From: Sasha Levin Date: Sun, 13 Nov 2022 22:41:31 +0000 (-0500) Subject: Fixes for 6.0 X-Git-Tag: v5.10.155~51^2~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dda1c7bb81d8966847b49551315c92d529a7efdf;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.0 Signed-off-by: Sasha Levin --- diff --git a/queue-6.0/alsa-arm-pxa-pxa2xx-ac97-lib-fix-return-value-check-.patch b/queue-6.0/alsa-arm-pxa-pxa2xx-ac97-lib-fix-return-value-check-.patch new file mode 100644 index 00000000000..a5e74ac311a --- /dev/null +++ b/queue-6.0/alsa-arm-pxa-pxa2xx-ac97-lib-fix-return-value-check-.patch @@ -0,0 +1,42 @@ +From cd3e4495ba9ecb8cd0eabd5b41674a896deae6df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Oct 2022 16:20:01 +0800 +Subject: ALSA: arm: pxa: pxa2xx-ac97-lib: fix return value check of + platform_get_irq() + +From: Yang Yingliang + +[ Upstream commit 46cf1954de3f324dc7f9472c12c3bd03b268a11b ] + +platform_get_irq() returns negative error number on failure, fix the +return value check in pxa2xx_ac97_hw_probe() and assign the error code +to 'ret'. + +Fixes: 2548e6c76ebf ("ARM: pxa: pxa2xx-ac97-lib: use IRQ resource") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221029082001.3207380-1-yangyingliang@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/arm/pxa2xx-ac97-lib.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/arm/pxa2xx-ac97-lib.c b/sound/arm/pxa2xx-ac97-lib.c +index e55c0421718b..2ca33fd5a575 100644 +--- a/sound/arm/pxa2xx-ac97-lib.c ++++ b/sound/arm/pxa2xx-ac97-lib.c +@@ -402,8 +402,10 @@ int pxa2xx_ac97_hw_probe(struct platform_device *dev) + goto err_clk2; + + irq = platform_get_irq(dev, 0); +- if (!irq) ++ if (irq < 0) { ++ ret = irq; + goto err_irq; ++ } + + ret = request_irq(irq, pxa2xx_ac97_irq, 0, "AC97", NULL); + if (ret < 0) +-- +2.35.1 + diff --git a/queue-6.0/alsa-memalloc-don-t-fall-back-for-sg-buffer-with-iom.patch b/queue-6.0/alsa-memalloc-don-t-fall-back-for-sg-buffer-with-iom.patch new file mode 100644 index 00000000000..7080e720aa7 --- /dev/null +++ b/queue-6.0/alsa-memalloc-don-t-fall-back-for-sg-buffer-with-iom.patch @@ -0,0 +1,96 @@ +From 7173d70fe1e5d18b388590c0c73c4f5b89611f80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 14:22:16 +0100 +Subject: ALSA: memalloc: Don't fall back for SG-buffer with IOMMU + +From: Takashi Iwai + +[ Upstream commit 9736a325137b62499d2b4be3fc2d742b131f75da ] + +When the non-contiguous page allocation for SG buffer allocation +fails, the memalloc helper tries to fall back to the old page +allocation methods. This would, however, result in the bogus page +addresses when IOMMU is enabled. Usually in such a case, the fallback +allocation should fail as well, but occasionally it succeeds and +hitting a bad access. + +The fallback was thought for non-IOMMU case, and as the error from +dma_alloc_noncontiguous() with IOMMU essentially implies a fatal +memory allocation error, we should return the error straightforwardly +without fallback. This avoids the corner case like the above. + +The patch also renames the local variable "dma_ops" with snd_ prefix +for avoiding the name conflict. + +Fixes: a8d302a0b770 ("ALSA: memalloc: Revive x86-specific WC page allocations again") +Reported-by: Kai Vehmanen +Reviewed-by: Kai Vehmanen +Link: https://lore.kernel.org/r/alpine.DEB.2.22.394.2211041541090.3532114@eliteleevi.tm.intel.com +Link: https://lore.kernel.org/r/20221110132216.30605-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/memalloc.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/sound/core/memalloc.c b/sound/core/memalloc.c +index cfcd8eff4139..2a773ed2b32a 100644 +--- a/sound/core/memalloc.c ++++ b/sound/core/memalloc.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -526,19 +527,20 @@ static void *snd_dma_noncontig_alloc(struct snd_dma_buffer *dmab, size_t size) + struct sg_table *sgt; + void *p; + +- sgt = dma_alloc_noncontiguous(dmab->dev.dev, size, dmab->dev.dir, +- DEFAULT_GFP, 0); +- if (!sgt) { + #ifdef CONFIG_SND_DMA_SGBUF ++ if (!get_dma_ops(dmab->dev.dev)) { + if (dmab->dev.type == SNDRV_DMA_TYPE_DEV_WC_SG) + dmab->dev.type = SNDRV_DMA_TYPE_DEV_WC_SG_FALLBACK; + else + dmab->dev.type = SNDRV_DMA_TYPE_DEV_SG_FALLBACK; + return snd_dma_sg_fallback_alloc(dmab, size); +-#else +- return NULL; +-#endif + } ++#endif ++ ++ sgt = dma_alloc_noncontiguous(dmab->dev.dev, size, dmab->dev.dir, ++ DEFAULT_GFP, 0); ++ if (!sgt) ++ return NULL; + + dmab->dev.need_sync = dma_need_sync(dmab->dev.dev, + sg_dma_address(sgt->sgl)); +@@ -874,7 +876,7 @@ static const struct snd_malloc_ops snd_dma_noncoherent_ops = { + /* + * Entry points + */ +-static const struct snd_malloc_ops *dma_ops[] = { ++static const struct snd_malloc_ops *snd_dma_ops[] = { + [SNDRV_DMA_TYPE_CONTINUOUS] = &snd_dma_continuous_ops, + [SNDRV_DMA_TYPE_VMALLOC] = &snd_dma_vmalloc_ops, + #ifdef CONFIG_HAS_DMA +@@ -900,7 +902,7 @@ static const struct snd_malloc_ops *snd_dma_get_ops(struct snd_dma_buffer *dmab) + if (WARN_ON_ONCE(!dmab)) + return NULL; + if (WARN_ON_ONCE(dmab->dev.type <= SNDRV_DMA_TYPE_UNKNOWN || +- dmab->dev.type >= ARRAY_SIZE(dma_ops))) ++ dmab->dev.type >= ARRAY_SIZE(snd_dma_ops))) + return NULL; +- return dma_ops[dmab->dev.type]; ++ return snd_dma_ops[dmab->dev.type]; + } +-- +2.35.1 + diff --git a/queue-6.0/bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch b/queue-6.0/bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch new file mode 100644 index 00000000000..a7a4ffaca0c --- /dev/null +++ b/queue-6.0/bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch @@ -0,0 +1,81 @@ +From 429d6f8948ca03c764504ddb044217d11000ecd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 19:33:26 -0400 +Subject: bnxt_en: Fix possible crash in bnxt_hwrm_set_coal() + +From: Michael Chan + +[ Upstream commit 6d81ea3765dfa6c8a20822613c81edad1c4a16a0 ] + +During the error recovery sequence, the rtnl_lock is not held for the +entire duration and some datastructures may be freed during the sequence. +Check for the BNXT_STATE_OPEN flag instead of netif_running() to ensure +that the device is fully operational before proceeding to reconfigure +the coalescing settings. + +This will fix a possible crash like this: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP NOPTI +CPU: 10 PID: 181276 Comm: ethtool Kdump: loaded Tainted: G IOE --------- - - 4.18.0-348.el8.x86_64 #1 +Hardware name: Dell Inc. PowerEdge R740/0F9N89, BIOS 2.3.10 08/15/2019 +RIP: 0010:bnxt_hwrm_set_coal+0x1fb/0x2a0 [bnxt_en] +Code: c2 66 83 4e 22 08 66 89 46 1c e8 10 cb 00 00 41 83 c6 01 44 39 b3 68 01 00 00 0f 8e a3 00 00 00 48 8b 93 c8 00 00 00 49 63 c6 <48> 8b 2c c2 48 8b 85 b8 02 00 00 48 85 c0 74 2e 48 8b 74 24 08 f6 +RSP: 0018:ffffb11c8dcaba50 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff8d168a8b0ac0 RCX: 00000000000000c5 +RDX: 0000000000000000 RSI: ffff8d162f72c000 RDI: ffff8d168a8b0b28 +RBP: 0000000000000000 R08: b6e1f68a12e9a7eb R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000037 R12: ffff8d168a8b109c +R13: ffff8d168a8b10aa R14: 0000000000000000 R15: ffffffffc01ac4e0 +FS: 00007f3852e4c740(0000) GS:ffff8d24c0080000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 000000041b3ee003 CR4: 00000000007706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + ethnl_set_coalesce+0x3ce/0x4c0 + genl_family_rcv_msg_doit.isra.15+0x10f/0x150 + genl_family_rcv_msg+0xb3/0x160 + ? coalesce_fill_reply+0x480/0x480 + genl_rcv_msg+0x47/0x90 + ? genl_family_rcv_msg+0x160/0x160 + netlink_rcv_skb+0x4c/0x120 + genl_rcv+0x24/0x40 + netlink_unicast+0x196/0x230 + netlink_sendmsg+0x204/0x3d0 + sock_sendmsg+0x4c/0x50 + __sys_sendto+0xee/0x160 + ? syscall_trace_enter+0x1d3/0x2c0 + ? __audit_syscall_exit+0x249/0x2a0 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x5b/0x1a0 + entry_SYSCALL_64_after_hwframe+0x65/0xca +RIP: 0033:0x7f38524163bb + +Fixes: 2151fe0830fd ("bnxt_en: Handle RESET_NOTIFY async event from firmware.") +Reviewed-by: Somnath Kotur +Signed-off-by: Michael Chan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index 87eb5362ad70..a18225456966 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -162,7 +162,7 @@ static int bnxt_set_coalesce(struct net_device *dev, + } + + reset_coalesce: +- if (netif_running(dev)) { ++ if (test_bit(BNXT_STATE_OPEN, &bp->state)) { + if (update_stats) { + rc = bnxt_close_nic(bp, true, false); + if (!rc) +-- +2.35.1 + diff --git a/queue-6.0/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch b/queue-6.0/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch new file mode 100644 index 00000000000..bedddedb547 --- /dev/null +++ b/queue-6.0/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch @@ -0,0 +1,45 @@ +From cd54e2a1d9b843f54f14e46e1884462207bb0845 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 19:33:27 -0400 +Subject: bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer + +From: Alex Barba + +[ Upstream commit 02597d39145bb0aa81d04bf39b6a913ce9a9d465 ] + +In the bnxt_en driver ndo_rx_flow_steer returns '0' whenever an entry +that we are attempting to steer is already found. This is not the +correct behavior. The return code should be the value/index that +corresponds to the entry. Returning zero all the time causes the +RFS records to be incorrect unless entry '0' is the correct one. As +flows migrate to different cores this can create entries that are not +correct. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Reported-by: Akshay Navgire +Signed-off-by: Alex Barba +Signed-off-by: Andy Gospodarek +Signed-off-by: Michael Chan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 96da0ba3d507..be5df8fca264 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -12894,8 +12894,8 @@ static int bnxt_rx_flow_steer(struct net_device *dev, const struct sk_buff *skb, + rcu_read_lock(); + hlist_for_each_entry_rcu(fltr, head, hash) { + if (bnxt_fltr_match(fltr, new_fltr)) { ++ rc = fltr->sw_id; + rcu_read_unlock(); +- rc = 0; + goto err_free; + } + } +-- +2.35.1 + diff --git a/queue-6.0/bpf-add-helper-macro-bpf_for_each_reg_in_vstate.patch b/queue-6.0/bpf-add-helper-macro-bpf_for_each_reg_in_vstate.patch new file mode 100644 index 00000000000..2c9d9015497 --- /dev/null +++ b/queue-6.0/bpf-add-helper-macro-bpf_for_each_reg_in_vstate.patch @@ -0,0 +1,304 @@ +From 400a5e53ebec9c0e1260ce2ec11db1d085109402 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 22:41:28 +0200 +Subject: bpf: Add helper macro bpf_for_each_reg_in_vstate + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit b239da34203f49c40b5d656220c39647c3ff0b3c ] + +For a lot of use cases in future patches, we will want to modify the +state of registers part of some same 'group' (e.g. same ref_obj_id). It +won't just be limited to releasing reference state, but setting a type +flag dynamically based on certain actions, etc. + +Hence, we need a way to easily pass a callback to the function that +iterates over all registers in current bpf_verifier_state in all frames +upto (and including) the curframe. + +While in C++ we would be able to easily use a lambda to pass state and +the callback together, sadly we aren't using C++ in the kernel. The next +best thing to avoid defining a function for each case seems like +statement expressions in GNU C. The kernel already uses them heavily, +hence they can passed to the macro in the style of a lambda. The +statement expression will then be substituted in the for loop bodies. + +Variables __state and __reg are set to current bpf_func_state and reg +for each invocation of the expression inside the passed in verifier +state. + +Then, convert mark_ptr_or_null_regs, clear_all_pkt_pointers, +release_reference, find_good_pkt_pointers, find_equal_scalars to +use bpf_for_each_reg_in_vstate. + +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20220904204145.3089-16-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Stable-dep-of: f1db20814af5 ("bpf: Fix wrong reg type conversion in release_reference()") +Signed-off-by: Sasha Levin +--- + include/linux/bpf_verifier.h | 21 ++++++ + kernel/bpf/verifier.c | 135 ++++++++--------------------------- + 2 files changed, 49 insertions(+), 107 deletions(-) + +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h +index 1fdddbf3546b..184b957e28ad 100644 +--- a/include/linux/bpf_verifier.h ++++ b/include/linux/bpf_verifier.h +@@ -348,6 +348,27 @@ struct bpf_verifier_state { + iter < frame->allocated_stack / BPF_REG_SIZE; \ + iter++, reg = bpf_get_spilled_reg(iter, frame)) + ++/* Invoke __expr over regsiters in __vst, setting __state and __reg */ ++#define bpf_for_each_reg_in_vstate(__vst, __state, __reg, __expr) \ ++ ({ \ ++ struct bpf_verifier_state *___vstate = __vst; \ ++ int ___i, ___j; \ ++ for (___i = 0; ___i <= ___vstate->curframe; ___i++) { \ ++ struct bpf_reg_state *___regs; \ ++ __state = ___vstate->frame[___i]; \ ++ ___regs = __state->regs; \ ++ for (___j = 0; ___j < MAX_BPF_REG; ___j++) { \ ++ __reg = &___regs[___j]; \ ++ (void)(__expr); \ ++ } \ ++ bpf_for_each_spilled_reg(___j, __state, __reg) { \ ++ if (!