e223 --- /dev/null +++ b/queue-6.1/arm64-add-missing-set-way-cmo-encodings.patch @@ -0,0 +1,43 @@ +From 93c6c7940a07fe6b46fcf8f8dc3bba021955265b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 21:46:00 +0100 +Subject: arm64: Add missing Set/Way CMO encodings + +From: Marc Zyngier + +[ Upstream commit 8d0f019e4c4f2ee2de81efd9bf1c27e9fb3c0460 ] + +Add the missing Set/Way CMOs that apply to tagged memory. + +Signed-off-by: Marc Zyngier +Reviewed-by: Cornelia Huck +Reviewed-by: Steven Price +Reviewed-by: Oliver Upton +Link: https://lore.kernel.org/r/20230515204601.1270428-2-maz@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/sysreg.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h +index 7d301700d1a93..3a448ab0924b3 100644 +--- a/arch/arm64/include/asm/sysreg.h ++++ b/arch/arm64/include/asm/sysreg.h +@@ -111,8 +111,14 @@ + #define SB_BARRIER_INSN __SYS_BARRIER_INSN(0, 7, 31) + + #define SYS_DC_ISW sys_insn(1, 0, 7, 6, 2) ++#define SYS_DC_IGSW sys_insn(1, 0, 7, 6, 4) ++#define SYS_DC_IGDSW sys_insn(1, 0, 7, 6, 6) + #define SYS_DC_CSW sys_insn(1, 0, 7, 10, 2) ++#define SYS_DC_CGSW sys_insn(1, 0, 7, 10, 4) ++#define SYS_DC_CGDSW sys_insn(1, 0, 7, 10, 6) + #define SYS_DC_CISW sys_insn(1, 0, 7, 14, 2) ++#define SYS_DC_CIGSW sys_insn(1, 0, 7, 14, 4) ++#define SYS_DC_CIGDSW sys_insn(1, 0, 7, 14, 6) + + /* + * Automatically generated definitions for system registers, the +-- +2.39.2 + diff --git a/queue-6.1/arm64-dts-qcom-sc7280-idp-drop-incorrect-dai-cells-f.patch b/queue-6.1/arm64-dts-qcom-sc7280-idp-drop-incorrect-dai-cells-f.patch new file mode 100644 index 00000000000..d827e6b30a8 --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sc7280-idp-drop-incorrect-dai-cells-f.patch @@ -0,0 +1,48 @@ +From f0ce0d203049aa63f4501ec334158ef38fb5169e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Feb 2023 10:54:00 +0100 +Subject: arm64: dts: qcom: sc7280-idp: drop incorrect dai-cells from WCD938x + SDW + +From: Krzysztof Kozlowski + +[ Upstream commit ca8fc6814844d8787e7fec61b2544a871ea8b675 ] + +The WCD938x audio codec Soundwire interface part is not a DAI and does +not allow sound-dai-cells: + + sc7280-idp.dtb: codec@0,4: '#sound-dai-cells' does not match any of the regexes: 'pinctrl-[0-9]+' + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Douglas Anderson +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230220095401.64196-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7280-idp.dtsi | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi b/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi +index ca50f0ba9b815..1c370dcfe60b9 100644 +--- a/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi +@@ -488,7 +488,6 @@ + wcd_rx: codec@0,4 { + compatible = "sdw20217010d00"; + reg = <0 4>; +- #sound-dai-cells = <1>; + qcom,rx-port-mapping = <1 2 3 4 5>; + }; + }; +@@ -499,7 +498,6 @@ + wcd_tx: codec@0,3 { + compatible = "sdw20217010d00"; + reg = <0 3>; +- #sound-dai-cells = <1>; + qcom,tx-port-mapping = <1 2 3 4>; + }; + }; +-- +2.39.2 + diff --git a/queue-6.1/arm64-dts-qcom-sc7280-qcard-drop-incorrect-dai-cells.patch b/queue-6.1/arm64-dts-qcom-sc7280-qcard-drop-incorrect-dai-cells.patch new file mode 100644 index 00000000000..913ede0396f --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sc7280-qcard-drop-incorrect-dai-cells.patch @@ -0,0 +1,48 @@ +From 9d8dedcb55dfa906e1c94e4dcd4a057a40c16612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Feb 2023 10:54:01 +0100 +Subject: arm64: dts: qcom: sc7280-qcard: drop incorrect dai-cells from WCD938x + SDW + +From: Krzysztof Kozlowski + +[ Upstream commit 16bd455d0897d1b8b7a9aee2ed51d75b14a34563 ] + +The WCD938x audio codec Soundwire interface part is not a DAI and does +not allow sound-dai-cells: + + sc7280-herobrine-crd.dtb: codec@0,4: '#sound-dai-cells' does not match any of the regexes: 'pinctrl-[0-9]+' + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Douglas Anderson +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230220095401.64196-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7280-qcard.dtsi | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7280-qcard.dtsi b/arch/arm64/boot/dts/qcom/sc7280-qcard.dtsi +index f7665b3799233..c358abc052eb8 100644 +--- a/arch/arm64/boot/dts/qcom/sc7280-qcard.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7280-qcard.dtsi +@@ -418,7 +418,6 @@ + wcd_rx: codec@0,4 { + compatible = "sdw20217010d00"; + reg = <0 4>; +- #sound-dai-cells = <1>; + qcom,rx-port-mapping = <1 2 3 4 5>; + }; + }; +@@ -427,7 +426,6 @@ + wcd_tx: codec@0,3 { + compatible = "sdw20217010d00"; + reg = <0 3>; +- #sound-dai-cells = <1>; + qcom,tx-port-mapping = <1 2 3 4>; + }; + }; +-- +2.39.2 + diff --git a/queue-6.1/arm64-dts-rockchip-enable-gpu-on-soquartz-cm4.patch b/queue-6.1/arm64-dts-rockchip-enable-gpu-on-soquartz-cm4.patch new file mode 100644 index 00000000000..c60ea3cc503 --- /dev/null +++ b/queue-6.1/arm64-dts-rockchip-enable-gpu-on-soquartz-cm4.patch @@ -0,0 +1,39 @@ +From ba7387ba86a9f7da2353d1bec8a78ed6e06fc1bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:03:58 +0100 +Subject: arm64: dts: rockchip: Enable GPU on SOQuartz CM4 + +From: Nicolas Frattaroli + +[ Upstream commit e48824e8a03e5bc3666e9f5461f68d440d9acba0 ] + +This enables the Mali-G52 GPU on the SOQuartz CM4 module. + +Signed-off-by: Nicolas Frattaroli +Link: https://lore.kernel.org/r/20221112160404.70868-2-frattaroli.nicolas@gmail.com +Signed-off-by: Heiko Stuebner +Stable-dep-of: cf9ae4a00774 ("arm64: dts: rockchip: fix nEXTRST on SOQuartz") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi b/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi +index 4d494b53a71ab..4ceb9a979f6ad 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi +@@ -143,6 +143,11 @@ + status = "disabled"; + }; + ++&gpu { ++ mali-supply = <&vdd_gpu>; ++ status = "okay"; ++}; ++ + &i2c0 { + status = "okay"; + +-- +2.39.2 + diff --git a/queue-6.1/arm64-dts-rockchip-fix-nextrst-on-soquartz.patch b/queue-6.1/arm64-dts-rockchip-fix-nextrst-on-soquartz.patch new file mode 100644 index 00000000000..db2f42f3970 --- /dev/null +++ b/queue-6.1/arm64-dts-rockchip-fix-nextrst-on-soquartz.patch @@ -0,0 +1,126 @@ +From ebbb25a3419fea72b4ef662332b2453e051d0182 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 17:26:10 +0200 +Subject: arm64: dts: rockchip: fix nEXTRST on SOQuartz + +From: Nicolas Frattaroli + +[ Upstream commit cf9ae4a0077496e8224d68fc88e3df13dd7e5f37 ] + +In pre-production prototypes (of which I only know one person +having one, Peter Geis), GPIO0 pin A5 was tied to the SDMMC +power enable pin on the CM4 connector. On all production models, +this is not the case; instead, this pin is used for the nEXTRST +signal, and the SDMMC power enable pin is always pulled high. + +Since everyone currently using the SOQuartz device trees will +want this change, it is made to the tree without splitting the +trees into two separate ones of which users will then inevitably +choose the wrong one. + +This fixes USB and PCIe on a wide variety of CM4IO-compatible +boards which use the nEXTRST signal. + +Fixes: 5859b5a9c3ac ("arm64: dts: rockchip: add SoQuartz CM4IO dts") +Signed-off-by: Nicolas Frattaroli +Link: https://lore.kernel.org/r/20230421152610.21688-1-frattaroli.nicolas@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + .../boot/dts/rockchip/rk3566-soquartz-cm4.dts | 18 +++++++----- + .../boot/dts/rockchip/rk3566-soquartz.dtsi | 29 +++++++++---------- + 2 files changed, 24 insertions(+), 23 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3566-soquartz-cm4.dts b/arch/arm64/boot/dts/rockchip/rk3566-soquartz-cm4.dts +index e00568a6be5cc..6ba562b922e6c 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3566-soquartz-cm4.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3566-soquartz-cm4.dts +@@ -28,6 +28,16 @@ + regulator-max-microvolt = <5000000>; + vin-supply = <&vcc12v_dcin>; + }; ++ ++ vcc_sd_pwr: vcc-sd-pwr-regulator { ++ compatible = "regulator-fixed"; ++ regulator-name = "vcc_sd_pwr"; ++ regulator-always-on; ++ regulator-boot-on; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ vin-supply = <&vcc3v3_sys>; ++ }; + }; + + &gmac1 { +@@ -119,13 +129,7 @@ + }; + + &sdmmc0 { +- vmmc-supply = <&sdmmc_pwr>; +- status = "okay"; +-}; +- +-&sdmmc_pwr { +- regulator-min-microvolt = <3300000>; +- regulator-max-microvolt = <3300000>; ++ vmmc-supply = <&vcc_sd_pwr>; + status = "okay"; + }; + +diff --git a/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi b/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi +index 4ceb9a979f6ad..ba56ca2e66c8d 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi +@@ -92,16 +92,6 @@ + regulator-max-microvolt = <3300000>; + vin-supply = <&vcc5v0_sys>; + }; +- +- sdmmc_pwr: sdmmc-pwr-regulator { +- compatible = "regulator-fixed"; +- enable-active-high; +- gpio = <&gpio0 RK_PA5 GPIO_ACTIVE_HIGH>; +- pinctrl-names = "default"; +- pinctrl-0 = <&sdmmc_pwr_h>; +- regulator-name = "sdmmc_pwr"; +- status = "disabled"; +- }; + }; + + &cpu0 { +@@ -143,6 +133,19 @@ + status = "disabled"; + }; + ++&gpio0 { ++ nextrst-hog { ++ gpio-hog; ++ /* ++ * GPIO_ACTIVE_LOW + output-low here means that the pin is set ++ * to high, because output-low decides the value pre-inversion. ++ */ ++ gpios = ; ++ line-name = "nEXTRST"; ++ output-low; ++ }; ++}; ++ + &gpu { + mali-supply = <&vdd_gpu>; + status = "okay"; +@@ -485,12 +488,6 @@ + rockchip,pins = <2 RK_PC2 RK_FUNC_GPIO &pcfg_pull_none>; + }; + }; +- +- sdmmc-pwr { +- sdmmc_pwr_h: sdmmc-pwr-h { +- rockchip,pins = <0 RK_PA5 RK_FUNC_GPIO &pcfg_pull_none>; +- }; +- }; + }; + + &pmu_io_domains { +-- +2.39.2 + diff --git a/queue-6.1/asoc-amd-yc-add-thinkpad-neo14-to-quirks-list-for-ac.patch b/queue-6.1/asoc-amd-yc-add-thinkpad-neo14-to-quirks-list-for-ac.patch new file mode 100644 index 00000000000..34f2c78053f --- /dev/null +++ b/queue-6.1/asoc-amd-yc-add-thinkpad-neo14-to-quirks-list-for-ac.patch @@ -0,0 +1,41 @@ +From 9bf0da4ec8515b74e886a3c8e5dede622a2ec433 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 21:06:35 +1200 +Subject: ASoC: amd: yc: Add Thinkpad Neo14 to quirks list for acp6x + +From: Sicong Jiang + +[ Upstream commit 57d1e8900495cf1751cec74db16fe1a0fe47efbb ] + +Thinkpad Neo14 Ryzen Edition uses Ryzen 6800H processor, and adding to +quirks list for acp6x will enable internal mic. + +Signed-off-by: Sicong Jiang +Link: https://lore.kernel.org/r/20230531090635.89565-1-kevin.jiangsc@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 84b401b685f7f..c1ca3ceac5f2f 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -171,6 +171,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "21CL"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21EF"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.39.2 + diff --git a/queue-6.1/asoc-codecs-wcd938x-sdw-do-not-set-can_multi_write-f.patch b/queue-6.1/asoc-codecs-wcd938x-sdw-do-not-set-can_multi_write-f.patch new file mode 100644 index 00000000000..a73a4c7cf6f --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-sdw-do-not-set-can_multi_write-f.patch @@ -0,0 +1,38 @@ +From 1cc72c32860dbdfb61b63976c1fbe018b356f4ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 17:54:14 +0100 +Subject: ASoC: codecs: wcd938x-sdw: do not set can_multi_write flag + +From: Srinivas Kandagatla + +[ Upstream commit 2d7c2f9272de6347a9cec0fc07708913692c0ae3 ] + +regmap-sdw does not support multi register writes, so there is +no point in setting this flag. This also leads to incorrect +programming of WSA codecs with regmap_multi_reg_write() call. + +This invalid configuration should have been rejected by regmap-sdw. + +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230523165414.14560-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd938x-sdw.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/soc/codecs/wcd938x-sdw.c b/sound/soc/codecs/wcd938x-sdw.c +index 402286dfaea44..9c10200ff34b2 100644 +--- a/sound/soc/codecs/wcd938x-sdw.c ++++ b/sound/soc/codecs/wcd938x-sdw.c +@@ -1190,7 +1190,6 @@ static const struct regmap_config wcd938x_regmap_config = { + .readable_reg = wcd938x_readable_register, + .writeable_reg = wcd938x_writeable_register, + .volatile_reg = wcd938x_volatile_register, +- .can_multi_write = true, + }; + + static const struct sdw_slave_ops wcd9380_slave_ops = { +-- +2.39.2 + diff --git a/queue-6.1/asoc-fsl_sai-enable-bci-bit-if-sai-works-on-synchron.patch b/queue-6.1/asoc-fsl_sai-enable-bci-bit-if-sai-works-on-synchron.patch new file mode 100644 index 00000000000..a3c3fe4ef1c --- /dev/null +++ b/queue-6.1/asoc-fsl_sai-enable-bci-bit-if-sai-works-on-synchron.patch @@ -0,0 +1,73 @@ +From 723a3049c4583baa6816c171193dcf68ae48de11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 18:30:12 +0800 +Subject: ASoC: fsl_sai: Enable BCI bit if SAI works on synchronous mode with + BYP asserted + +From: Chancel Liu + +[ Upstream commit 32cf0046a652116d6a216d575f3049a9ff9dd80d ] + +There's an issue on SAI synchronous mode that TX/RX side can't get BCLK +from RX/TX it sync with if BYP bit is asserted. It's a workaround to +fix it that enable SION of IOMUX pad control and assert BCI. + +For example if TX sync with RX which means both TX and RX are using clk +form RX and BYP=1. TX can get BCLK only if the following two conditions +are valid: +1. SION of RX BCLK IOMUX pad is set to 1 +2. BCI of TX is set to 1 + +Signed-off-by: Chancel Liu +Acked-by: Shengjiu Wang +Link: https://lore.kernel.org/r/20230530103012.3448838-1-chancel.liu@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_sai.c | 11 +++++++++-- + sound/soc/fsl/fsl_sai.h | 1 + + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index 6d88af5b287fe..b33104715c7ba 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -491,14 +491,21 @@ static int fsl_sai_set_bclk(struct snd_soc_dai *dai, bool tx, u32 freq) + regmap_update_bits(sai->regmap, reg, FSL_SAI_CR2_MSEL_MASK, + FSL_SAI_CR2_MSEL(sai->mclk_id[tx])); + +- if (savediv == 1) ++ if (savediv == 1) { + regmap_update_bits(sai->regmap, reg, + FSL_SAI_CR2_DIV_MASK | FSL_SAI_CR2_BYP, + FSL_SAI_CR2_BYP); +- else ++ if (fsl_sai_dir_is_synced(sai, adir)) ++ regmap_update_bits(sai->regmap, FSL_SAI_xCR2(tx, ofs), ++ FSL_SAI_CR2_BCI, FSL_SAI_CR2_BCI); ++ else ++ regmap_update_bits(sai->regmap, FSL_SAI_xCR2(tx, ofs), ++ FSL_SAI_CR2_BCI, 0); ++ } else { + regmap_update_bits(sai->regmap, reg, + FSL_SAI_CR2_DIV_MASK | FSL_SAI_CR2_BYP, + savediv / 2 - 1); ++ } + + if (sai->soc_data->max_register >= FSL_SAI_MCTL) { + /* SAI is in master mode at this point, so enable MCLK */ +diff --git a/sound/soc/fsl/fsl_sai.h b/sound/soc/fsl/fsl_sai.h +index 697f6690068c8..c5423f81e4560 100644 +--- a/sound/soc/fsl/fsl_sai.h ++++ b/sound/soc/fsl/fsl_sai.h +@@ -116,6 +116,7 @@ + + /* SAI Transmit and Receive Configuration 2 Register */ + #define FSL_SAI_CR2_SYNC BIT(30) ++#define FSL_SAI_CR2_BCI BIT(28) + #define FSL_SAI_CR2_MSEL_MASK (0x3 << 26) + #define FSL_SAI_CR2_MSEL_BUS 0 + #define FSL_SAI_CR2_MSEL_MCLK1 BIT(26) +-- +2.39.2 + diff --git a/queue-6.1/asoc-nau8824-add-quirk-to-active-high-jack-detect.patch b/queue-6.1/asoc-nau8824-add-quirk-to-active-high-jack-detect.patch new file mode 100644 index 00000000000..19ad6d12d26 --- /dev/null +++ b/queue-6.1/asoc-nau8824-add-quirk-to-active-high-jack-detect.patch @@ -0,0 +1,59 @@ +From 86dd395509bc056460fddeb89c8463da3474f5d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 15:19:11 -0300 +Subject: ASoC: nau8824: Add quirk to active-high jack-detect + +From: Edson Juliano Drosdeck + +[ Upstream commit e384dba03e3294ce7ea69e4da558e9bf8f0e8946 ] + +Add entries for Positivo laptops: CW14Q01P, K1424G, N14ZP74G to the +DMI table, so that active-high jack-detect will work properly on +these laptops. + +Signed-off-by: Edson Juliano Drosdeck +Link: https://lore.kernel.org/r/20230529181911.632851-1-edson.drosdeck@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/nau8824.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/sound/soc/codecs/nau8824.c b/sound/soc/codecs/nau8824.c +index 4f19fd9b65d11..5a4db8944d06a 100644 +--- a/sound/soc/codecs/nau8824.c ++++ b/sound/soc/codecs/nau8824.c +@@ -1903,6 +1903,30 @@ static const struct dmi_system_id nau8824_quirk_table[] = { + }, + .driver_data = (void *)(NAU8824_MONO_SPEAKER), + }, ++ { ++ /* Positivo CW14Q01P */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"), ++ DMI_MATCH(DMI_BOARD_NAME, "CW14Q01P"), ++ }, ++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH), ++ }, ++ { ++ /* Positivo K1424G */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"), ++ DMI_MATCH(DMI_BOARD_NAME, "K1424G"), ++ }, ++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH), ++ }, ++ { ++ /* Positivo N14ZP74G */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"), ++ DMI_MATCH(DMI_BOARD_NAME, "N14ZP74G"), ++ }, ++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH), ++ }, + {} + }; + +-- +2.39.2 + diff --git a/queue-6.1/asoc-simple-card-add-missing-of_node_put-in-case-of-.patch b/queue-6.1/asoc-simple-card-add-missing-of_node_put-in-case-of-.patch new file mode 100644 index 00000000000..aa1d6d75cb4 --- /dev/null +++ b/queue-6.1/asoc-simple-card-add-missing-of_node_put-in-case-of-.patch @@ -0,0 +1,36 @@ +From 47dd2dc1c29ef56c1aca41562dde08792e6893bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 17:12:22 +0200 +Subject: ASoC: simple-card: Add missing of_node_put() in case of error + +From: Herve Codina + +[ Upstream commit 8938f75a5e35c597a647c28984a0304da7a33d63 ] + +In the error path, a of_node_put() for platform is missing. +Just add it. + +Signed-off-by: Herve Codina +Acked-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/20230523151223.109551-9-herve.codina@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/generic/simple-card.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/generic/simple-card.c b/sound/soc/generic/simple-card.c +index feb55b66239b8..fbb682747f598 100644 +--- a/sound/soc/generic/simple-card.c ++++ b/sound/soc/generic/simple-card.c +@@ -416,6 +416,7 @@ static int __simple_for_each_link(struct asoc_simple_priv *priv, + + if (ret < 0) { + of_node_put(codec); ++ of_node_put(plat); + of_node_put(np); + goto error; + } +-- +2.39.2 + diff --git a/queue-6.1/be2net-extend-xmit-workaround-to-be3-chip.patch b/queue-6.1/be2net-extend-xmit-workaround-to-be3-chip.patch new file mode 100644 index 00000000000..4b558ea715c --- /dev/null +++ b/queue-6.1/be2net-extend-xmit-workaround-to-be3-chip.patch @@ -0,0 +1,48 @@ +From 2bb4da26eab494cb16502a4679fea3c9289ef68c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 17:45:49 +0100 +Subject: be2net: Extend xmit workaround to BE3 chip + +From: Ross Lagerwall + +[ Upstream commit 7580e0a78eb29e7bb1a772eba4088250bbb70d41 ] + +We have seen a bug where the NIC incorrectly changes the length in the +IP header of a padded packet to include the padding bytes. The driver +already has a workaround for this so do the workaround for this NIC too. +This resolves the issue. + +The NIC in question identifies itself as follows: + +[ 8.828494] be2net 0000:02:00.0: FW version is 10.7.110.31 +[ 8.834759] be2net 0000:02:00.0: Emulex OneConnect(be3): PF FLEX10 port 1 + +02:00.0 Ethernet controller: Emulex Corporation OneConnect 10Gb NIC (be3) (rev 01) + +Fixes: ca34fe38f06d ("be2net: fix wrong usage of adapter->generation") +Signed-off-by: Ross Lagerwall +Link: https://lore.kernel.org/r/20230616164549.2863037-1-ross.lagerwall@citrix.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index a92a747615466..5d39df8452653 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1136,8 +1136,8 @@ static struct sk_buff *be_lancer_xmit_workarounds(struct be_adapter *adapter, + eth_hdr_len = ntohs(skb->protocol) == ETH_P_8021Q ? + VLAN_ETH_HLEN : ETH_HLEN; + if (skb->len <= 60 && +- (lancer_chip(adapter) || skb_vlan_tag_present(skb)) && +- is_ipv4_pkt(skb)) { ++ (lancer_chip(adapter) || BE3_chip(adapter) || ++ skb_vlan_tag_present(skb)) && is_ipv4_pkt(skb)) { + ip = (struct iphdr *)ip_hdr(skb); + pskb_trim(skb, eth_hdr_len + ntohs(ip->tot_len)); + } +-- +2.39.2 + diff --git a/queue-6.1/bpf-btf-accept-function-names-that-contain-dots.patch b/queue-6.1/bpf-btf-accept-function-names-that-contain-dots.patch new file mode 100644 index 00000000000..b565787ad6a --- /dev/null +++ b/queue-6.1/bpf-btf-accept-function-names-that-contain-dots.patch @@ -0,0 +1,120 @@ +From 8b7d51610788b7a052718806517b2de217f845d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 16:56:07 +0200 +Subject: bpf/btf: Accept function names that contain dots + +From: Florent Revest + +[ Upstream commit 9724160b3942b0a967b91a59f81da5593f28b8ba ] + +When building a kernel with LLVM=1, LLVM_IAS=0 and CONFIG_KASAN=y, LLVM +leaves DWARF tags for the "asan.module_ctor" & co symbols. In turn, +pahole creates BTF_KIND_FUNC entries for these and this makes the BTF +metadata validation fail because they contain a dot. + +In a dramatic turn of event, this BTF verification failure can cause +the netfilter_bpf initialization to fail, causing netfilter_core to +free the netfilter_helper hashmap and netfilter_ftp to trigger a +use-after-free. The risk of u-a-f in netfilter will be addressed +separately but the existence of "asan.module_ctor" debug info under some +build conditions sounds like a good enough reason to accept functions +that contain dots in BTF. + +Although using only LLVM=1 is the recommended way to compile clang-based +kernels, users can certainly do LLVM=1, LLVM_IAS=0 as well and we still +try to support that combination according to Nick. To clarify: + + - > v5.10 kernel, LLVM=1 (LLVM_IAS=0 is not the default) is recommended, + but user can still have LLVM=1, LLVM_IAS=0 to trigger the issue + + - <= 5.10 kernel, LLVM=1 (LLVM_IAS=0 is the default) is recommended in + which case GNU as will be used + +Fixes: 1dc92851849c ("bpf: kernel side support for BTF Var and DataSec") +Signed-off-by: Florent Revest +Signed-off-by: Daniel Borkmann +Acked-by: Andrii Nakryiko +Cc: Yonghong Song +Cc: Nick Desaulniers +Link: https://lore.kernel.org/bpf/20230615145607.3469985-1-revest@chromium.org +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index a8838a32f750e..8220caa488c54 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -735,13 +735,12 @@ static bool btf_name_offset_valid(const struct btf *btf, u32 offset) + return offset < btf->hdr.str_len; + } + +-static bool __btf_name_char_ok(char c, bool first, bool dot_ok) ++static bool __btf_name_char_ok(char c, bool first) + { + if ((first ? !isalpha(c) : + !isalnum(c)) && + c != '_' && +- ((c == '.' && !dot_ok) || +- c != '.')) ++ c != '.') + return false; + return true; + } +@@ -758,20 +757,20 @@ static const char *btf_str_by_offset(const struct btf *btf, u32 offset) + return NULL; + } + +-static bool __btf_name_valid(const struct btf *btf, u32 offset, bool dot_ok) ++static bool __btf_name_valid(const struct btf *btf, u32 offset) + { + /* offset must be valid */ + const char *src = btf_str_by_offset(btf, offset); + const char *src_limit; + +- if (!__btf_name_char_ok(*src, true, dot_ok)) ++ if (!__btf_name_char_ok(*src, true)) + return false; + + /* set a limit on identifier length */ + src_limit = src + KSYM_NAME_LEN; + src++; + while (*src && src < src_limit) { +- if (!__btf_name_char_ok(*src, false, dot_ok)) ++ if (!__btf_name_char_ok(*src, false)) + return false; + src++; + } +@@ -779,17 +778,14 @@ static bool __btf_name_valid(const struct btf *btf, u32 offset, bool dot_ok) + return !*src; + } + +-/* Only C-style identifier is permitted. This can be relaxed if +- * necessary. +- */ + static bool btf_name_valid_identifier(const struct btf *btf, u32 offset) + { +- return __btf_name_valid(btf, offset, false); ++ return __btf_name_valid(btf, offset); + } + + static bool btf_name_valid_section(const struct btf *btf, u32 offset) + { +- return __btf_name_valid(btf, offset, true); ++ return __btf_name_valid(btf, offset); + } + + static const char *__btf_name_by_offset(const struct btf *btf, u32 offset) +@@ -4044,7 +4040,7 @@ static s32 btf_var_check_meta(struct btf_verifier_env *env, + } + + if (!t->name_off || +- !__btf_name_valid(env->btf, t->name_off, true)) { ++ !__btf_name_valid(env->btf, t->name_off)) { + btf_verifier_log_type(env, t, "Invalid name"); + return -EINVAL; + } +-- +2.39.2 + diff --git a/queue-6.1/bpf-fix-a-bpf_jit_dump-issue-for-x86_64-with-sysctl-.patch b/queue-6.1/bpf-fix-a-bpf_jit_dump-issue-for-x86_64-with-sysctl-.patch new file mode 100644 index 00000000000..6a49a832108 --- /dev/null +++ b/queue-6.1/bpf-fix-a-bpf_jit_dump-issue-for-x86_64-with-sysctl-.patch @@ -0,0 +1,62 @@ +From b0e8271347c4c226dbe37282e0af73053b17c108 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 17:54:39 -0700 +Subject: bpf: Fix a bpf_jit_dump issue for x86_64 with sysctl bpf_jit_enable. + +From: Yonghong Song + +[ Upstream commit ad96f1c9138e0897bee7f7c5e54b3e24f8b62f57 ] + +The sysctl net/core/bpf_jit_enable does not work now due to commit +1022a5498f6f ("bpf, x86_64: Use bpf_jit_binary_pack_alloc"). The +commit saved the jitted insns into 'rw_image' instead of 'image' +which caused bpf_jit_dump not dumping proper content. + +With 'echo 2 > /proc/sys/net/core/bpf_jit_enable', run +'./test_progs -t fentry_test'. Without this patch, one of jitted +image for one particular prog is: + + flen=17 proglen=92 pass=4 image=0000000014c64883 from=test_progs pid=1807 + 00000000: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc + 00000010: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc + 00000020: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc + 00000030: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc + 00000040: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc + 00000050: cc cc cc cc cc cc cc cc cc cc cc cc + +With this patch, the jitte image for the same prog is: + + flen=17 proglen=92 pass=4 image=00000000b90254b7 from=test_progs pid=1809 + 00000000: f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 + 00000010: 0f 1e fa 31 f6 48 8b 57 00 48 83 fa 07 75 2b 48 + 00000020: 8b 57 10 83 fa 09 75 22 48 8b 57 08 48 81 e2 ff + 00000030: 00 00 00 48 83 fa 08 75 11 48 8b 7f 18 be 01 00 + 00000040: 00 00 48 83 ff 0a 74 02 31 f6 48 bf 18 d0 14 00 + 00000050: 00 c9 ff ff 48 89 77 00 31 c0 c9 c3 + +Fixes: 1022a5498f6f ("bpf, x86_64: Use bpf_jit_binary_pack_alloc") +Signed-off-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20230609005439.3173569-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + arch/x86/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index 99620428ad785..db6053a22e866 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -2478,7 +2478,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + } + + if (bpf_jit_enable > 1) +- bpf_jit_dump(prog->len, proglen, pass + 1, image); ++ bpf_jit_dump(prog->len, proglen, pass + 1, rw_image); + + if (image) { + if (!prog->is_func || extra_pass) { +-- +2.39.2 + diff --git a/queue-6.1/bpf-fix-verifier-id-tracking-of-scalars-on-spill.patch b/queue-6.1/bpf-fix-verifier-id-tracking-of-scalars-on-spill.patch new file mode 100644 index 00000000000..8b8ba4edd49 --- /dev/null +++ b/queue-6.1/bpf-fix-verifier-id-tracking-of-scalars-on-spill.patch @@ -0,0 +1,71 @@ +From fde311dc5c543a54e2587f8e63004e28cd5dcfef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 15:39:50 +0300 +Subject: bpf: Fix verifier id tracking of scalars on spill + +From: Maxim Mikityanskiy + +[ Upstream commit 713274f1f2c896d37017efee333fd44149710119 ] + +The following scenario describes a bug in the verifier where it +incorrectly concludes about equivalent scalar IDs which could lead to +verifier bypass in privileged mode: + +1. Prepare a 32-bit rogue number. +2. Put the rogue number into the upper half of a 64-bit register, and + roll a random (unknown to the verifier) bit in the lower half. The + rest of the bits should be zero (although variations are possible). +3. Assign an ID to the register by MOVing it to another arbitrary + register. +4. Perform a 32-bit spill of the register, then perform a 32-bit fill to + another register. Due to a bug in the verifier, the ID will be + preserved, although the new register will contain only the lower 32 + bits, i.e. all zeros except one random bit. + +At this point there are two registers with different values but the same +ID, which means the integrity of the verifier state has been corrupted. + +5. Compare the new 32-bit register with 0. In the branch where it's + equal to 0, the verifier will believe that the original 64-bit + register is also 0, because it has the same ID, but its actual value + still contains the rogue number in the upper half. + Some optimizations of the verifier prevent the actual bypass, so + extra care is needed: the comparison must be between two registers, + and both branches must be reachable (this is why one random bit is + needed). Both branches are still suitable for the bypass. +6. Right shift the original register by 32 bits to pop the rogue number. +7. Use the rogue number as an offset with any pointer. The verifier will + believe that the offset is 0, while in reality it's the given number. + +The fix is similar to the 32-bit BPF_MOV handling in check_alu_op for +SCALAR_VALUE. If the spill is narrowing the actual register value, don't +keep the ID, make sure it's reset to 0. + +Fixes: 354e8f1970f8 ("bpf: Support <8-byte scalar spill and refill") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Daniel Borkmann +Tested-by: Andrii Nakryiko # Checked veristat delta +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20230607123951.558971-2-maxtram95@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index c4ceb4166528b..49c6b5e0855cd 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -3128,6 +3128,9 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + return err; + } + save_register_state(state, spi, reg, size); ++ /* Break the relation on a narrowing spill. */ ++ if (fls64(reg->umax_value) > BITS_PER_BYTE * size) ++ state->stack[spi].spilled_ptr.id = 0; + } else if (!reg && !(off % BPF_REG_SIZE) && is_bpf_st_mem(insn) && + insn->imm != 0 && env->bpf_capable) { + struct bpf_reg_state fake_reg = {}; +-- +2.39.2 + diff --git a/queue-6.1/bpf-force-kprobe-multi-expected_attach_type-for-kpro.patch b/queue-6.1/bpf-force-kprobe-multi-expected_attach_type-for-kpro.patch new file mode 100644 index 00000000000..65bf28eb386 --- /dev/null +++ b/queue-6.1/bpf-force-kprobe-multi-expected_attach_type-for-kpro.patch @@ -0,0 +1,49 @@ +From 80c6e2aafdb6fd420074c30c9107cda9317d9c39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jun 2023 15:14:14 +0200 +Subject: bpf: Force kprobe multi expected_attach_type for kprobe_multi link + +From: Jiri Olsa + +[ Upstream commit db8eae6bc5c702d8e3ab2d0c6bb5976c131576eb ] + +We currently allow to create perf link for program with +expected_attach_type == BPF_TRACE_KPROBE_MULTI. + +This will cause crash when we call helpers like get_attach_cookie or +get_func_ip in such program, because it will call the kprobe_multi's +version (current->bpf_ctx context setup) of those helpers while it +expects perf_link's current->bpf_ctx context setup. + +Making sure that we use BPF_TRACE_KPROBE_MULTI expected_attach_type +only for programs attaching through kprobe_multi link. + +Fixes: ca74823c6e16 ("bpf: Add cookie support to programs attached with kprobe multi link") +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20230618131414.75649-1-jolsa@kernel.org +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 6c61dba26f4d9..8633ec4f92df3 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -3383,6 +3383,11 @@ static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog, + return prog->enforce_expected_attach_type && + prog->expected_attach_type != attach_type ? + -EINVAL : 0; ++ case BPF_PROG_TYPE_KPROBE: ++ if (prog->expected_attach_type == BPF_TRACE_KPROBE_MULTI && ++ attach_type != BPF_TRACE_KPROBE_MULTI) ++ return -EINVAL; ++ return 0; + default: + return 0; + } +-- +2.39.2 + diff --git a/queue-6.1/bpf-track-immediate-values-written-to-stack-by-bpf_s.patch b/queue-6.1/bpf-track-immediate-values-written-to-stack-by-bpf_s.patch new file mode 100644 index 00000000000..3a0276ae423 --- /dev/null +++ b/queue-6.1/bpf-track-immediate-values-written-to-stack-by-bpf_s.patch @@ -0,0 +1,484 @@ +From 3dc565c6c11ec9c349011a8dfe44fa27da6a44d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 01:20:27 +0200 +Subject: bpf: track immediate values written to stack by BPF_ST instruction + +From: Eduard Zingerman + +[ Upstream commit ecdf985d7615356b78241fdb159c091830ed0380 ] + +For aligned stack writes using BPF_ST instruction track stored values +in a same way BPF_STX is handled, e.g. make sure that the following +commands produce similar verifier knowledge: + + fp[-8] = 42; r1 = 42; + fp[-8] = r1; + +This covers two cases: + - non-null values written to stack are stored as spill of fake + registers; + - null values written to stack are stored as STACK_ZERO marks. + +Previously both cases above used STACK_MISC marks instead. + +Some verifier test cases relied on the old logic to obtain STACK_MISC +marks for some stack values. These test cases are updated in the same +commit to avoid failures during bisect. + +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20230214232030.1502829-2-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Stable-dep-of: 713274f1f2c8 ("bpf: Fix verifier id tracking of scalars on spill") +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 18 ++- + .../bpf/verifier/bounds_mix_sign_unsign.c | 110 ++++++++++-------- + 2 files changed, 80 insertions(+), 48 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index a0e573c08f79f..c4ceb4166528b 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -3061,6 +3061,11 @@ static void save_register_state(struct bpf_func_state *state, + scrub_spilled_slot(&state->stack[spi].slot_type[i - 1]); + } + ++static bool is_bpf_st_mem(struct bpf_insn *insn) ++{ ++ return BPF_CLASS(insn->code) == BPF_ST && BPF_MODE(insn->code) == BPF_MEM; ++} ++ + /* check_stack_{read,write}_fixed_off functions track spill/fill of registers, + * stack boundary and alignment are checked in check_mem_access() + */ +@@ -3072,8 +3077,9 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + { + struct bpf_func_state *cur; /* state of the current function */ + int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err; +- u32 dst_reg = env->prog->insnsi[insn_idx].dst_reg; ++ struct bpf_insn *insn = &env->prog->insnsi[insn_idx]; + struct bpf_reg_state *reg = NULL; ++ u32 dst_reg = insn->dst_reg; + + err = grow_stack_state(state, round_up(slot + 1, BPF_REG_SIZE)); + if (err) +@@ -3122,6 +3128,13 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + return err; + } + save_register_state(state, spi, reg, size); ++ } else if (!reg && !(off % BPF_REG_SIZE) && is_bpf_st_mem(insn) && ++ insn->imm != 0 && env->bpf_capable) { ++ struct bpf_reg_state fake_reg = {}; ++ ++ __mark_reg_known(&fake_reg, (u32)insn->imm); ++ fake_reg.type = SCALAR_VALUE; ++ save_register_state(state, spi, &fake_reg, size); + } else if (reg && is_spillable_regtype(reg->type)) { + /* register containing pointer is being spilled into stack */ + if (size != BPF_REG_SIZE) { +@@ -3156,7 +3169,8 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; + + /* when we zero initialize stack slots mark them as such */ +- if (reg && register_is_null(reg)) { ++ if ((reg && register_is_null(reg)) || ++ (!reg && is_bpf_st_mem(insn) && insn->imm == 0)) { + /* backtracking doesn't work for STACK_ZERO yet. */ + err = mark_chain_precision(env, value_regno); + if (err) +diff --git a/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c b/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c +index c2aa6f26738b4..bf82b923c5fe5 100644 +--- a/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c ++++ b/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c +@@ -1,13 +1,14 @@ + { + "bounds checks mixing signed and unsigned, positive bounds", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, 2), + BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3), +@@ -17,20 +18,21 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, + { + "bounds checks mixing signed and unsigned", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, -1), + BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3), +@@ -40,20 +42,21 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, + { + "bounds checks mixing signed and unsigned, variant 2", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, -1), + BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5), +@@ -65,20 +68,21 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, + { + "bounds checks mixing signed and unsigned, variant 3", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, -1), + BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4), +@@ -89,20 +93,21 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, + { + "bounds checks mixing signed and unsigned, variant 4", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, 1), + BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2), +@@ -112,19 +117,20 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .result = ACCEPT, + }, + { + "bounds checks mixing signed and unsigned, variant 5", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, -1), + BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5), +@@ -135,17 +141,20 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, + { + "bounds checks mixing signed and unsigned, variant 6", + .insns = { ++ BPF_MOV64_REG(BPF_REG_9, BPF_REG_1), ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), ++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_9), + BPF_MOV64_IMM(BPF_REG_2, 0), + BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), + BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_6, -1), + BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5), +@@ -163,13 +172,14 @@ + { + "bounds checks mixing signed and unsigned, variant 7", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024), + BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3), +@@ -179,19 +189,20 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .result = ACCEPT, + }, + { + "bounds checks mixing signed and unsigned, variant 8", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, -1), + BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), +@@ -203,20 +214,21 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, + { + "bounds checks mixing signed and unsigned, variant 9", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL), + BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), +@@ -228,19 +240,20 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .result = ACCEPT, + }, + { + "bounds checks mixing signed and unsigned, variant 10", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, 0), + BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), +@@ -252,20 +265,21 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, + { + "bounds checks mixing signed and unsigned, variant 11", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, -1), + BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), +@@ -278,20 +292,21 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, + { + "bounds checks mixing signed and unsigned, variant 12", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, -6), + BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), +@@ -303,20 +318,21 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, + { + "bounds checks mixing signed and unsigned, variant 13", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, 2), + BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), +@@ -331,7 +347,7 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, +@@ -340,13 +356,14 @@ + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1, + offsetof(struct __sk_buff, mark)), ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, -1), + BPF_MOV64_IMM(BPF_REG_8, 2), +@@ -360,20 +377,21 @@ + BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3), + BPF_JMP_IMM(BPF_JA, 0, 0, -7), + }, +- .fixup_map_hash_8b = { 4 }, ++ .fixup_map_hash_8b = { 6 }, + .errstr = "unbounded min value", + .result = REJECT, + }, + { + "bounds checks mixing signed and unsigned, variant 15", + .insns = { ++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), +- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + BPF_MOV64_IMM(BPF_REG_2, -6), + BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), +@@ -387,7 +405,7 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_8b = { 3 }, ++ .fixup_map_hash_8b = { 5 }, + .errstr = "unbounded min value", + .result = REJECT, + }, +-- +2.39.2 + diff --git a/queue-6.1/btrfs-fix-an-uninitialized-variable-warning-in-btrfs.patch b/queue-6.1/btrfs-fix-an-uninitialized-variable-warning-in-btrfs.patch new file mode 100644 index 00000000000..1f17117224d --- /dev/null +++ b/queue-6.1/btrfs-fix-an-uninitialized-variable-warning-in-btrfs.patch @@ -0,0 +1,53 @@ +From 51e6dfc51c4642fd416fb5423e42b264dea50ac3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 09:34:30 +0800 +Subject: btrfs: fix an uninitialized variable warning in btrfs_log_inode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shida Zhang + +[ Upstream commit 8fd9f4232d8152c650fd15127f533a0f6d0a4b2b ] + +This fixes the following warning reported by gcc 10.2.1 under x86_64: + +../fs/btrfs/tree-log.c: In function ‘btrfs_log_inode’: +../fs/btrfs/tree-log.c:6211:9: error: ‘last_range_start’ may be used uninitialized in this function [-Werror=maybe-uninitialized] + 6211 | ret = insert_dir_log_key(trans, log, path, key.objectid, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 6212 | first_dir_index, last_dir_index); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../fs/btrfs/tree-log.c:6161:6: note: ‘last_range_start’ was declared here + 6161 | u64 last_range_start; + | ^~~~~~~~~~~~~~~~ + +This might be a false positive fixed in later compiler versions but we +want to have it fixed. + +Reported-by: k2ci +Reviewed-by: Anand Jain +Signed-off-by: Shida Zhang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index e71464c0e4667..00be69ce7b90f 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -6205,7 +6205,7 @@ static int log_delayed_deletions_incremental(struct btrfs_trans_handle *trans, + { + struct btrfs_root *log = inode->root->log_root; + const struct btrfs_delayed_item *curr; +- u64 last_range_start; ++ u64 last_range_start = 0; + u64 last_range_end = 0; + struct btrfs_key key; + +-- +2.39.2 + diff --git a/queue-6.1/drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch b/queue-6.1/drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch new file mode 100644 index 00000000000..3c25a27cdd3 --- /dev/null +++ b/queue-6.1/drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch @@ -0,0 +1,37 @@ +From 53f9ed44ffa58a470370a7bd22c3b24aa2ad1f7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 21:01:31 +0800 +Subject: drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl + +From: Min Li + +[ Upstream commit 48bfd02569f5db49cc033f259e66d57aa6efc9a3 ] + +If it is async, runqueue_node is freed in g2d_runqueue_worker on another +worker thread. So in extreme cases, if g2d_runqueue_worker runs first, and +then executes the following if statement, there will be use-after-free. + +Signed-off-by: Min Li +Reviewed-by: Andi Shyti +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_g2d.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.c b/drivers/gpu/drm/exynos/exynos_drm_g2d.c +index 471fd6c8135f2..27613abeed961 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c +@@ -1335,7 +1335,7 @@ int exynos_g2d_exec_ioctl(struct drm_device *drm_dev, void *data, + /* Let the runqueue know that there is work to do. */ + queue_work(g2d->g2d_workq, &g2d->runqueue_work); + +- if (runqueue_node->async) ++ if (req->async) + goto out; + + wait_for_completion(&runqueue_node->complete); +-- +2.39.2 + diff --git a/queue-6.1/drm-exynos-vidi-fix-a-wrong-error-return.patch b/queue-6.1/drm-exynos-vidi-fix-a-wrong-error-return.patch new file mode 100644 index 00000000000..e66b024b91b --- /dev/null +++ b/queue-6.1/drm-exynos-vidi-fix-a-wrong-error-return.patch @@ -0,0 +1,38 @@ +From b516068558a039800328bac9d02960f92395e4b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 08:55:05 +0900 +Subject: drm/exynos: vidi: fix a wrong error return + +From: Inki Dae + +[ Upstream commit 4a059559809fd1ddbf16f847c4d2237309c08edf ] + +Fix a wrong error return by dropping an error return. + +When vidi driver is remvoed, if ctx->raw_edid isn't same as fake_edid_info +then only what we have to is to free ctx->raw_edid so that driver removing +can work correctly - it's not an error case. + +Signed-off-by: Inki Dae +Reviewed-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_vidi.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exynos/exynos_drm_vidi.c +index 4d56c8c799c5a..f5e1adfcaa514 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c +@@ -469,8 +469,6 @@ static int vidi_remove(struct platform_device *pdev) + if (ctx->raw_edid != (struct edid *)fake_edid_info) { + kfree(ctx->raw_edid); + ctx->raw_edid = NULL; +- +- return -EINVAL; + } + + component_del(&pdev->dev, &vidi_component_ops); +-- +2.39.2 + diff --git a/queue-6.1/drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch b/queue-6.1/drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch new file mode 100644 index 00000000000..88551776d58 --- /dev/null +++ b/queue-6.1/drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch @@ -0,0 +1,54 @@ +From 895676b3362670df6d659cc34bfff0cbabe3ad94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Jun 2023 15:43:45 +0800 +Subject: drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Min Li + +[ Upstream commit 982b173a6c6d9472730c3116051977e05d17c8c5 ] + +Userspace can race to free the gobj(robj converted from), robj should not +be accessed again after drm_gem_object_put, otherwith it will result in +use-after-free. + +Reviewed-by: Christian König +Signed-off-by: Min Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_gem.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c +index 261fcbae88d78..75d79c3110389 100644 +--- a/drivers/gpu/drm/radeon/radeon_gem.c ++++ b/drivers/gpu/drm/radeon/radeon_gem.c +@@ -459,7 +459,6 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data, + struct radeon_device *rdev = dev->dev_private; + struct drm_radeon_gem_set_domain *args = data; + struct drm_gem_object *gobj; +- struct radeon_bo *robj; + int r; + + /* for now if someone requests domain CPU - +@@ -472,13 +471,12 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data, + up_read(&rdev->exclusive_lock); + return -ENOENT; + } +- robj = gem_to_radeon_bo(gobj); + + r = radeon_gem_set_domain(gobj, args->read_domains, args->write_domain); + + drm_gem_object_put(gobj); + up_read(&rdev->exclusive_lock); +- r = radeon_gem_handle_lockup(robj->rdev, r); ++ r = radeon_gem_handle_lockup(rdev, r); + return r; + } + +-- +2.39.2 + diff --git a/queue-6.1/gfs2-don-t-get-stuck-writing-page-onto-itself-under-.patch b/queue-6.1/gfs2-don-t-get-stuck-writing-page-onto-itself-under-.patch new file mode 100644 index 00000000000..06ffd4c4ef9 --- /dev/null +++ b/queue-6.1/gfs2-don-t-get-stuck-writing-page-onto-itself-under-.patch @@ -0,0 +1,81 @@ +From c842f1c756fb1c815967ec3eb4ad3a934f2ef8a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 21:08:26 +0200 +Subject: gfs2: Don't get stuck writing page onto itself under direct I/O + +From: Andreas Gruenbacher + +[ Upstream commit fa58cc888d67e640e354d8b3ceef877ea167b0cf ] + +When a direct I/O write is performed, iomap_dio_rw() invalidates the +part of the page cache which the write is going to before carrying out +the write. In the odd case, the direct I/O write will be reading from +the same page it is writing to. gfs2 carries out writes with page +faults disabled, so it should have been obvious that this page +invalidation can cause iomap_dio_rw() to never make any progress. +Currently, gfs2 will end up in an endless retry loop in +gfs2_file_direct_write() instead, though. + +Break this endless loop by limiting the number of retries and falling +back to buffered I/O after that. + +Also simplify should_fault_in_pages() sightly and add a comment to make +the above case easier to understand. + +Reported-by: Jan Kara +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/file.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c +index 60c6fb91fb589..bc6cd5f4b1077 100644 +--- a/fs/gfs2/file.c ++++ b/fs/gfs2/file.c +@@ -783,9 +783,13 @@ static inline bool should_fault_in_pages(struct iov_iter *i, + if (!user_backed_iter(i)) + return false; + ++ /* ++ * Try to fault in multiple pages initially. When that doesn't result ++ * in any progress, fall back to a single page. ++ */ + size = PAGE_SIZE; + offs = offset_in_page(iocb->ki_pos); +- if (*prev_count != count || !*window_size) { ++ if (*prev_count != count) { + size_t nr_dirtied; + + nr_dirtied = max(current->nr_dirtied_pause - +@@ -869,6 +873,7 @@ static ssize_t gfs2_file_direct_write(struct kiocb *iocb, struct iov_iter *from, + struct gfs2_inode *ip = GFS2_I(inode); + size_t prev_count = 0, window_size = 0; + size_t written = 0; ++ bool enough_retries; + ssize_t ret; + + /* +@@ -912,11 +917,17 @@ static ssize_t gfs2_file_direct_write(struct kiocb *iocb, struct iov_iter *from, + if (ret > 0) + written = ret; + ++ enough_retries = prev_count == iov_iter_count(from) && ++ window_size <= PAGE_SIZE; + if (should_fault_in_pages(from, iocb, &prev_count, &window_size)) { + gfs2_glock_dq(gh); + window_size -= fault_in_iov_iter_readable(from, window_size); +- if (window_size) +- goto retry; ++ if (window_size) { ++ if (!enough_retries) ++ goto retry; ++ /* fall back to buffered I/O */ ++ ret = 0; ++ } + } + out_unlock: + if (gfs2_holder_queued(gh)) +-- +2.39.2 + diff --git a/queue-6.1/gpio-sifive-add-missing-check-for-platform_get_irq.patch b/queue-6.1/gpio-sifive-add-missing-check-for-platform_get_irq.patch new file mode 100644 index 00000000000..9bc62c76c0e --- /dev/null +++ b/queue-6.1/gpio-sifive-add-missing-check-for-platform_get_irq.patch @@ -0,0 +1,46 @@ +From e6ca00c1069a681ae169c22a4cf22322d213de8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 11:11:59 +0800 +Subject: gpio: sifive: add missing check for platform_get_irq + +From: Jiasheng Jiang + +[ Upstream commit c1bcb976d8feb107ff2c12caaf12ac5e70f44d5f ] + +Add the missing check for platform_get_irq() and return error code +if it fails. + +The returned error code will be dealed with in +builtin_platform_driver(sifive_gpio_driver) and the driver will not +be registered. + +Fixes: f52d6d8b43e5 ("gpio: sifive: To get gpio irq offset from device tree data") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-sifive.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-sifive.c b/drivers/gpio/gpio-sifive.c +index bc5660f61c570..0f1e1226ebbe8 100644 +--- a/drivers/gpio/gpio-sifive.c ++++ b/drivers/gpio/gpio-sifive.c +@@ -221,8 +221,12 @@ static int sifive_gpio_probe(struct platform_device *pdev) + return -ENODEV; + } + +- for (i = 0; i < ngpio; i++) +- chip->irq_number[i] = platform_get_irq(pdev, i); ++ for (i = 0; i < ngpio; i++) { ++ ret = platform_get_irq(pdev, i); ++ if (ret < 0) ++ return ret; ++ chip->irq_number[i] = ret; ++ } + + ret = bgpio_init(&chip->gc, dev, 4, + chip->base + SIFIVE_GPIO_INPUT_VAL, +-- +2.39.2 + diff --git a/queue-6.1/gpiolib-fix-gpio-chip-irq-initialization-restriction.patch b/queue-6.1/gpiolib-fix-gpio-chip-irq-initialization-restriction.patch new file mode 100644 index 00000000000..81a91829786 --- /dev/null +++ b/queue-6.1/gpiolib-fix-gpio-chip-irq-initialization-restriction.patch @@ -0,0 +1,46 @@ +From 327b7060d2574b93518dd786478580d2112e7ae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 16:18:03 +0800 +Subject: gpiolib: Fix GPIO chip IRQ initialization restriction + +From: Jiawen Wu + +[ Upstream commit 8c00914e5438e3636f26b4f814b3297ae2a1b9ee ] + +In case of gpio-regmap, IRQ chip is added by regmap-irq and associated with +GPIO chip by gpiochip_irqchip_add_domain(). The initialization flag was not +added in gpiochip_irqchip_add_domain(), causing gpiochip_to_irq() to return +-EPROBE_DEFER. + +Fixes: 5467801f1fcb ("gpio: Restrict usage of GPIO chip irq members before initialization") +Signed-off-by: Jiawen Wu +Reviewed-by: Andy Shevchenko +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 5974cfc61b417..f2cb070931850 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1697,6 +1697,14 @@ int gpiochip_irqchip_add_domain(struct gpio_chip *gc, + gc->to_irq = gpiochip_to_irq; + gc->irq.domain = domain; + ++ /* ++ * Using barrier() here to prevent compiler from reordering ++ * gc->irq.initialized before adding irqdomain. ++ */ ++ barrier(); ++ ++ gc->irq.initialized = true; ++ + return 0; + } + EXPORT_SYMBOL_GPL(gpiochip_irqchip_add_domain); +-- +2.39.2 + diff --git a/queue-6.1/gpiolib-fix-irq_domain-resource-tracking-for-gpiochi.patch b/queue-6.1/gpiolib-fix-irq_domain-resource-tracking-for-gpiochi.patch new file mode 100644 index 00000000000..9ef081470c1 --- /dev/null +++ b/queue-6.1/gpiolib-fix-irq_domain-resource-tracking-for-gpiochi.patch @@ -0,0 +1,73 @@ +From 9b2a59ca5e56de111a22c959b4b3181d061bc0cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 10:56:07 +0200 +Subject: gpiolib: Fix irq_domain resource tracking for + gpiochip_irqchip_add_domain() + +From: Michael Walle + +[ Upstream commit ff7a1790fbf92f1bdd0966d3f0da3ea808ede876 ] + +Up until commit 6a45b0e2589f ("gpiolib: Introduce +gpiochip_irqchip_add_domain()") all irq_domains were allocated +by gpiolib itself and thus gpiolib also takes care of freeing it. + +With gpiochip_irqchip_add_domain() a user of gpiolib can associate an +irq_domain with the gpio_chip. This irq_domain is not managed by +gpiolib and therefore must not be freed by gpiolib. + +Fixes: 6a45b0e2589f ("gpiolib: Introduce gpiochip_irqchip_add_domain()") +Reported-by: Jiawen Wu +Signed-off-by: Michael Walle +Reviewed-by: Linus Walleij +Reviewed-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 3 ++- + include/linux/gpio/driver.h | 8 ++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index f2cb070931850..6d3e3454a6ed6 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1650,7 +1650,7 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gc) + } + + /* Remove all IRQ mappings and delete the domain */ +- if (gc->irq.domain) { ++ if (!gc->irq.domain_is_allocated_externally && gc->irq.domain) { + unsigned int irq; + + for (offset = 0; offset < gc->ngpio; offset++) { +@@ -1696,6 +1696,7 @@ int gpiochip_irqchip_add_domain(struct gpio_chip *gc, + + gc->to_irq = gpiochip_to_irq; + gc->irq.domain = domain; ++ gc->irq.domain_is_allocated_externally = true; + + /* + * Using barrier() here to prevent compiler from reordering +diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h +index 6aeea1071b1b2..78bcb1639999e 100644 +--- a/include/linux/gpio/driver.h ++++ b/include/linux/gpio/driver.h +@@ -244,6 +244,14 @@ struct gpio_irq_chip { + */ + bool initialized; + ++ /** ++ * @domain_is_allocated_externally: ++ * ++ * True it the irq_domain was allocated outside of gpiolib, in which ++ * case gpiolib won't free the irq_domain itself. ++ */ ++ bool domain_is_allocated_externally; ++ + /** + * @init_hw: optional routine to initialize hardware before + * an IRQ chip will be added. This is quite useful when +-- +2.39.2 + diff --git a/queue-6.1/hid-wacom-add-error-check-to-wacom_parse_and_registe.patch b/queue-6.1/hid-wacom-add-error-check-to-wacom_parse_and_registe.patch new file mode 100644 index 00000000000..67765cabc9e --- /dev/null +++ b/queue-6.1/hid-wacom-add-error-check-to-wacom_parse_and_registe.patch @@ -0,0 +1,44 @@ +From 849714e19d02f4bb0f6768fbae63a8f0c884d437 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 14:47:45 +0300 +Subject: HID: wacom: Add error check to wacom_parse_and_register() + +From: Denis Arefev + +[ Upstream commit 16a9c24f24fbe4564284eb575b18cc20586b9270 ] + + Added a variable check and + transition in case of an error + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Denis Arefev +Reviewed-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/wacom_sys.