__reg) \ ++ continue; \ ++ (void)(__expr); \ ++ } \ ++ } \ ++ }) ++ + /* linked list of verifier states used to prune search */ + struct bpf_verifier_state_list { + struct bpf_verifier_state state; +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 2d7ece2a87fa..7bfeb249214e 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -6500,31 +6500,15 @@ static int check_func_proto(const struct bpf_func_proto *fn, int func_id, + /* Packet data might have moved, any old PTR_TO_PACKET[_META,_END] + * are now invalid, so turn them into unknown SCALAR_VALUE. + */ +-static void __clear_all_pkt_pointers(struct bpf_verifier_env *env, +- struct bpf_func_state *state) ++static void clear_all_pkt_pointers(struct bpf_verifier_env *env) + { +- struct bpf_reg_state *regs = state->regs, *reg; +- int i; +- +- for (i = 0; i < MAX_BPF_REG; i++) +- if (reg_is_pkt_pointer_any(®s[i])) +- mark_reg_unknown(env, regs, i); ++ struct bpf_func_state *state; ++ struct bpf_reg_state *reg; + +- bpf_for_each_spilled_reg(i, state, reg) { +- if (!reg) +- continue; ++ bpf_for_each_reg_in_vstate(env->cur_state, state, reg, ({ + if (reg_is_pkt_pointer_any(reg)) + __mark_reg_unknown(env, reg); +- } +-} +- +-static void clear_all_pkt_pointers(struct bpf_verifier_env *env) +-{ +- struct bpf_verifier_state *vstate = env->cur_state; +- int i; +- +- for (i = 0; i <= vstate->curframe; i++) +- __clear_all_pkt_pointers(env, vstate->frame[i]); ++ })); + } + + enum { +@@ -6553,41 +6537,24 @@ static void mark_pkt_end(struct bpf_verifier_state *vstate, int regn, bool range + reg->range = AT_PKT_END; + } + +-static void release_reg_references(struct bpf_verifier_env *env, +- struct bpf_func_state *state, +- int ref_obj_id) +-{ +- struct bpf_reg_state *regs = state->regs, *reg; +- int i; +- +- for (i = 0; i < MAX_BPF_REG; i++) +- if (regs[i].ref_obj_id == ref_obj_id) +- mark_reg_unknown(env, regs, i); +- +- bpf_for_each_spilled_reg(i, state, reg) { +- if (!reg) +- continue; +- if (reg->ref_obj_id == ref_obj_id) +- __mark_reg_unknown(env, reg); +- } +-} +- + /* The pointer with the specified id has released its reference to kernel + * resources. Identify all copies of the same pointer and clear the reference. + */ + static int release_reference(struct bpf_verifier_env *env, + int ref_obj_id) + { +- struct bpf_verifier_state *vstate = env->cur_state; ++ struct bpf_func_state *state; ++ struct bpf_reg_state *reg; + int err; +- int i; + + err = release_reference_state(cur_func(env), ref_obj_id); + if (err) + return err; + +- for (i = 0; i <= vstate->curframe; i++) +- release_reg_references(env, vstate->frame[i], ref_obj_id); ++ bpf_for_each_reg_in_vstate(env->cur_state, state, reg, ({ ++ if (reg->ref_obj_id == ref_obj_id) ++ __mark_reg_unknown(env, reg); ++ })); + + return 0; + } +@@ -9283,34 +9250,14 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) + return 0; + } + +-static void __find_good_pkt_pointers(struct bpf_func_state *state, +- struct bpf_reg_state *dst_reg, +- enum bpf_reg_type type, int new_range) +-{ +- struct bpf_reg_state *reg; +- int i; +- +- for (i = 0; i < MAX_BPF_REG; i++) { +- reg = &state->regs[i]; +- if (reg->type == type && reg->id == dst_reg->id) +- /* keep the maximum range already checked */ +- reg->range = max(reg->range, new_range); +- } +- +- bpf_for_each_spilled_reg(i, state, reg) { +- if (!reg) +- continue; +- if (reg->type == type && reg->id == dst_reg->id) +- reg->range = max(reg->range, new_range); +- } +-} +- + static void find_good_pkt_pointers(struct bpf_verifier_state *vstate, + struct bpf_reg_state *dst_reg, + enum bpf_reg_type type, + bool range_right_open) + { +- int new_range, i; ++ struct bpf_func_state *state; ++ struct bpf_reg_state *reg; ++ int new_range; + + if (dst_reg->off < 0 || + (dst_reg->off == 0 && range_right_open)) +@@ -9375,9 +9322,11 @@ static void find_good_pkt_pointers(struct bpf_verifier_state *vstate, + * the range won't allow anything. + * dst_reg->off is known < MAX_PACKET_OFF, therefore it fits in a u16. + */ +- for (i = 0; i <= vstate->curframe; i++) +- __find_good_pkt_pointers(vstate->frame[i], dst_reg, type, +- new_range); ++ bpf_for_each_reg_in_vstate(vstate, state, reg, ({ ++ if (reg->type == type && reg->id == dst_reg->id) ++ /* keep the maximum range already checked */ ++ reg->range = max(reg->range, new_range); ++ })); + } + + static int is_branch32_taken(struct bpf_reg_state *reg, u32 val, u8 opcode) +@@ -9866,7 +9815,7 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state, + + if (!reg_may_point_to_spin_lock(reg)) { + /* For not-NULL ptr, reg->ref_obj_id will be reset +- * in release_reg_references(). ++ * in release_reference(). + * + * reg->id is still used by spin_lock ptr. Other + * than spin_lock ptr type, reg->id can be reset. +@@ -9876,22 +9825,6 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state, + } + } + +-static void __mark_ptr_or_null_regs(struct bpf_func_state *state, u32 id, +- bool is_null) +-{ +- struct bpf_reg_state *reg; +- int i; +- +- for (i = 0; i < MAX_BPF_REG; i++) +- mark_ptr_or_null_reg(state, &state->regs[i], id, is_null); +- +- bpf_for_each_spilled_reg(i, state, reg) { +- if (!reg) +- continue; +- mark_ptr_or_null_reg(state, reg, id, is_null); +- } +-} +- + /* The logic is similar to find_good_pkt_pointers(), both could eventually + * be folded together at some point. + */ +@@ -9899,10 +9832,9 @@ static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno, + bool is_null) + { + struct bpf_func_state *state = vstate->frame[vstate->curframe]; +- struct bpf_reg_state *regs = state->regs; ++ struct bpf_reg_state *regs = state->regs, *reg; + u32 ref_obj_id = regs[regno].ref_obj_id; + u32 id = regs[regno].id; +- int i; + + if (ref_obj_id && ref_obj_id == id && is_null) + /* regs[regno] is in the " == NULL" branch. +@@ -9911,8 +9843,9 @@ static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno, + */ + WARN_ON_ONCE(release_reference_state(state, id)); + +- for (i = 0; i <= vstate->curframe; i++) +- __mark_ptr_or_null_regs(vstate->frame[i], id, is_null); ++ bpf_for_each_reg_in_vstate(vstate, state, reg, ({ ++ mark_ptr_or_null_reg(state, reg, id, is_null); ++ })); + } + + static bool try_match_pkt_pointers(const struct bpf_insn *insn, +@@ -10025,23 +9958,11 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate, + { + struct bpf_func_state *state; + struct bpf_reg_state *reg; +- int i, j; + +- for (i = 0; i <= vstate->curframe; i++) { +- state = vstate->frame[i]; +- for (j = 0; j < MAX_BPF_REG; j++) { +- reg = &state->regs[j]; +- if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) +- *reg = *known_reg; +- } +- +- bpf_for_each_spilled_reg(j, state, reg) { +- if (!reg) +- continue; +- if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) +- *reg = *known_reg; +- } +- } ++ bpf_for_each_reg_in_vstate(vstate, state, reg, ({ ++ if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) ++ *reg = *known_reg; ++ })); + } + + static int check_cond_jmp_op(struct bpf_verifier_env *env, +-- +2.35.1 + diff --git a/queue-6.0/bpf-fix-wrong-reg-type-conversion-in-release_referen.patch b/queue-6.0/bpf-fix-wrong-reg-type-conversion-in-release_referen.patch new file mode 100644 index 00000000000..032e1e3d460 --- /dev/null +++ b/queue-6.0/bpf-fix-wrong-reg-type-conversion-in-release_referen.patch @@ -0,0 +1,56 @@ +From ace1c260283cdfb0d73073ede9f1d94f7c14bbde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 17:34:39 +0800 +Subject: bpf: Fix wrong reg type conversion in release_reference() + +From: Youlin Li + +[ Upstream commit f1db20814af532f85e091231223e5e4818e8464b ] + +Some helper functions will allocate memory. To avoid memory leaks, the +verifier requires the eBPF program to release these memories by calling +the corresponding helper functions. + +When a resource is released, all pointer registers corresponding to the +resource should be invalidated. The verifier use release_references() to +do this job, by apply __mark_reg_unknown() to each relevant register. + +It will give these registers the type of SCALAR_VALUE. A register that +will contain a pointer value at runtime, but of type SCALAR_VALUE, which +may allow the unprivileged user to get a kernel pointer by storing this +register into a map. + +Using __mark_reg_not_init() while NOT allow_ptr_leaks can mitigate this +problem. + +Fixes: fd978bf7fd31 ("bpf: Add reference tracking to verifier") +Signed-off-by: Youlin Li +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20221103093440.3161-1-liulin063@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 7bfeb249214e..69fb46fdf763 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -6552,8 +6552,12 @@ static int release_reference(struct bpf_verifier_env *env, + return err; + + bpf_for_each_reg_in_vstate(env->cur_state, state, reg, ({ +- if (reg->ref_obj_id == ref_obj_id) +- __mark_reg_unknown(env, reg); ++ if (reg->ref_obj_id == ref_obj_id) { ++ if (!env->allow_ptr_leaks) ++ __mark_reg_not_init(env, reg); ++ else ++ __mark_reg_unknown(env, reg); ++ } + })); + + return 0; +-- +2.35.1 + diff --git a/queue-6.0/bpf-sock_map-move-cancel_work_sync-out-of-sock-lock.patch b/queue-6.0/bpf-sock_map-move-cancel_work_sync-out-of-sock-lock.patch new file mode 100644 index 00000000000..9041a186ae0 --- /dev/null +++ b/queue-6.0/bpf-sock_map-move-cancel_work_sync-out-of-sock-lock.patch @@ -0,0 +1,128 @@ +From 6a2fe81a632ca3ea44f6aa07e69c3eda1ed29903 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 21:34:17 -0700 +Subject: bpf, sock_map: Move cancel_work_sync() out of sock lock + +From: Cong Wang + +[ Upstream commit 8bbabb3fddcd0f858be69ed5abc9b470a239d6f2 ] + +Stanislav reported a lockdep warning, which is caused by the +cancel_work_sync() called inside sock_map_close(), as analyzed +below by Jakub: + +psock->work.func = sk_psock_backlog() + ACQUIRE psock->work_mutex + sk_psock_handle_skb() + skb_send_sock() + __skb_send_sock() + sendpage_unlocked() + kernel_sendpage() + sock->ops->sendpage = inet_sendpage() + sk->sk_prot->sendpage = tcp_sendpage() + ACQUIRE sk->sk_lock + tcp_sendpage_locked() + RELEASE sk->sk_lock + RELEASE psock->work_mutex + +sock_map_close() + ACQUIRE sk->sk_lock + sk_psock_stop() + sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED) + cancel_work_sync() + __cancel_work_timer() + __flush_work() + // wait for psock->work to finish + RELEASE sk->sk_lock + +We can move the cancel_work_sync() out of the sock lock protection, +but still before saved_close() was called. + +Fixes: 799aa7f98d53 ("skmsg: Avoid lock_sock() in sk_psock_backlog()") +Reported-by: Stanislav Fomichev +Signed-off-by: Cong Wang +Signed-off-by: Daniel Borkmann +Tested-by: Jakub Sitnicki +Acked-by: John Fastabend +Acked-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20221102043417.279409-1-xiyou.wangcong@gmail.com +Signed-off-by: Sasha Levin +--- + include/linux/skmsg.h | 2 +- + net/core/skmsg.c | 7 ++----- + net/core/sock_map.c | 7 ++++--- + 3 files changed, 7 insertions(+), 9 deletions(-) + +diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h +index 48f4b645193b..70d6cb94e580 100644 +--- a/include/linux/skmsg.h ++++ b/include/linux/skmsg.h +@@ -376,7 +376,7 @@ static inline void sk_psock_report_error(struct sk_psock *psock, int err) + } + + struct sk_psock *sk_psock_init(struct sock *sk, int node); +-void sk_psock_stop(struct sk_psock *psock, bool wait); ++void sk_psock_stop(struct sk_psock *psock); + + #if IS_ENABLED(CONFIG_BPF_STREAM_PARSER) + int sk_psock_init_strp(struct sock *sk, struct sk_psock *psock); +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 1efdc47a999b..e6b9ced3eda8 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -803,16 +803,13 @@ static void sk_psock_link_destroy(struct sk_psock *psock) + } + } + +-void sk_psock_stop(struct sk_psock *psock, bool wait) ++void sk_psock_stop(struct sk_psock *psock) + { + spin_lock_bh(&psock->ingress_lock); + sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED); + sk_psock_cork_free(psock); + __sk_psock_zap_ingress(psock); + spin_unlock_bh(&psock->ingress_lock); +- +- if (wait) +- cancel_work_sync(&psock->work); + } + + static void sk_psock_done_strp(struct sk_psock *psock); +@@ -850,7 +847,7 @@ void sk_psock_drop(struct sock *sk, struct sk_psock *psock) + sk_psock_stop_verdict(sk, psock); + write_unlock_bh(&sk->sk_callback_lock); + +- sk_psock_stop(psock, false); ++ sk_psock_stop(psock); + + INIT_RCU_WORK(&psock->rwork, sk_psock_destroy); + queue_rcu_work(system_wq, &psock->rwork); +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index 9a9fb9487d63..632df0c52562 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -1596,7 +1596,7 @@ void sock_map_destroy(struct sock *sk) + saved_destroy = psock->saved_destroy; + sock_map_remove_links(sk, psock); + rcu_read_unlock(); +- sk_psock_stop(psock, false); ++ sk_psock_stop(psock); + sk_psock_put(sk, psock); + saved_destroy(sk); + } +@@ -1619,9 +1619,10 @@ void sock_map_close(struct sock *sk, long timeout) + saved_close = psock->saved_close; + sock_map_remove_links(sk, psock); + rcu_read_unlock(); +- sk_psock_stop(psock, true); +- sk_psock_put(sk, psock); ++ sk_psock_stop(psock); + release_sock(sk); ++ cancel_work_sync(&psock->work); ++ sk_psock_put(sk, psock); + saved_close(sk, timeout); + } + EXPORT_SYMBOL_GPL(sock_map_close); +-- +2.35.1 + diff --git a/queue-6.0/bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch b/queue-6.0/bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch new file mode 100644 index 00000000000..dc04b447caa --- /dev/null +++ b/queue-6.0/bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch @@ -0,0 +1,90 @@ +From 2d30412c41d5feb15f3b1c4fb1b9ee9d31462faa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 09:31:36 +0800 +Subject: bpf, sockmap: Fix the sk->sk_forward_alloc warning of + sk_stream_kill_queues + +From: Wang Yufen + +[ Upstream commit 8ec95b94716a1e4d126edc3fb2bc426a717e2dba ] + +When running `test_sockmap` selftests, the following warning appears: + + WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0 + Call Trace: + + inet_csk_destroy_sock+0x55/0x110 + tcp_rcv_state_process+0xd28/0x1380 + ? tcp_v4_do_rcv+0x77/0x2c0 + tcp_v4_do_rcv+0x77/0x2c0 + __release_sock+0x106/0x130 + __tcp_close+0x1a7/0x4e0 + tcp_close+0x20/0x70 + inet_release+0x3c/0x80 + __sock_release+0x3a/0xb0 + sock_close+0x14/0x20 + __fput+0xa3/0x260 + task_work_run+0x59/0xb0 + exit_to_user_mode_prepare+0x1b3/0x1c0 + syscall_exit_to_user_mode+0x19/0x50 + do_syscall_64+0x48/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The root case is in commit 84472b436e76 ("bpf, sockmap: Fix more uncharged +while msg has more_data"), where I used msg->sg.size to replace the tosend, +causing breakage: + + if (msg->apply_bytes && msg->apply_bytes < tosend) + tosend = psock->apply_bytes; + +Fixes: 84472b436e76 ("bpf, sockmap: Fix more uncharged while msg has more_data") +Reported-by: Jakub Sitnicki +Signed-off-by: Wang Yufen +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Acked-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/1667266296-8794-1-git-send-email-wangyufen@huawei.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index c501c329b1db..cf9c3e8f7ccb 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -278,7 +278,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + { + bool cork = false, enospc = sk_msg_full(msg); + struct sock *sk_redir; +- u32 tosend, delta = 0; ++ u32 tosend, origsize, sent, delta = 0; + u32 eval = __SK_NONE; + int ret; + +@@ -333,10 +333,12 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + cork = true; + psock->cork = NULL; + } +- sk_msg_return(sk, msg, msg->sg.size); ++ sk_msg_return(sk, msg, tosend); + release_sock(sk); + ++ origsize = msg->sg.size; + ret = tcp_bpf_sendmsg_redir(sk_redir, msg, tosend, flags); ++ sent = origsize - msg->sg.size; + + if (eval == __SK_REDIRECT) + sock_put(sk_redir); +@@ -375,7 +377,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + msg->sg.data[msg->sg.start].page_link && + msg->sg.data[msg->sg.start].length) { + if (eval == __SK_REDIRECT) +- sk_mem_charge(sk, msg->sg.size); ++ sk_mem_charge(sk, tosend - sent); + goto more_data; + } + } +-- +2.35.1 + diff --git a/queue-6.0/bpf-verifier-fix-memory-leak-in-array-reallocation-f.patch b/queue-6.0/bpf-verifier-fix-memory-leak-in-array-reallocation-f.patch new file mode 100644 index 00000000000..3308d6e887b --- /dev/null +++ b/queue-6.0/bpf-verifier-fix-memory-leak-in-array-reallocation-f.patch @@ -0,0 +1,76 @@ +From 3bf787281c302265407eb8ee253f8d2df8c76ae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 19:54:30 -0700 +Subject: bpf, verifier: Fix memory leak in array reallocation for stack state + +From: Kees Cook + +[ Upstream commit 42378a9ca55347102bbf86708776061d8fe3ece2 ] + +If an error (NULL) is returned by krealloc(), callers of realloc_array() +were setting their allocation pointers to NULL, but on error krealloc() +does not touch the original allocation. This would result in a memory +resource leak. Instead, free the old allocation on the error handling +path. + +The memory leak information is as follows as also reported by Zhengchao: + + unreferenced object 0xffff888019801800 (size 256): + comm "bpf_repo", pid 6490, jiffies 4294959200 (age 17.170s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0 + [<0000000086712a0b>] krealloc+0x83/0xd0 + [<00000000139aab02>] realloc_array+0x82/0xe2 + [<00000000b1ca41d1>] grow_stack_state+0xfb/0x186 + [<00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341 + [<0000000081780455>] do_check_common+0x5358/0xb350 + [<0000000015f6b091>] bpf_check.cold+0xc3/0x29d + [<000000002973c690>] bpf_prog_load+0x13db/0x2240 + [<00000000028d1644>] __sys_bpf+0x1605/0x4ce0 + [<00000000053f29bd>] __x64_sys_bpf+0x75/0xb0 + [<0000000056fedaf5>] do_syscall_64+0x35/0x80 + [<000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: c69431aab67a ("bpf: verifier: Improve function state reallocation") +Reported-by: Zhengchao Shao +Reported-by: Kees Cook +Signed-off-by: Kees Cook +Signed-off-by: Daniel Borkmann +Reviewed-by: Bill Wendling +Cc: Lorenz Bauer +Link: https://lore.kernel.org/bpf/20221029025433.2533810-1-keescook@chromium.org +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 8b5ea7f6b536..2d7ece2a87fa 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1011,12 +1011,17 @@ static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t + */ + static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size) + { ++ void *new_arr; ++ + if (!new_n || old_n == new_n) + goto out; + +- arr = krealloc_array(arr, new_n, size, GFP_KERNEL); +- if (!arr) ++ new_arr = krealloc_array(arr, new_n, size, GFP_KERNEL); ++ if (!new_arr) { ++ kfree(arr); + return NULL; ++ } ++ arr = new_arr; + + if (new_n > old_n) + memset(arr + old_n * size, 0, (new_n - old_n) * size); +-- +2.35.1 + diff --git a/queue-6.0/bpftool-fix-null-pointer-dereference-when-pin-prog-m.patch b/queue-6.0/bpftool-fix-null-pointer-dereference-when-pin-prog-m.patch new file mode 100644 index 00000000000..3b259ba0ecd --- /dev/null +++ b/queue-6.0/bpftool-fix-null-pointer-dereference-when-pin-prog-m.patch @@ -0,0 +1,50 @@ +From 3a3ddc18628f8f280a788bf50adf8cf20be41f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 16:40:34 +0800 +Subject: bpftool: Fix NULL pointer dereference when pin {PROG, MAP, LINK} + without FILE + +From: Pu Lehui + +[ Upstream commit 34de8e6e0e1f66e431abf4123934a2581cb5f133 ] + +When using bpftool to pin {PROG, MAP, LINK} without FILE, +segmentation fault will occur. The reson is that the lack +of FILE will cause strlen to trigger NULL pointer dereference. +The corresponding stacktrace is shown below: + +do_pin + do_pin_any + do_pin_fd + mount_bpffs_for_pin + strlen(name) <- NULL pointer dereference + +Fix it by adding validation to the common process. + +Fixes: 75a1e792c335 ("tools: bpftool: Allow all prog/map handles for pinning objects") +Signed-off-by: Pu Lehui +Signed-off-by: Daniel Borkmann +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/20221102084034.3342995-1-pulehui@huaweicloud.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c +index 067e9ea59e3b..3bdbc0ce75b1 100644 +--- a/tools/bpf/bpftool/common.c ++++ b/tools/bpf/bpftool/common.c +@@ -300,6 +300,9 @@ int do_pin_any(int argc, char **argv, int (*get_fd)(int *, char ***)) + int err; + int fd; + ++ if (!REQ_ARGS(3)) ++ return -EINVAL; ++ + fd = get_fd(&argc, &argv); + if (fd < 0) + return fd; +-- +2.35.1 + diff --git a/queue-6.0/can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch b/queue-6.0/can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch new file mode 100644 index 00000000000..fbe140af144 --- /dev/null +++ b/queue-6.0/can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch @@ -0,0 +1,64 @@ +From 31affe4662c595ceea6697def677007d4d311ad1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 16:56:50 +0800 +Subject: can: af_can: fix NULL pointer dereference in can_rx_register() + +From: Zhengchao Shao + +[ Upstream commit 8aa59e355949442c408408c2d836e561794c40a1 ] + +It causes NULL pointer dereference when testing as following: +(a) use syscall(__NR_socket, 0x10ul, 3ul, 0) to create netlink socket. +(b) use syscall(__NR_sendmsg, ...) to create bond link device and vxcan + link device, and bind vxcan device to bond device (can also use + ifenslave command to bind vxcan device to bond device). +(c) use syscall(__NR_socket, 0x1dul, 3ul, 1) to create CAN socket. +(d) use syscall(__NR_bind, ...) to bind the bond device to CAN socket. + +The bond device invokes the can-raw protocol registration interface to +receive CAN packets. However, ml_priv is not allocated to the dev, +dev_rcv_lists is assigned to NULL in can_rx_register(). In this case, +it will occur the NULL pointer dereference issue. + +The following is the stack information: +BUG: kernel NULL pointer dereference, address: 0000000000000008 +PGD 122a4067 P4D 122a4067 PUD 1223c067 PMD 0 +Oops: 0000 [#1] PREEMPT SMP +RIP: 0010:can_rx_register+0x12d/0x1e0 +Call Trace: + +raw_enable_filters+0x8d/0x120 +raw_enable_allfilters+0x3b/0x130 +raw_bind+0x118/0x4f0 +__sys_bind+0x163/0x1a0 +__x64_sys_bind+0x1e/0x30 +do_syscall_64+0x35/0x80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + + +Fixes: 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device") +Signed-off-by: Zhengchao Shao +Reviewed-by: Marc Kleine-Budde +Link: https://lore.kernel.org/all/20221028085650.170470-1-shaozhengchao@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/af_can.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/can/af_can.c b/net/can/af_can.c +index 1fb49d51b25d..e48ccf7cf200 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -451,7 +451,7 @@ int can_rx_register(struct net *net, struct net_device *dev, canid_t can_id, + + /* insert new receiver (dev,canid,mask) -> (func,data) */ + +- if (dev && dev->type != ARPHRD_CAN) ++ if (dev && (dev->type != ARPHRD_CAN || !can_get_ml_priv(dev))) + return -ENODEV; + + if (dev && !net_eq(net, dev_net(dev))) +-- +2.35.1 + diff --git a/queue-6.0/capabilities-fix-undefined-behavior-in-bit-shift-for.patch b/queue-6.0/capabilities-fix-undefined-behavior-in-bit-shift-for.patch new file mode 100644 index 00000000000..0893d38df7e --- /dev/null +++ b/queue-6.0/capabilities-fix-undefined-behavior-in-bit-shift-for.patch @@ -0,0 +1,53 @@ +From 9811253c7dc1990fd4aae885f79bdd8d5680ba39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 19:25:36 +0800 +Subject: capabilities: fix undefined behavior in bit shift for CAP_TO_MASK + +From: Gaosheng Cui + +[ Upstream commit 46653972e3ea64f79e7f8ae3aa41a4d3fdb70a13 ] + +Shifting signed 32-bit value by 31 bits is undefined, so changing +significant bit to unsigned. The UBSAN warning calltrace like below: + +UBSAN: shift-out-of-bounds in security/commoncap.c:1252:2 +left shift of 1 by 31 places cannot be represented in type 'int' +Call Trace: + + dump_stack_lvl+0x7d/0xa5 + dump_stack+0x15/0x1b + ubsan_epilogue+0xe/0x4e + __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c + cap_task_prctl+0x561/0x6f0 + security_task_prctl+0x5a/0xb0 + __x64_sys_prctl+0x61/0x8f0 + do_syscall_64+0x58/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + + +Fixes: e338d263a76a ("Add 64-bit capability support to the kernel") +Signed-off-by: Gaosheng Cui +Acked-by: Andrew G. Morgan +Reviewed-by: Serge Hallyn +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + include/uapi/linux/capability.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h +index 463d1ba2232a..3d61a0ae055d 100644 +--- a/include/uapi/linux/capability.h ++++ b/include/uapi/linux/capability.h +@@ -426,7 +426,7 @@ struct vfs_ns_cap_data { + */ + + #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ +-#define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */ ++#define CAP_TO_MASK(x) (1U << ((x) & 31)) /* mask for indexed __u32 */ + + + #endif /* _UAPI_LINUX_CAPABILITY_H */ +-- +2.35.1 + diff --git a/queue-6.0/cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch b/queue-6.0/cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch new file mode 100644 index 00000000000..b4d6eae278d --- /dev/null +++ b/queue-6.0/cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch @@ -0,0 +1,39 @@ +From c348b5b96570ae7f4549a423ec45013d53312a69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 09:21:00 +0800 +Subject: cxgb4vf: shut down the adapter when t4vf_update_port_info() failed in + cxgb4vf_open() + +From: Zhengchao Shao + +[ Upstream commit c6092ea1e6d7bd12acd881f6aa2b5054cd70e096 ] + +When t4vf_update_port_info() failed in cxgb4vf_open(), resources applied +during adapter goes up are not cleared. Fix it. Only be compiled, not be +tested. + +Fixes: 18d79f721e0a ("cxgb4vf: Update port information in cxgb4vf_open()") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221109012100.99132-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c b/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c +index c2822e635f89..40bb473ec3c8 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c +@@ -858,7 +858,7 @@ static int cxgb4vf_open(struct net_device *dev) + */ + err = t4vf_update_port_info(pi); + if (err < 0) +- return err; ++ goto err_unwind; + + /* + * Note that this interface is up and start everything up ... +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-apple-admac-fix-grabbing-of-channels-in-of.patch b/queue-6.0/dmaengine-apple-admac-fix-grabbing-of-channels-in-of.patch new file mode 100644 index 00000000000..ee664942ce3 --- /dev/null +++ b/queue-6.0/dmaengine-apple-admac-fix-grabbing-of-channels-in-of.patch @@ -0,0 +1,40 @@ +From 38affe2195fe0831d44c3f81e40cb8f294f3b0d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Oct 2022 15:23:23 +0200 +Subject: dmaengine: apple-admac: Fix grabbing of channels in of_xlate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin PoviÅ¡er + +[ Upstream commit 8454f880c24bca0d9d4bfb6ed4a4a5429a4d9b20 ] + +The of_xlate callback is supposed to return the channel after already +having 'grabbed' it for private use, so fill that in. + +Fixes: b127315d9a78 ("dmaengine: apple-admac: Add Apple ADMAC driver") +Signed-off-by: Martin PoviÅ¡er +Link: https://lore.kernel.org/r/20221019132324.8585-1-povik+lin@cutebit.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/apple-admac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/apple-admac.c b/drivers/dma/apple-admac.c +index d1f74a3aa999..6780761a1640 100644 +--- a/drivers/dma/apple-admac.c ++++ b/drivers/dma/apple-admac.c +@@ -490,7 +490,7 @@ static struct dma_chan *admac_dma_of_xlate(struct of_phandle_args *dma_spec, + return NULL; + } + +- return &ad->channels[index].chan; ++ return dma_get_slave_channel(&ad->channels[index].chan); + } + + static int admac_drain_reports(struct admac_data *ad, int channo) +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-idxd-fix-max-batch-size-for-intel-iaa.patch b/queue-6.0/dmaengine-idxd-fix-max-batch-size-for-intel-iaa.patch new file mode 100644 index 00000000000..524d630626f --- /dev/null +++ b/queue-6.0/dmaengine-idxd-fix-max-batch-size-for-intel-iaa.patch @@ -0,0 +1,152 @@ +From 9aaccec614f2527a979dd257400f07a900aefcb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Oct 2022 04:15:27 +0800 +Subject: dmaengine: idxd: Fix max batch size for Intel IAA + +From: Xiaochen Shen + +[ Upstream commit e8dbd6445dd6b38c4c50410a86f13158486ee99a ] + +>From Intel IAA spec [1], Intel IAA does not support batch processing. + +Two batch related default values for IAA are incorrect in current code: +(1) The max batch size of device is set during device initialization, + that indicates batch is supported. It should be always 0 on IAA. +(2) The max batch size of work queue is set to WQ_DEFAULT_MAX_BATCH (32) + as the default value regardless of Intel DSA or IAA device during + work queue setup and cleanup. It should be always 0 on IAA. + +Fix the issues by setting the max batch size of device and max batch +size of work queue to 0 on IAA device, that means batch is not +supported. + +[1]: https://cdrdv2.intel.com/v1/dl/getContent/721858 + +Fixes: 23084545dbb0 ("dmaengine: idxd: set max_xfer and max_batch for RO device") +Fixes: 92452a72ebdf ("dmaengine: idxd: set defaults for wq configs") +Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") +Signed-off-by: Xiaochen Shen +Reviewed-by: Dave Jiang +Reviewed-by: Fenghua Yu +Link: https://lore.kernel.org/r/20220930201528.18621-2-xiaochen.shen@intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 6 +++--- + drivers/dma/idxd/idxd.h | 32 ++++++++++++++++++++++++++++++++ + drivers/dma/idxd/init.c | 4 ++-- + drivers/dma/idxd/sysfs.c | 2 +- + 4 files changed, 38 insertions(+), 6 deletions(-) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index 5a8cc52c1abf..cc7aabe4dc84 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -388,7 +388,7 @@ static void idxd_wq_disable_cleanup(struct idxd_wq *wq) + clear_bit(WQ_FLAG_BLOCK_ON_FAULT, &wq->flags); + memset(wq->name, 0, WQ_NAME_SIZE); + wq->max_xfer_bytes = WQ_DEFAULT_MAX_XFER; +- wq->max_batch_size = WQ_DEFAULT_MAX_BATCH; ++ idxd_wq_set_max_batch_size(idxd->data->type, wq, WQ_DEFAULT_MAX_BATCH); + } + + static void idxd_wq_device_reset_cleanup(struct idxd_wq *wq) +@@ -863,7 +863,7 @@ static int idxd_wq_config_write(struct idxd_wq *wq) + + /* bytes 12-15 */ + wq->wqcfg->max_xfer_shift = ilog2(wq->max_xfer_bytes); +- wq->wqcfg->max_batch_shift = ilog2(wq->max_batch_size); ++ idxd_wqcfg_set_max_batch_shift(idxd->data->type, wq->wqcfg, ilog2(wq->max_batch_size)); + + dev_dbg(dev, "WQ %d CFGs\n", wq->id); + for (i = 0; i < WQCFG_STRIDES(idxd); i++) { +@@ -1031,7 +1031,7 @@ static int idxd_wq_load_config(struct idxd_wq *wq) + wq->priority = wq->wqcfg->priority; + + wq->max_xfer_bytes = 1ULL << wq->wqcfg->max_xfer_shift; +- wq->max_batch_size = 1ULL << wq->wqcfg->max_batch_shift; ++ idxd_wq_set_max_batch_size(idxd->data->type, wq, 1U << wq->wqcfg->max_batch_shift); + + for (i = 0; i < WQCFG_STRIDES(idxd); i++) { + wqcfg_offset = WQCFG_OFFSET(idxd, wq->id, i); +diff --git a/drivers/dma/idxd/idxd.h b/drivers/dma/idxd/idxd.h +index 33640a41e172..05c3f8694478 100644 +--- a/drivers/dma/idxd/idxd.h ++++ b/drivers/dma/idxd/idxd.h +@@ -542,6 +542,38 @@ static inline int idxd_wq_refcount(struct idxd_wq *wq) + return wq->client_count; + }; + ++/* ++ * Intel IAA does not support batch processing. ++ * The max