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c +index fb538a6c4add8..aff4a21a46b6a 100644 +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -2417,8 +2417,13 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless) + goto fail_quirks; + } + +- if (features->device_type & WACOM_DEVICETYPE_WL_MONITOR) ++ if (features->device_type & WACOM_DEVICETYPE_WL_MONITOR) { + error = hid_hw_open(hdev); ++ if (error) { ++ hid_err(hdev, "hw open failed\n"); ++ goto fail_quirks; ++ } ++ } + + wacom_set_shared_values(wacom_wac); + devres_close_group(&hdev->dev, wacom); +-- +2.39.2 + diff --git a/queue-6.1/i2c-mchp-pci1xxxx-avoid-cast-to-incompatible-functio.patch b/queue-6.1/i2c-mchp-pci1xxxx-avoid-cast-to-incompatible-functio.patch new file mode 100644 index 00000000000..776cede76e8 --- /dev/null +++ b/queue-6.1/i2c-mchp-pci1xxxx-avoid-cast-to-incompatible-functio.patch @@ -0,0 +1,62 @@ +From 598bc5e3653b287f4151dd85ab093c1bd830ad07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 14:32:17 +0200 +Subject: i2c: mchp-pci1xxxx: Avoid cast to incompatible function type + +From: Simon Horman + +[ Upstream commit 7ebfd881abe9e0ea9557b29dab6aa28d294fabb4 ] + +Rather than casting pci1xxxx_i2c_shutdown to an incompatible function type, +update the type to match that expected by __devm_add_action. + +Reported by clang-16 with W-1: + + .../i2c-mchp-pci1xxxx.c:1159:29: error: cast from 'void (*)(struct pci1xxxx_i2c *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + ret = devm_add_action(dev, (void (*)(void *))pci1xxxx_i2c_shutdown, i2c); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ./include/linux/device.h:251:29: note: expanded from macro 'devm_add_action' + __devm_add_action(release, action, data, #action) + ^~~~~~ + +No functional change intended. +Compile tested only. + +Signed-off-by: Simon Horman +Reviewed-by: Horatiu Vultur +Reviewed-by: Andi Shyti +Reviewed-by: Tharun Kumar P +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mchp-pci1xxxx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-mchp-pci1xxxx.c b/drivers/i2c/busses/i2c-mchp-pci1xxxx.c +index b21ffd6df9276..5ef136c3ecb12 100644 +--- a/drivers/i2c/busses/i2c-mchp-pci1xxxx.c ++++ b/drivers/i2c/busses/i2c-mchp-pci1xxxx.c +@@ -1118,8 +1118,10 @@ static int pci1xxxx_i2c_resume(struct device *dev) + static DEFINE_SIMPLE_DEV_PM_OPS(pci1xxxx_i2c_pm_ops, pci1xxxx_i2c_suspend, + pci1xxxx_i2c_resume); + +-static void pci1xxxx_i2c_shutdown(struct pci1xxxx_i2c *i2c) ++static void pci1xxxx_i2c_shutdown(void *data) + { ++ struct pci1xxxx_i2c *i2c = data; ++ + pci1xxxx_i2c_config_padctrl(i2c, false); + pci1xxxx_i2c_configure_core_reg(i2c, false); + } +@@ -1156,7 +1158,7 @@ static int pci1xxxx_i2c_probe_pci(struct pci_dev *pdev, + init_completion(&i2c->i2c_xfer_done); + pci1xxxx_i2c_init(i2c); + +- ret = devm_add_action(dev, (void (*)(void *))pci1xxxx_i2c_shutdown, i2c); ++ ret = devm_add_action(dev, pci1xxxx_i2c_shutdown, i2c); + if (ret) + return ret; + +-- +2.39.2 + diff --git a/queue-6.1/ieee802154-hwsim-fix-possible-memory-leaks.patch b/queue-6.1/ieee802154-hwsim-fix-possible-memory-leaks.patch new file mode 100644 index 00000000000..738fa33a586 --- /dev/null +++ b/queue-6.1/ieee802154-hwsim-fix-possible-memory-leaks.patch @@ -0,0 +1,50 @@ +From 775d30d5415df39a2de9d07694c2eebf9d03ef71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Apr 2023 10:20:48 +0800 +Subject: ieee802154: hwsim: Fix possible memory leaks + +From: Chen Aotian + +[ Upstream commit a61675294735570daca3779bd1dbb3715f7232bd ] + +After replacing e->info, it is necessary to free the old einfo. + +Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") +Reviewed-by: Miquel Raynal +Reviewed-by: Alexander Aring +Signed-off-by: Chen Aotian +Link: https://lore.kernel.org/r/20230409022048.61223-1-chenaotian2@163.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mac802154_hwsim.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c +index 2f0544dd7c2ad..9b3da61840a8f 100644 +--- a/drivers/net/ieee802154/mac802154_hwsim.c ++++ b/drivers/net/ieee802154/mac802154_hwsim.c +@@ -522,7 +522,7 @@ static int hwsim_del_edge_nl(struct sk_buff *msg, struct genl_info *info) + static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info) + { + struct nlattr *edge_attrs[MAC802154_HWSIM_EDGE_ATTR_MAX + 1]; +- struct hwsim_edge_info *einfo; ++ struct hwsim_edge_info *einfo, *einfo_old; + struct hwsim_phy *phy_v0; + struct hwsim_edge *e; + u32 v0, v1; +@@ -560,8 +560,10 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info) + list_for_each_entry_rcu(e, &phy_v0->edges, list) { + if (e->endpoint->idx == v1) { + einfo->lqi = lqi; +- rcu_assign_pointer(e->info, einfo); ++ einfo_old = rcu_replace_pointer(e->info, einfo, ++ lockdep_is_held(&hwsim_phys_lock)); + rcu_read_unlock(); ++ kfree_rcu(einfo_old, rcu); + mutex_unlock(&hwsim_phys_lock); + return 0; + } +-- +2.39.2 + diff --git a/queue-6.1/input-soc_button_array-add-invalid-acpi_index-dmi-qu.patch b/queue-6.1/input-soc_button_array-add-invalid-acpi_index-dmi-qu.patch new file mode 100644 index 00000000000..b2f048a3d08 --- /dev/null +++ b/queue-6.1/input-soc_button_array-add-invalid-acpi_index-dmi-qu.patch @@ -0,0 +1,91 @@ +From 74665faf41f9f69916f2154c05082171c8729c82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 11:57:04 -0700 +Subject: Input: soc_button_array - add invalid acpi_index DMI quirk handling + +From: Hans de Goede + +[ Upstream commit 20a99a291d564a559cc2fd013b4824a3bb3f1db7 ] + +Some devices have a wrong entry in their button array which points to +a GPIO which is required in another driver, so soc_button_array must +not claim it. + +A specific example of this is the Lenovo Yoga Book X90F / X90L, +where the PNP0C40 home button entry points to a GPIO which is not +a home button and which is required by the lenovo-yogabook driver. + +Add a DMI quirk table which can specify an ACPI GPIO resource index which +should be skipped; and add an entry for the Lenovo Yoga Book X90F / X90L +to this new DMI quirk table. + +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20230414072116.4497-1-hdegoede@redhat.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/soc_button_array.c | 30 +++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/drivers/input/misc/soc_button_array.c b/drivers/input/misc/soc_button_array.c +index 09489380afda7..e79f5497948b8 100644 +--- a/drivers/input/misc/soc_button_array.c ++++ b/drivers/input/misc/soc_button_array.c +@@ -108,6 +108,27 @@ static const struct dmi_system_id dmi_use_low_level_irq[] = { + {} /* Terminating entry */ + }; + ++/* ++ * Some devices have a wrong entry which points to a GPIO which is ++ * required in another driver, so this driver must not claim it. ++ */ ++static const struct dmi_system_id dmi_invalid_acpi_index[] = { ++ { ++ /* ++ * Lenovo Yoga Book X90F / X90L, the PNP0C40 home button entry ++ * points to a GPIO which is not a home button and which is ++ * required by the lenovo-yogabook driver. ++ */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"), ++ }, ++ .driver_data = (void *)1l, ++ }, ++ {} /* Terminating entry */ ++}; ++ + /* + * Get the Nth GPIO number from the ACPI object. + */ +@@ -137,6 +158,8 @@ soc_button_device_create(struct platform_device *pdev, + struct platform_device *pd; + struct gpio_keys_button *gpio_keys; + struct gpio_keys_platform_data *gpio_keys_pdata; ++ const struct dmi_system_id *dmi_id; ++ int invalid_acpi_index = -1; + int error, gpio, irq; + int n_buttons = 0; + +@@ -154,10 +177,17 @@ soc_button_device_create(struct platform_device *pdev, + gpio_keys = (void *)(gpio_keys_pdata + 1); + n_buttons = 0; + ++ dmi_id = dmi_first_match(dmi_invalid_acpi_index); ++ if (dmi_id) ++ invalid_acpi_index = (long)dmi_id->driver_data; ++ + for (info = button_info; info->name; info++) { + if (info->autorepeat != autorepeat) + continue; + ++ if (info->acpi_index == invalid_acpi_index) ++ continue; ++ + error = soc_button_lookup_gpio(&pdev->dev, info->acpi_index, &gpio, &irq); + if (error || irq < 0) { + /* +-- +2.39.2 + diff --git a/queue-6.1/io_uring-net-use-the-correct-msghdr-union-member-in-.patch b/queue-6.1/io_uring-net-use-the-correct-msghdr-union-member-in-.patch new file mode 100644 index 00000000000..447134b6c41 --- /dev/null +++ b/queue-6.1/io_uring-net-use-the-correct-msghdr-union-member-in-.patch @@ -0,0 +1,50 @@ +From e0fd31e57ec9674b4e3c75f964bbf627477ab6f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 16:11:51 -0600 +Subject: io_uring/net: use the correct msghdr union member in + io_sendmsg_copy_hdr + +From: Jens Axboe + +[ Upstream commit 26fed83653d0154704cadb7afc418f315c7ac1f0 ] + +Rather than assign the user pointer to msghdr->msg_control, assign it +to msghdr->msg_control_user to make sparse happy. They are in a union +so the end result is the same, but let's avoid new sparse warnings and +squash this one. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202306210654.mDMcyMuB-lkp@intel.com/ +Fixes: cac9e4418f4c ("io_uring/net: save msghdr->msg_control for retries") +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/net.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/io_uring/net.c b/io_uring/net.c +index 41f828d93c899..2b44126a876ef 100644 +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -190,7 +190,7 @@ static int io_sendmsg_copy_hdr(struct io_kiocb *req, + ret = sendmsg_copy_msghdr(&iomsg->msg, sr->umsg, sr->msg_flags, + &iomsg->free_iov); + /* save msg_control as sys_sendmsg() overwrites it */ +- sr->msg_control = iomsg->msg.msg_control; ++ sr->msg_control = iomsg->msg.msg_control_user; + return ret; + } + +@@ -289,7 +289,7 @@ int io_sendmsg(struct io_kiocb *req, unsigned int issue_flags) + + if (req_has_async_data(req)) { + kmsg = req->async_data; +- kmsg->msg.msg_control = sr->msg_control; ++ kmsg->msg.msg_control_user = sr->msg_control; + } else { + ret = io_sendmsg_copy_hdr(req, &iomsg); + if (ret) +-- +2.39.2 + diff --git a/queue-6.1/ipvs-align-inner_mac_header-for-encapsulation.patch b/queue-6.1/ipvs-align-inner_mac_header-for-encapsulation.patch new file mode 100644 index 00000000000..26e6f06f3f3 --- /dev/null +++ b/queue-6.1/ipvs-align-inner_mac_header-for-encapsulation.patch @@ -0,0 +1,82 @@ +From f08fe44df16a580088ed937a7dd4cee1b1d28f7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jun 2023 22:58:42 +0200 +Subject: ipvs: align inner_mac_header for encapsulation + +From: Terin Stock + +[ Upstream commit d7fce52fdf96663ddc2eb21afecff3775588612a ] + +When using encapsulation the original packet's headers are copied to the +inner headers. This preserves the space for an inner mac header, which +is not used by the inner payloads for the encapsulation types supported +by IPVS. If a packet is using GUE or GRE encapsulation and needs to be +segmented, flow can be passed to __skb_udp_tunnel_segment() which +calculates a negative tunnel header length. A negative tunnel header +length causes pskb_may_pull() to fail, dropping the packet. + +This can be observed by attaching probes to ip_vs_in_hook(), +__dev_queue_xmit(), and __skb_udp_tunnel_segment(): + + perf probe --add '__dev_queue_xmit skb->inner_mac_header \ + skb->inner_network_header skb->mac_header skb->network_header' + perf probe --add '__skb_udp_tunnel_segment:7 tnl_hlen' + perf probe -m ip_vs --add 'ip_vs_in_hook skb->inner_mac_header \ + skb->inner_network_header skb->mac_header skb->network_header' + +These probes the headers and tunnel header length for packets which +traverse the IPVS encapsulation path. A TCP packet can be forced into +the segmentation path by being smaller than a calculated clamped MSS, +but larger than the advertised MSS. + + probe:ip_vs_in_hook: inner_mac_header=0x0 inner_network_header=0x0 mac_header=0x44 network_header=0x52 + probe:ip_vs_in_hook: inner_mac_header=0x44 inner_network_header=0x52 mac_header=0x44 network_header=0x32 + probe:dev_queue_xmit: inner_mac_header=0x44 inner_network_header=0x52 mac_header=0x44 network_header=0x32 + probe:__skb_udp_tunnel_segment_L7: tnl_hlen=-2 + +When using veth-based encapsulation, the interfaces are set to be +mac-less, which does not preserve space for an inner mac header. This +prevents this issue from occurring. + +In our real-world testing of sending a 32KB file we observed operation +time increasing from ~75ms for veth-based encapsulation to over 1.5s +using IPVS encapsulation due to retries from dropped packets. + +This changeset modifies the packet on the encapsulation path in +ip_vs_tunnel_xmit() and ip_vs_tunnel_xmit_v6() to remove the inner mac +header offset. This fixes UDP segmentation for both encapsulation types, +and corrects the inner headers for any IPIP flows that may use it. + +Fixes: 84c0d5e96f3a ("ipvs: allow tunneling with gue encapsulation") +Signed-off-by: Terin Stock +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_xmit.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c +index 0291713798842..7243079ef3546 100644 +--- a/net/netfilter/ipvs/ip_vs_xmit.c ++++ b/net/netfilter/ipvs/ip_vs_xmit.c +@@ -1225,6 +1225,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, + skb->transport_header = skb->network_header; + + skb_set_inner_ipproto(skb, next_protocol); ++ skb_set_inner_mac_header(skb, skb_inner_network_offset(skb)); + + if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) { + bool check = false; +@@ -1373,6 +1374,7 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, + skb->transport_header = skb->network_header; + + skb_set_inner_ipproto(skb, next_protocol); ++ skb_set_inner_mac_header(skb, skb_inner_network_offset(skb)); + + if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) { + bool check = false; +-- +2.39.2 + diff --git a/queue-6.1/kvm-arm64-pmu-restore-the-host-s-pmuserenr_el0.patch b/queue-6.1/kvm-arm64-pmu-restore-the-host-s-pmuserenr_el0.patch new file mode 100644 index 00000000000..c1d3fbd0af0 --- /dev/null +++ b/queue-6.1/kvm-arm64-pmu-restore-the-host-s-pmuserenr_el0.patch @@ -0,0 +1,58 @@ +From f39899708cd7e980bcfd95cbb25b4e7da7a73e17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 19:50:34 -0700 +Subject: KVM: arm64: PMU: Restore the host's PMUSERENR_EL0 + +From: Reiji Watanabe + +[ Upstream commit 8681f71759010503892f9e3ddb05f65c0f21b690 ] + +Restore the host's PMUSERENR_EL0 value instead of clearing it, +before returning back to userspace, as the host's EL0 might have +a direct access to PMU registers (some bits of PMUSERENR_EL0 for +might not be zero for the host EL0). + +Fixes: 83a7a4d643d3 ("arm64: perf: Enable PMU counter userspace access for perf event") +Signed-off-by: Reiji Watanabe +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230603025035.3781797-2-reijiw@google.com +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/hyp/include/hyp/switch.h | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/kvm/hyp/include/hyp/switch.h b/arch/arm64/kvm/hyp/include/hyp/switch.h +index 2208d79b18dea..081aca8f432ef 100644 +--- a/arch/arm64/kvm/hyp/include/hyp/switch.h ++++ b/arch/arm64/kvm/hyp/include/hyp/switch.h +@@ -81,7 +81,12 @@ static inline void __activate_traps_common(struct kvm_vcpu *vcpu) + * EL1 instead of being trapped to EL2. + */ + if (kvm_arm_support_pmu_v3()) { ++ struct kvm_cpu_context *hctxt; ++ + write_sysreg(0, pmselr_el0); ++ ++ hctxt = &this_cpu_ptr(&kvm_host_data)->host_ctxt; ++ ctxt_sys_reg(hctxt, PMUSERENR_EL0) = read_sysreg(pmuserenr_el0); + write_sysreg(ARMV8_PMU_USERENR_MASK, pmuserenr_el0); + } + +@@ -105,8 +110,12 @@ static inline void __deactivate_traps_common(struct kvm_vcpu *vcpu) + write_sysreg(vcpu->arch.mdcr_el2_host, mdcr_el2); + + write_sysreg(0, hstr_el2); +- if (kvm_arm_support_pmu_v3()) +- write_sysreg(0, pmuserenr_el0); ++ if (kvm_arm_support_pmu_v3()) { ++ struct kvm_cpu_context *hctxt; ++ ++ hctxt = &this_cpu_ptr(&kvm_host_data)->host_ctxt; ++ write_sysreg(ctxt_sys_reg(hctxt, PMUSERENR_EL0), pmuserenr_el0); ++ } + + if (cpus_have_final_cap(ARM64_SME)) { + sysreg_clear_set_s(SYS_HFGRTR_EL2, 0, +-- +2.39.2 + diff --git a/queue-6.1/media-cec-core-disable-adapter-in-cec_devnode_unregi.patch b/queue-6.1/media-cec-core-disable-adapter-in-cec_devnode_unregi.patch new file mode 100644 index 00000000000..53c88fc3116 --- /dev/null +++ b/queue-6.1/media-cec-core-disable-adapter-in-cec_devnode_unregi.patch @@ -0,0 +1,76 @@ +From 874f0c09453b57677848cbe6f877a45d66ca1bd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Apr 2023 08:26:53 +0100 +Subject: media: cec: core: disable adapter in cec_devnode_unregister + +From: Hans Verkuil + +[ Upstream commit fe4526d99e2e06b08bb80316c3a596ea6a807b75 ] + +Explicitly disable the CEC adapter in cec_devnode_unregister() + +Usually this does not really do anything important, but for drivers +that use the CEC pin framework this is needed to properly stop the +hrtimer. Without this a crash would happen when such a driver is +unloaded with rmmod. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/cec/core/cec-adap.c | 5 ++++- + drivers/media/cec/core/cec-core.c | 2 ++ + drivers/media/cec/core/cec-priv.h | 1 + + 3 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c +index 4f5ab3cae8a71..ac18707fddcd2 100644 +--- a/drivers/media/cec/core/cec-adap.c ++++ b/drivers/media/cec/core/cec-adap.c +@@ -1582,7 +1582,7 @@ static void cec_claim_log_addrs(struct cec_adapter *adap, bool block) + * + * This function is called with adap->lock held. + */ +-static int cec_adap_enable(struct cec_adapter *adap) ++int cec_adap_enable(struct cec_adapter *adap) + { + bool enable; + int ret = 0; +@@ -1592,6 +1592,9 @@ static int cec_adap_enable(struct cec_adapter *adap) + if (adap->needs_hpd) + enable = enable && adap->phys_addr != CEC_PHYS_ADDR_INVALID; + ++ if (adap->devnode.unregistered) ++ enable = false; ++ + if (enable == adap->is_enabled) + return 0; + +diff --git a/drivers/media/cec/core/cec-core.c b/drivers/media/cec/core/cec-core.c +index af358e901b5f3..7e153c5cad04f 100644 +--- a/drivers/media/cec/core/cec-core.c ++++ b/drivers/media/cec/core/cec-core.c +@@ -191,6 +191,8 @@ static void cec_devnode_unregister(struct cec_adapter *adap) + mutex_lock(&adap->lock); + __cec_s_phys_addr(adap, CEC_PHYS_ADDR_INVALID, false); + __cec_s_log_addrs(adap, NULL, false); ++ // Disable the adapter (since adap->devnode.unregistered is true) ++ cec_adap_enable(adap); + mutex_unlock(&adap->lock); + + cdev_device_del(&devnode->cdev, &devnode->dev); +diff --git a/drivers/media/cec/core/cec-priv.h b/drivers/media/cec/core/cec-priv.h +index b78df931aa74b..ed1f8c67626bf 100644 +--- a/drivers/media/cec/core/cec-priv.h ++++ b/drivers/media/cec/core/cec-priv.h +@@ -47,6 +47,7 @@ int cec_monitor_pin_cnt_inc(struct cec_adapter *adap); + void cec_monitor_pin_cnt_dec(struct cec_adapter *adap); + int cec_adap_status(struct seq_file *file, void *priv); + int cec_thread_func(void *_adap); ++int cec_adap_enable(struct cec_adapter *adap); + void __cec_s_phys_addr(struct cec_adapter *adap, u16 phys_addr, bool block); + int __cec_s_log_addrs(struct cec_adapter *adap, + struct cec_log_addrs *log_addrs, bool block); +-- +2.39.2 + diff --git a/queue-6.1/media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch b/queue-6.1/media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch new file mode 100644 index 00000000000..0b5f079011c --- /dev/null +++ b/queue-6.1/media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch @@ -0,0 +1,41 @@ +From 97d2e5d5ef602a1137151114c136e8612e369ad6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 16:07:28 +0100 +Subject: media: cec: core: don't set last_initiator if tx in progress + +From: Hans Verkuil + +[ Upstream commit 73af6c7511038249cad3d5f3b44bf8d78ac0f499 ] + +When a message was received the last_initiator is set to 0xff. +This will force the signal free time for the next transmit +to that for a new initiator. However, if a new transmit is +already in progress, then don't set last_initiator, since +that's the initiator of the current transmit. Overwriting +this would cause the signal free time of a following transmit +to be that of the new initiator instead of a next transmit. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/cec/core/cec-adap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c +index ac18707fddcd2..b1512f9c5895c 100644 +--- a/drivers/media/cec/core/cec-adap.c ++++ b/drivers/media/cec/core/cec-adap.c +@@ -1090,7 +1090,8 @@ void cec_received_msg_ts(struct cec_adapter *adap, + mutex_lock(&adap->lock); + dprintk(2, "%s: %*ph\n", __func__, msg->len, msg->msg); + +- adap->last_initiator = 0xff; ++ if (!adap->transmit_in_progress) ++ adap->last_initiator = 0xff; + + /* Check if this message was for us (directed or broadcast). */ + if (!cec_msg_is_broadcast(msg)) +-- +2.39.2 + diff --git a/queue-6.1/memfd-check-for-non-null-file_seals-in-memfd_create-.patch b/queue-6.1/memfd-check-for-non-null-file_seals-in-memfd_create-.patch new file mode 100644 index 00000000000..f5fc42eb037 --- /dev/null +++ b/queue-6.1/memfd-check-for-non-null-file_seals-in-memfd_create-.patch @@ -0,0 +1,42 @@ +From 4f3e1e129fdff5c828147eedc709ecd8457160ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 15:24:27 +0200 +Subject: memfd: check for non-NULL file_seals in memfd_create() syscall + +From: Roberto Sassu + +[ Upstream commit 935d44acf621aa0688fef8312dec3e5940f38f4e ] + +Ensure that file_seals is non-NULL before using it in the memfd_create() +syscall. One situation in which memfd_file_seals_ptr() could return a +NULL pointer when CONFIG_SHMEM=n, oopsing the kernel. + +Link: https://lkml.kernel.org/r/20230607132427.2867435-1-roberto.sassu@huaweicloud.com +Fixes: 47b9012ecdc7 ("shmem: add sealing support to hugetlb-backed memfd") +Signed-off-by: Roberto Sassu +Cc: Marc-Andr Lureau +Cc: Mike Kravetz +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + mm/memfd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/mm/memfd.c b/mm/memfd.c +index 08f5f8304746f..b0104b49bf82c 100644 +--- a/mm/memfd.c ++++ b/mm/memfd.c +@@ -328,7 +328,8 @@ SYSCALL_DEFINE2(memfd_create, + + if (flags & MFD_ALLOW_SEALING) { + file_seals = memfd_file_seals_ptr(file); +- *file_seals &= ~F_SEAL_SEAL; ++ if (file_seals) ++ *file_seals &= ~F_SEAL_SEAL; + } + + fd_install(fd, file); +-- +2.39.2 + diff --git a/queue-6.1/mmc-meson-gx-fix-deferred-probing.patch b/queue-6.1/mmc-meson-gx-fix-deferred-probing.patch new file mode 100644 index 00000000000..172a008a10d --- /dev/null +++ b/queue-6.1/mmc-meson-gx-fix-deferred-probing.patch @@ -0,0 +1,45 @@ +From 3c5ababe94cb2bf78cb092a02aff3667eab7a370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:12 +0300 +Subject: mmc: meson-gx: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit b8ada54fa1b83f3b6480d4cced71354301750153 ] + +The driver overrides the error codes and IRQ0 returned by platform_get_irq() +to -EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the error +codes upstream. Since commit ce753ad1549c ("platform: finally disallow IRQ0 +in platform_get_irq() and its ilk") IRQ0 is no longer returned by those APIs, +so we now can safely ignore it... + +Fixes: cbcaac6d7dd2 ("mmc: meson-gx-mmc: Fix platform_get_irq's error checking") +Cc: stable@vger.kernel.org # v5.19+ +Signed-off-by: Sergey Shtylyov +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230617203622.6812-3-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/meson-gx-mmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/meson-gx-mmc.c b/drivers/mmc/host/meson-gx-mmc.c +index 5fb18be6f8660..0f39f86bd0c26 100644 +--- a/drivers/mmc/host/meson-gx-mmc.c ++++ b/drivers/mmc/host/meson-gx-mmc.c +@@ -1227,8 +1227,8 @@ static int meson_mmc_probe(struct platform_device *pdev) + } + + host->irq = platform_get_irq(pdev, 0); +- if (host->irq <= 0) { +- ret = -EINVAL; ++ if (host->irq < 0) { ++ ret = host->irq; + goto free_host; + } + +-- +2.39.2 + diff --git a/queue-6.1/mmc-mtk-sd-fix-deferred-probing.patch b/queue-6.1/mmc-mtk-sd-fix-deferred-probing.patch new file mode 100644 index 00000000000..bd1b6c4d0fb --- /dev/null +++ b/queue-6.1/mmc-mtk-sd-fix-deferred-probing.patch @@ -0,0 +1,39 @@ +From b3c0e643cca51e74fa4e11f5307f2b2096e0640c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:13 +0300 +Subject: mmc: mtk-sd: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 0c4dc0f054891a2cbde0426b0c0fdf232d89f47f ] + +The driver overrides the error codes returned by platform_get_irq() to +-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-4-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mtk-sd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c +index 26bc59b5a7ccf..425efb3fba048 100644 +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -2658,7 +2658,7 @@ static int msdc_drv_probe(struct platform_device *pdev) + + host->irq = platform_get_irq(pdev, 0); + if (host->irq < 0) { +- ret = -EINVAL; ++ ret = host->irq; + goto host_free; + } + +-- +2.39.2 + diff --git a/queue-6.1/mmc-mvsdio-fix-deferred-probing.patch b/queue-6.1/mmc-mvsdio-fix-deferred-probing.patch new file mode 100644 index 00000000000..f616008653d --- /dev/null +++ b/queue-6.1/mmc-mvsdio-fix-deferred-probing.patch @@ -0,0 +1,39 @@ +From 9682cfa60a6eb912f6ae26458e88a5e7822217cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:14 +0300 +Subject: mmc: mvsdio: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 8d84064da0d4672e74f984e8710f27881137472c ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-5-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mvsdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/mvsdio.c b/drivers/mmc/host/mvsdio.c +index 629efbe639c4f..b4f6a0a2fcb51 100644 +--- a/drivers/mmc/host/mvsdio.c ++++ b/drivers/mmc/host/mvsdio.c +@@ -704,7 +704,7 @@ static int mvsd_probe(struct platform_device *pdev) + } + irq = platform_get_irq(pdev, 0); + if (irq < 0) +- return -ENXIO; ++ return irq; + + mmc = mmc_alloc_host(sizeof(struct mvsd_host), &pdev->dev); + if (!mmc) { +-- +2.39.2 + diff --git a/queue-6.1/mmc-omap-fix-deferred-probing.patch b/queue-6.1/mmc-omap-fix-deferred-probing.patch new file mode 100644 index 00000000000..e1c8d92b1e5 --- /dev/null +++ b/queue-6.1/mmc-omap-fix-deferred-probing.patch @@ -0,0 +1,39 @@ +From 300c960770400d919e115da9c6e2e2245c1fcada Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:15 +0300 +Subject: mmc: omap: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit aedf4ba1ad00aaa94c1b66c73ecaae95e2564b95 ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-6-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/omap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c +index 57d39283924da..cc2213ea324f1 100644 +--- a/drivers/mmc/host/omap.c ++++ b/drivers/mmc/host/omap.c +@@ -1343,7 +1343,7 @@ static int mmc_omap_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) +- return -ENXIO; ++ return irq; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + host->virt_base = devm_ioremap_resource(&pdev->dev, res); +-- +2.39.2 + diff --git a/queue-6.1/mmc-omap_hsmmc-fix-deferred-probing.patch b/queue-6.1/mmc-omap_hsmmc-fix-deferred-probing.patch new file mode 100644 index 00000000000..9eaa83a0182 --- /dev/null +++ b/queue-6.1/mmc-omap_hsmmc-fix-deferred-probing.patch @@ -0,0 +1,44 @@ +From a807855910236b3a848bc30c003dc8b917516bc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:16 +0300 +Subject: mmc: omap_hsmmc: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit fb51b74a57859b707c3e8055ed0c25a7ca4f6a29 ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-7-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/omap_hsmmc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c +index 4bd7447552055..2db3a16e63c48 100644 +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -1791,9 +1791,11 @@ static int omap_hsmmc_probe(struct platform_device *pdev) + } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- irq = platform_get_irq(pdev, 0); +- if (res == NULL || irq < 0) ++ if (!res) + return -ENXIO; ++ irq = platform_get_irq(pdev, 0); ++ if (irq < 0) ++ return irq; + + base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(base)) +-- +2.39.2 + diff --git a/queue-6.1/mmc-owl-fix-deferred-probing.patch b/queue-6.1/mmc-owl-fix-deferred-probing.patch new file mode 100644 index 00000000000..8fe4347449e --- /dev/null +++ b/queue-6.1/mmc-owl-fix-deferred-probing.patch @@ -0,0 +1,39 @@ +From 7cbfbc5a8aad6620e2593e632ea23b042b2b3494 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:17 +0300 +Subject: mmc: owl: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 3c482e1e830d79b9be8afb900a965135c01f7893 ] + +The driver overrides the error codes returned by platform_get_irq() to +-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: ff65ffe46d28 ("mmc: Add Actions Semi Owl SoCs SD/MMC driver") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-8-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/owl-mmc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/owl-mmc.c b/drivers/mmc/host/owl-mmc.c +index 3dc143b039397..679b8b0b310e5 100644 +--- a/drivers/mmc/host/owl-mmc.c ++++ b/drivers/mmc/host/owl-mmc.c +@@ -638,7 +638,7 @@ static int owl_mmc_probe(struct platform_device *pdev) + + owl_host->irq = platform_get_irq(pdev, 0); + if (owl_host->irq < 0) { +- ret = -EINVAL; ++ ret = owl_host->irq; + goto err_release_channel; + } + +-- +2.39.2 + diff --git a/queue-6.1/mmc-sdhci-acpi-fix-deferred-probing.patch b/queue-6.1/mmc-sdhci-acpi-fix-deferred-probing.patch new file mode 100644 index 00000000000..22d86f20f51 --- /dev/null +++ b/queue-6.1/mmc-sdhci-acpi-fix-deferred-probing.patch @@ -0,0 +1,40 @@ +From 7708fd69f539147bd1d5ab9c23485adf6cf26996 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:18 +0300 +Subject: mmc: sdhci-acpi: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit b465dea5e1540c7d7b5211adaf94926980d3014b ] + +The driver overrides the error codes returned by platform_get_irq() to +-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 1b7ba57ecc86 ("mmc: sdhci-acpi: Handle return value of platform_get_irq") +Signed-off-by: Sergey Shtylyov +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20230617203622.6812-9-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-acpi.c b/drivers/mmc/host/sdhci-acpi.c +index 4cca4c90769bc..b917060a258a4 100644 +--- a/drivers/mmc/host/sdhci-acpi.c ++++ b/drivers/mmc/host/sdhci-acpi.c +@@ -829,7 +829,7 @@ static int sdhci_acpi_probe(struct platform_device *pdev) + host->ops = &sdhci_acpi_ops_dflt; + host->irq = platform_get_irq(pdev, 0); + if (host->irq < 0) { +- err = -EINVAL; ++ err = host->irq; + goto err_free; + } + +-- +2.39.2 + diff --git a/queue-6.1/mmc-sh_mmcif-fix-deferred-probing.patch b/queue-6.1/mmc-sh_mmcif-fix-deferred-probing.patch new file mode 100644 index 00000000000..2bab10c081e --- /dev/null +++ b/queue-6.1/mmc-sh_mmcif-fix-deferred-probing.patch @@ -0,0 +1,39 @@ +From eb93f92ef516213b042f55aef456afd56d605aa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:20 +0300 +Subject: mmc: sh_mmcif: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 5b067d7f855c61df7f8e2e8ccbcee133c282415e ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-11-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sh_mmcif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c +index 0fd4c9d644dd5..5cf53348372a4 100644 +--- a/drivers/mmc/host/sh_mmcif.c ++++ b/drivers/mmc/host/sh_mmcif.c +@@ -1400,7 +1400,7 @@ static int sh_mmcif_probe(struct platform_device *pdev) + irq[0] = platform_get_irq(pdev, 0); + irq[1] = platform_get_irq_optional(pdev, 1); + if (irq[0] < 0) +- return -ENXIO; ++ return irq[0]; + + reg = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(reg)) +-- +2.39.2 + diff --git a/queue-6.1/mmc-usdhi60rol0-fix-deferred-probing.patch b/queue-6.1/mmc-usdhi60rol0-fix-deferred-probing.patch new file mode 100644 index 00000000000..6d3be630121 --- /dev/null +++ b/queue-6.1/mmc-usdhi60rol0-fix-deferred-probing.patch @@ -0,0 +1,43 @@ +From 4c4d8cc3fa7d83b4b21a89e7cbd3317b3b3b1064 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:22 +0300 +Subject: mmc: usdhi60rol0: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 413db499730248431c1005b392e8ed82c4fa19bf ] + +The driver overrides the error codes returned by platform_get_irq_byname() +to -ENODEV, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating error +codes upstream. + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-13-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/usdhi6rol0.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c +index 99515be6e5e57..2032e4e1ee68b 100644 +--- a/drivers/mmc/host/usdhi6rol0.c ++++ b/drivers/mmc/host/usdhi6rol0.c +@@ -1757,8 +1757,10 @@ static int usdhi6_probe(struct platform_device *pdev) + irq_cd = platform_get_irq_byname(pdev, "card detect"); + irq_sd = platform_get_irq_byname(pdev, "data"); + irq_sdio = platform_get_irq_byname(pdev, "SDIO"); +- if (irq_sd < 0 || irq_sdio < 0) +- return -ENODEV; ++ if (irq_sd < 0) ++ return irq_sd; ++ if (irq_sdio < 0) ++ return irq_sdio; + + mmc = mmc_alloc_host(sizeof(struct usdhi6_host), dev); + if (!mmc) +-- +2.39.2 + diff --git a/queue-6.1/net-dsa-mt7530-fix-handling-of-bpdus-on-mt7530-switc.patch b/queue-6.1/net-dsa-mt7530-fix-handling-of-bpdus-on-mt7530-switc.patch new file mode 100644 index 00000000000..6201c612272 --- /dev/null +++ b/queue-6.1/net-dsa-mt7530-fix-handling-of-bpdus-on-mt7530-switc.patch @@ -0,0 +1,71 @@ +From 795428f5a724d0792f1b5de222f98397596aa32f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 09:26:46 +0300 +Subject: net: dsa: mt7530: fix handling of BPDUs on MT7530 switch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arınç ÜNAL + +[ Upstream commit d7c66073559386b836bded7cdc8b66ee5c049129 ] + +BPDUs are link-local frames, therefore they must be trapped to the CPU +port. Currently, the MT7530 switch treats BPDUs as regular multicast +frames, therefore flooding them to user ports. To fix this, set BPDUs to be +trapped to the CPU port. Group this on mt7530_setup() and +mt7531_setup_common() into mt753x_trap_frames() and call that. + +Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch") +Signed-off-by: Arınç ÜNAL +Reviewed-by: Vladimir Oltean +Reviewed-by: Russell King (Oracle) +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mt7530.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index 886dc7d3d85d3..ec43edcaa7d9f 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -998,6 +998,14 @@ static void mt7530_setup_port5(struct dsa_switch *ds, phy_interface_t interface) + mutex_unlock(&priv->reg_mutex); + } + ++static void ++mt753x_trap_frames(struct mt7530_priv *priv) ++{ ++ /* Trap BPDUs to the CPU port(s) */ ++ mt7530_rmw(priv, MT753X_BPC, MT753X_BPDU_PORT_FW_MASK, ++ MT753X_BPDU_CPU_ONLY); ++} ++ + static int + mt753x_cpu_port_enable(struct dsa_switch *ds, int port) + { +@@ -2219,6 +2227,8 @@ mt7530_setup(struct dsa_switch *ds) + + priv->p6_interface = PHY_INTERFACE_MODE_NA; + ++ mt753x_trap_frames(priv); ++ + /* Enable and reset MIB counters */ + mt7530_mib_reset(ds); + +@@ -2325,8 +2335,8 @@ mt7531_setup_common(struct dsa_switch *ds) + BIT(cpu_dp->index)); + break; + } +- mt7530_rmw(priv, MT753X_BPC, MT753X_BPDU_PORT_FW_MASK, +- MT753X_BPDU_CPU_ONLY); ++ ++ mt753x_trap_frames(priv); + + /* Enable and reset MIB counters */ + mt7530_mib_reset(ds); +-- +2.39.2 + diff --git a/queue-6.1/net-dsa-mt7530-fix-handling-of-lldp-frames.patch b/queue-6.1/net-dsa-mt7530-fix-handling-of-lldp-frames.patch new file mode 100644 index 00000000000..1ef0ba9b4a4 --- /dev/null +++ b/queue-6.1/net-dsa-mt7530-fix-handling-of-lldp-frames.patch @@ -0,0 +1,63 @@ +From a28a6e0db6eb71a55b2172da42caab72289aebe7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 09:26:47 +0300 +Subject: net: dsa: mt7530: fix handling of LLDP frames +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arınç ÜNAL + +[ Upstream commit 8332cf6fd7c7087dbc2067115b33979c9851bbc4 ] + +LLDP frames are link-local frames, therefore they must be trapped to the +CPU port. Currently, the MT753X switches treat LLDP frames as regular +multicast frames, therefore flooding them to user ports. To fix this, set +LLDP frames to be trapped to the CPU port(s). + +Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch") +Signed-off-by: Arınç ÜNAL +Reviewed-by: Vladimir Oltean +Reviewed-by: Russell King (Oracle) +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mt7530.c | 4 ++++ + drivers/net/dsa/mt7530.h | 5 +++++ + 2 files changed, 9 insertions(+) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index ec43edcaa7d9f..51d2ef0dc835c 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -1004,6 +1004,10 @@ mt753x_trap_frames(struct mt7530_priv *priv) + /* Trap BPDUs to the CPU port(s) */ + mt7530_rmw(priv, MT753X_BPC, MT753X_BPDU_PORT_FW_MASK, + MT753X_BPDU_CPU_ONLY); ++ ++ /* Trap LLDP frames with :0E MAC DA to the CPU port(s) */ ++ mt7530_rmw(priv, MT753X_RGAC2, MT753X_R0E_PORT_FW_MASK, ++ MT753X_R0E_PORT_FW(MT753X_BPDU_CPU_ONLY)); + } + + static int +diff --git a/drivers/net/dsa/mt7530.h b/drivers/net/dsa/mt7530.h +index e8d9664353504..9a45663d8b4ef 100644 +--- a/drivers/net/dsa/mt7530.h ++++ b/drivers/net/dsa/mt7530.h +@@ -65,6 +65,11 @@ enum mt753x_id { + #define MT753X_BPC 0x24 + #define MT753X_BPDU_PORT_FW_MASK GENMASK(2, 0) + ++/* Register for :03 and :0E MAC DA frame control */ ++#define MT753X_RGAC2 0x2c ++#define MT753X_R0E_PORT_FW_MASK GENMASK(18, 16) ++#define MT753X_R0E_PORT_FW(x) FIELD_PREP(MT753X_R0E_PORT_FW_MASK, x) ++ + enum mt753x_bpdu_port_fw { + MT753X_BPDU_FOLLOW_MFC, + MT753X_BPDU_CPU_EXCLUDE = 4, +-- +2.39.2 + diff --git a/queue-6.1/net-dsa-mt7530-fix-trapping-frames-on-non-mt7621-soc.patch b/queue-6.1/net-dsa-mt7530-fix-trapping-frames-on-non-mt7621-soc.patch new file mode 100644 index 00000000000..10358c567ec --- /dev/null +++ b/queue-6.1/net-dsa-mt7530-fix-trapping-frames-on-non-mt7621-soc.patch @@ -0,0 +1,44 @@ +From 632c1a6a5718c1a23396297100ce8c46915999b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 09:26:45 +0300 +Subject: net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arınç ÜNAL + +[ Upstream commit 4ae90f90e4909e3014e2dc6a0627964617a7b824 ] + +All MT7530 switch IP variants share the MT7530_MFC register, but the +current driver only writes it for the switch variant that is integrated in +the MT7621 SoC. Modify the code to include all MT7530 derivatives. + +Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch") +Suggested-by: Vladimir Oltean +Signed-off-by: Arınç ÜNAL +Reviewed-by: Vladimir Oltean +Reviewed-by: Russell King (Oracle) +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mt7530.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index 855220c5ce339..886dc7d3d85d3 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -1020,7 +1020,7 @@ mt753x_cpu_port_enable(struct dsa_switch *ds, int port) + UNU_FFP(BIT(port))); + + /* Set CPU port number */ +- if (priv->id == ID_MT7621) ++ if (priv->id == ID_MT7530 || priv->id == ID_MT7621) + mt7530_rmw(priv, MT7530_MFC, CPU_MASK, CPU_EN | CPU_PORT(port)); + + /* CPU port gets connected to all user ports of +-- +2.39.2 + diff --git a/queue-6.1/net-mlx5-dr-fix-wrong-action-data-allocation-in-deca.patch b/queue-6.1/net-mlx5-dr-fix-wrong-action-data-allocation-in-deca.patch new file mode 100644 index 00000000000..58c00a30f21 --- /dev/null +++ b/queue-6.1/net-mlx5-dr-fix-wrong-action-data-allocation-in-deca.patch @@ -0,0 +1,70 @@ +From 6144e12d5aaf7b157cdcf000a5a2ceb53227bfc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 21:07:04 +0300 +Subject: net/mlx5: DR, Fix wrong action data allocation in decap action + +From: Yevgeny Kliteynik + +[ Upstream commit ef4c5afc783dc3d47640270a9b94713229c697e8 ] + +When TUNNEL_L3_TO_L2 decap action was created, a pointer to a local +variable was passed as its HW action data, resulting in attempt to +free invalid address: + + BUG: KASAN: invalid-free in mlx5dr_action_destroy+0x318/0x410 [mlx5_core] + +Fixes: 4781df92f4da ("net/mlx5: DR, Move STEv0 modify header logic") +Signed-off-by: Yevgeny Kliteynik +Reviewed-by: Alex Vesker +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/steering/dr_action.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +index b1dfad274a39e..a3e7602b044e5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +@@ -1200,9 +1200,13 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn, + } + case DR_ACTION_TYP_TNL_L3_TO_L2: + { +- u8 hw_actions[ACTION_CACHE_LINE_SIZE] = {}; ++ u8 *hw_actions; + int ret; + ++ hw_actions = kzalloc(ACTION_CACHE_LINE_SIZE, GFP_KERNEL); ++ if (!hw_actions) ++ return -ENOMEM; ++ + ret = mlx5dr_ste_set_action_decap_l3_list(dmn->ste_ctx, + data, data_sz, + hw_actions, +@@ -1210,6 +1214,7 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn, + &action->rewrite->num_of_actions); + if (ret) { + mlx5dr_dbg(dmn, "Failed creating decap l3 action list\n"); ++ kfree(hw_actions); + return ret; + } + +@@ -1217,6 +1222,7 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn, + DR_CHUNK_SIZE_8); + if (!action->rewrite->chunk) { + mlx5dr_dbg(dmn, "Failed allocating modify header chunk\n"); ++ kfree(hw_actions); + return -ENOMEM; + } + +@@ -1230,6 +1236,7 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn, + if (ret) { + mlx5dr_dbg(dmn, "Writing decap l3 actions to ICM failed\n"); + mlx5dr_icm_free_chunk(action->rewrite->chunk); ++ kfree(hw_actions); + return ret; + } + return 0; +-- +2.39.2 + diff --git a/queue-6.1/net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch b/queue-6.1/net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch new file mode 100644 index 00000000000..adb46cd9b0d --- /dev/null +++ b/queue-6.1/net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch @@ -0,0 +1,40 @@ +From 12e4f3414b18dd7053a69429f082178e2fb7b060 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 23:06:56 +0200 +Subject: net: qca_spi: Avoid high load if QCA7000 is not available + +From: Stefan Wahren + +[ Upstream commit 92717c2356cb62c89e8a3dc37cbbab2502562524 ] + +In case the QCA7000 is not available via SPI (e.g. in reset), +the driver will cause a high load. The reason for this is +that the synchronization is never finished and schedule() +is never called. Since the synchronization is not timing +critical, it's safe to drop this from the scheduling condition. + +Signed-off-by: Stefan Wahren +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index c865a4be05eec..4a1b94e5a8ea9 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -582,8 +582,7 @@ qcaspi_spi_thread(void *data) + while (!kthread_should_stop()) { + set_current_state(TASK_INTERRUPTIBLE); + if ((qca->intr_req == qca->intr_svc) && +- (qca->txr.skb[qca->txr.head] == NULL) && +- (qca->sync == QCASPI_SYNC_READY)) ++ !qca->txr.skb[qca->txr.head]) + schedule(); + + set_current_state(TASK_RUNNING); +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-add-nft_trans_prepare_error-to-d.patch b/queue-6.1/netfilter-nf_tables-add-nft_trans_prepare_error-to-d.patch new file mode 100644 index 00000000000..f6ffb27b466 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-add-nft_trans_prepare_error-to-d.patch @@ -0,0 +1,177 @@ +From 5bdd3bb1525ba32a01cc656b63804c77aedfbcc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 14:45:26 +0200 +Subject: netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound + set/chain + +From: Pablo Neira Ayuso + +[ Upstream commit 26b5a5712eb85e253724e56a54c17f8519bd8e4e ] + +Add a new state to deal with rule expressions deactivation from the +newrule error path, otherwise the anonymous set remains in the list in +inactive state for the next generation. Mark the set/chain transaction +as unbound so the abort path releases this object, set it as inactive in +the next generation so it is not reachable anymore from this transaction +and reference counter is dropped. + +Fixes: 1240eb93f061 ("netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 2 ++ + net/netfilter/nf_tables_api.c | 45 ++++++++++++++++++++++++++----- + net/netfilter/nft_immediate.c | 3 +++ + 3 files changed, 43 insertions(+), 7 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index c13a84c0b4965..984f7d3087735 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -895,6 +895,7 @@ struct nft_expr_type { + + enum nft_trans_phase { + NFT_TRANS_PREPARE, ++ NFT_TRANS_PREPARE_ERROR, + NFT_TRANS_ABORT, + NFT_TRANS_COMMIT, + NFT_TRANS_RELEASE +@@ -1089,6 +1090,7 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_elem *elem); + int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set); + int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain); ++void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain); + + enum nft_chain_types { + NFT_CHAIN_T_DEFAULT = 0, +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 8f8e315691dde..72bb2b3977480 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -171,7 +171,8 @@ static void nft_trans_destroy(struct nft_trans *trans) + kfree(trans); + } + +-static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) ++static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, ++ bool bind) + { + struct nftables_pernet *nft_net; + struct net *net = ctx->net; +@@ -185,17 +186,28 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) + switch (trans->msg_type) { + case NFT_MSG_NEWSET: + if (nft_trans_set(trans) == set) +- nft_trans_set_bound(trans) = true; ++ nft_trans_set_bound(trans) = bind; + break; + case NFT_MSG_NEWSETELEM: + if (nft_trans_elem_set(trans) == set) +- nft_trans_elem_set_bound(trans) = true; ++ nft_trans_elem_set_bound(trans) = bind; + break; + } + } + } + +-static void nft_chain_trans_bind(const struct nft_ctx *ctx, struct nft_chain *chain) ++static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ return __nft_set_trans_bind(ctx, set, true); ++} ++ ++static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ return __nft_set_trans_bind(ctx, set, false); ++} ++ ++static void __nft_chain_trans_bind(const struct nft_ctx *ctx, ++ struct nft_chain *chain, bool bind) + { + struct nftables_pernet *nft_net; + struct net *net = ctx->net; +@@ -209,16 +221,22 @@ static void nft_chain_trans_bind(const struct nft_ctx *ctx, struct nft_chain *ch + switch (trans->msg_type) { + case NFT_MSG_NEWCHAIN: + if (nft_trans_chain(trans) == chain) +- nft_trans_chain_bound(trans) = true; ++ nft_trans_chain_bound(trans) = bind; + break; + case NFT_MSG_NEWRULE: + if (trans->ctx.chain == chain) +- nft_trans_rule_bound(trans) = true; ++ nft_trans_rule_bound(trans) = bind; + break; + } + } + } + ++static void nft_chain_trans_bind(const struct nft_ctx *ctx, ++ struct nft_chain *chain) ++{ ++ __nft_chain_trans_bind(ctx, chain, true); ++} ++ + int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) + { + if (!nft_chain_binding(chain)) +@@ -237,6 +255,11 @@ int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) + return 0; + } + ++void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) ++{ ++ __nft_chain_trans_bind(ctx, chain, false); ++} ++ + static int nft_netdev_register_hooks(struct net *net, + struct list_head *hook_list) + { +@@ -3709,7 +3732,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + if (flow) + nft_flow_rule_destroy(flow); + err_release_rule: +- nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); ++ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR); + nf_tables_rule_destroy(&ctx, rule); + err_release_expr: + for (i = 0; i < n; i++) { +@@ -4990,6 +5013,13 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, + enum nft_trans_phase phase) + { + switch (phase) { ++ case NFT_TRANS_PREPARE_ERROR: ++ nft_set_trans_unbind(ctx, set); ++ if (nft_set_is_anonymous(set)) ++ nft_deactivate_next(ctx->net, set); ++ ++ set->use--; ++ break; + case NFT_TRANS_PREPARE: + if (nft_set_is_anonymous(set)) + nft_deactivate_next(ctx->net, set); +@@ -7494,6 +7524,7 @@ void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, + enum nft_trans_phase phase) + { + switch (phase) { ++ case NFT_TRANS_PREPARE_ERROR: + case NFT_TRANS_PREPARE: + case NFT_TRANS_ABORT: + case NFT_TRANS_RELEASE: +diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c +index 457fc1e218410..900e75e8c3465 100644 +--- a/net/netfilter/nft_immediate.c ++++ b/net/netfilter/nft_immediate.c +@@ -150,6 +150,9 @@ static void nft_immediate_deactivate(const struct nft_ctx *ctx, + nft_rule_expr_deactivate(&chain_ctx, rule, phase); + + switch (phase) { ++ case NFT_TRANS_PREPARE_ERROR: ++ nf_tables_unbind_chain(ctx, chain); ++ fallthrough; + case NFT_TRANS_PREPARE: + nft_deactivate_next(ctx->net, chain); + break; +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-disallow-element-updates-of-boun.patch b/queue-6.1/netfilter-nf_tables-disallow-element-updates-of-boun.patch new file mode 100644 index 00000000000..88bed2b5c29 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-disallow-element-updates-of-boun.patch @@ -0,0 +1,49 @@ +From 6de2410ae5d9862f640c007839d0c5e4f54454a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 15:20:16 +0200 +Subject: netfilter: nf_tables: disallow element updates of bound anonymous + sets + +From: Pablo Neira Ayuso + +[ Upstream commit c88c535b592d3baeee74009f3eceeeaf0fdd5e1b ] + +Anonymous sets come with NFT_SET_CONSTANT from userspace. Although API +allows to create anonymous sets without NFT_SET_CONSTANT, it makes no +sense to allow to add and to delete elements for bound anonymous sets. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 337bab663540a..2cd83d09f4192 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6590,7 +6590,8 @@ static int nf_tables_newsetelem(struct sk_buff *skb, + if (IS_ERR(set)) + return PTR_ERR(set); + +- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) ++ if (!list_empty(&set->bindings) && ++ (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) + return -EBUSY; + + nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); +@@ -6864,7 +6865,9 @@ static int nf_tables_delsetelem(struct sk_buff *skb, + set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); + if (IS_ERR(set)) + return PTR_ERR(set); +- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) ++ ++ if (!list_empty(&set->bindings) && ++ (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) + return -EBUSY; + + nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-disallow-updates-of-anonymous-se.patch b/queue-6.1/netfilter-nf_tables-disallow-updates-of-anonymous-se.patch new file mode 100644 index 00000000000..986c60ec467 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-disallow-updates-of-anonymous-se.patch @@ -0,0 +1,36 @@ +From fbb3f4e93cf7d776976b7d2bc7491f0178d02701 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 15:22:01 +0200 +Subject: netfilter: nf_tables: disallow updates of anonymous sets + +From: Pablo Neira Ayuso + +[ Upstream commit b770283c98e0eee9133c47bc03b6cc625dc94723 ] + +Disallow updates of set timeout and garbage collection parameters for +anonymous sets. + +Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 984720964a498..7f71bdbc82672 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4774,6 +4774,9 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, + if (info->nlh->nlmsg_flags & NLM_F_REPLACE) + return -EOPNOTSUPP; + ++ if (nft_set_is_anonymous(set)) ++ return -EOPNOTSUPP; ++ + err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags); + if (err < 0) + return err; +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-drop-map-element-references-from.patch b/queue-6.1/netfilter-nf_tables-drop-map-element-references-from.patch new file mode 100644 index 00000000000..e21919d036e --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-drop-map-element-references-from.patch @@ -0,0 +1,468 @@ +From a81853f7cd81790ba3be1f39db126a6ad72aa893 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 14:51:49 +0200 +Subject: netfilter: nf_tables: drop map element references from preparation + phase + +From: Pablo Neira Ayuso + +[ Upstream commit 628bd3e49cba1c066228e23d71a852c23e26da73 ] + +set .destroy callback releases the references to other objects in maps. +This is very late and it results in spurious EBUSY errors. Drop refcount +from the preparation phase instead, update set backend not to drop +reference counter from set .destroy path. + +Exceptions: NFT_TRANS_PREPARE_ERROR does not require to drop the +reference counter because the transaction abort path releases the map +references for each element since the set is unbound. The abort path +also deals with releasing reference counter for new elements added to +unbound sets. + +Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 5 +- + net/netfilter/nf_tables_api.c | 147 ++++++++++++++++++++++++++---- + net/netfilter/nft_set_bitmap.c | 5 +- + net/netfilter/nft_set_hash.c | 23 ++++- + net/netfilter/nft_set_pipapo.c | 14 ++- + net/netfilter/nft_set_rbtree.c | 5 +- + 6 files changed, 167 insertions(+), 32 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 984f7d3087735..bbcd558f19344 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -467,7 +467,8 @@ struct nft_set_ops { + int (*init)(const struct nft_set *set, + const struct nft_set_desc *desc, + const struct nlattr * const nla[]); +- void (*destroy)(const struct nft_set *set); ++ void (*destroy)(const struct nft_ctx *ctx, ++ const struct nft_set *set); + void (*gc_init)(const struct nft_set *set); + + unsigned int elemsize; +@@ -804,6 +805,8 @@ int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_expr *expr_array[]); + void nft_set_elem_destroy(const struct nft_set *set, void *elem, + bool destroy_expr); ++void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set, void *elem); + + /** + * struct nft_set_gc_batch_head - nf_tables set garbage collection batch +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 72bb2b3977480..337bab663540a 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -561,6 +561,58 @@ static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, + return __nft_trans_set_add(ctx, msg_type, set, NULL); + } + ++static void nft_setelem_data_deactivate(const struct net *net, ++ const struct nft_set *set, ++ struct nft_set_elem *elem); ++ ++static int nft_mapelem_deactivate(const struct nft_ctx *ctx, ++ struct nft_set *set, ++ const struct nft_set_iter *iter, ++ struct nft_set_elem *elem) ++{ ++ nft_setelem_data_deactivate(ctx->net, set, elem); ++ ++ return 0; ++} ++ ++struct nft_set_elem_catchall { ++ struct list_head list; ++ struct rcu_head rcu; ++ void *elem; ++}; ++ ++static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, ++ struct nft_set *set) ++{ ++ u8 genmask = nft_genmask_next(ctx->net); ++ struct nft_set_elem_catchall *catchall; ++ struct nft_set_elem elem; ++ struct nft_set_ext *ext; ++ ++ list_for_each_entry(catchall, &set->catchall_list, list) { ++ ext = nft_set_elem_ext(set, catchall->elem); ++ if (!nft_set_elem_active(ext, genmask)) ++ continue; ++ ++ elem.priv = catchall->elem; ++ nft_setelem_data_deactivate(ctx->net, set, &elem); ++ break; ++ } ++} ++ ++static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ struct nft_set_iter iter = { ++ .genmask = nft_genmask_next(ctx->net), ++ .fn = nft_mapelem_deactivate, ++ }; ++ ++ set->ops->walk(ctx, set, &iter); ++ WARN_ON_ONCE(iter.err); ++ ++ nft_map_catchall_deactivate(ctx, set); ++} ++ + static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) + { + int err; +@@ -569,6 +621,9 @@ static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) + if (err < 0) + return err; + ++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_deactivate(ctx, set); ++ + nft_deactivate_next(ctx->net, set); + ctx->table->use--; + +@@ -3484,12 +3539,6 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, + return 0; + } + +-struct nft_set_elem_catchall { +- struct list_head list; +- struct rcu_head rcu; +- void *elem; +-}; +- + int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) + { + u8 genmask = nft_genmask_next(ctx->net); +@@ -4808,7 +4857,7 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, + for (i = 0; i < set->num_exprs; i++) + nft_expr_destroy(&ctx, set->exprs[i]); + err_set_destroy: +- ops->destroy(set); ++ ops->destroy(&ctx, set); + err_set_init: + kfree(set->name); + err_set_name: +@@ -4823,7 +4872,7 @@ static void nft_set_catchall_destroy(const struct nft_ctx *ctx, + + list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { + list_del_rcu(&catchall->list); +- nft_set_elem_destroy(set, catchall->elem, true); ++ nf_tables_set_elem_destroy(ctx, set, catchall->elem); + kfree_rcu(catchall, rcu); + } + } +@@ -4838,7 +4887,7 @@ static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) + for (i = 0; i < set->num_exprs; i++) + nft_expr_destroy(ctx, set->exprs[i]); + +- set->ops->destroy(set); ++ set->ops->destroy(ctx, set); + nft_set_catchall_destroy(ctx, set); + kfree(set->name); + kvfree(set); +@@ -4999,10 +5048,60 @@ static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, + } + } + ++static void nft_setelem_data_activate(const struct net *net, ++ const struct nft_set *set, ++ struct nft_set_elem *elem); ++ ++static int nft_mapelem_activate(const struct nft_ctx *ctx, ++ struct nft_set *set, ++ const struct nft_set_iter *iter, ++ struct nft_set_elem *elem) ++{ ++ nft_setelem_data_activate(ctx->net, set, elem); ++ ++ return 0; ++} ++ ++static void nft_map_catchall_activate(const struct nft_ctx *ctx, ++ struct nft_set *set) ++{ ++ u8 genmask = nft_genmask_next(ctx->net); ++ struct nft_set_elem_catchall *catchall; ++ struct nft_set_elem elem; ++ struct nft_set_ext *ext; ++ ++ list_for_each_entry(catchall, &set->catchall_list, list) { ++ ext = nft_set_elem_ext(set, catchall->elem); ++ if (!nft_set_elem_active(ext, genmask)) ++ continue; ++ ++ elem.priv = catchall->elem; ++ nft_setelem_data_activate(ctx->net, set, &elem); ++ break; ++ } ++} ++ ++static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ struct nft_set_iter iter = { ++ .genmask = nft_genmask_next(ctx->net), ++ .fn = nft_mapelem_activate, ++ }; ++ ++ set->ops->walk(ctx, set, &iter); ++ WARN_ON_ONCE(iter.err); ++ ++ nft_map_catchall_activate(ctx, set); ++} ++ + void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) + { +- if (nft_set_is_anonymous(set)) ++ if (nft_set_is_anonymous(set)) { ++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_activate(ctx, set); ++ + nft_clear(ctx->net, set); ++ } + + set->use++; + } +@@ -5021,13 +5120,20 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, + set->use--; + break; + case NFT_TRANS_PREPARE: +- if (nft_set_is_anonymous(set)) +- nft_deactivate_next(ctx->net, set); ++ if (nft_set_is_anonymous(set)) { ++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_deactivate(ctx, set); + ++ nft_deactivate_next(ctx->net, set); ++ } + set->use--; + return; + case NFT_TRANS_ABORT: + case NFT_TRANS_RELEASE: ++ if (nft_set_is_anonymous(set) && ++ set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_deactivate(ctx, set); ++ + set->use--; + fallthrough; + default: +@@ -5780,6 +5886,7 @@ static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, + __nft_set_elem_expr_destroy(ctx, expr); + } + ++/* Drop references and destroy. Called from gc, dynset and abort path. */ + void nft_set_elem_destroy(const struct nft_set *set, void *elem, + bool destroy_expr) + { +@@ -5801,11 +5908,11 @@ void nft_set_elem_destroy(const struct nft_set *set, void *elem, + } + EXPORT_SYMBOL_GPL(nft_set_elem_destroy); + +-/* Only called from commit path, nft_setelem_data_deactivate() already deals +- * with the refcounting from the preparation phase. ++/* Destroy element. References have been already dropped in the preparation ++ * path via nft_setelem_data_deactivate(). + */ +-static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, +- const struct nft_set *set, void *elem) ++void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set, void *elem) + { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + +@@ -6438,7 +6545,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + if (obj) + obj->use--; + err_elem_userdata: +- nf_tables_set_elem_destroy(ctx, set, elem.priv); ++ nft_set_elem_destroy(set, elem.priv, true); + err_parse_data: + if (nla[NFTA_SET_ELEM_DATA] != NULL) + nft_data_release(&elem.data.val, desc.type); +@@ -9482,6 +9589,9 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + case NFT_MSG_DELSET: + trans->ctx.table->use++; + nft_clear(trans->ctx.net, nft_trans_set(trans)); ++ if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_activate(&trans->ctx, nft_trans_set(trans)); ++ + nft_trans_destroy(trans); + break; + case NFT_MSG_NEWSETELEM: +@@ -10248,6 +10358,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table) + list_for_each_entry_safe(set, ns, &table->sets, list) { + list_del(&set->list); + table->use--; ++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_deactivate(&ctx, set); ++ + nft_set_destroy(&ctx, set); + } + list_for_each_entry_safe(obj, ne, &table->objects, list) { +diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c +index 96081ac8d2b4c..1e5e7a181e0bc 100644 +--- a/net/netfilter/nft_set_bitmap.c ++++ b/net/netfilter/nft_set_bitmap.c +@@ -271,13 +271,14 @@ static int nft_bitmap_init(const struct nft_set *set, + return 0; + } + +-static void nft_bitmap_destroy(const struct nft_set *set) ++static void nft_bitmap_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set) + { + struct nft_bitmap *priv = nft_set_priv(set); + struct nft_bitmap_elem *be, *n; + + list_for_each_entry_safe(be, n, &priv->list, head) +- nft_set_elem_destroy(set, be, true); ++ nf_tables_set_elem_destroy(ctx, set, be); + } + + static bool nft_bitmap_estimate(const struct nft_set_desc *desc, u32 features, +diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c +index 76de6c8d98655..0b73cb0e752f7 100644 +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -400,19 +400,31 @@ static int nft_rhash_init(const struct nft_set *set, + return 0; + } + ++struct nft_rhash_ctx { ++ const struct nft_ctx ctx; ++ const struct nft_set *set; ++}; ++ + static void nft_rhash_elem_destroy(void *ptr, void *arg) + { +- nft_set_elem_destroy(arg, ptr, true); ++ struct nft_rhash_ctx *rhash_ctx = arg; ++ ++ nf_tables_set_elem_destroy(&rhash_ctx->ctx, rhash_ctx->set, ptr); + } + +-static void nft_rhash_destroy(const struct nft_set *set) ++static void nft_rhash_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set) + { + struct nft_rhash *priv = nft_set_priv(set); ++ struct nft_rhash_ctx rhash_ctx = { ++ .ctx = *ctx, ++ .set = set, ++ }; + + cancel_delayed_work_sync(&priv->gc_work); + rcu_barrier(); + rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy, +- (void *)set); ++ (void *)&rhash_ctx); + } + + /* Number of buckets is stored in u32, so cap our result to 1U<<31 */ +@@ -643,7 +655,8 @@ static int nft_hash_init(const struct nft_set *set, + return 0; + } + +-static void nft_hash_destroy(const struct nft_set *set) ++static void nft_hash_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set) + { + struct nft_hash *priv = nft_set_priv(set); + struct nft_hash_elem *he; +@@ -653,7 +666,7 @@ static void nft_hash_destroy(const struct nft_set *set) + for (i = 0; i < priv->buckets; i++) { + hlist_for_each_entry_safe(he, next, &priv->table[i], node) { + hlist_del_rcu(&he->node); +- nft_set_elem_destroy(set, he, true); ++ nf_tables_set_elem_destroy(ctx, set, he); + } + } + } +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 15e451dc3fc46..c867b5b772e86 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -2148,10 +2148,12 @@ static int nft_pipapo_init(const struct nft_set *set, + + /** + * nft_set_pipapo_match_destroy() - Destroy elements from key mapping array ++ * @ctx: context + * @set: nftables API set representation + * @m: matching data pointing to key mapping array + */ +-static void nft_set_pipapo_match_destroy(const struct nft_set *set, ++static void nft_set_pipapo_match_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set, + struct nft_pipapo_match *m) + { + struct nft_pipapo_field *f; +@@ -2168,15 +2170,17 @@ static void nft_set_pipapo_match_destroy(const struct nft_set *set, + + e = f->mt[r].e; + +- nft_set_elem_destroy(set, e, true); ++ nf_tables_set_elem_destroy(ctx, set, e); + } + } + + /** + * nft_pipapo_destroy() - Free private data for set and all committed elements ++ * @ctx: context + * @set: nftables API set representation + */ +-static void nft_pipapo_destroy(const struct nft_set *set) ++static void nft_pipapo_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set) + { + struct nft_pipapo *priv = nft_set_priv(set); + struct nft_pipapo_match *m; +@@ -2186,7 +2190,7 @@ static void nft_pipapo_destroy(const struct nft_set *set) + if (m) { + rcu_barrier(); + +- nft_set_pipapo_match_destroy(set, m); ++ nft_set_pipapo_match_destroy(ctx, set, m); + + #ifdef NFT_PIPAPO_ALIGN + free_percpu(m->scratch_aligned); +@@ -2203,7 +2207,7 @@ static void nft_pipapo_destroy(const struct nft_set *set) + m = priv->clone; + + if (priv->dirty) +- nft_set_pipapo_match_destroy(set, m); ++ nft_set_pipapo_match_destroy(ctx, set, m); + + #ifdef NFT_PIPAPO_ALIGN + free_percpu(priv->clone->scratch_aligned); +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 2f114aa10f1a7..5c05c9b990fba 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -664,7 +664,8 @@ static int nft_rbtree_init(const struct nft_set *set, + return 0; + } + +-static void nft_rbtree_destroy(const struct nft_set *set) ++static void nft_rbtree_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set) + { + struct nft_rbtree *priv = nft_set_priv(set); + struct nft_rbtree_elem *rbe; +@@ -675,7 +676,7 @@ static void nft_rbtree_destroy(const struct nft_set *set) + while ((node = priv->root.rb_node) != NULL) { + rb_erase(node, &priv->root); + rbe = rb_entry(node, struct nft_rbtree_elem, node); +- nft_set_elem_destroy(set, rbe, true); ++ nf_tables_set_elem_destroy(ctx, set, rbe); + } + } + +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-fix-chain-binding-transaction-lo.patch b/queue-6.1/netfilter-nf_tables-fix-chain-binding-transaction-lo.patch new file mode 100644 index 00000000000..0db73886e52 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-fix-chain-binding-transaction-lo.patch @@ -0,0 +1,438 @@ +From 3c2ed1034dac36b7de5d9d528edc8d2417105269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 14:45:22 +0200 +Subject: netfilter: nf_tables: fix chain binding transaction logic + +From: Pablo Neira Ayuso + +[ Upstream commit 4bedf9eee016286c835e3d8fa981ddece5338795 ] + +Add bound flag to rule and chain transactions as in 6a0a8d10a366 +("netfilter: nf_tables: use-after-free in failing rule with bound set") +to skip them in case that the chain is already bound from the abort +path. + +This patch fixes an imbalance in the chain use refcnt that triggers a +WARN_ON on the table and chain destroy path. + +This patch also disallows nested chain bindings, which is not +supported from userspace. + +The logic to deal with chain binding in nft_data_hold() and +nft_data_release() is not correct. The NFT_TRANS_PREPARE state needs a +special handling in case a chain is bound but next expressions in the +same rule fail to initialize as described by 1240eb93f061 ("netfilter: +nf_tables: incorrect error path handling with NFT_MSG_NEWRULE"). + +The chain is left bound if rule construction fails, so the objects +stored in this chain (and the chain itself) are released by the +transaction records from the abort path, follow up patch ("netfilter: +nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") +completes this error handling. + +When deleting an existing rule, chain bound flag is set off so the +rule expression .destroy path releases the objects. + +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 21 +++++++- + net/netfilter/nf_tables_api.c | 86 +++++++++++++++++++----------- + net/netfilter/nft_immediate.c | 87 +++++++++++++++++++++++++++---- + 3 files changed, 153 insertions(+), 41 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 22e96b7e1b44a..c13a84c0b4965 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1002,7 +1002,10 @@ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule) + return (void *)&rule->data[rule->dlen]; + } + +-void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule); ++void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule); ++void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule, ++ enum nft_trans_phase phase); ++void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule); + + static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext, + struct nft_regs *regs, +@@ -1085,6 +1088,7 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, + const struct nft_set_iter *iter, + struct nft_set_elem *elem); + int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set); ++int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain); + + enum nft_chain_types { + NFT_CHAIN_T_DEFAULT = 0, +@@ -1121,11 +1125,17 @@ int nft_chain_validate_dependency(const struct nft_chain *chain, + int nft_chain_validate_hooks(const struct nft_chain *chain, + unsigned int hook_flags); + ++static inline bool nft_chain_binding(const struct nft_chain *chain) ++{ ++ return chain->flags & NFT_CHAIN_BINDING; ++} ++ + static inline bool nft_chain_is_bound(struct nft_chain *chain) + { + return (chain->flags & NFT_CHAIN_BINDING) && chain->bound; + } + ++int nft_chain_add(struct nft_table *table, struct nft_chain *chain); + void nft_chain_del(struct nft_chain *chain); + void nf_tables_chain_destroy(struct nft_ctx *ctx); + +@@ -1560,6 +1570,7 @@ struct nft_trans_rule { + struct nft_rule *rule; + struct nft_flow_rule *flow; + u32 rule_id; ++ bool bound; + }; + + #define nft_trans_rule(trans) \ +@@ -1568,6 +1579,8 @@ struct nft_trans_rule { + (((struct nft_trans_rule *)trans->data)->flow) + #define nft_trans_rule_id(trans) \ + (((struct nft_trans_rule *)trans->data)->rule_id) ++#define nft_trans_rule_bound(trans) \ ++ (((struct nft_trans_rule *)trans->data)->bound) + + struct nft_trans_set { + struct nft_set *set; +@@ -1592,13 +1605,17 @@ struct nft_trans_set { + (((struct nft_trans_set *)trans->data)->gc_int) + + struct nft_trans_chain { ++ struct nft_chain *chain; + bool update; + char *name; + struct nft_stats __percpu *stats; + u8 policy; ++ bool bound; + u32 chain_id; + }; + ++#define nft_trans_chain(trans) \ ++ (((struct nft_trans_chain *)trans->data)->chain) + #define nft_trans_chain_update(trans) \ + (((struct nft_trans_chain *)trans->data)->update) + #define nft_trans_chain_name(trans) \ +@@ -1607,6 +1624,8 @@ struct nft_trans_chain { + (((struct nft_trans_chain *)trans->data)->stats) + #define nft_trans_chain_policy(trans) \ + (((struct nft_trans_chain *)trans->data)->policy) ++#define nft_trans_chain_bound(trans) \ ++ (((struct nft_trans_chain *)trans->data)->bound) + #define nft_trans_chain_id(trans) \ + (((struct nft_trans_chain *)trans->data)->chain_id) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 13d4913266b4d..8f8e315691dde 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -195,6 +195,48 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) + } + } + ++static void nft_chain_trans_bind(const struct nft_ctx *ctx, struct nft_chain *chain) ++{ ++ struct nftables_pernet *nft_net; ++ struct net *net = ctx->net; ++ struct nft_trans *trans; ++ ++ if (!nft_chain_binding(chain)) ++ return; ++ ++ nft_net = nft_pernet(net); ++ list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { ++ switch (trans->msg_type) { ++ case NFT_MSG_NEWCHAIN: ++ if (nft_trans_chain(trans) == chain) ++ nft_trans_chain_bound(trans) = true; ++ break; ++ case NFT_MSG_NEWRULE: ++ if (trans->ctx.chain == chain) ++ nft_trans_rule_bound(trans) = true; ++ break; ++ } ++ } ++} ++ ++int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) ++{ ++ if (!nft_chain_binding(chain)) ++ return 0; ++ ++ if (nft_chain_binding(ctx->chain)) ++ return -EOPNOTSUPP; ++ ++ if (chain->bound) ++ return -EBUSY; ++ ++ chain->bound = true; ++ chain->use++; ++ nft_chain_trans_bind(ctx, chain); ++ ++ return 0; ++} ++ + static int nft_netdev_register_hooks(struct net *net, + struct list_head *hook_list) + { +@@ -340,8 +382,9 @@ static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) + ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); + } + } +- ++ nft_trans_chain(trans) = ctx->chain; + nft_trans_commit_list_add_tail(ctx->net, trans); ++ + return trans; + } + +@@ -359,8 +402,7 @@ static int nft_delchain(struct nft_ctx *ctx) + return 0; + } + +-static void nft_rule_expr_activate(const struct nft_ctx *ctx, +- struct nft_rule *rule) ++void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule) + { + struct nft_expr *expr; + +@@ -373,9 +415,8 @@ static void nft_rule_expr_activate(const struct nft_ctx *ctx, + } + } + +-static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, +- struct nft_rule *rule, +- enum nft_trans_phase phase) ++void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule, ++ enum nft_trans_phase phase) + { + struct nft_expr *expr; + +@@ -2188,7 +2229,7 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, + return 0; + } + +-static int nft_chain_add(struct nft_table *table, struct nft_chain *chain) ++int nft_chain_add(struct nft_table *table, struct nft_chain *chain) + { + int err; + +@@ -3315,8 +3356,7 @@ static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info, + return err; + } + +-static void nf_tables_rule_destroy(const struct nft_ctx *ctx, +- struct nft_rule *rule) ++void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) + { + struct nft_expr *expr, *next; + +@@ -3333,7 +3373,7 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx, + kfree(rule); + } + +-void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) ++static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) + { + nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); + nf_tables_rule_destroy(ctx, rule); +@@ -6446,7 +6486,6 @@ static int nf_tables_newsetelem(struct sk_buff *skb, + void nft_data_hold(const struct nft_data *data, enum nft_data_types type) + { + struct nft_chain *chain; +- struct nft_rule *rule; + + if (type == NFT_DATA_VERDICT) { + switch (data->verdict.code) { +@@ -6454,15 +6493,6 @@ void nft_data_hold(const struct nft_data *data, enum nft_data_types type) + case NFT_GOTO: + chain = data->verdict.chain; + chain->use++; +- +- if (!nft_chain_is_bound(chain)) +- break; +- +- chain->table->use++; +- list_for_each_entry(rule, &chain->rules, list) +- chain->use++; +- +- nft_chain_add(chain->table, chain); + break; + } + } +@@ -9368,7 +9398,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + kfree(nft_trans_chain_name(trans)); + nft_trans_destroy(trans); + } else { +- if (nft_chain_is_bound(trans->ctx.chain)) { ++ if (nft_trans_chain_bound(trans)) { + nft_trans_destroy(trans); + break; + } +@@ -9385,6 +9415,10 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + nft_trans_destroy(trans); + break; + case NFT_MSG_NEWRULE: ++ if (nft_trans_rule_bound(trans)) { ++ nft_trans_destroy(trans); ++ break; ++ } + trans->ctx.chain->use--; + list_del_rcu(&nft_trans_rule(trans)->list); + nft_rule_expr_deactivate(&trans->ctx, +@@ -9943,22 +9977,12 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + static void nft_verdict_uninit(const struct nft_data *data) + { + struct nft_chain *chain; +- struct nft_rule *rule; + + switch (data->verdict.code) { + case NFT_JUMP: + case NFT_GOTO: + chain = data->verdict.chain; + chain->use--; +- +- if (!nft_chain_is_bound(chain)) +- break; +- +- chain->table->use--; +- list_for_each_entry(rule, &chain->rules, list) +- chain->use--; +- +- nft_chain_del(chain); + break; + } + } +diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c +index 5f28b21abc7df..457fc1e218410 100644 +--- a/net/netfilter/nft_immediate.c ++++ b/net/netfilter/nft_immediate.c +@@ -76,11 +76,9 @@ static int nft_immediate_init(const struct nft_ctx *ctx, + switch (priv->data.verdict.code) { + case NFT_JUMP: + case NFT_GOTO: +- if (nft_chain_is_bound(chain)) { +- err = -EBUSY; +- goto err1; +- } +- chain->bound = true; ++ err = nf_tables_bind_chain(ctx, chain); ++ if (err < 0) ++ return err; + break; + default: + break; +@@ -98,6 +96,31 @@ static void nft_immediate_activate(const struct nft_ctx *ctx, + const struct nft_expr *expr) + { + const struct nft_immediate_expr *priv = nft_expr_priv(expr); ++ const struct nft_data *data = &priv->data; ++ struct nft_ctx chain_ctx; ++ struct nft_chain *chain; ++ struct nft_rule *rule; ++ ++ if (priv->dreg == NFT_REG_VERDICT) { ++ switch (data->verdict.code) { ++ case NFT_JUMP: ++ case NFT_GOTO: ++ chain = data->verdict.chain; ++ if (!nft_chain_binding(chain)) ++ break; ++ ++ chain_ctx = *ctx; ++ chain_ctx.chain = chain; ++ ++ list_for_each_entry(rule, &chain->rules, list) ++ nft_rule_expr_activate(&chain_ctx, rule); ++ ++ nft_clear(ctx->net, chain); ++ break; ++ default: ++ break; ++ } ++ } + + return nft_data_hold(&priv->data, nft_dreg_to_type(priv->dreg)); + } +@@ -107,6 +130,40 @@ static void nft_immediate_deactivate(const struct nft_ctx *ctx, + enum nft_trans_phase phase) + { + const struct nft_immediate_expr *priv = nft_expr_priv(expr); ++ const struct nft_data *data = &priv->data; ++ struct nft_ctx chain_ctx; ++ struct nft_chain *chain; ++ struct nft_rule *rule; ++ ++ if (priv->dreg == NFT_REG_VERDICT) { ++ switch (data->verdict.code) { ++ case NFT_JUMP: ++ case NFT_GOTO: ++ chain = data->verdict.chain; ++ if (!nft_chain_binding(chain)) ++ break; ++ ++ chain_ctx = *ctx; ++ chain_ctx.chain = chain; ++ ++ list_for_each_entry(rule, &chain->rules, list) ++ nft_rule_expr_deactivate(&chain_ctx, rule, phase); ++ ++ switch (phase) { ++ case NFT_TRANS_PREPARE: ++ nft_deactivate_next(ctx->net, chain); ++ break; ++ default: ++ nft_chain_del(chain); ++ chain->bound = false; ++ chain->table->use--; ++ break; ++ } ++ break; ++ default: ++ break; ++ } ++ } + + if (phase == NFT_TRANS_COMMIT) + return; +@@ -131,15 +188,27 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx, + case NFT_GOTO: + chain = data->verdict.chain; + +- if (!nft_chain_is_bound(chain)) ++ if (!nft_chain_binding(chain)) ++ break; ++ ++ /* Rule construction failed, but chain is already bound: ++ * let the transaction records release this chain and its rules. ++ */ ++ if (chain->bound) { ++ chain->use--; + break; ++ } + ++ /* Rule has been deleted, release chain and its rules. */ + chain_ctx = *ctx; + chain_ctx.chain = chain; + +- list_for_each_entry_safe(rule, n, &chain->rules, list) +- nf_tables_rule_release(&chain_ctx, rule); +- ++ chain->use--; ++ list_for_each_entry_safe(rule, n, &chain->rules, list) { ++ chain->use--; ++ list_del(&rule->list); ++ nf_tables_rule_destroy(&chain_ctx, rule); ++ } + nf_tables_chain_destroy(&chain_ctx); + break; + default: +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-reject-unbound-anonymous-set-bef.patch b/queue-6.1/netfilter-nf_tables-reject-unbound-anonymous-set-bef.patch new file mode 100644 index 00000000000..ab2578e39ac --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-reject-unbound-anonymous-set-bef.patch @@ -0,0 +1,145 @@ +From c9e2638d19f739caf68dd84d89fc90381e769acc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 15:21:33 +0200 +Subject: netfilter: nf_tables: reject unbound anonymous set before commit + phase + +From: Pablo Neira Ayuso + +[ Upstream commit 938154b93be8cd611ddfd7bafc1849f3c4355201 ] + +Add a new list to track set transaction and to check for unbound +anonymous sets before entering the commit phase. + +Bail out at the end of the transaction handling if an anonymous set +remains unbound. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 3 +++ + net/netfilter/nf_tables_api.c | 35 ++++++++++++++++++++++++++++--- + 2 files changed, 35 insertions(+), 3 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index bbcd558f19344..f3a37cacb32c3 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1558,6 +1558,7 @@ static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext) + * struct nft_trans - nf_tables object update in transaction + * + * @list: used internally ++ * @binding_list: list of objects with possible bindings + * @msg_type: message type + * @put_net: ctx->net needs to be put + * @ctx: transaction context +@@ -1565,6 +1566,7 @@ static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext) + */ + struct nft_trans { + struct list_head list; ++ struct list_head binding_list; + int msg_type; + bool put_net; + struct nft_ctx ctx; +@@ -1703,6 +1705,7 @@ static inline int nft_request_module(struct net *net, const char *fmt, ...) { re + struct nftables_pernet { + struct list_head tables; + struct list_head commit_list; ++ struct list_head binding_list; + struct list_head module_list; + struct list_head notify_list; + struct mutex commit_mutex; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 2cd83d09f4192..c0126aac035f8 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -153,6 +153,7 @@ static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, + return NULL; + + INIT_LIST_HEAD(&trans->list); ++ INIT_LIST_HEAD(&trans->binding_list); + trans->msg_type = msg_type; + trans->ctx = *ctx; + +@@ -165,9 +166,15 @@ static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, + return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); + } + +-static void nft_trans_destroy(struct nft_trans *trans) ++static void nft_trans_list_del(struct nft_trans *trans) + { + list_del(&trans->list); ++ list_del(&trans->binding_list); ++} ++ ++static void nft_trans_destroy(struct nft_trans *trans) ++{ ++ nft_trans_list_del(trans); + kfree(trans); + } + +@@ -359,6 +366,14 @@ static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *tr + { + struct nftables_pernet *nft_net = nft_pernet(net); + ++ switch (trans->msg_type) { ++ case NFT_MSG_NEWSET: ++ if (!nft_trans_set_update(trans) && ++ nft_set_is_anonymous(nft_trans_set(trans))) ++ list_add_tail(&trans->binding_list, &nft_net->binding_list); ++ break; ++ } ++ + list_add_tail(&trans->list, &nft_net->commit_list); + } + +@@ -8829,7 +8844,7 @@ static void nf_tables_trans_destroy_work(struct work_struct *w) + synchronize_rcu(); + + list_for_each_entry_safe(trans, next, &head, list) { +- list_del(&trans->list); ++ nft_trans_list_del(trans); + nft_commit_release(trans); + } + } +@@ -9196,6 +9211,19 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + return 0; + } + ++ list_for_each_entry(trans, &nft_net->binding_list, binding_list) { ++ switch (trans->msg_type) { ++ case NFT_MSG_NEWSET: ++ if (!nft_trans_set_update(trans) && ++ nft_set_is_anonymous(nft_trans_set(trans)) && ++ !nft_trans_set_bound(trans)) { ++ pr_warn_once("nftables ruleset with unbound set\n"); ++ return -EINVAL; ++ } ++ break; ++ } ++ } ++ + /* 0. Validate ruleset, otherwise roll back for error reporting. */ + if (nf_tables_validate(net) < 0) + return -EAGAIN; +@@ -9672,7 +9700,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + + list_for_each_entry_safe_reverse(trans, next, + &nft_net->commit_list, list) { +- list_del(&trans->list); ++ nft_trans_list_del(trans); + nf_tables_abort_release(trans); + } + +@@ -10448,6 +10476,7 @@ static int __net_init nf_tables_init_net(struct net *net) + + INIT_LIST_HEAD(&nft_net->tables); + INIT_LIST_HEAD(&nft_net->commit_list); ++ INIT_LIST_HEAD(&nft_net->binding_list); + INIT_LIST_HEAD(&nft_net->module_list); + INIT_LIST_HEAD(&nft_net->notify_list); + mutex_init(&nft_net->commit_mutex); +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-reject-unbound-chain-set-before-.patch b/queue-6.1/netfilter-nf_tables-reject-unbound-chain-set-before-.patch new file mode 100644 index 00000000000..2ceebad524a --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-reject-unbound-chain-set-before-.patch @@ -0,0 +1,56 @@ +From ce64d0dc6fb01dbafd6e44b1ef4f073c7ff7b440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 15:21:39 +0200 +Subject: netfilter: nf_tables: reject unbound chain set before commit phase + +From: Pablo Neira Ayuso + +[ Upstream commit 62e1e94b246e685d89c3163aaef4b160e42ceb02 ] + +Use binding list to track set transaction and to check for unbound +chains before entering the commit phase. + +Bail out if chain binding remain unused before entering the commit +step. + +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c0126aac035f8..984720964a498 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -372,6 +372,11 @@ static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *tr + nft_set_is_anonymous(nft_trans_set(trans))) + list_add_tail(&trans->binding_list, &nft_net->binding_list); + break; ++ case NFT_MSG_NEWCHAIN: ++ if (!nft_trans_chain_update(trans) && ++ nft_chain_binding(nft_trans_chain(trans))) ++ list_add_tail(&trans->binding_list, &nft_net->binding_list); ++ break; + } + + list_add_tail(&trans->list, &nft_net->commit_list); +@@ -9221,6 +9226,14 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + return -EINVAL; + } + break; ++ case NFT_MSG_NEWCHAIN: ++ if (!nft_trans_chain_update(trans) && ++ nft_chain_binding(nft_trans_chain(trans)) && ++ !nft_trans_chain_bound(trans)) { ++ pr_warn_once("nftables ruleset with unbound chain\n"); ++ return -EINVAL; ++ } ++ break; + } + } + +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nfnetlink_osf-fix-module-autoload.patch b/queue-6.1/netfilter-nfnetlink_osf-fix-module-autoload.patch new file mode 100644 index 00000000000..84ed3dce891 --- /dev/null +++ b/queue-6.1/netfilter-nfnetlink_osf-fix-module-autoload.patch @@ -0,0 +1,40 @@ +From 067bb697a348f1a2995d7dc2b0e20a1fa4c5b3bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 10:14:25 +0200 +Subject: netfilter: nfnetlink_osf: fix module autoload + +From: Pablo Neira Ayuso + +[ Upstream commit 62f9a68a36d4441a6c412b81faed102594bc6670 ] + +Move the alias from xt_osf to nfnetlink_osf. + +Fixes: f9324952088f ("netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 1 + + net/netfilter/xt_osf.c | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index ee6840bd59337..8f1bfa6ccc2d9 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -439,3 +439,4 @@ module_init(nfnl_osf_init); + module_exit(nfnl_osf_fini); + + MODULE_LICENSE("GPL"); ++MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF); +diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c +index e1990baf3a3b7..dc9485854002a 100644 +--- a/net/netfilter/xt_osf.c ++++ b/net/netfilter/xt_osf.c +@@ -71,4 +71,3 @@ MODULE_AUTHOR("Evgeniy Polyakov "); + MODULE_DESCRIPTION("Passive OS fingerprint matching."); + MODULE_ALIAS("ipt_osf"); + MODULE_ALIAS("ip6t_osf"); +-MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF); +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nft_set_pipapo-.walk-does-not-deal-with-ge.patch b/queue-6.1/netfilter-nft_set_pipapo-.walk-does-not-deal-with-ge.patch new file mode 100644 index 00000000000..037f5ab58ca --- /dev/null +++ b/queue-6.1/netfilter-nft_set_pipapo-.walk-does-not-deal-with-ge.patch @@ -0,0 +1,46 @@ +From 2c613944536a1840c596a14896b295a19e1e54b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 15:20:04 +0200 +Subject: netfilter: nft_set_pipapo: .walk does not deal with generations + +From: Pablo Neira Ayuso + +[ Upstream commit 2b84e215f87443c74ac0aa7f76bb172d43a87033 ] + +The .walk callback iterates over the current active set, but it might be +useful to iterate over the next generation set. Use the generation mask +to determine what set view (either current or next generation) is use +for the walk iteration. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index c867b5b772e86..0452ee586c1cc 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1974,12 +1974,16 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_iter *iter) + { + struct nft_pipapo *priv = nft_set_priv(set); ++ struct net *net = read_pnet(&set->net); + struct nft_pipapo_match *m; + struct nft_pipapo_field *f; + int i, r; + + rcu_read_lock(); +- m = rcu_dereference(priv->match); ++ if (iter->genmask == nft_genmask_cur(net)) ++ m = rcu_dereference(priv->match); ++ else ++ m = priv->clone; + + if (unlikely(!m)) + goto out; +-- +2.39.2 + diff --git a/queue-6.1/nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch b/queue-6.1/nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch new file mode 100644 index 00000000000..a5131c5d54d --- /dev/null +++ b/queue-6.1/nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch @@ -0,0 +1,40 @@ +From e103013513d72e197d217e4a6dc35158d60ec96b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 22:27:46 +0500 +Subject: nfcsim.c: Fix error checking for debugfs_create_dir + +From: Osama Muhammad + +[ Upstream commit 9b9e46aa07273ceb96866b2e812b46f1ee0b8d2f ] + +This patch fixes the error checking in nfcsim.c. +The DebugFS kernel API is developed in +a way that the caller can safely ignore the errors that +occur during the creation of DebugFS nodes. + +Signed-off-by: Osama Muhammad +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/nfcsim.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/nfc/nfcsim.c b/drivers/nfc/nfcsim.c +index 85bf8d586c707..0f6befe8be1e2 100644 +--- a/drivers/nfc/nfcsim.c ++++ b/drivers/nfc/nfcsim.c +@@ -336,10 +336,6 @@ static struct dentry *nfcsim_debugfs_root; + static void nfcsim_debugfs_init(void) + { + nfcsim_debugfs_root = debugfs_create_dir("nfcsim", NULL); +- +- if (!nfcsim_debugfs_root) +- pr_err("Could not create debugfs entry\n"); +- + } + + static void nfcsim_debugfs_remove(void) +-- +2.39.2 + diff --git a/queue-6.1/null_blk-fix-memory-release-when-memory_backed-1.patch b/queue-6.1/null_blk-fix-memory-release-when-memory_backed-1.patch new file mode 100644 index 00000000000..f5b586c9489 --- /dev/null +++ b/queue-6.1/null_blk-fix-memory-release-when-memory_backed-1.patch @@ -0,0 +1,48 @@ +From 099aa7b3006ca24bd193cc6ebb9321021bc53a71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 11:53:53 +0530 +Subject: null_blk: Fix: memory release when memory_backed=1 + +From: Nitesh Shetty + +[ Upstream commit 8cfb98196cceec35416041c6b91212d2b99392e4 ] + +Memory/pages are not freed, when unloading nullblk driver. + +Steps to reproduce issue + 1.free -h + total used free shared buff/cache available +Mem: 7.8Gi 260Mi 7.1Gi 3.0Mi 395Mi 7.3Gi +Swap: 0B 0B 0B + 2.modprobe null_blk memory_backed=1 + 3.dd if=/dev/urandom of=/dev/nullb0 oflag=direct bs=1M count=1000 + 4.modprobe -r null_blk + 5.free -h + total used free shared buff/cache available +Mem: 7.8Gi 1.2Gi 6.1Gi 3.0Mi 398Mi 6.3Gi +Swap: 0B 0B 0B + +Signed-off-by: Anuj Gupta +Signed-off-by: Nitesh Shetty +Link: https://lore.kernel.org/r/20230605062354.24785-1-nj.shetty@samsung.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c +index c45d09a9a9421..e8cb914223cdf 100644 +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -2194,6 +2194,7 @@ static void null_destroy_dev(struct nullb *nullb) + struct nullb_device *dev = nullb->dev; + + null_del_dev(nullb); ++ null_free_device_storage(dev, false); + null_free_dev(dev); + } + +-- +2.39.2 + diff --git a/queue-6.1/nvme-check-io-start-time-when-deciding-to-defer-ka.patch b/queue-6.1/nvme-check-io-start-time-when-deciding-to-defer-ka.patch new file mode 100644 index 00000000000..242bc16195a --- /dev/null +++ b/queue-6.1/nvme-check-io-start-time-when-deciding-to-defer-ka.patch @@ -0,0 +1,107 @@ +From 10de1efa98ae7cab47aea4f8e51bc0f98507f1a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 12:22:03 -0600 +Subject: nvme: check IO start time when deciding to defer KA + +From: Uday Shankar + +[ Upstream commit 774a9636514764ddc0d072ae0d1d1c01a47e6ddd ] + +When a command completes, we set a flag which will skip sending a +keep alive at the next run of nvme_keep_alive_work when TBKAS is on. +However, if the command was submitted long ago, it's possible that +the controller may have also restarted its keep alive timer (as a +result of receiving the command) long ago. The following trace +demonstrates the issue, assuming TBKAS is on and KATO = 8 for +simplicity: + +1. t = 0: submit I/O commands A, B, C, D, E +2. t = 0.5: commands A, B, C, D, E reach controller, restart its keep + alive timer +3. t = 1: A completes +4. t = 2: run nvme_keep_alive_work, see recent completion, do nothing +5. t = 3: B completes +6. t = 4: run nvme_keep_alive_work, see recent completion, do nothing +7. t = 5: C completes +8. t = 6: run nvme_keep_alive_work, see recent completion, do nothing +9. t = 7: D completes +10. t = 8: run nvme_keep_alive_work, see recent completion, do nothing +11. t = 9: E completes + +At this point, 8.5 seconds have passed without restarting the +controller's keep alive timer, so the controller will detect a keep +alive timeout. + +Fix this by checking the IO start time when deciding to defer sending a +keep alive command. Only set comp_seen if the command started after the +most recent run of nvme_keep_alive_work. With this change, the +completions of B, C, and D will not set comp_seen and the run of +nvme_keep_alive_work at t = 4 will send a keep alive. + +Reported-by: Costa Sapuntzakis +Reported-by: Randy Jennings +Signed-off-by: Uday Shankar +Reviewed-by: Hannes Reinecke +Reviewed-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 14 +++++++++++++- + drivers/nvme/host/nvme.h | 1 + + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index a97f2f21c5321..15eb2ee1be66e 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -395,7 +395,16 @@ void nvme_complete_rq(struct request *req) + trace_nvme_complete_rq(req); + nvme_cleanup_cmd(req); + +- if (ctrl->kas) ++ /* ++ * Completions of long-running commands should not be able to ++ * defer sending of periodic keep alives, since the controller ++ * may have completed processing such commands a long time ago ++ * (arbitrarily close to command submission time). ++ * req->deadline - req->timeout is the command submission time ++ * in jiffies. ++ */ ++ if (ctrl->kas && ++ req->deadline - req->timeout >= ctrl->ka_last_check_time) + ctrl->comp_seen = true; + + switch (nvme_decide_disposition(req)) { +@@ -1235,6 +1244,7 @@ static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq, + return RQ_END_IO_NONE; + } + ++ ctrl->ka_last_check_time = jiffies; + ctrl->comp_seen = false; + spin_lock_irqsave(&ctrl->lock, flags); + if (ctrl->state == NVME_CTRL_LIVE || +@@ -1253,6 +1263,8 @@ static void nvme_keep_alive_work(struct work_struct *work) + bool comp_seen = ctrl->comp_seen; + struct request *rq; + ++ ctrl->ka_last_check_time = jiffies; ++ + if ((ctrl->ctratt & NVME_CTRL_ATTR_TBKAS) && comp_seen) { + dev_dbg(ctrl->device, + "reschedule traffic based keep-alive timer\n"); +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 3f82de6060ef7..2aa514c3dfa17 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -323,6 +323,7 @@ struct nvme_ctrl { + struct delayed_work ka_work; + struct delayed_work failfast_work; + struct nvme_command ka_cmd; ++ unsigned long ka_last_check_time; + struct work_struct fw_act_work; + unsigned long events; + +-- +2.39.2 + diff --git a/queue-6.1/nvme-double-ka-polling-frequency-to-avoid-kato-with-.patch b/queue-6.1/nvme-double-ka-polling-frequency-to-avoid-kato-with-.patch new file mode 100644 index 00000000000..a0a6e86720c --- /dev/null +++ b/queue-6.1/nvme-double-ka-polling-frequency-to-avoid-kato-with-.patch @@ -0,0 +1,81 @@ +From cf151bf29c0f7bf4fa3be7f38fd97dc25facd9d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 12:22:02 -0600 +Subject: nvme: double KA polling frequency to avoid KATO with TBKAS on +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uday Shankar + +[ Upstream commit ea4d453b9ec9ea279c39744cd0ecb47ef48ede35 ] + +With TBKAS on, the completion of one command can defer sending a +keep alive for up to twice the delay between successive runs of +nvme_keep_alive_work. The current delay of KATO / 2 thus makes it +possible for one command to defer sending a keep alive for up to +KATO, which can result in the controller detecting a KATO. The following +trace demonstrates the issue, taking KATO = 8 for simplicity: + +1. t = 0: run nvme_keep_alive_work, no keep-alive sent +2. t = ε: I/O completion seen, set comp_seen = true +3. t = 4: run nvme_keep_alive_work, see comp_seen == true, + skip sending keep-alive, set comp_seen = false +4. t = 8: run nvme_keep_alive_work, see comp_seen == false, + send a keep-alive command. + +Here, there is a delay of 8 - ε between receiving a command completion +and sending the next command. With ε small, the controller is likely to +detect a keep alive timeout. + +Fix this by running nvme_keep_alive_work with a delay of KATO / 4 +whenever TBKAS is on. Going through the above trace now gives us a +worst-case delay of 4 - ε, which is in line with the recommendation of +sending a command every KATO / 2 in the NVMe specification. + +Reported-by: Costa Sapuntzakis +Reported-by: Randy Jennings +Signed-off-by: Uday Shankar +Reviewed-by: Hannes Reinecke +Reviewed-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 2e22c78991ccf..a97f2f21c5321 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1198,9 +1198,25 @@ EXPORT_SYMBOL_NS_GPL(nvme_execute_passthru_rq, NVME_TARGET_PASSTHRU); + * The host should send Keep Alive commands at half of the Keep Alive Timeout + * accounting for transport roundtrip times [..]. + */ ++static unsigned long nvme_keep_alive_work_period(struct nvme_ctrl *ctrl) ++{ ++ unsigned long delay = ctrl->kato * HZ / 2; ++ ++ /* ++ * When using Traffic Based Keep Alive, we need to run ++ * nvme_keep_alive_work at twice the normal frequency, as one ++ * command completion can postpone sending a keep alive command ++ * by up to twice the delay between runs. ++ */ ++ if (ctrl->ctratt & NVME_CTRL_ATTR_TBKAS) ++ delay /= 2; ++ return delay; ++} ++ + static void nvme_queue_keep_alive_work(struct nvme_ctrl *ctrl) + { +- queue_delayed_work(nvme_wq, &ctrl->ka_work, ctrl->kato * HZ / 2); ++ queue_delayed_work(nvme_wq, &ctrl->ka_work, ++ nvme_keep_alive_work_period(ctrl)); + } + + static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq, +-- +2.39.2 + diff --git a/queue-6.1/nvme-improve-handling-of-long-keep-alives.patch b/queue-6.1/nvme-improve-handling-of-long-keep-alives.patch new file mode 100644 index 00000000000..a2b3f194817 --- /dev/null +++ b/queue-6.1/nvme-improve-handling-of-long-keep-alives.patch @@ -0,0 +1,79 @@ +From 10953f7a8464a9cafd160ecda35191cfe334adf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 12:22:04 -0600 +Subject: nvme: improve handling of long keep alives +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uday Shankar + +[ Upstream commit c7275ce6a5fd32ca9f5a6294ed89cf0523181af9 ] + +Upon keep alive completion, nvme_keep_alive_work is scheduled with the +same delay every time. If keep alive commands are completing slowly, +this may cause a keep alive timeout. The following trace illustrates the +issue, taking KATO = 8 and TBKAS off for simplicity: + +1. t = 0: run nvme_keep_alive_work, send keep alive +2. t = ε: keep alive reaches controller, controller restarts its keep + alive timer +3. t = 4: host receives keep alive completion, schedules + nvme_keep_alive_work with delay 4 +4. t = 8: run nvme_keep_alive_work, send keep alive + +Here, a keep alive having RTT of 4 causes a delay of at least 8 - ε +between the controller receiving successive keep alives. With ε small, +the controller is likely to detect a keep alive timeout. + +Fix this by calculating the RTT of the keep alive command, and adjusting +the scheduling delay of the next keep alive work accordingly. + +Reported-by: Costa Sapuntzakis +Reported-by: Randy Jennings +Signed-off-by: Uday Shankar +Reviewed-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 15eb2ee1be66e..a7d9b5b42b388 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1234,6 +1234,20 @@ static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq, + struct nvme_ctrl *ctrl = rq->end_io_data; + unsigned long flags; + bool startka = false; ++ unsigned long rtt = jiffies - (rq->deadline - rq->timeout); ++ unsigned long delay = nvme_keep_alive_work_period(ctrl); ++ ++ /* ++ * Subtract off the keepalive RTT so nvme_keep_alive_work runs ++ * at the desired frequency. ++ */ ++ if (rtt <= delay) { ++ delay -= rtt; ++ } else { ++ dev_warn(ctrl->device, "long keepalive RTT (%u ms)\n", ++ jiffies_to_msecs(rtt)); ++ delay = 0; ++ } + + blk_mq_free_request(rq); + +@@ -1252,7 +1266,7 @@ static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq, + startka = true; + spin_unlock_irqrestore(&ctrl->lock, flags); + if (startka) +- nvme_queue_keep_alive_work(ctrl); ++ queue_delayed_work(nvme_wq, &ctrl->ka_work, delay); + return RQ_END_IO_NONE; + } + +-- +2.39.2 + diff --git a/queue-6.1/platform-x86-amd-pmf-register-notify-handler-only-if.patch b/queue-6.1/platform-x86-amd-pmf-register-notify-handler-only-if.patch new file mode 100644 index 00000000000..397b43c8c45 --- /dev/null +++ b/queue-6.1/platform-x86-amd-pmf-register-notify-handler-only-if.patch @@ -0,0 +1,105 @@ +From bb77f7af2c52be00c1c02f1a35dafbf7302c0c7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 11:33:09 +0530 +Subject: platform/x86/amd/pmf: Register notify handler only if SPS is enabled + +From: Shyam Sundar S K + +[ Upstream commit 146b6f6855e7656e8329910606595220c761daac ] + +Power source notify handler is getting registered even when none of the +PMF feature in enabled leading to a crash. + +... +[ 22.592162] Call Trace: +[ 22.592164] +[ 22.592164] ? rcu_note_context_switch+0x5e0/0x660 +[ 22.592166] ? __warn+0x81/0x130 +[ 22.592171] ? rcu_note_context_switch+0x5e0/0x660 +[ 22.592172] ? report_bug+0x171/0x1a0 +[ 22.592175] ? prb_read_valid+0x1b/0x30 +[ 22.592177] ? handle_bug+0x3c/0x80 +[ 22.592178] ? exc_invalid_op+0x17/0x70 +[ 22.592179] ? asm_exc_invalid_op+0x1a/0x20 +[ 22.592182] ? rcu_note_context_switch+0x5e0/0x660 +[ 22.592183] ? acpi_ut_delete_object_desc+0x86/0xb0 +[ 22.592186] ? acpi_ut_update_ref_count.part.0+0x22d/0x930 +[ 22.592187] __schedule+0xc0/0x1410 +[ 22.592189] ? ktime_get+0x3c/0xa0 +[ 22.592191] ? lapic_next_event+0x1d/0x30 +[ 22.592193] ? hrtimer_start_range_ns+0x25b/0x350 +[ 22.592196] schedule+0x5e/0xd0 +[ 22.592197] schedule_hrtimeout_range_clock+0xbe/0x140 +[ 22.592199] ? __pfx_hrtimer_wakeup+0x10/0x10 +[ 22.592200] usleep_range_state+0x64/0x90 +[ 22.592203] amd_pmf_send_cmd+0x106/0x2a0 [amd_pmf bddfe0fe3712aaa99acce3d5487405c5213c6616] +[ 22.592207] amd_pmf_update_slider+0x56/0x1b0 [amd_pmf bddfe0fe3712aaa99acce3d5487405c5213c6616] +[ 22.592210] amd_pmf_set_sps_power_limits+0x72/0x80 [amd_pmf bddfe0fe3712aaa99acce3d5487405c5213c6616] +[ 22.592213] amd_pmf_pwr_src_notify_call+0x49/0x90 [amd_pmf bddfe0fe3712aaa99acce3d5487405c5213c6616] +[ 22.592216] notifier_call_chain+0x5a/0xd0 +[ 22.592218] atomic_notifier_call_chain+0x32/0x50 +... + +Fix this by moving the registration of source change notify handler only +when SPS(Static Slider) is advertised as supported. + +Reported-by: Allen Zhong +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217571 +Fixes: 4c71ae414474 ("platform/x86/amd/pmf: Add support SPS PMF feature") +Tested-by: Patil Rajesh Reddy +Reviewed-by: Mario Limonciello +Signed-off-by: Shyam Sundar S K +Link: https://lore.kernel.org/r/20230622060309.310001-1-Shyam-sundar.S-k@amd.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmf/core.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/amd/pmf/core.c b/drivers/platform/x86/amd/pmf/core.c +index dc9803e1a4b9b..73d2357e32f8e 100644 +--- a/drivers/platform/x86/amd/pmf/core.c ++++ b/drivers/platform/x86/amd/pmf/core.c +@@ -297,6 +297,8 @@ static void amd_pmf_init_features(struct amd_pmf_dev *dev) + /* Enable Static Slider */ + if (is_apmf_func_supported(dev, APMF_FUNC_STATIC_SLIDER_GRANULAR)) { + amd_pmf_init_sps(dev); ++ dev->pwr_src_notifier.notifier_call = amd_pmf_pwr_src_notify_call; ++ power_supply_reg_notifier(&dev->pwr_src_notifier); + dev_dbg(dev->dev, "SPS enabled and Platform Profiles registered\n"); + } + +@@ -315,8 +317,10 @@ static void amd_pmf_init_features(struct amd_pmf_dev *dev) + + static void amd_pmf_deinit_features(struct amd_pmf_dev *dev) + { +- if (is_apmf_func_supported(dev, APMF_FUNC_STATIC_SLIDER_GRANULAR)) ++ if (is_apmf_func_supported(dev, APMF_FUNC_STATIC_SLIDER_GRANULAR)) { ++ power_supply_unreg_notifier(&dev->pwr_src_notifier); + amd_pmf_deinit_sps(dev); ++ } + + if (is_apmf_func_supported(dev, APMF_FUNC_AUTO_MODE)) { + amd_pmf_deinit_auto_mode(dev); +@@ -399,9 +403,6 @@ static int amd_pmf_probe(struct platform_device *pdev) + apmf_install_handler(dev); + amd_pmf_dbgfs_register(dev); + +- dev->pwr_src_notifier.notifier_call = amd_pmf_pwr_src_notify_call; +- power_supply_reg_notifier(&dev->pwr_src_notifier); +- + dev_info(dev->dev, "registered PMF device successfully\n"); + + return 0; +@@ -411,7 +412,6 @@ static int amd_pmf_remove(struct platform_device *pdev) + { + struct amd_pmf_dev *dev = platform_get_drvdata(pdev); + +- power_supply_unreg_notifier(&dev->pwr_src_notifier); + amd_pmf_deinit_features(dev); + apmf_acpi_deinit(dev); + amd_pmf_dbgfs_unregister(dev); +-- +2.39.2 + diff --git a/queue-6.1/revert-net-align-so_rcvmark-required-privileges-with.patch b/queue-6.1/revert-net-align-so_rcvmark-required-privileges-with.patch new file mode 100644 index 00000000000..1eea47011ed --- /dev/null +++ b/queue-6.1/revert-net-align-so_rcvmark-required-privileges-with.patch @@ -0,0 +1,80 @@ +From dbf1713d6f49738e60e2e9e2ccdc28bfd7c8e06f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jun 2023 03:31:30 -0700 +Subject: revert "net: align SO_RCVMARK required privileges with SO_MARK" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Å»enczykowski + +[ Upstream commit a9628e88776eb7d045cf46467f1afdd0f7fe72ea ] + +This reverts commit 1f86123b9749 ("net: align SO_RCVMARK required +privileges with SO_MARK") because the reasoning in the commit message +is not really correct: + SO_RCVMARK is used for 'reading' incoming skb mark (via cmsg), as such + it is more equivalent to 'getsockopt(SO_MARK)' which has no priv check + and retrieves the socket mark, rather than 'setsockopt(SO_MARK) which + sets the socket mark and does require privs. + + Additionally incoming skb->mark may already be visible if + sysctl_fwmark_reflect and/or sysctl_tcp_fwmark_accept are enabled. + + Furthermore, it is easier to block the getsockopt via bpf + (either cgroup setsockopt hook, or via syscall filters) + then to unblock it if it requires CAP_NET_RAW/ADMIN. + +On Android the socket mark is (among other things) used to store +the network identifier a socket is bound to. Setting it is privileged, +but retrieving it is not. We'd like unprivileged userspace to be able +to read the network id of incoming packets (where mark is set via +iptables [to be moved to bpf])... + +An alternative would be to add another sysctl to control whether +setting SO_RCVMARK is privilged or not. +(or even a MASK of which bits in the mark can be exposed) +But this seems like over-engineering... + +Note: This is a non-trivial revert, due to later merged commit e42c7beee71d +("bpf: net: Consider has_current_bpf_ctx() when testing capable() in sk_setsockopt()") +which changed both 'ns_capable' into 'sockopt_ns_capable' calls. + +Fixes: 1f86123b9749 ("net: align SO_RCVMARK required privileges with SO_MARK") +Cc: Larysa Zaremba +Cc: Simon Horman +Cc: Paolo Abeni +Cc: Eyal Birger +Cc: Jakub Kicinski +Cc: Eric Dumazet +Cc: Patrick Rohr +Signed-off-by: Maciej Å»enczykowski +Reviewed-by: Simon Horman +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230618103130.51628-1-maze@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 83f590d8d0850..b021cb9c95ef3 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1355,12 +1355,6 @@ int sk_setsockopt(struct sock *sk, int level, int optname, + __sock_set_mark(sk, val); + break; + case SO_RCVMARK: +- if (!sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) && +- !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { +- ret = -EPERM; +- break; +- } +- + sock_valbool_flag(sk, SOCK_RCVMARK, valbool); + break; + +-- +2.39.2 + diff --git a/queue-6.1/revert-net-phy-dp83867-perform-soft-reset-and-retain.patch b/queue-6.1/revert-net-phy-dp83867-perform-soft-reset-and-retain.patch new file mode 100644 index 00000000000..09f54815164 --- /dev/null +++ b/queue-6.1/revert-net-phy-dp83867-perform-soft-reset-and-retain.patch @@ -0,0 +1,47 @@ +From 59341799a35d8db58e896da57edd986cb91c9003 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 17:44:35 +0200 +Subject: Revert "net: phy: dp83867: perform soft reset and retain established + link" + +From: Francesco Dolcini + +[ Upstream commit a129b41fe0a8b4da828c46b10f5244ca07a3fec3 ] + +This reverts commit da9ef50f545f86ffe6ff786174d26500c4db737a. + +This fixes a regression in which the link would come up, but no +communication was possible. + +The reverted commit was also removing a comment about +DP83867_PHYCR_FORCE_LINK_GOOD, this is not added back in this commits +since it seems that this is unrelated to the original code change. + +Closes: https://lore.kernel.org/all/ZGuDJos8D7N0J6Z2@francesco-nb.int.toradex.com/ +Fixes: da9ef50f545f ("net: phy: dp83867: perform soft reset and retain established link") +Signed-off-by: Francesco Dolcini +Reviewed-by: Andrew Lunn +Reviewed-by: Praneeth Bajjuri +Link: https://lore.kernel.org/r/20230619154435.355485-1-francesco@dolcini.it +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83867.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c +index 14990f8462ae3..f7436191fa807 100644 +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -905,7 +905,7 @@ static int dp83867_phy_reset(struct phy_device *phydev) + { + int err; + +- err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART); ++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESET); + if (err < 0) + return err; + +-- +2.39.2 + diff --git a/queue-6.1/s390-cio-unregister-device-when-the-only-path-is-gon.patch b/queue-6.1/s390-cio-unregister-device-when-the-only-path-is-gon.patch new file mode 100644 index 00000000000..8614b26a820 --- /dev/null +++ b/queue-6.1/s390-cio-unregister-device-when-the-only-path-is-gon.patch @@ -0,0 +1,62 @@ +From e14754fb829ddf70e3b44c53a02ad909c9447b65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 20:53:20 +0200 +Subject: s390/cio: unregister device when the only path is gone + +From: Vineeth Vijayan + +[ Upstream commit 89c0c62e947a01e7a36b54582fd9c9e346170255 ] + +Currently, if the device is offline and all the channel paths are +either configured or varied offline, the associated subchannel gets +unregistered. Don't unregister the subchannel, instead unregister +offline device. + +Signed-off-by: Vineeth Vijayan +Reviewed-by: Peter Oberparleiter +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/device.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c +index ba4c69226c337..02813b63f90fd 100644 +--- a/drivers/s390/cio/device.c ++++ b/drivers/s390/cio/device.c +@@ -1367,6 +1367,7 @@ void ccw_device_set_notoper(struct ccw_device *cdev) + enum io_sch_action { + IO_SCH_UNREG, + IO_SCH_ORPH_UNREG, ++ IO_SCH_UNREG_CDEV, + IO_SCH_ATTACH, + IO_SCH_UNREG_ATTACH, + IO_SCH_ORPH_ATTACH, +@@ -1399,7 +1400,7 @@ static enum io_sch_action sch_get_action(struct subchannel *sch) + } + if ((sch->schib.pmcw.pam & sch->opm) == 0) { + if (ccw_device_notify(cdev, CIO_NO_PATH) != NOTIFY_OK) +- return IO_SCH_UNREG; ++ return IO_SCH_UNREG_CDEV; + return IO_SCH_DISC; + } + if (device_is_disconnected(cdev)) +@@ -1461,6 +1462,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process) + case IO_SCH_ORPH_ATTACH: + ccw_device_set_disconnected(cdev); + break; ++ case IO_SCH_UNREG_CDEV: + case IO_SCH_UNREG_ATTACH: + case IO_SCH_UNREG: + if (!cdev) +@@ -1494,6 +1496,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process) + if (rc) + goto out; + break; ++ case IO_SCH_UNREG_CDEV: + case IO_SCH_UNREG_ATTACH: + spin_lock_irqsave(sch->lock, flags); + sch_set_cdev(sch, NULL); +-- +2.39.2 + diff --git a/queue-6.1/s390-purgatory-disable-branch-profiling.patch b/queue-6.1/s390-purgatory-disable-branch-profiling.patch new file mode 100644 index 00000000000..0f8fe7407cf --- /dev/null +++ b/queue-6.1/s390-purgatory-disable-branch-profiling.patch @@ -0,0 +1,36 @@ +From 3a3834d1b5829380fe235ef5b128e1964efd7446 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 19:41:45 +0200 +Subject: s390/purgatory: disable branch profiling + +From: Alexander Gordeev + +[ Upstream commit 03c5c83b70dca3729a3eb488e668e5044bd9a5ea ] + +Avoid linker error for randomly generated config file that +has CONFIG_BRANCH_PROFILE_NONE enabled and make it similar +to riscv, x86 and also to commit 4bf3ec384edf ("s390: disable +branch profiling for vdso"). + +Reviewed-by: Vasily Gorbik +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/purgatory/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/purgatory/Makefile b/arch/s390/purgatory/Makefile +index d237bc6841cb8..4cbf306b8181f 100644 +--- a/arch/s390/purgatory/Makefile ++++ b/arch/s390/purgatory/Makefile +@@ -26,6 +26,7 @@ KBUILD_CFLAGS += -Wno-pointer-sign -Wno-sign-compare + KBUILD_CFLAGS += -fno-zero-initialized-in-bss -fno-builtin -ffreestanding + KBUILD_CFLAGS += -c -MD -Os -m64 -msoft-float -fno-common + KBUILD_CFLAGS += -fno-stack-protector ++KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING + KBUILD_CFLAGS += $(CLANG_FLAGS) + KBUILD_CFLAGS += $(call cc-option,-fno-PIE) + KBUILD_AFLAGS := $(filter-out -DCC_USING_EXPOLINE,$(KBUILD_AFLAGS)) +-- +2.39.2 + diff --git a/queue-6.1/sch_netem-acquire-qdisc-lock-in-netem_change.patch b/queue-6.1/sch_netem-acquire-qdisc-lock-in-netem_change.patch new file mode 100644 index 00000000000..4d0a003ac57 --- /dev/null +++ b/queue-6.1/sch_netem-acquire-qdisc-lock-in-netem_change.patch @@ -0,0 +1,109 @@ +From 966f341567fb3f60ff8de57f49c454ac46ee1610 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 18:44:25 +0000 +Subject: sch_netem: acquire qdisc lock in netem_change() + +From: Eric Dumazet + +[ Upstream commit 2174a08db80d1efeea382e25ac41c4e7511eb6d6 ] + +syzbot managed to trigger a divide error [1] in netem. + +It could happen if q->rate changes while netem_enqueue() +is running, since q->rate is read twice. + +It turns out netem_change() always lacked proper synchronization. + +[1] +divide error: 0000 [#1] SMP KASAN +CPU: 1 PID: 7867 Comm: syz-executor.1 Not tainted 6.1.30-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 +RIP: 0010:div64_u64 include/linux/math64.h:69 [inline] +RIP: 0010:packet_time_ns net/sched/sch_netem.c:357 [inline] +RIP: 0010:netem_enqueue+0x2067/0x36d0 net/sched/sch_netem.c:576 +Code: 89 e2 48 69 da 00 ca 9a 3b 42 80 3c 28 00 4c 8b a4 24 88 00 00 00 74 0d 4c 89 e7 e8 c3 4f 3b fd 48 8b 4c 24 18 48 89 d8 31 d2 <49> f7 34 24 49 01 c7 4c 8b 64 24 48 4d 01 f7 4c 89 e3 48 c1 eb 03 +RSP: 0018:ffffc9000dccea60 EFLAGS: 00010246 +RAX: 000001a442624200 RBX: 000001a442624200 RCX: ffff888108a4f000 +RDX: 0000000000000000 RSI: 000000000000070d RDI: 000000000000070d +RBP: ffffc9000dcceb90 R08: ffffffff849c5e26 R09: fffffbfff10e1297 +R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888108a4f358 +R13: dffffc0000000000 R14: 0000001a8cd9a7ec R15: 0000000000000000 +FS: 00007fa73fe18700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fa73fdf7718 CR3: 000000011d36e000 CR4: 0000000000350ee0 +Call Trace: + +[] __dev_xmit_skb net/core/dev.c:3931 [inline] +[] __dev_queue_xmit+0xcf5/0x3370 net/core/dev.c:4290 +[] dev_queue_xmit include/linux/netdevice.h:3030 [inline] +[] neigh_hh_output include/net/neighbour.h:531 [inline] +[] neigh_output include/net/neighbour.h:545 [inline] +[] ip_finish_output2+0xb92/0x10d0 net/ipv4/ip_output.c:235 +[] __ip_finish_output+0xc3/0x2b0 +[] ip_finish_output+0x31/0x2a0 net/ipv4/ip_output.c:323 +[] NF_HOOK_COND include/linux/netfilter.h:298 [inline] +[] ip_output+0x224/0x2a0 net/ipv4/ip_output.c:437 +[] dst_output include/net/dst.h:444 [inline] +[] ip_local_out net/ipv4/ip_output.c:127 [inline] +[] __ip_queue_xmit+0x1425/0x2000 net/ipv4/ip_output.c:542 +[] ip_queue_xmit+0x4c/0x70 net/ipv4/ip_output.c:556 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Stephen Hemminger +Cc: Jamal Hadi Salim +Cc: Cong Wang +Cc: Jiri Pirko +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230620184425.1179809-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_netem.