batch size of device, max batch size of wq and ++ * max batch shift of wqcfg should be always 0 on IAA. ++ */ ++static inline void idxd_set_max_batch_size(int idxd_type, struct idxd_device *idxd, ++ u32 max_batch_size) ++{ ++ if (idxd_type == IDXD_TYPE_IAX) ++ idxd->max_batch_size = 0; ++ else ++ idxd->max_batch_size = max_batch_size; ++} ++ ++static inline void idxd_wq_set_max_batch_size(int idxd_type, struct idxd_wq *wq, ++ u32 max_batch_size) ++{ ++ if (idxd_type == IDXD_TYPE_IAX) ++ wq->max_batch_size = 0; ++ else ++ wq->max_batch_size = max_batch_size; ++} ++ ++static inline void idxd_wqcfg_set_max_batch_shift(int idxd_type, union wqcfg *wqcfg, ++ u32 max_batch_shift) ++{ ++ if (idxd_type == IDXD_TYPE_IAX) ++ wqcfg->max_batch_shift = 0; ++ else ++ wqcfg->max_batch_shift = max_batch_shift; ++} ++ + int __must_check __idxd_driver_register(struct idxd_device_driver *idxd_drv, + struct module *module, const char *mod_name); + #define idxd_driver_register(driver) \ +diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c +index 913a55ccb864..cf94795ca1af 100644 +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -177,7 +177,7 @@ static int idxd_setup_wqs(struct idxd_device *idxd) + init_completion(&wq->wq_dead); + init_completion(&wq->wq_resurrect); + wq->max_xfer_bytes = WQ_DEFAULT_MAX_XFER; +- wq->max_batch_size = WQ_DEFAULT_MAX_BATCH; ++ idxd_wq_set_max_batch_size(idxd->data->type, wq, WQ_DEFAULT_MAX_BATCH); + wq->enqcmds_retries = IDXD_ENQCMDS_RETRIES; + wq->wqcfg = kzalloc_node(idxd->wqcfg_size, GFP_KERNEL, dev_to_node(dev)); + if (!wq->wqcfg) { +@@ -402,7 +402,7 @@ static void idxd_read_caps(struct idxd_device *idxd) + + idxd->max_xfer_bytes = 1ULL << idxd->hw.gen_cap.max_xfer_shift; + dev_dbg(dev, "max xfer size: %llu bytes\n", idxd->max_xfer_bytes); +- idxd->max_batch_size = 1U << idxd->hw.gen_cap.max_batch_shift; ++ idxd_set_max_batch_size(idxd->data->type, idxd, 1U << idxd->hw.gen_cap.max_batch_shift); + dev_dbg(dev, "max batch size: %u\n", idxd->max_batch_size); + if (idxd->hw.gen_cap.config_en) + set_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags); +diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c +index b6760b28a963..82538622320a 100644 +--- a/drivers/dma/idxd/sysfs.c ++++ b/drivers/dma/idxd/sysfs.c +@@ -961,7 +961,7 @@ static ssize_t wq_max_batch_size_store(struct device *dev, struct device_attribu + if (batch_size > idxd->max_batch_size) + return -EINVAL; + +- wq->max_batch_size = (u32)batch_size; ++ idxd_wq_set_max_batch_size(idxd->data->type, wq, (u32)batch_size); + + return count; + } +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-idxd-fix-ro-device-state-error-after-been-.patch b/queue-6.0/dmaengine-idxd-fix-ro-device-state-error-after-been-.patch new file mode 100644 index 00000000000..c886ab22a97 --- /dev/null +++ b/queue-6.0/dmaengine-idxd-fix-ro-device-state-error-after-been-.patch @@ -0,0 +1,63 @@ +From d54a1bba1e1cde6728a3097c084a832a90979b09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 11:28:35 +0800 +Subject: dmaengine: idxd: fix RO device state error after been disabled/reset + +From: Fengqian Gao + +[ Upstream commit 0b8c97a1d8c1bb6a853b8bb1778e8fef17b86fc9 ] + +When IDXD is not configurable, that means its WQ, engine, and group +configurations cannot be changed. But it can be disabled and its state +should be set as disabled regardless it's configurable or not. + +Fix this by setting device state IDXD_DEV_DISABLED for read-only device +as well in idxd_device_clear_state(). + +Fixes: cf4ac3fef338 ("dmaengine: idxd: fix lockdep warning on device driver removal") +Signed-off-by: Fengqian Gao +Reviewed-by: Xiaochen Shen +Reviewed-by: Dave Jiang +Reviewed-by: Fenghua Yu +Link: https://lore.kernel.org/r/20220930032835.2290-1-fengqian.gao@intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index cc7aabe4dc84..bd6e50f795be 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -724,13 +724,21 @@ static void idxd_device_wqs_clear_state(struct idxd_device *idxd) + + void idxd_device_clear_state(struct idxd_device *idxd) + { +- if (!test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) +- return; ++ /* IDXD is always disabled. Other states are cleared only when IDXD is configurable. */ ++ if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) { ++ /* ++ * Clearing wq state is protected by wq lock. ++ * So no need to be protected by device lock. ++ */ ++ idxd_device_wqs_clear_state(idxd); ++ ++ spin_lock(&idxd->dev_lock); ++ idxd_groups_clear_state(idxd); ++ idxd_engines_clear_state(idxd); ++ } else { ++ spin_lock(&idxd->dev_lock); ++ } + +- idxd_device_wqs_clear_state(idxd); +- spin_lock(&idxd->dev_lock); +- idxd_groups_clear_state(idxd); +- idxd_engines_clear_state(idxd); + idxd->state = IDXD_DEV_DISABLED; + spin_unlock(&idxd->dev_lock); + } +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch b/queue-6.0/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch new file mode 100644 index 00000000000..9fd39b5fa2a --- /dev/null +++ b/queue-6.0/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch @@ -0,0 +1,38 @@ +From 88e1507819da3ffe6e4ff4f75db68cc2eff03efd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Oct 2022 21:50:09 +0200 +Subject: dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove() + +From: Christophe JAILLET + +[ Upstream commit 081195d17a0c4c636da2b869bd5809d42e8cbb13 ] + +A clk_prepare_enable() call in the probe is not balanced by a corresponding +clk_disable_unprepare() in the remove function. + +Add the missing call. + +Fixes: 3cd2c313f1d6 ("dmaengine: mv_xor_v2: Fix clock resource by adding a register clock") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/e9e3837a680c9bd2438e4db2b83270c6c052d005.1666640987.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mv_xor_v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/dma/mv_xor_v2.c b/drivers/dma/mv_xor_v2.c +index f629ef6fd3c2..113834e1167b 100644 +--- a/drivers/dma/mv_xor_v2.c ++++ b/drivers/dma/mv_xor_v2.c +@@ -893,6 +893,7 @@ static int mv_xor_v2_remove(struct platform_device *pdev) + tasklet_kill(&xor_dev->irq_tasklet); + + clk_disable_unprepare(xor_dev->clk); ++ clk_disable_unprepare(xor_dev->reg_clk); + + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-pxa_dma-use-platform_get_irq_optional.patch b/queue-6.0/dmaengine-pxa_dma-use-platform_get_irq_optional.patch new file mode 100644 index 00000000000..20c44f26850 --- /dev/null +++ b/queue-6.0/dmaengine-pxa_dma-use-platform_get_irq_optional.patch @@ -0,0 +1,49 @@ +From 59d5b463f338745c6fd97675f5081bb6194e8ab0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 17:07:09 -0700 +Subject: dmaengine: pxa_dma: use platform_get_irq_optional + +From: Doug Brown + +[ Upstream commit b3d726cb8497c6b12106fd617d46eef11763ea86 ] + +The first IRQ is required, but IRQs 1 through (nb_phy_chans - 1) are +optional, because on some platforms (e.g. PXA168) there is a single IRQ +shared between all channels. + +This change inhibits a flood of "IRQ index # not found" messages at +startup. Tested on a PXA168-based device. + +Fixes: 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()") +Signed-off-by: Doug Brown +Link: https://lore.kernel.org/r/20220906000709.52705-1-doug@schmorgal.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/pxa_dma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c +index e7034f6f3994..22a392fe6d32 100644 +--- a/drivers/dma/pxa_dma.c ++++ b/drivers/dma/pxa_dma.c +@@ -1247,14 +1247,14 @@ static int pxad_init_phys(struct platform_device *op, + return -ENOMEM; + + for (i = 0; i < nb_phy_chans; i++) +- if (platform_get_irq(op, i) > 0) ++ if (platform_get_irq_optional(op, i) > 0) + nr_irq++; + + for (i = 0; i < nb_phy_chans; i++) { + phy = &pdev->phys[i]; + phy->base = pdev->base; + phy->idx = i; +- irq = platform_get_irq(op, i); ++ irq = platform_get_irq_optional(op, i); + if ((nr_irq > 1) && (irq > 0)) + ret = devm_request_irq(&op->dev, irq, + pxad_chan_handler, +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-stm32-dma-fix-potential-race-between-pause.patch b/queue-6.0/dmaengine-stm32-dma-fix-potential-race-between-pause.patch new file mode 100644 index 00000000000..3f6afb10c19 --- /dev/null +++ b/queue-6.0/dmaengine-stm32-dma-fix-potential-race-between-pause.patch @@ -0,0 +1,71 @@ +From cedabd9626747e5790bca93067891eb40d1ccc40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Oct 2022 10:36:11 +0200 +Subject: dmaengine: stm32-dma: fix potential race between pause and resume + +From: Amelie Delaunay + +[ Upstream commit 140fd5e74a1cc7413df88c735fff5ec64d33c1d3 ] + +When disabling dma channel, a TCF flag is set and as TCIE is enabled, an +interrupt is raised. +On a busy system, the interrupt may have latency and the user can ask for +dmaengine_resume while stm32-dma driver has not yet managed the complete +pause (backup of registers to restore state in resume). +To avoid such a case, instead of waiting the interrupt to backup the +registers, do it just after disabling the channel and discard Transfer +Complete interrupt in case the channel is paused. + +Fixes: 099a9a94be0e ("dmaengine: stm32-dma: add device_pause/device_resume support") +Signed-off-by: Amelie Delaunay +Link: https://lore.kernel.org/r/20221024083611.132588-1-amelie.delaunay@foss.st.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/stm32-dma.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c +index adb25a11c70f..5aeaaac846df 100644 +--- a/drivers/dma/stm32-dma.c ++++ b/drivers/dma/stm32-dma.c +@@ -663,6 +663,8 @@ static void stm32_dma_handle_chan_paused(struct stm32_dma_chan *chan) + + chan->chan_reg.dma_sndtr = stm32_dma_read(dmadev, STM32_DMA_SNDTR(chan->id)); + ++ chan->status = DMA_PAUSED; ++ + dev_dbg(chan2dev(chan), "vchan %pK: paused\n", &chan->vchan); + } + +@@ -775,9 +777,7 @@ static irqreturn_t stm32_dma_chan_irq(int irq, void *devid) + if (status & STM32_DMA_TCI) { + stm32_dma_irq_clear(chan, STM32_DMA_TCI); + if (scr & STM32_DMA_SCR_TCIE) { +- if (chan->status == DMA_PAUSED && !(scr & STM32_DMA_SCR_EN)) +- stm32_dma_handle_chan_paused(chan); +- else ++ if (chan->status != DMA_PAUSED) + stm32_dma_handle_chan_done(chan, scr); + } + status &= ~STM32_DMA_TCI; +@@ -824,13 +824,11 @@ static int stm32_dma_pause(struct dma_chan *c) + return -EPERM; + + spin_lock_irqsave(&chan->vchan.lock, flags); ++ + ret = stm32_dma_disable_chan(chan); +- /* +- * A transfer complete flag is set to indicate the end of transfer due to the stream +- * interruption, so wait for interrupt +- */ + if (!ret) +- chan->status = DMA_PAUSED; ++ stm32_dma_handle_chan_paused(chan); ++ + spin_unlock_irqrestore(&chan->vchan.lock, flags); + + return ret; +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-ti-k3-udma-glue-fix-memory-leak-when-regis.patch b/queue-6.0/dmaengine-ti-k3-udma-glue-fix-memory-leak-when-regis.patch new file mode 100644 index 00000000000..8b2bc0d498c --- /dev/null +++ b/queue-6.0/dmaengine-ti-k3-udma-glue-fix-memory-leak-when-regis.patch @@ -0,0 +1,55 @@ +From c2d749e9e61bc0a5ee661dcdd85ef002e24a017b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Oct 2022 14:28:27 +0800 +Subject: dmaengine: ti: k3-udma-glue: fix memory leak when register device + fail + +From: Yang Yingliang + +[ Upstream commit ac2b9f34f02052709aea7b34bb2a165e1853eb41 ] + +If device_register() fails, it should call put_device() to give +up reference, the name allocated in dev_set_name() can be freed +in callback function kobject_cleanup(). + +Fixes: 5b65781d06ea ("dmaengine: ti: k3-udma-glue: Add support for K3 PKTDMA") +Signed-off-by: Yang Yingliang +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20221020062827.2914148-1-yangyingliang@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/k3-udma-glue.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/dma/ti/k3-udma-glue.c b/drivers/dma/ti/k3-udma-glue.c +index 4fdd9f06b723..4f1aeb81e9c7 100644 +--- a/drivers/dma/ti/k3-udma-glue.c ++++ b/drivers/dma/ti/k3-udma-glue.c +@@ -299,6 +299,7 @@ struct k3_udma_glue_tx_channel *k3_udma_glue_request_tx_chn(struct device *dev, + ret = device_register(&tx_chn->common.chan_dev); + if (ret) { + dev_err(dev, "Channel Device registration failed %d\n", ret); ++ put_device(&tx_chn->common.chan_dev); + tx_chn->common.chan_dev.parent = NULL; + goto err; + } +@@ -917,6 +918,7 @@ k3_udma_glue_request_rx_chn_priv(struct device *dev, const char *name, + ret = device_register(&rx_chn->common.chan_dev); + if (ret) { + dev_err(dev, "Channel Device registration failed %d\n", ret); ++ put_device(&rx_chn->common.chan_dev); + rx_chn->common.chan_dev.parent = NULL; + goto err; + } +@@ -1048,6 +1050,7 @@ k3_udma_glue_request_remote_rx_chn(struct device *dev, const char *name, + ret = device_register(&rx_chn->common.chan_dev); + if (ret) { + dev_err(dev, "Channel Device registration failed %d\n", ret); ++ put_device(&rx_chn->common.chan_dev); + rx_chn->common.chan_dev.parent = NULL; + goto err; + } +-- +2.35.1 + diff --git a/queue-6.0/dmanegine-idxd-reformat-opcap-output-to-match-bitmap.patch b/queue-6.0/dmanegine-idxd-reformat-opcap-output-to-match-bitmap.patch new file mode 100644 index 00000000000..95092cc7c67 --- /dev/null +++ b/queue-6.0/dmanegine-idxd-reformat-opcap-output-to-match-bitmap.patch @@ -0,0 +1,131 @@ +From fe1152549dcb073489e653f8ec78f018b29554b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 09:12:19 -0700 +Subject: dmanegine: idxd: reformat opcap output to match bitmap_parse() input + +From: Dave Jiang + +[ Upstream commit a8563a33a5e26064061f2fb34215c97f0e2995f4 ] + +To make input and output consistent and prepping for the per WQ operation +configuration support, change the output of opcap display to match the +input that is expected by bitmap_parse() helper function. The output will +be a bitmap with field width as the number of bits using the %*pb format +specifier for printk() family. + +Signed-off-by: Dave Jiang +Co-developed-by: Fenghua Yu +Signed-off-by: Fenghua Yu +Link: https://lore.kernel.org/r/20220917161222.2835172-3-fenghua.yu@intel.com +Signed-off-by: Vinod Koul +Stable-dep-of: e8dbd6445dd6 ("dmaengine: idxd: Fix max batch size for Intel IAA") +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/idxd.h | 2 ++ + drivers/dma/idxd/init.c | 20 ++++++++++++++++++++ + drivers/dma/idxd/registers.h | 2 ++ + drivers/dma/idxd/sysfs.c | 9 ++------- + 4 files changed, 26 insertions(+), 7 deletions(-) + +diff --git a/drivers/dma/idxd/idxd.h b/drivers/dma/idxd/idxd.h +index fed0dfc1eaa8..33640a41e172 100644 +--- a/drivers/dma/idxd/idxd.h ++++ b/drivers/dma/idxd/idxd.h +@@ -308,6 +308,8 @@ struct idxd_device { + struct work_struct work; + + struct idxd_pmu *idxd_pmu; ++ ++ unsigned long *opcap_bmap; + }; + + /* IDXD software descriptor */ +diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c +index aa3478257ddb..913a55ccb864 100644 +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -369,6 +369,19 @@ static void idxd_read_table_offsets(struct idxd_device *idxd) + dev_dbg(dev, "IDXD Perfmon Offset: %#x\n", idxd->perfmon_offset); + } + ++static void multi_u64_to_bmap(unsigned long *bmap, u64 *val, int count) ++{ ++ int i, j, nr; ++ ++ for (i = 0, nr = 0; i < count; i++) { ++ for (j = 0; j < BITS_PER_LONG_LONG; j++) { ++ if (val[i] & BIT(j)) ++ set_bit(nr, bmap); ++ nr++; ++ } ++ } ++} ++ + static void idxd_read_caps(struct idxd_device *idxd) + { + struct device *dev = &idxd->pdev->dev; +@@ -427,6 +440,7 @@ static void idxd_read_caps(struct idxd_device *idxd) + IDXD_OPCAP_OFFSET + i * sizeof(u64)); + dev_dbg(dev, "opcap[%d]: %#llx\n", i, idxd->hw.opcap.bits[i]); + } ++ multi_u64_to_bmap(idxd->opcap_bmap, &idxd->hw.opcap.bits[0], 4); + } + + static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_data *data) +@@ -448,6 +462,12 @@ static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_d + if (idxd->id < 0) + return NULL; + ++ idxd->opcap_bmap = bitmap_zalloc_node(IDXD_MAX_OPCAP_BITS, GFP_KERNEL, dev_to_node(dev)); ++ if (!idxd->opcap_bmap) { ++ ida_free(&idxd_ida, idxd->id); ++ return NULL; ++ } ++ + device_initialize(conf_dev); + conf_dev->parent = dev; + conf_dev->bus = &dsa_bus_type; +diff --git a/drivers/dma/idxd/registers.h b/drivers/dma/idxd/registers.h +index 02449aa9c454..4c96ea85f843 100644 +--- a/drivers/dma/idxd/registers.h ++++ b/drivers/dma/idxd/registers.h +@@ -90,6 +90,8 @@ struct opcap { + u64 bits[4]; + }; + ++#define IDXD_MAX_OPCAP_BITS 256U ++ + #define IDXD_OPCAP_OFFSET 0x40 + + #define IDXD_TABLE_OFFSET 0x60 +diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c +index 3f262a57441b..b6760b28a963 100644 +--- a/drivers/dma/idxd/sysfs.c ++++ b/drivers/dma/idxd/sysfs.c +@@ -1177,14 +1177,8 @@ static ssize_t op_cap_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct idxd_device *idxd = confdev_to_idxd(dev); +- int i, rc = 0; +- +- for (i = 0; i < 4; i++) +- rc += sysfs_emit_at(buf, rc, "%#llx ", idxd->hw.opcap.bits[i]); + +- rc--; +- rc += sysfs_emit_at(buf, rc, "\n"); +- return rc; ++ return sysfs_emit(buf, "%*pb\n", IDXD_MAX_OPCAP_BITS, idxd->opcap_bmap); + } + static DEVICE_ATTR_RO(op_cap); + +@@ -1408,6 +1402,7 @@ static void idxd_conf_device_release(struct device *dev) + kfree(idxd->wqs); + kfree(idxd->engines); + ida_free(&idxd_ida, idxd->id); ++ bitmap_free(idxd->opcap_bmap); + kfree(idxd); + } + +-- +2.35.1 + diff --git a/queue-6.0/drivers-net-xgene-disable-napi-when-register-irq-fai.patch b/queue-6.0/drivers-net-xgene-disable-napi-when-register-irq-fai.patch new file mode 100644 index 00000000000..b1a5f2fafd6 --- /dev/null +++ b/queue-6.0/drivers-net-xgene-disable-napi-when-register-irq-fai.patch @@ -0,0 +1,42 @@ +From abb35c361dab2b9d7e48a0bc8ae0ab902e8bb2e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 12:30:32 +0800 +Subject: drivers: net: xgene: disable napi when register irq failed in + xgene_enet_open() + +From: Zhengchao Shao + +[ Upstream commit ce9e57feeed81d17d5e80ed86f516ff0d39c3867 ] + +When failed to register irq in xgene_enet_open() for opening device, +napi isn't disabled. When open xgene device next time, it will reports +a invalid opcode issue. Fix it. Only be compiled, not be tested. + +Fixes: aeb20b6b3f4e ("drivers: net: xgene: fix: ifconfig up/down crash") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221107043032.357673-1-shaozhengchao@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/apm/xgene/xgene_enet_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c +index 53dc8d5fede8..c51d9edb3828 100644 +--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c ++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c +@@ -1004,8 +1004,10 @@ static int xgene_enet_open(struct net_device *ndev) + + xgene_enet_napi_enable(pdata); + ret = xgene_enet_register_irq(ndev); +- if (ret) ++ if (ret) { ++ xgene_enet_napi_disable(pdata); + return ret; ++ } + + if (ndev->phydev) { + phy_start(ndev->phydev); +-- +2.35.1 + diff --git a/queue-6.0/drm-i915-do-not-set-cache_dirty-for-dgfx.patch b/queue-6.0/drm-i915-do-not-set-cache_dirty-for-dgfx.patch new file mode 100644 index 00000000000..3fbea4151c8 --- /dev/null +++ b/queue-6.0/drm-i915-do-not-set-cache_dirty-for-dgfx.patch @@ -0,0 +1,69 @@ +From b01bb20551e058f65fce8acc71be3f3f2fe47e38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 22:14:16 -0700 +Subject: drm/i915: Do not set cache_dirty for DGFX + +From: Niranjana Vishwanathapura + +[ Upstream commit 19b168136395150a4a6e011f944eb30d3d85094b ] + +Currently on DG1, which does not have LLC, we hit the below +warning while rebinding an userptr invalidated object. + +WARNING: CPU: 4 PID: 13008 at drivers/gpu/drm/i915/gem/i915_gem_pages.c:34 __i915_gem_object_set_pages+0x296/0x2d0 [i915] +... +RIP: 0010:__i915_gem_object_set_pages+0x296/0x2d0 [i915] +... +Call Trace: + + i915_gem_userptr_get_pages+0x175/0x1a0 [i915] + ____i915_gem_object_get_pages+0x32/0xb0 [i915] + i915_gem_object_userptr_submit_init+0x286/0x470 [i915] + eb_lookup_vmas+0x2ff/0xcf0 [i915] + ? __intel_wakeref_get_first+0x55/0xb0 [i915] + i915_gem_do_execbuffer+0x785/0x21d0 [i915] + i915_gem_execbuffer2_ioctl+0xe7/0x3d0 [i915] + +We shouldn't be setting the obj->cache_dirty for DGFX, +fix it. + +Fixes: d70af57944a1 ("drm/i915/shmem: ensure flush during swap-in on non-LLC") +Suggested-by: Matthew Auld +Reported-by: Niranjana Vishwanathapura +Signed-off-by: Niranjana Vishwanathapura +Acked-by: Nirmoy Das +Reviewed-by: Matthew Auld +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/20221102051416.27327-1-niranjana.vishwanathapura@intel.com +(cherry picked from commit 0aeec60c76ca2631696b4228f3fc99fe3a80013d) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c +index 34b9c76cd8e6..b5eb279a5c2c 100644 +--- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c +@@ -369,14 +369,14 @@ __i915_gem_object_release_shmem(struct drm_i915_gem_object *obj, + + __start_cpu_write(obj); + /* +- * On non-LLC platforms, force the flush-on-acquire if this is ever ++ * On non-LLC igfx platforms, force the flush-on-acquire if this is ever + * swapped-in. Our async flush path is not trust worthy enough yet(and + * happens in the wrong order), and with some tricks it's conceivable + * for userspace to change the cache-level to I915_CACHE_NONE after the + * pages are swapped-in, and since execbuf binds the object before doing + * the async flush, we have a race window. + */ +- if (!HAS_LLC(i915)) ++ if (!HAS_LLC(i915) && !IS_DGFX(i915)) + obj->cache_dirty = true; + } + +-- +2.35.1 + diff --git a/queue-6.0/drm-i915-psr-send-update-also-on-invalidate.patch b/queue-6.0/drm-i915-psr-send-update-also-on-invalidate.patch new file mode 100644 index 00000000000..c31abc725a2 --- /dev/null +++ b/queue-6.0/drm-i915-psr-send-update-also-on-invalidate.patch @@ -0,0 +1,70 @@ +From ca58eb4522fa9e138f7a5836af754912c1e0cd96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Oct 2022 08:46:49 +0300 +Subject: drm/i915/psr: Send update also on invalidate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +[ Upstream commit 4ff4ebac3f1378f4ba6e11fe5ad4a4ac590bb8a4 ] + +Currently we are observing mouse cursor stuttering when using +xrandr --scaling=1.2x1.2. X scaling/transformation seems to be +doing fronbuffer rendering. When moving mouse cursor X seems to +perform several invalidates and only one DirtyFB. I.e. it seems +to be assuming updates are sent to panel while drawing is done. + +Earlier we were disabling PSR in frontbuffer invalidate call back +(when drawing in X started). PSR was re-enabled in frontbuffer +flush callback (dirtyfb ioctl). This was working fine with X +scaling/transformation. Now we are just enabling continuous full +frame (cff) in PSR invalidate callback. Enabling cff doesn't +trigger any updates. It just configures PSR to send full frame +when updates are sent. I.e. there are no updates on screen before +PSR flush callback is made. X seems to be doing several updates +in frontbuffer before doing dirtyfb ioctl. + +Fix this by sending single update on every invalidate callback. + +Cc: José Roberto de Souza +Cc: Ville Syrjälä +Cc: Mika Kahola + +Fixes: 805f04d42a6b ("drm/i915/display/psr: Use continuos full frame to handle frontbuffer invalidations") +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/6679 +Signed-off-by: Jouni Högander +Reported-by: Brian J. Tarricone +Tested-by: Brian J. Tarricone +Reviewed-by: Mika Kahola +Reviewed-by: José Roberto de Souza +Signed-off-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20221024054649.31299-1-jouni.hogander@intel.com +(cherry picked from commit d755f89220a2b49bc90b7b520bb6edeb4adb5f01) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_psr.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index e6a870641cd2..fbe777e02ea7 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -2188,8 +2188,11 @@ static void _psr_invalidate_handle(struct intel_dp *intel_dp) + if (intel_dp->psr.psr2_sel_fetch_enabled) { + u32 val; + +- if (intel_dp->psr.psr2_sel_fetch_cff_enabled) ++ if (intel_dp->psr.psr2_sel_fetch_cff_enabled) { ++ /* Send one update otherwise lag is observed in screen */ ++ intel_de_write(dev_priv, CURSURFLIVE(intel_dp->psr.pipe), 0); + return; ++ } + + val = man_trk_ctl_enable_bit_get(dev_priv) | + man_trk_ctl_partial_frame_bit_get(dev_priv) | +-- +2.35.1 + diff --git a/queue-6.0/drm-vc4-fix-missing-platform_unregister_drivers-call.patch b/queue-6.0/drm-vc4-fix-missing-platform_unregister_drivers-call.patch new file mode 100644 index 00000000000..02f3e1de835 --- /dev/null +++ b/queue-6.0/drm-vc4-fix-missing-platform_unregister_drivers-call.patch @@ -0,0 +1,65 @@ +From 00b603ba88ad08f49382681707fd05fedd41e403 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 01:47:05 +0000 +Subject: drm/vc4: Fix missing platform_unregister_drivers() call in + vc4_drm_register() + +From: Yuan Can + +[ Upstream commit cf53db768a8790fdaae2fa3a81322b080285f7e5 ] + +A problem about modprobe vc4 failed is triggered with the following log +given: + + [ 420.327987] Error: Driver 'vc4_hvs' is already registered, aborting... + [ 420.333904] failed to register platform driver vc4_hvs_driver [vc4]: -16 + modprobe: ERROR: could not insert 'vc4': Device or resource busy + +The reason is that vc4_drm_register() returns platform_driver_register() +directly without checking its return value, if platform_driver_register() +fails, it returns without unregistering all the vc4 drivers, resulting the +vc4 can never be installed later. +A simple call graph is shown as below: + + vc4_drm_register() + platform_register_drivers() # all vc4 drivers are registered + platform_driver_register() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without unregister drivers + +Fixing this problem by checking the return value of +platform_driver_register() and do platform_unregister_drivers() if +error happened. + +Fixes: c8b75bca92cb ("drm/vc4: Add KMS support for Raspberry Pi.") +Signed-off-by: Yuan Can +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20221103014705.109322-1-yuancan@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_drv.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_drv.c b/drivers/gpu/drm/vc4/vc4_drv.c +index c186ace7f83b..2064863a0fd3 100644 +--- a/drivers/gpu/drm/vc4/vc4_drv.c ++++ b/drivers/gpu/drm/vc4/vc4_drv.c +@@ -476,7 +476,12 @@ static int __init vc4_drm_register(void) + if (ret) + return ret; + +- return platform_driver_register(&vc4_platform_driver); ++ ret = platform_driver_register(&vc4_platform_driver); ++ if (ret) ++ platform_unregister_drivers(component_drivers, ++ ARRAY_SIZE(component_drivers)); ++ ++ return ret; + } + + static void __exit vc4_drm_unregister(void) +-- +2.35.1 + diff --git a/queue-6.0/drm-vc4-hdmi-fix-hsm-clock-too-low-on-pi4.patch b/queue-6.0/drm-vc4-hdmi-fix-hsm-clock-too-low-on-pi4.patch new file mode 100644 index 00000000000..01aec24ac31 --- /dev/null +++ b/queue-6.0/drm-vc4-hdmi-fix-hsm-clock-too-low-on-pi4.patch @@ -0,0 +1,177 @@ +From f3a75545ffb0763584ca7467cdb588490f6d1107 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 15:13:39 +0200 +Subject: drm/vc4: hdmi: Fix HSM clock too low on Pi4 + +From: maxime@cerno.tech + +[ Upstream commit 3bc6a37f59f21a8bfaf74d0975b2eb0b2d52a065 ] + +Commit ae71ab585c81 ("drm/vc4: hdmi: Enforce the minimum rate at +runtime_resume") reintroduced the call to clk_set_min_rate in an attempt +to fix the boot without a monitor connected on the RaspberryPi3. + +However, that introduced a regression breaking the display output +entirely (black screen but no vblank timeout) on the Pi4. + +This is due to the fact that we now have in a typical modeset at boot, +in vc4_hdmi_encoder_pre_crtc_configure(), we have a first call to +clk_set_min_rate() asking for the minimum rate of the HSM clock for our +given resolution, and then a call to pm_runtime_resume_and_get(). We +will thus execute vc4_hdmi_runtime_resume() which, since the commit +mentioned above, will call clk_set_min_rate() a second time with the +absolute minimum rate we want to enforce on the HSM clock. + +We're thus effectively erasing the minimum mandated by the mode we're +trying to set. The fact that only the Pi4 is affected is due to the fact +that it uses a different clock driver that tries to minimize the HSM +clock at all time. It will thus lower the HSM clock rate to 120MHz on +the second clk_set_min_rate() call. + +The Pi3 doesn't use the same driver and will not change the frequency on +the second clk_set_min_rate() call since it's still within the new +boundaries and it doesn't have the code to minimize the clock rate as +needed. So even though the boundaries are still off, the clock rate is +still the right one for our given mode, so everything works. + +There is a lot of moving parts, so I couldn't find any obvious +solution: + + - Reverting the original is not an option, as that would break the Pi3 + again. + + - We can't move the clk_set_min_rate() call in _pre_crtc_configure() + since because, on the Pi3, the HSM clock has the CLK_SET_RATE_GATE + flag which prevents the clock rate from being changed after it's + been enabled. Our calls to clk_set_min_rate() can change it, so they + need to be done before clk_prepare_enable(). + + - We can't remove the call to clk_prepare_enable() from the + runtime_resume hook to put it into _pre_crtc_configure() either, + since we need that clock to be enabled to access the registers, and + we can't count on the fact that the display will be active in all + situations (doing any CEC operation, or listing the modes while + inactive are valid for example()). + + - We can't drop the call to clk_set_min_rate() in + _pre_crtc_configure() since