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index fb00ac40ecb72..aa9842158df0a 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -966,6 +966,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, + if (ret < 0) + return ret; + ++ sch_tree_lock(sch); + /* backup q->clg and q->loss_model */ + old_clg = q->clg; + old_loss_model = q->loss_model; +@@ -974,7 +975,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, + ret = get_loss_clg(q, tb[TCA_NETEM_LOSS]); + if (ret) { + q->loss_model = old_loss_model; +- return ret; ++ goto unlock; + } + } else { + q->loss_model = CLG_RANDOM; +@@ -1041,6 +1042,8 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, + /* capping jitter to the range acceptable by tabledist() */ + q->jitter = min_t(s64, abs(q->jitter), INT_MAX); + ++unlock: ++ sch_tree_unlock(sch); + return ret; + + get_table_failure: +@@ -1050,7 +1053,8 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, + */ + q->clg = old_clg; + q->loss_model = old_loss_model; +- return ret; ++ ++ goto unlock; + } + + static int netem_init(struct Qdisc *sch, struct nlattr *opt, +-- +2.39.2 + diff --git a/queue-6.1/scsi-target-iscsi-prevent-login-threads-from-racing-.patch b/queue-6.1/scsi-target-iscsi-prevent-login-threads-from-racing-.patch new file mode 100644 index 00000000000..1a56c017c87 --- /dev/null +++ b/queue-6.1/scsi-target-iscsi-prevent-login-threads-from-racing-.patch @@ -0,0 +1,71 @@ +From 798c7cc74b16e258fe1aca856d0fe635b3da66ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 18:22:19 +0200 +Subject: scsi: target: iscsi: Prevent login threads from racing between each + other + +From: Maurizio Lombardi + +[ Upstream commit 2a737d3b8c792400118d6cf94958f559de9c5e59 ] + +The tpg->np_login_sem is a semaphore that is used to serialize the login +process when multiple login threads run concurrently against the same +target portal group. + +The iscsi_target_locate_portal() function finds the tpg, calls +iscsit_access_np() against the np_login_sem semaphore and saves the tpg +pointer in conn->tpg; + +If iscsi_target_locate_portal() fails, the caller will check for the +conn->tpg pointer and, if it's not NULL, then it will assume that +iscsi_target_locate_portal() called iscsit_access_np() on the semaphore. + +Make sure that conn->tpg gets initialized only if iscsit_access_np() was +successful, otherwise iscsit_deaccess_np() may end up being called against +a semaphore we never took, allowing more than one thread to access the same +tpg. + +Signed-off-by: Maurizio Lombardi +Link: https://lore.kernel.org/r/20230508162219.1731964-4-mlombard@redhat.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_nego.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c +index ff49c8f3fe241..62b2d0dcfda86 100644 +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -1128,6 +1128,7 @@ int iscsi_target_locate_portal( + iscsi_target_set_sock_callbacks(conn); + + login->np = np; ++ conn->tpg = NULL; + + login_req = (struct iscsi_login_req *) login->req; + payload_length = ntoh24(login_req->dlength); +@@ -1195,7 +1196,6 @@ int iscsi_target_locate_portal( + */ + sessiontype = strncmp(s_buf, DISCOVERY, 9); + if (!sessiontype) { +- conn->tpg = iscsit_global->discovery_tpg; + if (!login->leading_connection) + goto get_target; + +@@ -1212,9 +1212,11 @@ int iscsi_target_locate_portal( + * Serialize access across the discovery struct iscsi_portal_group to + * process login attempt. + */ ++ conn->tpg = iscsit_global->discovery_tpg; + if (iscsit_access_np(np, conn->tpg) < 0) { + iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, + ISCSI_LOGIN_STATUS_SVC_UNAVAILABLE); ++ conn->tpg = NULL; + ret = -1; + goto out; + } +-- +2.39.2 + diff --git a/queue-6.1/selftests-forwarding-fix-race-condition-in-mirror-in.patch b/queue-6.1/selftests-forwarding-fix-race-condition-in-mirror-in.patch new file mode 100644 index 00000000000..98b1fd7b56d --- /dev/null +++ b/queue-6.1/selftests-forwarding-fix-race-condition-in-mirror-in.patch @@ -0,0 +1,79 @@ +From bf523da75cc581d958ebbfbfdaf53951947cab91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 14:45:15 +0200 +Subject: selftests: forwarding: Fix race condition in mirror installation + +From: Danielle Ratson + +[ Upstream commit c7c059fba6fb19c3bc924925c984772e733cb594 ] + +When mirroring to a gretap in hardware the device expects to be +programmed with the egress port and all the encapsulating headers. This +requires the driver to resolve the path the packet will take in the +software data path and program the device accordingly. + +If the path cannot be resolved (in this case because of an unresolved +neighbor), then mirror installation fails until the path is resolved. +This results in a race that causes the test to sometimes fail. + +Fix this by setting the neighbor's state to permanent in a couple of +tests, so that it is always valid. + +Fixes: 35c31d5c323f ("selftests: forwarding: Test mirror-to-gretap w/ UL 802.1d") +Fixes: 239e754af854 ("selftests: forwarding: Test mirror-to-gretap w/ UL 802.1q") +Signed-off-by: Danielle Ratson +Reviewed-by: Petr Machata +Signed-off-by: Petr Machata +Link: https://lore.kernel.org/r/268816ac729cb6028c7a34d4dda6f4ec7af55333.1687264607.git.petrm@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh | 4 ++++ + .../testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh b/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh +index c5095da7f6bf8..aec752a22e9ec 100755 +--- a/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh ++++ b/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh +@@ -93,12 +93,16 @@ cleanup() + + test_gretap() + { ++ ip neigh replace 192.0.2.130 lladdr $(mac_get $h3) \ ++ nud permanent dev br2 + full_test_span_gre_dir gt4 ingress 8 0 "mirror to gretap" + full_test_span_gre_dir gt4 egress 0 8 "mirror to gretap" + } + + test_ip6gretap() + { ++ ip neigh replace 2001:db8:2::2 lladdr $(mac_get $h3) \ ++ nud permanent dev br2 + full_test_span_gre_dir gt6 ingress 8 0 "mirror to ip6gretap" + full_test_span_gre_dir gt6 egress 0 8 "mirror to ip6gretap" + } +diff --git a/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh b/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh +index 9ff22f28032dd..0cf4c47a46f9b 100755 +--- a/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh ++++ b/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh +@@ -90,12 +90,16 @@ cleanup() + + test_gretap() + { ++ ip neigh replace 192.0.2.130 lladdr $(mac_get $h3) \ ++ nud permanent dev br1 + full_test_span_gre_dir gt4 ingress 8 0 "mirror to gretap" + full_test_span_gre_dir gt4 egress 0 8 "mirror to gretap" + } + + test_ip6gretap() + { ++ ip neigh replace 2001:db8:2::2 lladdr $(mac_get $h3) \ ++ nud permanent dev br1 + full_test_span_gre_dir gt6 ingress 8 0 "mirror to ip6gretap" + full_test_span_gre_dir gt6 egress 0 8 "mirror to ip6gretap" + } +-- +2.39.2 + diff --git a/queue-6.1/selftests-net-fcnal-test-check-if-fips-mode-is-enabl.patch b/queue-6.1/selftests-net-fcnal-test-check-if-fips-mode-is-enabl.patch new file mode 100644 index 00000000000..b8b3c7052c5 --- /dev/null +++ b/queue-6.1/selftests-net-fcnal-test-check-if-fips-mode-is-enabl.patch @@ -0,0 +1,92 @@ +From c5bca96fcc43846e2fb486fdc031b364df02382c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 09:32:22 -0300 +Subject: selftests: net: fcnal-test: check if FIPS mode is enabled + +From: Magali Lemes + +[ Upstream commit d7a2fc1437f71cb058c7b11bc33dfc19e4bf277a ] + +There are some MD5 tests which fail when the kernel is in FIPS mode, +since MD5 is not FIPS compliant. Add a check and only run those tests +if FIPS mode is not enabled. + +Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests") +Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF") +Reviewed-by: David Ahern +Signed-off-by: Magali Lemes +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh +index 21ca91473c095..ee6880ac3e5ed 100755 +--- a/tools/testing/selftests/net/fcnal-test.sh ++++ b/tools/testing/selftests/net/fcnal-test.sh +@@ -92,6 +92,13 @@ NSC_CMD="ip netns exec ${NSC}" + + which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping) + ++# Check if FIPS mode is enabled ++if [ -f /proc/sys/crypto/fips_enabled ]; then ++ fips_enabled=`cat /proc/sys/crypto/fips_enabled` ++else ++ fips_enabled=0 ++fi ++ + ################################################################################ + # utilities + +@@ -1216,7 +1223,7 @@ ipv4_tcp_novrf() + run_cmd nettest -d ${NSA_DEV} -r ${a} + log_test_addr ${a} $? 1 "No server, device client, local conn" + +- ipv4_tcp_md5_novrf ++ [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf + } + + ipv4_tcp_vrf() +@@ -1270,9 +1277,11 @@ ipv4_tcp_vrf() + log_test_addr ${a} $? 1 "Global server, local connection" + + # run MD5 tests +- setup_vrf_dup +- ipv4_tcp_md5 +- cleanup_vrf_dup ++ if [ "$fips_enabled" = "0" ]; then ++ setup_vrf_dup ++ ipv4_tcp_md5 ++ cleanup_vrf_dup ++ fi + + # + # enable VRF global server +@@ -2772,7 +2781,7 @@ ipv6_tcp_novrf() + log_test_addr ${a} $? 1 "No server, device client, local conn" + done + +- ipv6_tcp_md5_novrf ++ [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf + } + + ipv6_tcp_vrf() +@@ -2842,9 +2851,11 @@ ipv6_tcp_vrf() + log_test_addr ${a} $? 1 "Global server, local connection" + + # run MD5 tests +- setup_vrf_dup +- ipv6_tcp_md5 +- cleanup_vrf_dup ++ if [ "$fips_enabled" = "0" ]; then ++ setup_vrf_dup ++ ipv6_tcp_md5 ++ cleanup_vrf_dup ++ fi + + # + # enable VRF global server +-- +2.39.2 + diff --git a/queue-6.1/selftests-net-tls-check-if-fips-mode-is-enabled.patch b/queue-6.1/selftests-net-tls-check-if-fips-mode-is-enabled.patch new file mode 100644 index 00000000000..3619e88c48b --- /dev/null +++ b/queue-6.1/selftests-net-tls-check-if-fips-mode-is-enabled.patch @@ -0,0 +1,105 @@ +From d6cce43a2372bb1aa5a8af265576f09816dd88d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 09:32:20 -0300 +Subject: selftests: net: tls: check if FIPS mode is enabled + +From: Magali Lemes + +[ Upstream commit d113c395c67b62fc0d3f2004c0afc406aca0a2b7 ] + +TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not +FIPS compliant. When fips=1, this set of tests fails. Add a check and only +run these tests if not in FIPS mode. + +Fixes: 4f336e88a870 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests") +Fixes: e506342a03c7 ("selftests/tls: add SM4 GCM/CCM to tls selftests") +Reviewed-by: Jakub Kicinski +Signed-off-by: Magali Lemes +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/tls.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c +index 2cbb12736596d..c0ad8385441f2 100644 +--- a/tools/testing/selftests/net/tls.c ++++ b/tools/testing/selftests/net/tls.c +@@ -25,6 +25,8 @@ + #define TLS_PAYLOAD_MAX_LEN 16384 + #define SOL_TLS 282 + ++static int fips_enabled; ++ + struct tls_crypto_info_keys { + union { + struct tls12_crypto_info_aes_gcm_128 aes128; +@@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls) + { + uint16_t tls_version; + uint16_t cipher_type; +- bool nopad; ++ bool nopad, fips_non_compliant; + }; + + FIXTURE_VARIANT_ADD(tls, 12_aes_gcm) +@@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha) + { + .tls_version = TLS_1_2_VERSION, + .cipher_type = TLS_CIPHER_CHACHA20_POLY1305, ++ .fips_non_compliant = true, + }; + + FIXTURE_VARIANT_ADD(tls, 13_chacha) + { + .tls_version = TLS_1_3_VERSION, + .cipher_type = TLS_CIPHER_CHACHA20_POLY1305, ++ .fips_non_compliant = true, + }; + + FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm) + { + .tls_version = TLS_1_3_VERSION, + .cipher_type = TLS_CIPHER_SM4_GCM, ++ .fips_non_compliant = true, + }; + + FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm) + { + .tls_version = TLS_1_3_VERSION, + .cipher_type = TLS_CIPHER_SM4_CCM, ++ .fips_non_compliant = true, + }; + + FIXTURE_VARIANT_ADD(tls, 12_aes_ccm) +@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls) + int one = 1; + int ret; + ++ if (fips_enabled && variant->fips_non_compliant) ++ SKIP(return, "Unsupported cipher in FIPS mode"); ++ + tls_crypto_info_init(variant->tls_version, variant->cipher_type, + &tls12); + +@@ -1820,4 +1829,17 @@ TEST(tls_v6ops) { + close(sfd); + } + ++static void __attribute__((constructor)) fips_check(void) { ++ int res; ++ FILE *f; ++ ++ f = fopen("/proc/sys/crypto/fips_enabled", "r"); ++ if (f) { ++ res = fscanf(f, "%d", &fips_enabled); ++ if (res != 1) ++ ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n"); ++ fclose(f); ++ } ++} ++ + TEST_HARNESS_MAIN +-- +2.39.2 + diff --git a/queue-6.1/selftests-net-vrf-xfrm-tests-change-authentication-a.patch b/queue-6.1/selftests-net-vrf-xfrm-tests-change-authentication-a.patch new file mode 100644 index 00000000000..e9a9287f95f --- /dev/null +++ b/queue-6.1/selftests-net-vrf-xfrm-tests-change-authentication-a.patch @@ -0,0 +1,109 @@ +From 2dcf4b67d4f3e0b8738491cf3ab69df88d09c310 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 09:32:21 -0300 +Subject: selftests: net: vrf-xfrm-tests: change authentication and encryption + algos + +From: Magali Lemes + +[ Upstream commit cb43c60e64ca67fcc9d23bd08f51d2ab8209d9d7 ] + +The vrf-xfrm-tests tests use the hmac(md5) and cbc(des3_ede) +algorithms for performing authentication and encryption, respectively. +This causes the tests to fail when fips=1 is set, since these algorithms +are not allowed in FIPS mode. Therefore, switch from hmac(md5) and +cbc(des3_ede) to hmac(sha1) and cbc(aes), which are FIPS compliant. + +Fixes: 3f251d741150 ("selftests: Add tests for vrf and xfrms") +Reviewed-by: David Ahern +Signed-off-by: Magali Lemes +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++---------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/tools/testing/selftests/net/vrf-xfrm-tests.sh b/tools/testing/selftests/net/vrf-xfrm-tests.sh +index 184da81f554ff..452638ae8aed8 100755 +--- a/tools/testing/selftests/net/vrf-xfrm-tests.sh ++++ b/tools/testing/selftests/net/vrf-xfrm-tests.sh +@@ -264,60 +264,60 @@ setup_xfrm() + ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \ + proto esp spi ${SPI_1} reqid 0 mode tunnel \ + replay-window 4 replay-oseq 0x4 \ +- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ +- enc 'cbc(des3_ede)' ${ENC_1} \ ++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ ++ enc 'cbc(aes)' ${ENC_1} \ + sel src ${h1_4} dst ${h2_4} ${devarg} + + ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \ + proto esp spi ${SPI_1} reqid 0 mode tunnel \ + replay-window 4 replay-oseq 0x4 \ +- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ +- enc 'cbc(des3_ede)' ${ENC_1} \ ++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ ++ enc 'cbc(aes)' ${ENC_1} \ + sel src ${h1_4} dst ${h2_4} + + + ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \ + proto esp spi ${SPI_2} reqid 0 mode tunnel \ + replay-window 4 replay-oseq 0x4 \ +- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ +- enc 'cbc(des3_ede)' ${ENC_2} \ ++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ ++ enc 'cbc(aes)' ${ENC_2} \ + sel src ${h2_4} dst ${h1_4} ${devarg} + + ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \ + proto esp spi ${SPI_2} reqid 0 mode tunnel \ + replay-window 4 replay-oseq 0x4 \ +- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ +- enc 'cbc(des3_ede)' ${ENC_2} \ ++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ ++ enc 'cbc(aes)' ${ENC_2} \ + sel src ${h2_4} dst ${h1_4} + + + ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \ + proto esp spi ${SPI_1} reqid 0 mode tunnel \ + replay-window 4 replay-oseq 0x4 \ +- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ +- enc 'cbc(des3_ede)' ${ENC_1} \ ++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ ++ enc 'cbc(aes)' ${ENC_1} \ + sel src ${h1_6} dst ${h2_6} ${devarg} + + ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \ + proto esp spi ${SPI_1} reqid 0 mode tunnel \ + replay-window 4 replay-oseq 0x4 \ +- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ +- enc 'cbc(des3_ede)' ${ENC_1} \ ++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ ++ enc 'cbc(aes)' ${ENC_1} \ + sel src ${h1_6} dst ${h2_6} + + + ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \ + proto esp spi ${SPI_2} reqid 0 mode tunnel \ + replay-window 4 replay-oseq 0x4 \ +- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ +- enc 'cbc(des3_ede)' ${ENC_2} \ ++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ ++ enc 'cbc(aes)' ${ENC_2} \ + sel src ${h2_6} dst ${h1_6} ${devarg} + + ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \ + proto esp spi ${SPI_2} reqid 0 mode tunnel \ + replay-window 4 replay-oseq 0x4 \ +- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ +- enc 'cbc(des3_ede)' ${ENC_2} \ ++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ ++ enc 'cbc(aes)' ${ENC_2} \ + sel src ${h2_6} dst ${h1_6} + } + +-- +2.39.2 + diff --git a/queue-6.1/series b/queue-6.1/series index aee963c545d..9b26e42c9de 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -76,3 +76,91 @@ arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch +memfd-check-for-non-null-file_seals-in-memfd_create-.patch +mmc-meson-gx-fix-deferred-probing.patch +ieee802154-hwsim-fix-possible-memory-leaks.patch +xfrm-treat-already-verified-secpath-entries-as-optio.patch +xfrm-interface-rename-xfrm_interface.c-to-xfrm_inter.patch +xfrm-ensure-policies-always-checked-on-xfrm-i-input-.patch +kvm-arm64-pmu-restore-the-host-s-pmuserenr_el0.patch +bpf-track-immediate-values-written-to-stack-by-bpf_s.patch +bpf-fix-verifier-id-tracking-of-scalars-on-spill.patch +xfrm-fix-inbound-ipv4-udp-esp-packets-to-udpv6-duals.patch +bpf-fix-a-bpf_jit_dump-issue-for-x86_64-with-sysctl-.patch +selftests-net-tls-check-if-fips-mode-is-enabled.patch +selftests-net-vrf-xfrm-tests-change-authentication-a.patch +selftests-net-fcnal-test-check-if-fips-mode-is-enabl.patch +xfrm-linearize-the-skb-after-offloading-if-needed.patch +net-mlx5-dr-fix-wrong-action-data-allocation-in-deca.patch +sfc-use-budget-for-tx-completions.patch +net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch +mmc-mtk-sd-fix-deferred-probing.patch +mmc-mvsdio-fix-deferred-probing.patch +mmc-omap-fix-deferred-probing.patch +mmc-omap_hsmmc-fix-deferred-probing.patch +mmc-owl-fix-deferred-probing.patch +mmc-sdhci-acpi-fix-deferred-probing.patch +mmc-sh_mmcif-fix-deferred-probing.patch +mmc-usdhi60rol0-fix-deferred-probing.patch +ipvs-align-inner_mac_header-for-encapsulation.patch +net-dsa-mt7530-fix-trapping-frames-on-non-mt7621-soc.patch +net-dsa-mt7530-fix-handling-of-bpdus-on-mt7530-switc.patch +net-dsa-mt7530-fix-handling-of-lldp-frames.patch +be2net-extend-xmit-workaround-to-be3-chip.patch +netfilter-nf_tables-fix-chain-binding-transaction-lo.patch +netfilter-nf_tables-add-nft_trans_prepare_error-to-d.patch +netfilter-nf_tables-drop-map-element-references-from.patch +netfilter-nft_set_pipapo-.walk-does-not-deal-with-ge.patch +netfilter-nf_tables-disallow-element-updates-of-boun.patch +netfilter-nf_tables-reject-unbound-anonymous-set-bef.patch +netfilter-nf_tables-reject-unbound-chain-set-before-.patch +netfilter-nf_tables-disallow-updates-of-anonymous-se.patch +netfilter-nfnetlink_osf-fix-module-autoload.patch +revert-net-phy-dp83867-perform-soft-reset-and-retain.patch +bpf-btf-accept-function-names-that-contain-dots.patch +bpf-force-kprobe-multi-expected_attach_type-for-kpro.patch +io_uring-net-use-the-correct-msghdr-union-member-in-.patch +selftests-forwarding-fix-race-condition-in-mirror-in.patch +platform-x86-amd-pmf-register-notify-handler-only-if.patch +sch_netem-acquire-qdisc-lock-in-netem_change.patch +revert-net-align-so_rcvmark-required-privileges-with.patch +arm64-dts-rockchip-enable-gpu-on-soquartz-cm4.patch +arm64-dts-rockchip-fix-nextrst-on-soquartz.patch +gpiolib-fix-gpio-chip-irq-initialization-restriction.patch +gpio-sifive-add-missing-check-for-platform_get_irq.patch +gpiolib-fix-irq_domain-resource-tracking-for-gpiochi.patch +scsi-target-iscsi-prevent-login-threads-from-racing-.patch +hid-wacom-add-error-check-to-wacom_parse_and_registe.patch +arm64-add-missing-set-way-cmo-encodings.patch +smb3-missing-null-check-in-smb2_change_notify.patch +media-cec-core-disable-adapter-in-cec_devnode_unregi.patch +media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch +nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch +btrfs-fix-an-uninitialized-variable-warning-in-btrfs.patch +usb-gadget-udc-fix-null-dereference-in-remove.patch +nvme-double-ka-polling-frequency-to-avoid-kato-with-.patch +nvme-check-io-start-time-when-deciding-to-defer-ka.patch +nvme-improve-handling-of-long-keep-alives.patch +input-soc_button_array-add-invalid-acpi_index-dmi-qu.patch +arm64-dts-qcom-sc7280-idp-drop-incorrect-dai-cells-f.patch +arm64-dts-qcom-sc7280-qcard-drop-incorrect-dai-cells.patch +s390-cio-unregister-device-when-the-only-path-is-gon.patch +spi-lpspi-disable-lpspi-module-irq-in-dma-mode.patch +asoc-codecs-wcd938x-sdw-do-not-set-can_multi_write-f.patch +asoc-simple-card-add-missing-of_node_put-in-case-of-.patch +soundwire-dmi-quirks-add-new-mapping-for-hp-spectre-.patch +soundwire-qcom-add-proper-error-paths-in-qcom_swrm_s.patch +asoc-nau8824-add-quirk-to-active-high-jack-detect.patch +asoc-amd-yc-add-thinkpad-neo14-to-quirks-list-for-ac.patch +gfs2-don-t-get-stuck-writing-page-onto-itself-under-.patch +s390-purgatory-disable-branch-profiling.patch +asoc-fsl_sai-enable-bci-bit-if-sai-works-on-synchron.patch +alsa-hda-realtek-add-intel-reference-board-and-nuc-1.patch +i2c-mchp-pci1xxxx-avoid-cast-to-incompatible-functio.patch +arm-dts-fix-erroneous-ads-touchscreen-polarities.patch +null_blk-fix-memory-release-when-memory_backed-1.patch +drm-exynos-vidi-fix-a-wrong-error-return.patch +drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch +drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch +vhost_vdpa-tell-vqs-about-the-negotiated.patch +vhost_net-revert-upend_idx-only-on-retriable-error.patch diff --git a/queue-6.1/sfc-use-budget-for-tx-completions.patch b/queue-6.1/sfc-use-budget-for-tx-completions.patch new file mode 100644 index 00000000000..b63b7acf654 --- /dev/null +++ b/queue-6.1/sfc-use-budget-for-tx-completions.patch @@ -0,0 +1,261 @@ +From da3af96c2b9e6226e48fabc91bf040a7f04ebc5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 10:49:29 +0200 +Subject: sfc: use budget for TX completions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit 4aaf2c52834b7f95acdf9fb0211a1b60adbf421b ] + +When running workloads heavy unbalanced towards TX (high TX, low RX +traffic), sfc driver can retain the CPU during too long times. Although +in many cases this is not enough to be visible, it can affect +performance and system responsiveness. + +A way to reproduce it is to use a debug kernel and run some parallel +netperf TX tests. In some systems, this will lead to this message being +logged: + kernel:watchdog: BUG: soft lockup - CPU#12 stuck for 22s! + +The reason is that sfc driver doesn't account any NAPI budget for the TX +completion events work. With high-TX/low-RX traffic, this makes that the +CPU is held for long time for NAPI poll. + +Documentations says "drivers can process completions for any number of Tx +packets but should only process up to budget number of Rx packets". +However, many drivers do limit the amount of TX completions that they +process in a single NAPI poll. + +In the same way, this patch adds a limit for the TX work in sfc. With +the patch applied, the watchdog warning never appears. + +Tested with netperf in different combinations: single process / parallel +processes, TCP / UDP and different sizes of UDP messages. Repeated the +tests before and after the patch, without any noticeable difference in +network or CPU performance. + +Test hardware: +Intel(R) Xeon(R) CPU E5-1620 v4 @ 3.50GHz (4 cores, 2 threads/core) +Solarflare Communications XtremeScale X2522-25G Network Adapter + +Fixes: 5227ecccea2d ("sfc: remove tx and MCDI handling from NAPI budget consideration") +Fixes: d19a53721863 ("sfc_ef100: TX path for EF100 NICs") +Reported-by: Fei Liu +Signed-off-by: Íñigo Huguet +Acked-by: Martin Habets +Link: https://lore.kernel.org/r/20230615084929.10506-1-ihuguet@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10.c | 25 ++++++++++++++++++------- + drivers/net/ethernet/sfc/ef100_nic.c | 7 ++++++- + drivers/net/ethernet/sfc/ef100_tx.c | 4 ++-- + drivers/net/ethernet/sfc/ef100_tx.h | 2 +- + drivers/net/ethernet/sfc/tx_common.c | 4 +++- + drivers/net/ethernet/sfc/tx_common.h | 2 +- + 6 files changed, 31 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index d30459dbfe8f8..b63e47af63655 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -2950,7 +2950,7 @@ static u32 efx_ef10_extract_event_ts(efx_qword_t *event) + return tstamp; + } + +-static void ++static int + efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event) + { + struct efx_nic *efx = channel->efx; +@@ -2958,13 +2958,14 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event) + unsigned int tx_ev_desc_ptr; + unsigned int tx_ev_q_label; + unsigned int tx_ev_type; ++ int work_done; + u64 ts_part; + + if (unlikely(READ_ONCE(efx->reset_pending))) +- return; ++ return 0; + + if (unlikely(EFX_QWORD_FIELD(*event, ESF_DZ_TX_DROP_EVENT))) +- return; ++ return 0; + + /* Get the transmit queue */ + tx_ev_q_label = EFX_QWORD_FIELD(*event, ESF_DZ_TX_QLABEL); +@@ -2973,8 +2974,7 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event) + if (!tx_queue->timestamping) { + /* Transmit completion */ + tx_ev_desc_ptr = EFX_QWORD_FIELD(*event, ESF_DZ_TX_DESCR_INDX); +- efx_xmit_done(tx_queue, tx_ev_desc_ptr & tx_queue->ptr_mask); +- return; ++ return efx_xmit_done(tx_queue, tx_ev_desc_ptr & tx_queue->ptr_mask); + } + + /* Transmit timestamps are only available for 8XXX series. They result +@@ -3000,6 +3000,7 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event) + * fields in the event. + */ + tx_ev_type = EFX_QWORD_FIELD(*event, ESF_EZ_TX_SOFT1); ++ work_done = 0; + + switch (tx_ev_type) { + case TX_TIMESTAMP_EVENT_TX_EV_COMPLETION: +@@ -3016,6 +3017,7 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event) + tx_queue->completed_timestamp_major = ts_part; + + efx_xmit_done_single(tx_queue); ++ work_done = 1; + break; + + default: +@@ -3026,6 +3028,8 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event) + EFX_QWORD_VAL(*event)); + break; + } ++ ++ return work_done; + } + + static void +@@ -3081,13 +3085,16 @@ static void efx_ef10_handle_driver_generated_event(struct efx_channel *channel, + } + } + ++#define EFX_NAPI_MAX_TX 512 ++ + static int efx_ef10_ev_process(struct efx_channel *channel, int quota) + { + struct efx_nic *efx = channel->efx; + efx_qword_t event, *p_event; + unsigned int read_ptr; +- int ev_code; ++ int spent_tx = 0; + int spent = 0; ++ int ev_code; + + if (quota <= 0) + return spent; +@@ -3126,7 +3133,11 @@ static int efx_ef10_ev_process(struct efx_channel *channel, int quota) + } + break; + case ESE_DZ_EV_CODE_TX_EV: +- efx_ef10_handle_tx_event(channel, &event); ++ spent_tx += efx_ef10_handle_tx_event(channel, &event); ++ if (spent_tx >= EFX_NAPI_MAX_TX) { ++ spent = quota; ++ goto out; ++ } + break; + case ESE_DZ_EV_CODE_DRIVER_EV: + efx_ef10_handle_driver_event(channel, &event); +diff --git a/drivers/net/ethernet/sfc/ef100_nic.c b/drivers/net/ethernet/sfc/ef100_nic.c +index ad686c671ab89..fa1f7039a8e28 100644 +--- a/drivers/net/ethernet/sfc/ef100_nic.c ++++ b/drivers/net/ethernet/sfc/ef100_nic.c +@@ -242,6 +242,8 @@ static void ef100_ev_read_ack(struct efx_channel *channel) + efx_reg(channel->efx, ER_GZ_EVQ_INT_PRIME)); + } + ++#define EFX_NAPI_MAX_TX 512 ++ + static int ef100_ev_process(struct efx_channel *channel, int quota) + { + struct efx_nic *efx = channel->efx; +@@ -249,6 +251,7 @@ static int ef100_ev_process(struct efx_channel *channel, int quota) + bool evq_phase, old_evq_phase; + unsigned int read_ptr; + efx_qword_t *p_event; ++ int spent_tx = 0; + int spent = 0; + bool ev_phase; + int ev_type; +@@ -284,7 +287,9 @@ static int ef100_ev_process(struct efx_channel *channel, int quota) + efx_mcdi_process_event(channel, p_event); + break; + case ESE_GZ_EF100_EV_TX_COMPLETION: +- ef100_ev_tx(channel, p_event); ++ spent_tx += ef100_ev_tx(channel, p_event); ++ if (spent_tx >= EFX_NAPI_MAX_TX) ++ spent = quota; + break; + case ESE_GZ_EF100_EV_DRIVER: + netif_info(efx, drv, efx->net_dev, +diff --git a/drivers/net/ethernet/sfc/ef100_tx.c b/drivers/net/ethernet/sfc/ef100_tx.c +index 29ffaf35559d6..849e5555bd128 100644 +--- a/drivers/net/ethernet/sfc/ef100_tx.c ++++ b/drivers/net/ethernet/sfc/ef100_tx.c +@@ -346,7 +346,7 @@ void ef100_tx_write(struct efx_tx_queue *tx_queue) + ef100_tx_push_buffers(tx_queue); + } + +-void ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event) ++int ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event) + { + unsigned int tx_done = + EFX_QWORD_FIELD(*p_event, ESF_GZ_EV_TXCMPL_NUM_DESC); +@@ -357,7 +357,7 @@ void ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event) + unsigned int tx_index = (tx_queue->read_count + tx_done - 1) & + tx_queue->ptr_mask; + +- efx_xmit_done(tx_queue, tx_index); ++ return efx_xmit_done(tx_queue, tx_index); + } + + /* Add a socket buffer to a TX queue +diff --git a/drivers/net/ethernet/sfc/ef100_tx.h b/drivers/net/ethernet/sfc/ef100_tx.h +index e9e11540fcdea..d9a0819c5a72c 100644 +--- a/drivers/net/ethernet/sfc/ef100_tx.h ++++ b/drivers/net/ethernet/sfc/ef100_tx.h +@@ -20,7 +20,7 @@ void ef100_tx_init(struct efx_tx_queue *tx_queue); + void ef100_tx_write(struct efx_tx_queue *tx_queue); + unsigned int ef100_tx_max_skb_descs(struct efx_nic *efx); + +-void ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event); ++int ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event); + + netdev_tx_t ef100_enqueue_skb(struct efx_tx_queue *tx_queue, struct sk_buff *skb); + int __ef100_enqueue_skb(struct efx_tx_queue *tx_queue, struct sk_buff *skb, +diff --git a/drivers/net/ethernet/sfc/tx_common.c b/drivers/net/ethernet/sfc/tx_common.c +index 67e789b96c437..755aa92bf8236 100644 +--- a/drivers/net/ethernet/sfc/tx_common.c ++++ b/drivers/net/ethernet/sfc/tx_common.c +@@ -249,7 +249,7 @@ void efx_xmit_done_check_empty(struct efx_tx_queue *tx_queue) + } + } + +-void efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index) ++int efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index) + { + unsigned int fill_level, pkts_compl = 0, bytes_compl = 0; + unsigned int efv_pkts_compl = 0; +@@ -279,6 +279,8 @@ void efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index) + } + + efx_xmit_done_check_empty(tx_queue); ++ ++ return pkts_compl + efv_pkts_compl; + } + + /* Remove buffers put into a tx_queue for the current packet. +diff --git a/drivers/net/ethernet/sfc/tx_common.h b/drivers/net/ethernet/sfc/tx_common.h +index d87aecbc7bf1a..1e9f42938aac9 100644 +--- a/drivers/net/ethernet/sfc/tx_common.h ++++ b/drivers/net/ethernet/sfc/tx_common.h +@@ -28,7 +28,7 @@ static inline bool efx_tx_buffer_in_use(struct efx_tx_buffer *buffer) + } + + void efx_xmit_done_check_empty(struct efx_tx_queue *tx_queue); +-void efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index); ++int efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index); + + void efx_enqueue_unwind(struct efx_tx_queue *tx_queue, + unsigned int insert_count); +-- +2.39.2 + diff --git a/queue-6.1/smb3-missing-null-check-in-smb2_change_notify.patch b/queue-6.1/smb3-missing-null-check-in-smb2_change_notify.patch new file mode 100644 index 00000000000..7455d8403ef --- /dev/null +++ b/queue-6.1/smb3-missing-null-check-in-smb2_change_notify.patch @@ -0,0 +1,39 @@ +From 569191fc527799b235c4e36b825b8238f42d4412 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 18:53:28 -0500 +Subject: smb3: missing null check in SMB2_change_notify + +From: Steve French + +[ Upstream commit b535cc796a4b4942cd189652588e8d37c1f5925a ] + +If plen is null when passed in, we only checked for null +in one of the two places where it could be used. Although +plen is always valid (not null) for current callers of the +SMB2_change_notify function, this change makes it more consistent. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/all/202305251831.3V1gbbFs-lkp@intel.com/ +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 537e8679900b8..3ca593cdda76e 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -3779,7 +3779,7 @@ SMB2_change_notify(const unsigned int xid, struct cifs_tcon *tcon, + if (*out_data == NULL) { + rc = -ENOMEM; + goto cnotify_exit; +- } else ++ } else if (plen) + *plen = le32_to_cpu(smb_rsp->OutputBufferLength); + } + +-- +2.39.2 + diff --git a/queue-6.1/soundwire-dmi-quirks-add-new-mapping-for-hp-spectre-.patch b/queue-6.1/soundwire-dmi-quirks-add-new-mapping-for-hp-spectre-.patch new file mode 100644 index 00000000000..b89df8b5fc7 --- /dev/null +++ b/queue-6.1/soundwire-dmi-quirks-add-new-mapping-for-hp-spectre-.patch @@ -0,0 +1,44 @@ +From 5ea885bf8334e13db682744d1cca917e6a8cfc0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 15:48:59 +0800 +Subject: soundwire: dmi-quirks: add new mapping for HP Spectre x360 + +From: Pierre-Louis Bossart + +[ Upstream commit 700581ede41d029403feec935df4616309696fd7 ] + +A BIOS/DMI update seems to have broken some devices, let's add a new +mapping. + +Link: https://github.com/thesofproject/linux/issues/4323 +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Rander Wang +Signed-off-by: Bard Liao +Link: https://lore.kernel.org/r/20230515074859.3097-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/dmi-quirks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/soundwire/dmi-quirks.c b/drivers/soundwire/dmi-quirks.c +index 58ea013fa918a..2a1096dab63d3 100644 +--- a/drivers/soundwire/dmi-quirks.c ++++ b/drivers/soundwire/dmi-quirks.c +@@ -99,6 +99,13 @@ static const struct dmi_system_id adr_remap_quirk_table[] = { + }, + .driver_data = (void *)intel_tgl_bios, + }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "HP"), ++ DMI_MATCH(DMI_BOARD_NAME, "8709"), ++ }, ++ .driver_data = (void *)intel_tgl_bios, ++ }, + { + /* quirk used for NUC15 'Bishop County' LAPBC510 and LAPBC710 skews */ + .matches = { +-- +2.39.2 + diff --git a/queue-6.1/soundwire-qcom-add-proper-error-paths-in-qcom_swrm_s.patch b/queue-6.1/soundwire-qcom-add-proper-error-paths-in-qcom_swrm_s.patch new file mode 100644 index 00000000000..3c086c64c6f --- /dev/null +++ b/queue-6.1/soundwire-qcom-add-proper-error-paths-in-qcom_swrm_s.patch @@ -0,0 +1,63 @@ +From 98a4197d82a12bf32e1f6362bd96f4bb578c47d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 18:37:36 +0200 +Subject: soundwire: qcom: add proper error paths in qcom_swrm_startup() + +From: Krzysztof Kozlowski + +[ Upstream commit 99e09b9c0ab43346c52f2787ca4e5c4b1798362e ] + +Reverse actions in qcom_swrm_startup() error paths to avoid leaking +stream memory and keeping runtime PM unbalanced. + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230517163736.997553-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/qcom.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c +index 21c50972047f5..b2eb3090f4b46 100644 +--- a/drivers/soundwire/qcom.c ++++ b/drivers/soundwire/qcom.c +@@ -1090,8 +1090,10 @@ static int qcom_swrm_startup(struct snd_pcm_substream *substream, + } + + sruntime = sdw_alloc_stream(dai->name); +- if (!sruntime) +- return -ENOMEM; ++ if (!sruntime) { ++ ret = -ENOMEM; ++ goto err_alloc; ++ } + + ctrl->sruntime[dai->id] = sruntime; + +@@ -1101,12 +1103,19 @@ static int qcom_swrm_startup(struct snd_pcm_substream *substream, + if (ret < 0 && ret != -ENOTSUPP) { + dev_err(dai->dev, "Failed to set sdw stream on %s\n", + codec_dai->name); +- sdw_release_stream(sruntime); +- return ret; ++ goto err_set_stream; + } + } + + return 0; ++ ++err_set_stream: ++ sdw_release_stream(sruntime); ++err_alloc: ++ pm_runtime_mark_last_busy(ctrl->dev); ++ pm_runtime_put_autosuspend(ctrl->dev); ++ ++ return ret; + } + + static void qcom_swrm_shutdown(struct snd_pcm_substream *substream, +-- +2.39.2 + diff --git a/queue-6.1/spi-lpspi-disable-lpspi-module-irq-in-dma-mode.patch b/queue-6.1/spi-lpspi-disable-lpspi-module-irq-in-dma-mode.patch new file mode 100644 index 00000000000..3b562e46836 --- /dev/null +++ b/queue-6.1/spi-lpspi-disable-lpspi-module-irq-in-dma-mode.patch @@ -0,0 +1,45 @@ +From 0458e8f0dcd6ac34a50ea0164176dee586759b10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 14:35:57 +0800 +Subject: spi: lpspi: disable lpspi module irq in DMA mode + +From: Clark Wang + +[ Upstream commit 9728fb3ce11729aa8c276825ddf504edeb00611d ] + +When all bits of IER are set to 0, we still can observe the lpspi irq events +when using DMA mode to transfer data. + +So disable irq to avoid the too much irq events. + +Signed-off-by: Clark Wang +Link: https://lore.kernel.org/r/20230505063557.3962220-1-xiaoning.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsl-lpspi.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c +index e8c1c8a4c6c82..9e324d72596af 100644 +--- a/drivers/spi/spi-fsl-lpspi.c ++++ b/drivers/spi/spi-fsl-lpspi.c +@@ -905,9 +905,14 @@ static int fsl_lpspi_probe(struct platform_device *pdev) + ret = fsl_lpspi_dma_init(&pdev->dev, fsl_lpspi, controller); + if (ret == -EPROBE_DEFER) + goto out_pm_get; +- + if (ret < 0) + dev_err(&pdev->dev, "dma setup error %d, use pio\n", ret); ++ else ++ /* ++ * disable LPSPI module IRQ when enable DMA mode successfully, ++ * to prevent the unexpected LPSPI module IRQ events. ++ */ ++ disable_irq(irq); + + ret = devm_spi_register_controller(&pdev->dev, controller); + if (ret < 0) { +-- +2.39.2 + diff --git a/queue-6.1/usb-gadget-udc-fix-null-dereference-in-remove.patch b/queue-6.1/usb-gadget-udc-fix-null-dereference-in-remove.patch new file mode 100644 index 00000000000..0559643e98a --- /dev/null +++ b/queue-6.1/usb-gadget-udc-fix-null-dereference-in-remove.patch @@ -0,0 +1,39 @@ +From 267af5583b62d6f6e08317b68e64aa798450a8ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 18:38:37 +0300 +Subject: usb: gadget: udc: fix NULL dereference in remove() + +From: Dan Carpenter + +[ Upstream commit 016da9c65fec9f0e78c4909ed9a0f2d567af6775 ] + +The "udc" pointer was never set in the probe() function so it will +lead to a NULL dereference in udc_pci_remove() when we do: + + usb_del_gadget_udc(&udc->gadget); + +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/ZG+A/dNpFWAlCChk@kili +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/amd5536udc_pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/gadget/udc/amd5536udc_pci.c b/drivers/usb/gadget/udc/amd5536udc_pci.c +index c80f9bd51b750..a36913ae31f9e 100644 +--- a/drivers/usb/gadget/udc/amd5536udc_pci.c ++++ b/drivers/usb/gadget/udc/amd5536udc_pci.c +@@ -170,6 +170,9 @@ static int udc_pci_probe( + retval = -ENODEV; + goto err_probe; + } ++ ++ udc = dev; ++ + return 0; + + err_probe: +-- +2.39.2 + diff --git a/queue-6.1/vhost_net-revert-upend_idx-only-on-retriable-error.patch b/queue-6.1/vhost_net-revert-upend_idx-only-on-retriable-error.patch new file mode 100644 index 00000000000..d5d09a580cd --- /dev/null +++ b/queue-6.1/vhost_net-revert-upend_idx-only-on-retriable-error.patch @@ -0,0 +1,60 @@ +From e6aacda8106357dbdc51994c50a679534ace6585 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 23:44:11 +0300 +Subject: vhost_net: revert upend_idx only on retriable error + +From: Andrey Smetanin + +[ Upstream commit 1f5d2e3bab16369d5d4b4020a25db4ab1f4f082c ] + +Fix possible virtqueue used buffers leak and corresponding stuck +in case of temporary -EIO from sendmsg() which is produced by +tun driver while backend device is not up. + +In case of no-retriable error and zcopy do not revert upend_idx +to pass packet data (that is update used_idx in corresponding +vhost_zerocopy_signal_used()) as if packet data has been +transferred successfully. + +v2: set vq->heads[ubuf->desc].len equal to VHOST_DMA_DONE_LEN +in case of fake successful transmit. + +Signed-off-by: Andrey Smetanin +Message-Id: <20230424204411.24888-1-asmetanin@yandex-team.ru> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Andrey Smetanin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vhost/net.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index 4c538b30fd76d..4418192ab8aaa 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -934,13 +934,18 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) + + err = sock->ops->sendmsg(sock, &msg, len); + if (unlikely(err < 0)) { ++ bool retry = err == -EAGAIN || err == -ENOMEM || err == -ENOBUFS; ++ + if (zcopy_used) { + if (vq->heads[ubuf->desc].len == VHOST_DMA_IN_PROGRESS) + vhost_net_ubuf_put(ubufs); +- nvq->upend_idx = ((unsigned)nvq->upend_idx - 1) +- % UIO_MAXIOV; ++ if (retry) ++ nvq->upend_idx = ((unsigned)nvq->upend_idx - 1) ++ % UIO_MAXIOV; ++ else ++ vq->heads[ubuf->desc].len = VHOST_DMA_DONE_LEN; + } +- if (err == -EAGAIN || err == -ENOMEM || err == -ENOBUFS) { ++ if (retry) { + vhost_discard_vq_desc(vq, 1); + vhost_net_enable_vq(net, vq); + break; +-- +2.39.2 + diff --git a/queue-6.1/vhost_vdpa-tell-vqs-about-the-negotiated.patch b/queue-6.1/vhost_vdpa-tell-vqs-about-the-negotiated.patch new file mode 100644 index 00000000000..e8806f4c07a --- /dev/null +++ b/queue-6.1/vhost_vdpa-tell-vqs-about-the-negotiated.patch @@ -0,0 +1,58 @@ +From 8f98c064799fb529e06323d37a24675d92920d16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 15:50:29 -0700 +Subject: vhost_vdpa: tell vqs about the negotiated + +From: Shannon Nelson + +[ Upstream commit 376daf317753ccb6b1ecbdece66018f7f6313a7f ] + +As is done in the net, iscsi, and vsock vhost support, let the vdpa vqs +know about the features that have been negotiated. This allows vhost +to more safely make decisions based on the features, such as when using +PACKED vs split queues. + +Signed-off-by: Shannon Nelson +Acked-by: Jason Wang +Message-Id: <20230424225031.18947-2-shannon.nelson@amd.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/vdpa.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c +index d591f77961aa8..31a156669a531 100644 +--- a/drivers/vhost/vdpa.c ++++ b/drivers/vhost/vdpa.c +@@ -377,7 +377,10 @@ static long vhost_vdpa_set_features(struct vhost_vdpa *v, u64 __user *featurep) + { + struct vdpa_device *vdpa = v->vdpa; + const struct vdpa_config_ops *ops = vdpa->config; ++ struct vhost_dev *d = &v->vdev; ++ u64 actual_features; + u64 features; ++ int i; + + /* + * It's not allowed to change the features after they have +@@ -392,6 +395,16 @@ static long vhost_vdpa_set_features(struct vhost_vdpa *v, u64 __user *featurep) + if (vdpa_set_features(vdpa, features)) + return -EINVAL; + ++ /* let the vqs know what has been configured */ ++ actual_features = ops->get_driver_features(vdpa); ++ for (i = 0; i < d->nvqs; ++i) { ++ struct vhost_virtqueue *vq = d->vqs[i]; ++ ++ mutex_lock(&vq->mutex); ++ vq->acked_features = actual_features; ++ mutex_unlock(&vq->mutex); ++ } ++ + return 0; + } + +-- +2.39.2 + diff --git a/queue-6.1/xfrm-ensure-policies-always-checked-on-xfrm-i-input-.patch b/queue-6.1/xfrm-ensure-policies-always-checked-on-xfrm-i-input-.patch new file mode 100644 index 00000000000..e970dee6135 --- /dev/null +++ b/queue-6.1/xfrm-ensure-policies-always-checked-on-xfrm-i-input-.patch @@ -0,0 +1,111 @@ +From dda4c3d94e4e00ae819515cca6db6d8cbc57639c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 01:30:22 +0000 +Subject: xfrm: Ensure policies always checked on XFRM-I input path + +From: Benedict Wong + +[ Upstream commit a287f5b0cfc6804c5b12a4be13c7c9fe27869e90 ] + +This change adds methods in the XFRM-I input path that ensures that +policies are checked prior to processing of the subsequent decapsulated +packet, after which the relevant policies may no longer be resolvable +(due to changing src/dst/proto/etc). + +Notably, raw ESP/AH packets did not perform policy checks inherently, +whereas all other encapsulated packets (UDP, TCP encapsulated) do policy +checks after calling xfrm_input handling in the respective encapsulation +layer. + +Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels") +Test: Verified with additional Android Kernel Unit tests +Test: Verified against Android CTS +Signed-off-by: Benedict Wong +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_interface_core.c | 54 +++++++++++++++++++++++++++++++--- + 1 file changed, 50 insertions(+), 4 deletions(-) + +diff --git a/net/xfrm/xfrm_interface_core.c b/net/xfrm/xfrm_interface_core.c +index 5a67b120c4dbd..94a3609548b11 100644 +--- a/net/xfrm/xfrm_interface_core.c ++++ b/net/xfrm/xfrm_interface_core.c +@@ -310,6 +310,52 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet) + skb->mark = 0; + } + ++static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi, ++ int encap_type, unsigned short family) ++{ ++ struct sec_path *sp; ++ ++ sp = skb_sec_path(skb); ++ if (sp && (sp->len || sp->olen) && ++ !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family)) ++ goto discard; ++ ++ XFRM_SPI_SKB_CB(skb)->family = family; ++ if (family == AF_INET) { ++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); ++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; ++ } else { ++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr); ++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL; ++ } ++ ++ return xfrm_input(skb, nexthdr, spi, encap_type); ++discard: ++ kfree_skb(skb); ++ return 0; ++} ++ ++static int xfrmi4_rcv(struct sk_buff *skb) ++{ ++ return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET); ++} ++ ++static int xfrmi6_rcv(struct sk_buff *skb) ++{ ++ return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff], ++ 0, 0, AF_INET6); ++} ++ ++static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) ++{ ++ return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET); ++} ++ ++static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) ++{ ++ return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6); ++} ++ + static int xfrmi_rcv_cb(struct sk_buff *skb, int err) + { + const struct xfrm_mode *inner_mode; +@@ -937,8 +983,8 @@ static struct pernet_operations xfrmi_net_ops = { + }; + + static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = { +- .handler = xfrm6_rcv, +- .input_handler = xfrm_input, ++ .handler = xfrmi6_rcv, ++ .input_handler = xfrmi6_input, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi6_err, + .priority = 10, +@@ -988,8 +1034,8 @@ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = { + #endif + + static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = { +- .handler = xfrm4_rcv, +- .input_handler = xfrm_input, ++ .handler = xfrmi4_rcv, ++ .input_handler = xfrmi4_input, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi4_err, + .priority = 10, +-- +2.39.2 + diff --git a/queue-6.1/xfrm-fix-inbound-ipv4-udp-esp-packets-to-udpv6-duals.patch b/queue-6.1/xfrm-fix-inbound-ipv4-udp-esp-packets-to-udpv6-duals.patch new file mode 100644 index 00000000000..64c40d22c36 --- /dev/null +++ b/queue-6.1/xfrm-fix-inbound-ipv4-udp-esp-packets-to-udpv6-duals.patch @@ -0,0 +1,63 @@ +From b47bfd16d9a722a91b0fd8ecbe013dec5334eba9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 04:06:54 -0700 +Subject: xfrm: fix inbound ipv4/udp/esp packets to UDPv6 dualstack sockets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Å»enczykowski + +[ Upstream commit 1166a530a84758bb9e6b448fc8c195ed413f5ded ] + +Before Linux v5.8 an AF_INET6 SOCK_DGRAM (udp/udplite) socket +with SOL_UDP, UDP_ENCAP, UDP_ENCAP_ESPINUDP{,_NON_IKE} enabled +would just unconditionally use xfrm4_udp_encap_rcv(), afterwards +such a socket would use the newly added xfrm6_udp_encap_rcv() +which only handles IPv6 packets. + +Cc: Sabrina Dubroca +Cc: Steffen Klassert +Cc: Jakub Kicinski +Cc: Benedict Wong +Cc: Yan Yan +Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP") +Signed-off-by: Maciej Å»enczykowski +Reviewed-by: Simon Horman +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/xfrm4_input.c | 1 + + net/ipv6/xfrm6_input.c | 3 +++ + 2 files changed, 4 insertions(+) + +diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c +index ad2afeef4f106..eac206a290d05 100644 +--- a/net/ipv4/xfrm4_input.c ++++ b/net/ipv4/xfrm4_input.c +@@ -164,6 +164,7 @@ int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb) + kfree_skb(skb); + return 0; + } ++EXPORT_SYMBOL(xfrm4_udp_encap_rcv); + + int xfrm4_rcv(struct sk_buff *skb) + { +diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c +index 04cbeefd89828..4907ab241d6be 100644 +--- a/net/ipv6/xfrm6_input.c ++++ b/net/ipv6/xfrm6_input.c +@@ -86,6 +86,9 @@ int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb) + __be32 *udpdata32; + __u16 encap_type = up->encap_type; + ++ if (skb->protocol == htons(ETH_P_IP)) ++ return xfrm4_udp_encap_rcv(sk, skb); ++ + /* if this is not encapsulated socket, then just return now */ + if (!encap_type) + return 1; +-- +2.39.2 + diff --git a/queue-6.1/xfrm-interface-rename-xfrm_interface.c-to-xfrm_inter.patch b/queue-6.1/xfrm-interface-rename-xfrm_interface.c-to-xfrm_inter.patch new file mode 100644 index 00000000000..4f60cebe604 --- /dev/null +++ b/queue-6.1/xfrm-interface-rename-xfrm_interface.c-to-xfrm_inter.patch @@ -0,0 +1,42 @@ +From b4d5843bfbb583939365ed0d072be27e4a70df9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 10:46:56 +0200 +Subject: xfrm: interface: rename xfrm_interface.c to xfrm_interface_core.c + +From: Eyal Birger + +[ Upstream commit ee9a113ab63468137802898bcd2c598998c96938 ] + +This change allows adding additional files to the xfrm_interface module. + +Signed-off-by: Eyal Birger +Link: https://lore.kernel.org/r/20221203084659.1837829-2-eyal.birger@gmail.com +Signed-off-by: Martin KaFai Lau +Stable-dep-of: a287f5b0cfc6 ("xfrm: Ensure policies always checked on XFRM-I input path") +Signed-off-by: Sasha Levin +--- + net/xfrm/Makefile | 2 ++ + net/xfrm/{xfrm_interface.c => xfrm_interface_core.c} | 0 + 2 files changed, 2 insertions(+) + rename net/xfrm/{xfrm_interface.c => xfrm_interface_core.c} (100%) + +diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile +index 494aa744bfb9a..08a2870fdd36f 100644 +--- a/net/xfrm/Makefile ++++ b/net/xfrm/Makefile +@@ -3,6 +3,8 @@ + # Makefile for the XFRM subsystem. + # + ++xfrm_interface-$(CONFIG_XFRM_INTERFACE) += xfrm_interface_core.o ++ + obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ + xfrm_input.o xfrm_output.o \ + xfrm_sysctl.o xfrm_replay.o xfrm_device.o +diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface_core.c +similarity index 100% +rename from net/xfrm/xfrm_interface.c +rename to net/xfrm/xfrm_interface_core.c +-- +2.39.2 + diff --git a/queue-6.1/xfrm-linearize-the-skb-after-offloading-if-needed.patch b/queue-6.1/xfrm-linearize-the-skb-after-offloading-if-needed.patch new file mode 100644 index 00000000000..13738f6535a --- /dev/null +++ b/queue-6.1/xfrm-linearize-the-skb-after-offloading-if-needed.patch @@ -0,0 +1,64 @@ +From de376bbad050646bcaf890bb474dd205cc15f907 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 12:02:02 +0200 +Subject: xfrm: Linearize the skb after offloading if needed. + +From: Sebastian Andrzej Siewior + +[ Upstream commit f015b900bc3285322029b4a7d132d6aeb0e51857 ] + +With offloading enabled, esp_xmit() gets invoked very late, from within +validate_xmit_xfrm() which is after validate_xmit_skb() validates and +linearizes the skb if the underlying device does not support fragments. + +esp_output_tail() may add a fragment to the skb while adding the auth +tag/ IV. Devices without the proper support will then send skb->data +points to with the correct length so the packet will have garbage at the +end. A pcap sniffer will claim that the proper data has been sent since +it parses the skb properly. + +It is not affected with INET_ESP_OFFLOAD disabled. + +Linearize the skb after offloading if the sending hardware requires it. +It was tested on v4, v6 has been adopted. + +Fixes: 7785bba299a8d ("esp: Add a software GRO codepath") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4_offload.c | 3 +++ + net/ipv6/esp6_offload.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c +index 3969fa805679c..ee848be59e65a 100644 +--- a/net/ipv4/esp4_offload.c ++++ b/net/ipv4/esp4_offload.c +@@ -340,6 +340,9 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ + + secpath_reset(skb); + ++ if (skb_needs_linearize(skb, skb->dev->features) && ++ __skb_linearize(skb)) ++ return -ENOMEM; + return 0; + } + +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c +index 242f4295940e6..fc6a5be732634 100644 +--- a/net/ipv6/esp6_offload.c ++++ b/net/ipv6/esp6_offload.c +@@ -375,6 +375,9 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features + + secpath_reset(skb); + ++ if (skb_needs_linearize(skb, skb->dev->features) && ++ __skb_linearize(skb)) ++ return -ENOMEM; + return 0; + } + +-- +2.39.2 + diff --git a/queue-6.1/xfrm-treat-already-verified-secpath-entries-as-optio.patch b/queue-6.1/xfrm-treat-already-verified-secpath-entries-as-optio.patch new file mode 100644 index 00000000000..4db8f030c92 --- /dev/null +++ b/queue-6.1/xfrm-treat-already-verified-secpath-entries-as-optio.patch @@ -0,0 +1,100 @@ +From 180993a1b59ae155c635c557529de110a2bf45a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 01:30:21 +0000 +Subject: xfrm: Treat already-verified secpath entries as optional + +From: Benedict Wong + +[ Upstream commit 1f8b6df6a997a430b0c48b504638154b520781ad ] + +This change allows inbound traffic through nested IPsec tunnels to +successfully match policies and templates, while retaining the secpath +stack trace as necessary for netfilter policies. + +Specifically, this patch marks secpath entries that have already matched +against a relevant policy as having been verified, allowing it to be +treated as optional and skipped after a tunnel decapsulation (during +which the src/dst/proto/etc may have changed, and the correct policy +chain no long be resolvable). + +This approach is taken as opposed to the iteration in b0355dbbf13c, +where the secpath was cleared, since that breaks subsequent validations +that rely on the existence of the secpath entries (netfilter policies, or +transport-in-tunnel mode, where policies remain resolvable). + +Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels") +Test: Tested against Android Kernel Unit Tests +Test: Tested against Android CTS +Signed-off-by: Benedict Wong +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 1 + + net/xfrm/xfrm_input.c | 1 + + net/xfrm/xfrm_policy.c | 12 ++++++++++++ + 3 files changed, 14 insertions(+) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index dbc81f5eb5538..9ec6f2e92ad3a 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1039,6 +1039,7 @@ struct xfrm_offload { + struct sec_path { + int len; + int olen; ++ int verified_cnt; + + struct xfrm_state *xvec[XFRM_MAX_DEPTH]; + struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH]; +diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c +index 2defd89da700d..ac1a645afa8df 100644 +--- a/net/xfrm/xfrm_input.c ++++ b/net/xfrm/xfrm_input.c +@@ -131,6 +131,7 @@ struct sec_path *secpath_set(struct sk_buff *skb) + memset(sp->ovec, 0, sizeof(sp->ovec)); + sp->olen = 0; + sp->len = 0; ++ sp->verified_cnt = 0; + + return sp; + } +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index e894c269affb1..7b1b93584bdbe 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3274,6 +3274,13 @@ xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int star + if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id)) + return ++idx; + if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) { ++ if (idx < sp->verified_cnt) { ++ /* Secpath entry previously verified, consider optional and ++ * continue searching ++ */ ++ continue; ++ } ++ + if (start == -1) + start = -2-idx; + break; +@@ -3648,6 +3655,9 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + * Order is _important_. Later we will implement + * some barriers, but at the moment barriers + * are implied between each two transformations. ++ * Upon success, marks secpath entries as having been ++ * verified to allow them to be skipped in future policy ++ * checks (e.g. nested tunnels). + */ + for (i = xfrm_nr-1, k = 0; i >= 0; i--) { + k = xfrm_policy_ok(tpp[i], sp, k, family, if_id); +@@ -3666,6 +3676,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + } + + xfrm_pols_put(pols, npols); ++ sp->verified_cnt = k; ++ + return 1; + } + XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK); +-- +2.39.2 +