we would need to still enforce the + minimum rate for a given resolution, and runtime_resume doesn't have + access to the current mode, if there's any. + + - We can't copy the TMDS character rate into vc4_hdmi and reuse it + since, because it's part of the KMS atomic state, it needs to be + protected by a mutex. Unfortunately, some functions (CEC operations, + mostly) can be reentrant (through the CEC framework) and still need + a pm_runtime_get. + +However, we can work around this issue by leveraging the fact that the +clk_set_min_rate() calls set boundaries for its given struct clk, and +that each different clk_get() call will return a different instance of +struct clk. The clock framework will then aggregate the boundaries for +each struct clk instances linked to a given clock, plus its hardware +boundaries, and will use that. + +We can thus get an extra HSM clock user for runtime_pm use only, and use +our different clock instances depending on the context: runtime_pm will +use its own to set the absolute minimum clock setup so that we never +lock the CPU waiting for a register access, and the modeset part will +set its requirement for the current resolution. And we let the CCF do +the coordination. + +It's not an ideal solution, but it's fairly unintrusive and doesn't +really change any part of the logic so it looks like a rather safe fix. + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2136234 +Fixes: ae71ab585c81 ("drm/vc4: hdmi: Enforce the minimum rate at runtime_resume") +Reported-by: Peter Robinson +Reviewed-by: Javier Martinez Canillas +Tested-by: Peter Robinson +Link: https://lore.kernel.org/r/20221021131339.2203291-1-maxime@cerno.tech +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 21 +++++++++++++++++---- + drivers/gpu/drm/vc4/vc4_hdmi.h | 1 + + 2 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 874c6bd787c5..4e5bba0822a5 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -2712,9 +2712,16 @@ static int vc4_hdmi_init_resources(struct vc4_hdmi *vc4_hdmi) + DRM_ERROR("Failed to get HDMI state machine clock\n"); + return PTR_ERR(vc4_hdmi->hsm_clock); + } ++ + vc4_hdmi->audio_clock = vc4_hdmi->hsm_clock; + vc4_hdmi->cec_clock = vc4_hdmi->hsm_clock; + ++ vc4_hdmi->hsm_rpm_clock = devm_clk_get(dev, "hdmi"); ++ if (IS_ERR(vc4_hdmi->hsm_rpm_clock)) { ++ DRM_ERROR("Failed to get HDMI state machine clock\n"); ++ return PTR_ERR(vc4_hdmi->hsm_rpm_clock); ++ } ++ + return 0; + } + +@@ -2796,6 +2803,12 @@ static int vc5_hdmi_init_resources(struct vc4_hdmi *vc4_hdmi) + return PTR_ERR(vc4_hdmi->hsm_clock); + } + ++ vc4_hdmi->hsm_rpm_clock = devm_clk_get(dev, "hdmi"); ++ if (IS_ERR(vc4_hdmi->hsm_rpm_clock)) { ++ DRM_ERROR("Failed to get HDMI state machine clock\n"); ++ return PTR_ERR(vc4_hdmi->hsm_rpm_clock); ++ } ++ + vc4_hdmi->pixel_bvb_clock = devm_clk_get(dev, "bvb"); + if (IS_ERR(vc4_hdmi->pixel_bvb_clock)) { + DRM_ERROR("Failed to get pixel bvb clock\n"); +@@ -2859,7 +2872,7 @@ static int vc4_hdmi_runtime_suspend(struct device *dev) + { + struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev); + +- clk_disable_unprepare(vc4_hdmi->hsm_clock); ++ clk_disable_unprepare(vc4_hdmi->hsm_rpm_clock); + + return 0; + } +@@ -2877,11 +2890,11 @@ static int vc4_hdmi_runtime_resume(struct device *dev) + * its frequency while the power domain is active so that it + * keeps its rate. + */ +- ret = clk_set_min_rate(vc4_hdmi->hsm_clock, HSM_MIN_CLOCK_FREQ); ++ ret = clk_set_min_rate(vc4_hdmi->hsm_rpm_clock, HSM_MIN_CLOCK_FREQ); + if (ret) + return ret; + +- ret = clk_prepare_enable(vc4_hdmi->hsm_clock); ++ ret = clk_prepare_enable(vc4_hdmi->hsm_rpm_clock); + if (ret) + return ret; + +@@ -2894,7 +2907,7 @@ static int vc4_hdmi_runtime_resume(struct device *dev) + * case, it will lead to a silent CPU stall. Let's make sure we + * prevent such a case. + */ +- rate = clk_get_rate(vc4_hdmi->hsm_clock); ++ rate = clk_get_rate(vc4_hdmi->hsm_rpm_clock); + if (!rate) { + ret = -EINVAL; + goto err_disable_clk; +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.h b/drivers/gpu/drm/vc4/vc4_hdmi.h +index c3ed2b07df23..47f141ec8c40 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.h ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.h +@@ -171,6 +171,7 @@ struct vc4_hdmi { + struct clk *cec_clock; + struct clk *pixel_clock; + struct clk *hsm_clock; ++ struct clk *hsm_rpm_clock; + struct clk *audio_clock; + struct clk *pixel_bvb_clock; + +-- +2.35.1 + diff --git a/queue-6.0/dt-bindings-net-tsnep-fix-typo-on-generic-nvmem-prop.patch b/queue-6.0/dt-bindings-net-tsnep-fix-typo-on-generic-nvmem-prop.patch new file mode 100644 index 00000000000..345a76dc40f --- /dev/null +++ b/queue-6.0/dt-bindings-net-tsnep-fix-typo-on-generic-nvmem-prop.patch @@ -0,0 +1,40 @@ +From 16ac28ede58ff9ea58dd8265bc24c80a16eea252 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 17:21:47 +0100 +Subject: dt-bindings: net: tsnep: Fix typo on generic nvmem property + +From: Miquel Raynal + +[ Upstream commit ec683f02a150b9c4428f08accd387c8c216ea0e5 ] + +While working on the nvmem description I figured out this file had the +"nvmem-cell-names" property name misspelled. Fix the typo, as +"nvmem-cells-names" has never existed. + +Fixes: 603094b2cdb7 ("dt-bindings: net: Add tsnep Ethernet controller") +Signed-off-by: Miquel Raynal +Reviewed-by: Gerhard Engleder +Acked-by: Rob Herring +Link: https://lore.kernel.org/r/20221104162147.1288230-1-miquel.raynal@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/net/engleder,tsnep.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/net/engleder,tsnep.yaml b/Documentation/devicetree/bindings/net/engleder,tsnep.yaml +index d0e1476e15b5..ccc42cb470da 100644 +--- a/Documentation/devicetree/bindings/net/engleder,tsnep.yaml ++++ b/Documentation/devicetree/bindings/net/engleder,tsnep.yaml +@@ -28,7 +28,7 @@ properties: + + nvmem-cells: true + +- nvmem-cells-names: true ++ nvmem-cell-names: true + + phy-connection-type: + enum: +-- +2.35.1 + diff --git a/queue-6.0/eth-sp7021-drop-free_netdev-from-spl2sw_init_netdev.patch b/queue-6.0/eth-sp7021-drop-free_netdev-from-spl2sw_init_netdev.patch new file mode 100644 index 00000000000..24add313ec8 --- /dev/null +++ b/queue-6.0/eth-sp7021-drop-free_netdev-from-spl2sw_init_netdev.patch @@ -0,0 +1,36 @@ +From 4c67a0d5a6d1172c872b6c11ca5a647f3f053806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 15:01:16 +0000 +Subject: eth: sp7021: drop free_netdev() from spl2sw_init_netdev() + +From: Wei Yongjun + +[ Upstream commit de91b3197d15172407608b2c357aab7ac1451e2b ] + +It's not necessary to free netdev allocated with devm_alloc_etherdev() +and using free_netdev() leads to double free. + +Fixes: fd3040b9394c ("net: ethernet: Add driver for Sunplus SP7021") +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20221109150116.2988194-1-weiyongjun@huaweicloud.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sunplus/spl2sw_driver.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/sunplus/spl2sw_driver.c b/drivers/net/ethernet/sunplus/spl2sw_driver.c +index 61d1d07dc070..d6f1fef4ff3a 100644 +--- a/drivers/net/ethernet/sunplus/spl2sw_driver.c ++++ b/drivers/net/ethernet/sunplus/spl2sw_driver.c +@@ -286,7 +286,6 @@ static u32 spl2sw_init_netdev(struct platform_device *pdev, u8 *mac_addr, + if (ret) { + dev_err(&pdev->dev, "Failed to register net device \"%s\"!\n", + ndev->name); +- free_netdev(ndev); + *r_ndev = NULL; + return ret; + } +-- +2.35.1 + diff --git a/queue-6.0/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch b/queue-6.0/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch new file mode 100644 index 00000000000..5ad45d11720 --- /dev/null +++ b/queue-6.0/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch @@ -0,0 +1,86 @@ +From 6ef482a946e77bba1dc76b5e8305a0caa71a83ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 10:37:41 +0800 +Subject: ethernet: s2io: disable napi when start nic failed in s2io_card_up() + +From: Zhengchao Shao + +[ Upstream commit 0348c1ab980c1d43fb37b758d4b760990c066cb5 ] + +When failed to start nic or add interrupt service routine in +s2io_card_up() for opening device, napi isn't disabled. When open +s2io device next time, it will trigger a BUG_ON()in napi_enable(). +Compile tested only. + +Fixes: 5f490c968056 ("S2io: Fixed synchronization between scheduling of napi with card reset and close") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221109023741.131552-1-shaozhengchao@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/neterion/s2io.c | 29 +++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c +index 30f955efa830..8f74c039b3be 100644 +--- a/drivers/net/ethernet/neterion/s2io.c ++++ b/drivers/net/ethernet/neterion/s2io.c +@@ -7128,9 +7128,8 @@ static int s2io_card_up(struct s2io_nic *sp) + if (ret) { + DBG_PRINT(ERR_DBG, "%s: Out of memory in Open\n", + dev->name); +- s2io_reset(sp); +- free_rx_buffers(sp); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto err_fill_buff; + } + DBG_PRINT(INFO_DBG, "Buf in ring:%d is %d:\n", i, + ring->rx_bufs_left); +@@ -7168,18 +7167,16 @@ static int s2io_card_up(struct s2io_nic *sp) + /* Enable Rx Traffic and interrupts on the NIC */ + if (start_nic(sp)) { + DBG_PRINT(ERR_DBG, "%s: Starting NIC failed\n", dev->name); +- s2io_reset(sp); +- free_rx_buffers(sp); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_out; + } + + /* Add interrupt service routine */ + if (s2io_add_isr(sp) != 0) { + if (sp->config.intr_type == MSI_X) + s2io_rem_isr(sp); +- s2io_reset(sp); +- free_rx_buffers(sp); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_out; + } + + timer_setup(&sp->alarm_timer, s2io_alarm_handle, 0); +@@ -7199,6 +7196,20 @@ static int s2io_card_up(struct s2io_nic *sp) + } + + return 0; ++ ++err_out: ++ if (config->napi) { ++ if (config->intr_type == MSI_X) { ++ for (i = 0; i < sp->config.rx_ring_num; i++) ++ napi_disable(&sp->mac_control.rings[i].napi); ++ } else { ++ napi_disable(&sp->napi); ++ } ++ } ++err_fill_buff: ++ s2io_reset(sp); ++ free_rx_buffers(sp); ++ return ret; + } + + /** +-- +2.35.1 + diff --git a/queue-6.0/ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch b/queue-6.0/ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch new file mode 100644 index 00000000000..8e975029678 --- /dev/null +++ b/queue-6.0/ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch @@ -0,0 +1,45 @@ +From 040620c212aafafb478c08fd2fde91937ea751c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 12:40:16 +0800 +Subject: ethernet: tundra: free irq when alloc ring failed in tsi108_open() + +From: Zhengchao Shao + +[ Upstream commit acce40037041f97baad18142bb253064491ebde3 ] + +When alloc tx/rx ring failed in tsi108_open(), it doesn't free irq. Fix +it. + +Fixes: 5e123b844a1c ("[PATCH] Add tsi108/9 On Chip Ethernet device driver support") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221109044016.126866-1-shaozhengchao@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/tundra/tsi108_eth.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/tundra/tsi108_eth.c b/drivers/net/ethernet/tundra/tsi108_eth.c +index 5251fc324221..a2fe0534c769 100644 +--- a/drivers/net/ethernet/tundra/tsi108_eth.c ++++ b/drivers/net/ethernet/tundra/tsi108_eth.c +@@ -1303,12 +1303,15 @@ static int tsi108_open(struct net_device *dev) + + data->rxring = dma_alloc_coherent(&data->pdev->dev, rxring_size, + &data->rxdma, GFP_KERNEL); +- if (!data->rxring) ++ if (!data->rxring) { ++ free_irq(data->irq_num, dev); + return -ENOMEM; ++ } + + data->txring = dma_alloc_coherent(&data->pdev->dev, txring_size, + &data->txdma, GFP_KERNEL); + if (!data->txring) { ++ free_irq(data->irq_num, dev); + dma_free_coherent(&data->pdev->dev, rxring_size, data->rxring, + data->rxdma); + return -ENOMEM; +-- +2.35.1 + diff --git a/queue-6.0/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch b/queue-6.0/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch new file mode 100644 index 00000000000..4833efbd72c --- /dev/null +++ b/queue-6.0/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch @@ -0,0 +1,49 @@ +From 9edf303897c9a481483c8b04234fc627fe5a3df6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 17:09:05 +0800 +Subject: hamradio: fix issue of dev reference count leakage in + bpq_device_event() + +From: Zhengchao Shao + +[ Upstream commit 85cbaf032d3cd9f595152625eda5d4ecb1d6d78d ] + +When following tests are performed, it will cause dev reference counting +leakage. +a)ip link add bond2 type bond mode balance-rr +b)ip link set bond2 up +c)ifenslave -f bond2 rose1 +d)ip link del bond2 + +When new bond device is created, the default type of the bond device is +ether. And the bond device is up, bpq_device_event() receives the message +and creates a new bpq device. In this case, the reference count value of +dev is hold once. But after "ifenslave -f bond2 rose1" command is +executed, the type of the bond device is changed to rose. When the bond +device is unregistered, bpq_device_event() will not put the dev reference +count. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Zhengchao Shao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/bpqether.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/hamradio/bpqether.c b/drivers/net/hamradio/bpqether.c +index 30af0081e2be..83a16d10eedb 100644 +--- a/drivers/net/hamradio/bpqether.c ++++ b/drivers/net/hamradio/bpqether.c +@@ -533,7 +533,7 @@ static int bpq_device_event(struct notifier_block *this, + if (!net_eq(dev_net(dev), &init_net)) + return NOTIFY_DONE; + +- if (!dev_is_ethdev(dev)) ++ if (!dev_is_ethdev(dev) && !bpq_get_ax25_dev(dev)) + return NOTIFY_DONE; + + switch (event) { +-- +2.35.1 + diff --git a/queue-6.0/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch b/queue-6.0/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch new file mode 100644 index 00000000000..274e495d6cf --- /dev/null +++ b/queue-6.0/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch @@ -0,0 +1,37 @@ +From e34fb18739d90e0b7c57208638e9c3418732b217 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 21:40:43 +0800 +Subject: HID: hyperv: fix possible memory leak in mousevsc_probe() + +From: Yang Yingliang + +[ Upstream commit b5bcb94b0954a026bbd671741fdb00e7141f9c91 ] + +If hid_add_device() returns error, it should call hid_destroy_device() +to free hid_dev which is allocated in hid_allocate_device(). + +Fixes: 74c4fb058083 ("HID: hv_mouse: Properly add the hid device") +Signed-off-by: Yang Yingliang +Reviewed-by: Wei Liu +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-hyperv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c +index e0bc73124196..ab57b49a44ed 100644 +--- a/drivers/hid/hid-hyperv.c ++++ b/drivers/hid/hid-hyperv.c +@@ -499,7 +499,7 @@ static int mousevsc_probe(struct hv_device *device, + + ret = hid_add_device(hid_dev); + if (ret) +- goto probe_err1; ++ goto probe_err2; + + + ret = hid_parse(hid_dev); +-- +2.35.1 + diff --git a/queue-6.0/hwspinlock-qcom-correct-mmio-max-register-for-newer-.patch b/queue-6.0/hwspinlock-qcom-correct-mmio-max-register-for-newer-.patch new file mode 100644 index 00000000000..366048d8957 --- /dev/null +++ b/queue-6.0/hwspinlock-qcom-correct-mmio-max-register-for-newer-.patch @@ -0,0 +1,38 @@ +From 9071c22caec4104c7d3cb2a285d261a82b809bae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 11:20:23 +0200 +Subject: hwspinlock: qcom: correct MMIO max register for newer SoCs + +From: Krzysztof Kozlowski + +[ Upstream commit 90cb380f9ceb811059340d06ff5fd0c0e93ecbe1 ] + +Newer ARMv8 Qualcomm SoCs using 0x1000 register stride have maximum +register 0x20000 (32 mutexes * 0x1000). + +Fixes: 7a1e6fb1c606 ("hwspinlock: qcom: Allow mmio usage in addition to syscon") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220909092035.223915-4-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/hwspinlock/qcom_hwspinlock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwspinlock/qcom_hwspinlock.c b/drivers/hwspinlock/qcom_hwspinlock.c +index 80ea45b3a815..9734e149d981 100644 +--- a/drivers/hwspinlock/qcom_hwspinlock.c ++++ b/drivers/hwspinlock/qcom_hwspinlock.c +@@ -121,7 +121,7 @@ static const struct regmap_config tcsr_mutex_config = { + .reg_bits = 32, + .reg_stride = 4, + .val_bits = 32, +- .max_register = 0x40000, ++ .max_register = 0x20000, + .fast_io = true, + }; + +-- +2.35.1 + diff --git a/queue-6.0/iavf-fix-vf-driver-counting-vlan-0-filters.patch b/queue-6.0/iavf-fix-vf-driver-counting-vlan-0-filters.patch new file mode 100644 index 00000000000..62b2bb6037f --- /dev/null +++ b/queue-6.0/iavf-fix-vf-driver-counting-vlan-0-filters.patch @@ -0,0 +1,42 @@ +From 9215c9438154175eed00bee9b6e5ca97b8cecbd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Oct 2022 10:45:37 +0200 +Subject: iavf: Fix VF driver counting VLAN 0 filters + +From: Michal Jaron + +[ Upstream commit 0e710a3ffd0caaf23b8791b041e8792f252f8e4f ] + +VF driver mistakenly counts VLAN 0 filters, when no PF driver +counts them. +Do not count VLAN 0 filters, when VLAN_V2 is engaged. +Counting those filters in, will affect filters size by -1, when +sending batched VLAN addition message. + +Fixes: 968996c070ef ("iavf: Fix VLAN_V2 addition/rejection") +Signed-off-by: Przemyslaw Patynowski +Signed-off-by: Michal Jaron +Signed-off-by: Kamil Maziarz +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 5a9e6563923e..24a701fd140e 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -2438,6 +2438,8 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + list_for_each_entry(f, &adapter->vlan_filter_list, list) { + if (f->is_new_vlan) { + f->is_new_vlan = false; ++ if (!f->vlan.vid) ++ continue; + if (f->vlan.tpid == ETH_P_8021Q) + set_bit(f->vlan.vid, + adapter->vsi.active_cvlans); +-- +2.35.1 + diff --git a/queue-6.0/ice-fix-spurious-interrupt-during-removal-of-trusted.patch b/queue-6.0/ice-fix-spurious-interrupt-during-removal-of-trusted.patch new file mode 100644 index 00000000000..aecee883ac7 --- /dev/null +++ b/queue-6.0/ice-fix-spurious-interrupt-during-removal-of-trusted.patch @@ -0,0 +1,108 @@ +From 6105610287092656b6027e0b731a9091dabb172f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 10:22:22 -0400 +Subject: ice: Fix spurious interrupt during removal of trusted VF + +From: Norbert Zulinski + +[ Upstream commit f23df5220d2bf8d5e639f074b76f206a736d09e1 ] + +Previously, during removal of trusted VF when VF is down there was +number of spurious interrupt equal to number of queues on VF. + +Add check if VF already has inactive queues. If VF is disabled and +has inactive rx queues then do not disable rx queues. +Add check in ice_vsi_stop_tx_ring if it's VF's vsi and if VF is +disabled. + +Fixes: efe41860008e ("ice: Fix memory corruption in VF driver") +Signed-off-by: Norbert Zulinski +Signed-off-by: Mateusz Palczewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_base.c | 2 +- + drivers/net/ethernet/intel/ice/ice_lib.c | 25 +++++++++++++++++++++ + drivers/net/ethernet/intel/ice/ice_lib.h | 1 + + drivers/net/ethernet/intel/ice/ice_vf_lib.c | 5 ++++- + 4 files changed, 31 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c +index 1e3243808178..9ee022bb8ec2 100644 +--- a/drivers/net/ethernet/intel/ice/ice_base.c ++++ b/drivers/net/ethernet/intel/ice/ice_base.c +@@ -959,7 +959,7 @@ ice_vsi_stop_tx_ring(struct ice_vsi *vsi, enum ice_disq_rst_src rst_src, + * associated to the queue to schedule NAPI handler + */ + q_vector = ring->q_vector; +- if (q_vector) ++ if (q_vector && !(vsi->vf && ice_is_vf_disabled(vsi->vf))) + ice_trigger_sw_intr(hw, q_vector); + + status = ice_dis_vsi_txq(vsi->port_info, txq_meta->vsi_idx, +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 58d483e2f539..11399f55e647 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -2222,6 +2222,31 @@ int ice_vsi_stop_xdp_tx_rings(struct ice_vsi *vsi) + return ice_vsi_stop_tx_rings(vsi, ICE_NO_RESET, 0, vsi->xdp_rings, vsi->num_xdp_txq); + } + ++/** ++ * ice_vsi_is_rx_queue_active ++ * @vsi: the VSI being configured ++ * ++ * Return true if at least one queue is active. ++ */ ++bool ice_vsi_is_rx_queue_active(struct ice_vsi *vsi) ++{ ++ struct ice_pf *pf = vsi->back; ++ struct ice_hw *hw = &pf->hw; ++ int i; ++ ++ ice_for_each_rxq(vsi, i) { ++ u32 rx_reg; ++ int pf_q; ++ ++ pf_q = vsi->rxq_map[i]; ++ rx_reg = rd32(hw, QRX_CTRL(pf_q)); ++ if (rx_reg & QRX_CTRL_QENA_STAT_M) ++ return true; ++ } ++ ++ return false; ++} ++ + /** + * ice_vsi_is_vlan_pruning_ena - check if VLAN pruning is enabled or not + * @vsi: VSI to check whether or not VLAN pruning is enabled. +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.h b/drivers/net/ethernet/intel/ice/ice_lib.h +index 8712b1d2ceec..441fb132f194 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.h ++++ b/drivers/net/ethernet/intel/ice/ice_lib.h +@@ -127,4 +127,5 @@ u16 ice_vsi_num_non_zero_vlans(struct ice_vsi *vsi); + bool ice_is_feature_supported(struct ice_pf *pf, enum ice_feature f); + void ice_clear_feature_support(struct ice_pf *pf, enum ice_feature f); + void ice_init_feature_support(struct ice_pf *pf); ++bool ice_vsi_is_rx_queue_active(struct ice_vsi *vsi); + #endif /* !_ICE_LIB_H_ */ +diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c +index 0abeed092de1..1c51778db951 100644 +--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c +@@ -576,7 +576,10 @@ int ice_reset_vf(struct ice_vf *vf, u32 flags) + return -EINVAL; + } + ice_vsi_stop_lan_tx_rings(vsi, ICE_NO_RESET, vf->vf_id); +- ice_vsi_stop_all_rx_rings(vsi); ++ ++ if (ice_vsi_is_rx_queue_active(vsi)) ++ ice_vsi_stop_all_rx_rings(vsi); ++ + dev_dbg(dev, "VF is already disabled, there is no need for resetting it, telling VM, all is fine %d\n", + vf->vf_id); + return 0; +-- +2.35.1 + diff --git a/queue-6.0/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch b/queue-6.0/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch new file mode 100644 index 00000000000..bbd25a62996 --- /dev/null +++ b/queue-6.0/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch @@ -0,0 +1,77 @@ +From b190375b9b76fa5ef875be7b691368c0954e71e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 11:32:16 +0100 +Subject: ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to + network + +From: Alexander Potapenko + +[ Upstream commit c23fb2c82267638f9d206cb96bb93e1f93ad7828 ] + +When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved +remained uninitialized, resulting in a 1-byte infoleak: + + BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841 + __netdev_start_xmit ./include/linux/netdevice.h:4841 + netdev_start_xmit ./include/linux/netdevice.h:4857 + xmit_one net/core/dev.c:3590 + dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606 + __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256 + dev_queue_xmit ./include/linux/netdevice.h:3009 + __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 + __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325 + netlink_deliver_tap net/netlink/af_netlink.c:338 + __netlink_sendskb net/netlink/af_netlink.c:1263 + netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272 + netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360 + nlmsg_unicast ./include/net/netlink.h:1061 + rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758 + ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628 + rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 + ... + Uninit was created at: + slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742 + slab_alloc_node mm/slub.c:3398 + __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437 + __do_kmalloc_node mm/slab_common.c:954 + __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975 + kmalloc_reserve net/core/skbuff.c:437 + __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509 + alloc_skb ./include/linux/skbuff.h:1267 + nlmsg_new ./include/net/netlink.h:964 + ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608 + rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 + netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540 + rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 + netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921 + ... + +This patch ensures that the reserved field is always initialized. + +Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com +Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.") +Signed-off-by: Alexander Potapenko +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrlabel.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c +index 8a22486cf270..17ac45aa7194 100644 +--- a/net/ipv6/addrlabel.c ++++ b/net/ipv6/addrlabel.c +@@ -437,6 +437,7 @@ static void ip6addrlbl_putmsg(struct nlmsghdr *nlh, + { + struct ifaddrlblmsg *ifal = nlmsg_data(nlh); + ifal->ifal_family = AF_INET6; ++ ifal->__ifal_reserved = 0; + ifal->ifal_prefixlen = prefixlen; + ifal->ifal_flags = 0; + ifal->ifal_index = ifindex; +-- +2.35.1 + diff --git a/queue-6.0/kvm-s390-pci-fix-allocation-size-of-aift-kzdev-eleme.patch b/queue-6.0/kvm-s390-pci-fix-allocation-size-of-aift-kzdev-eleme.patch new file mode 100644 index 00000000000..a0f1ba54e01 --- /dev/null +++ b/queue-6.0/kvm-s390-pci-fix-allocation-size-of-aift-kzdev-eleme.patch @@ -0,0 +1,43 @@ +From 9bee705f3ede4765743ac142243f6536fcdd70c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 22:32:33 -0300 +Subject: KVM: s390: pci: Fix allocation size of aift kzdev elements + +From: Rafael Mendonca + +[ Upstream commit b6662e37772715447aeff2538444ff291e02ea31 ] + +The 'kzdev' field of struct 'zpci_aift' is an array of pointers to +'kvm_zdev' structs. Allocate the proper size accordingly. + +Reported by Coccinelle: + WARNING: Use correct pointer type argument for sizeof + +Fixes: 98b1d33dac5f ("KVM: s390: pci: do initial setup for AEN interpretation") +Signed-off-by: Rafael Mendonca +Reviewed-by: Christian Borntraeger +Reviewed-by: Matthew Rosato +Link: https://lore.kernel.org/r/20221026013234.960859-1-rafaelmendsr@gmail.com +Message-Id: <20221026013234.960859-1-rafaelmendsr@gmail.com> +Signed-off-by: Janosch Frank +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kvm/pci.c b/arch/s390/kvm/pci.c +index c50c1645c0ae..ded1af2ddae9 100644 +--- a/arch/s390/kvm/pci.c ++++ b/arch/s390/kvm/pci.c +@@ -126,7 +126,7 @@ int kvm_s390_pci_aen_init(u8 nisc) + return -EPERM; + + mutex_lock(&aift->aift_lock); +- aift->kzdev = kcalloc(ZPCI_NR_DEVICES, sizeof(struct kvm_zdev), ++ aift->kzdev = kcalloc(ZPCI_NR_DEVICES, sizeof(struct kvm_zdev *), + GFP_KERNEL); + if (!aift->kzdev) { + rc = -ENOMEM; +-- +2.35.1 + diff --git a/queue-6.0/kvm-s390-pv-don-t-allow-userspace-to-set-the-clock-u.patch b/queue-6.0/kvm-s390-pv-don-t-allow-userspace-to-set-the-clock-u.patch new file mode 100644 index 00000000000..4dd0b14a09a --- /dev/null +++ b/queue-6.0/kvm-s390-pv-don-t-allow-userspace-to-set-the-clock-u.patch @@ -0,0 +1,166 @@ +From 6610e319ae1671156e73e948eee68c090b0fa27b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Oct 2022 18:07:12 +0200 +Subject: KVM: s390: pv: don't allow userspace to set the clock under PV + +From: Nico Boehr + +[ Upstream commit 6973091d1b50ab4042f6a2d495f59e9db3662ab8 ] + +When running under PV, the guest's TOD clock is under control of the +ultravisor and the hypervisor isn't allowed to change it. Hence, don't +allow userspace to change the guest's TOD clock by returning +-EOPNOTSUPP. + +When userspace changes the guest's TOD clock, KVM updates its +kvm.arch.epoch field and, in addition, the epoch field in all state +descriptions of all VCPUs. + +But, under PV, the ultravisor will ignore the epoch field in the state +description and simply overwrite it on next SIE exit with the actual +guest epoch. This leads to KVM having an incorrect view of the guest's +TOD clock: it has updated its internal kvm.arch.epoch field, but the +ultravisor ignores the field in the state description. + +Whenever a guest is now waiting for a clock comparator, KVM will +incorrectly calculate the time when the guest should wake up, possibly +causing the guest to sleep for much longer than expected. + +With this change, kvm_s390_set_tod() will now take the kvm->lock to be +able to call kvm_s390_pv_is_protected(). Since kvm_s390_set_tod_clock() +also takes kvm->lock, use __kvm_s390_set_tod_clock() instead. + +The function kvm_s390_set_tod_clock is now unused, hence remove it. +Update the documentation to indicate the TOD clock attr calls can now +return -EOPNOTSUPP. + +Fixes: 0f3035047140 ("KVM: s390: protvirt: Do only reset registers that are accessible") +Reported-by: Marc Hartmayer +Signed-off-by: Nico Boehr +Reviewed-by: Claudio Imbrenda +Reviewed-by: Janosch Frank +Link: https://lore.kernel.org/r/20221011160712.928239-2-nrb@linux.ibm.com +Message-Id: <20221011160712.928239-2-nrb@linux.ibm.com> +Signed-off-by: Janosch Frank +Signed-off-by: Sasha Levin +--- + Documentation/virt/kvm/devices/vm.rst | 3 +++ + arch/s390/kvm/kvm-s390.c | 26 +++++++++++++++++--------- + arch/s390/kvm/kvm-s390.h | 1 - + 3 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/Documentation/virt/kvm/devices/vm.rst b/Documentation/virt/kvm/devices/vm.rst +index 0aa5b1cfd700..60acc39e0e93 100644 +--- a/Documentation/virt/kvm/devices/vm.rst ++++ b/Documentation/virt/kvm/devices/vm.rst +@@ -215,6 +215,7 @@ KVM_S390_VM_TOD_EXT). + :Parameters: address of a buffer in user space to store the data (u8) to + :Returns: -EFAULT if the given address is not accessible from kernel space; + -EINVAL if setting the TOD clock extension to != 0 is not supported ++ -EOPNOTSUPP for a PV guest (TOD managed by the ultravisor) + + 3.2. ATTRIBUTE: KVM_S390_VM_TOD_LOW + ----------------------------------- +@@ -224,6 +225,7 @@ the POP (u64). + + :Parameters: address of a buffer in user space to store the data (u64) to + :Returns: -EFAULT if the given address is not accessible from kernel space ++ -EOPNOTSUPP for a PV guest (TOD managed by the ultravisor) + + 3.3. ATTRIBUTE: KVM_S390_VM_TOD_EXT + ----------------------------------- +@@ -237,6 +239,7 @@ it, it is stored as 0 and not allowed to be set to a value != 0. + (kvm_s390_vm_tod_clock) to + :Returns: -EFAULT if the given address is not accessible from kernel space; + -EINVAL if setting the TOD clock extension to != 0 is not supported ++ -EOPNOTSUPP for a PV guest (TOD managed by the ultravisor) + + 4. GROUP: KVM_S390_VM_CRYPTO + ============================ +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index b7ef0b71014d..2486281027c0 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -1207,6 +1207,8 @@ static int kvm_s390_vm_get_migration(struct kvm *kvm, + return 0; + } + ++static void __kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod); ++ + static int kvm_s390_set_tod_ext(struct kvm *kvm, struct kvm_device_attr *attr) + { + struct kvm_s390_vm_tod_clock gtod; +@@ -1216,7 +1218,7 @@ static int kvm_s390_set_tod_ext(struct kvm *kvm, struct kvm_device_attr *attr) + + if (!test_kvm_facility(kvm, 139) && gtod.epoch_idx) + return -EINVAL; +- kvm_s390_set_tod_clock(kvm, >od); ++ __kvm_s390_set_tod_clock(kvm, >od); + + VM_EVENT(kvm, 3, "SET: TOD extension: 0x%x, TOD base: 0x%llx", + gtod.epoch_idx, gtod.tod); +@@ -1247,7 +1249,7 @@ static int kvm_s390_set_tod_low(struct kvm *kvm, struct kvm_device_attr *attr) + sizeof(gtod.tod))) + return -EFAULT; + +- kvm_s390_set_tod_clock(kvm, >od); ++ __kvm_s390_set_tod_clock(kvm, >od); + VM_EVENT(kvm, 3, "SET: TOD base: 0x%llx", gtod.tod); + return 0; + } +@@ -1259,6 +1261,16 @@ static int kvm_s390_set_tod(struct kvm *kvm, struct kvm_device_attr *attr) + if (attr->flags) + return -EINVAL; + ++ mutex_lock(&kvm->lock); ++ /* ++ * For protected guests, the TOD is managed by the ultravisor, so trying ++ * to change it will never bring the expected results. ++ */ ++ if (kvm_s390_pv_is_protected(kvm)) { ++ ret = -EOPNOTSUPP; ++ goto out_unlock; ++ } ++ + switch (attr->attr) { + case KVM_S390_VM_TOD_EXT: + ret = kvm_s390_set_tod_ext(kvm, attr); +@@ -1273,6 +1285,9 @@ static int kvm_s390_set_tod(struct kvm *kvm, struct kvm_device_attr *attr) + ret = -ENXIO; + break; + } ++ ++out_unlock: ++ mutex_unlock(&kvm->lock); + return ret; + } + +@@ -4379,13 +4394,6 @@ static void __kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_t + preempt_enable(); + } + +-void kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod) +-{ +- mutex_lock(&kvm->lock); +- __kvm_s390_set_tod_clock(kvm, gtod); +- mutex_unlock(&kvm->lock); +-} +- + int kvm_s390_try_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod) + { + if (!mutex_trylock(&kvm->lock)) +diff --git a/arch/s390/kvm/kvm-s390.h b/arch/s390/kvm/kvm-s390.h +index f6fd668f887e..4755492dfabc 100644 +--- a/arch/s390/kvm/kvm-s390.h ++++ b/arch/s390/kvm/kvm-s390.h +@@ -363,7 +363,6 @@ int kvm_s390_handle_sigp(struct kvm_vcpu *vcpu); + int kvm_s390_handle_sigp_pei(struct kvm_vcpu *vcpu); + + /* implemented in kvm-s390.c */ +-void kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod); + int kvm_s390_try_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod); + long kvm_arch_fault_in_page(struct kvm_vcpu *vcpu, gpa_t gpa, int writable); + int kvm_s390_store_status_unloaded(struct kvm_vcpu *vcpu, unsigned long addr); +-- +2.35.1 + diff --git a/queue-6.0/macsec-clear-encryption-keys-from-the-stack-after-se.patch b/queue-6.0/macsec-clear-encryption-keys-from-the-stack-after-se.patch new file mode 100644 index 00000000000..452ac1e0e7e --- /dev/null +++ b/queue-6.0/macsec-clear-encryption-keys-from-the-stack-after-se.patch @@ -0,0 +1,47 @@ +From e7e771d76f6b96ecdcd71cc31bb1425b2c0a5f19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 22:33:16 +0100 +Subject: macsec: clear encryption keys from the stack after setting up offload + +From: Sabrina Dubroca + +[ Upstream commit aaab73f8fba4fd38f4d2617440d541a1c334e819 ] + +macsec_add_rxsa and macsec_add_txsa copy the key to an on-stack +offloading context to pass it to the drivers, but leaves it there when +it's done. Clear it with memzero_explicit as soon as it's not needed +anymore. + +Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Antoine Tenart +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 2add76c8064b..ddfa853ec9b5 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -1861,6 +1861,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) + secy->key_len); + + err = macsec_offload(ops->mdo_add_rxsa, &ctx); ++ memzero_explicit(ctx.sa.key, secy->key_len); + if (err) + goto cleanup; + } +@@ -2103,6 +2104,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info) + secy->key_len); + + err = macsec_offload(ops->mdo_add_txsa, &ctx); ++ memzero_explicit(ctx.sa.key, secy->key_len); + if (err) + goto cleanup; + } +-- +2.35.1 + diff --git a/queue-6.0/macsec-delete-new-rxsc-when-offload-fails.patch b/queue-6.0/macsec-delete-new-rxsc-when-offload-fails.patch new file mode 100644 index 00000000000..df9e48ee391 --- /dev/null +++ b/queue-6.0/macsec-delete-new-rxsc-when-offload-fails.patch @@ -0,0 +1,59 @@ +From 7c9ed956559bc4dbb1014635d4a05c7763c3b394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 22:33:13 +0100 +Subject: macsec: delete new rxsc when offload fails + +From: Sabrina Dubroca + +[ Upstream commit 93a30947821c203d08865c4e17ea181c9668ce52 ] + +Currently we get an inconsistent state: + - netlink returns the error to userspace + - the RXSC is installed but not offloaded + +Then the device could get confused when we try to add an RXSA, because +the RXSC isn't supposed to exist. + +Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Antoine Tenart +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index c6d271e5687e..3fce89a05312 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -1904,7 +1904,6 @@ static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info) + struct macsec_rx_sc *rx_sc; + struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; + struct macsec_secy *secy; +- bool was_active; + int ret; + + if (!attrs[MACSEC_ATTR_IFINDEX]) +@@ -1932,7 +1931,6 @@ static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info) + return PTR_ERR(rx_sc); + } + +- was_active = rx_sc->active; + if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) + rx_sc->active = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]); + +@@ -1959,7 +1957,8 @@ static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info) + return 0; + + cleanup: +- rx_sc->active = was_active; ++ del_rx_sc(secy, sci); ++ free_rx_sc(rx_sc); + rtnl_unlock(); + return ret; + } +-- +2.35.1 + diff --git a/queue-6.0/macsec-fix-detection-of-rxscs-when-toggling-offloadi.patch b/queue-6.0/macsec-fix-detection-of-rxscs-when-toggling-offloadi.patch new file mode 100644 index 00000000000..92f1accbfb9 --- /dev/null +++ b/queue-6.0/macsec-fix-detection-of-rxscs-when-toggling-offloadi.patch @@ -0,0 +1,44 @@ +From 4e76abff586b36e9434be46741f2ec5d19545284 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 22:33:15 +0100 +Subject: macsec: fix detection of RXSCs when toggling offloading + +From: Sabrina Dubroca + +[ Upstream commit 80df4706357a5a06bbbc70273bf2611df1ceee04 ] + +macsec_is_configured incorrectly uses secy->n_rx_sc to check if some +RXSCs exist. secy->n_rx_sc only counts the number of active RXSCs, but +there can also be inactive SCs as well, which may be stored in the +driver (in case we're disabling offloading), or would have to be +pushed to the device (in case we're trying to enable offloading). + +As long as RXSCs active on creation and never turned off, the issue is +not visible. + +Fixes: dcb780fb2795 ("net: macsec: add nla support for changing the offloading selection") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Antoine Tenart +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 6caab70efdb8..2add76c8064b 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -2599,7 +2599,7 @@ static bool macsec_is_configured(struct macsec_dev *macsec) + struct macsec_tx_sc *tx_sc = &secy->tx_sc; + int i; + +- if (secy->n_rx_sc > 0) ++ if (secy->rx_sc) + return true; + + for (i = 0; i < MACSEC_NUM_AN; i++) +-- +2.35.1 + diff --git a/queue-6.0/macsec-fix-secy-n_rx_sc-accounting.patch b/queue-6.0/macsec-fix-secy-n_rx_sc-accounting.patch new file mode 100644 index 00000000000..0d33c03ce3f --- /dev/null +++ b/queue-6.0/macsec-fix-secy-n_rx_sc-accounting.patch @@ -0,0 +1,82 @@ +From 4888cab3cc65527e6b45e12f5ab2a76bd8051fdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 22:33:14 +0100 +Subject: macsec: fix secy->n_rx_sc accounting + +From: Sabrina Dubroca + +[ Upstream commit 73a4b31c9d11f98ae3bc5286d5382930adb0e9c7 ] + +secy->n_rx_sc is supposed to be the number of _active_ rxsc's within a +secy. This is then used by macsec_send_sci to help decide if we should +add the SCI to the header or not. + +This logic is currently broken when we create a new RXSC and turn it +off at creation, as create_rx_sc always sets ->active to true (and +immediately uses that to increment n_rx_sc), and only later +macsec_add_rxsc sets rx_sc->active. + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Antoine Tenart +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 3fce89a05312..6caab70efdb8 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -1427,7 +1427,8 @@ static struct macsec_rx_sc *del_rx_sc(struct macsec_secy *secy, sci_t sci) + return NULL; + } + +-static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci) ++static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci, ++ bool active) + { + struct macsec_rx_sc *rx_sc; + struct macsec_dev *macsec; +@@ -1451,7 +1452,7 @@ static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci) + } + + rx_sc->sci = sci; +- rx_sc->active = true; ++ rx_sc->active = active; + refcount_set(&rx_sc->refcnt, 1); + + secy = &macsec_priv(dev)->secy; +@@ -1904,6 +1905,7 @@ static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info) + struct macsec_rx_sc *rx_sc; + struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; + struct macsec_secy *secy; ++ bool active = true; + int ret; + + if (!attrs[MACSEC_ATTR_IFINDEX]) +@@ -1925,15 +1927,15 @@ static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info) + secy = &macsec_priv(dev)->secy; + sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]); + +- rx_sc = create_rx_sc(dev, sci); ++ if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) ++ active = nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]); ++ ++ rx_sc = create_rx_sc(dev, sci, active); + if (IS_ERR(rx_sc)) { + rtnl_unlock(); + return PTR_ERR(rx_sc); + } + +- if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) +- rx_sc->active = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]); +- + if (macsec_is_offloaded(netdev_priv(dev))) { + const struct macsec_ops *ops; + struct macsec_context ctx; +-- +2.35.1 + diff --git a/queue-6.0/mctp-fix-an-error-handling-path-in-mctp_init.patch b/queue-6.0/mctp-fix-an-error-handling-path-in-mctp_init.patch new file mode 100644 index 00000000000..46c203e4b13 --- /dev/null +++ b/queue-6.0/mctp-fix-an-error-handling-path-in-mctp_init.patch @@ -0,0 +1,60 @@ +From dd2f1076ee4d63db089de6c7a02990551ddcb0a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 09:55:17 +0000 +Subject: mctp: Fix an error handling path in mctp_init() + +From: Wei Yongjun + +[ Upstream commit d4072058af4fd8fb4658e7452289042a406a9398 ] + +If mctp_neigh_init() return error, the routes resources should +be released in the error handling path. Otherwise some resources +leak. + +Fixes: 4d8b9319282a ("mctp: Add neighbour implementation") +Signed-off-by: Wei Yongjun +Acked-by: Matt Johnston +Link: https://lore.kernel.org/r/20221108095517.620115-1-weiyongjun@huaweicloud.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mctp/af_mctp.c | 4 +++- + net/mctp/route.c | 2 +- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c +index b6b5e496fa40..fc9e728b6333 100644 +--- a/net/mctp/af_mctp.c ++++ b/net/mctp/af_mctp.c +@@ -665,12 +665,14 @@ static __init int mctp_init(void) + + rc = mctp_neigh_init(); + if (rc) +- goto err_unreg_proto; ++ goto err_unreg_routes; + + mctp_device_init(); + + return 0; + ++err_unreg_routes: ++ mctp_routes_exit(); + err_unreg_proto: + proto_unregister(&mctp_proto); + err_unreg_sock: +diff --git a/net/mctp/route.c b/net/mctp/route.c +index 2155f15a074c..f9a80b82dc51 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -1400,7 +1400,7 @@ int __init mctp_routes_init(void) + return register_pernet_subsys(&mctp_net_ops); + } + +-void __exit mctp_routes_exit(void) ++void mctp_routes_exit(void) + { + unregister_pernet_subsys(&mctp_net_ops); + rtnl_unregister(PF_MCTP, RTM_DELROUTE); +-- +2.35.1 + diff --git a/queue-6.0/net-atlantic-macsec-clear-encryption-keys-from-the-s.patch b/queue-6.0/net-atlantic-macsec-clear-encryption-keys-from-the-s.patch new file mode 100644 index 00000000000..ab2c8d26ee8 --- /dev/null +++ b/queue-6.0/net-atlantic-macsec-clear-encryption-keys-from-the-s.patch @@ -0,0 +1,98 @@ +From 7945ee1fb5ae251b120570050d54c44523737000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 16:34:59 +0100 +Subject: net: atlantic: macsec: clear encryption keys from the stack + +From: Antoine Tenart + +[ Upstream commit 879785def0f5e71d54399de0f8a5cb399db14171 ] + +Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after +setting up offload") made sure to clean encryption keys from the stack +after setting up offloading, but the atlantic driver made a copy and did +not clear it. Fix this. + +[4 Fixes tags below, all part of the same series, no need to split this] + +Fixes: 9ff40a751a6f ("net: atlantic: MACSec ingress offload implementation") +Fixes: b8f8a0b7b5cb ("net: atlantic: MACSec ingress offload HW bindings") +Fixes: 27736563ce32 ("net: atlantic: MACSec egress offload implementation") +Fixes: 9d106c6dd81b ("net: atlantic: MACSec egress offload HW bindings") +Signed-off-by: Antoine Tenart +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/aquantia/atlantic/aq_macsec.c | 2 ++ + .../aquantia/atlantic/macsec/macsec_api.c | 18 +++++++++++------- + 2 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c b/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c +index 8b53d6688a4b..958b7f8c77d9 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c +@@ -585,6 +585,7 @@ static int aq_update_txsa(struct aq_nic_s *nic, const unsigned int sc_idx, + + ret = aq_mss_set_egress_sakey_record(hw, &key_rec, sa_idx); + ++ memzero_explicit(&key_rec, sizeof(key_rec)); + return ret; + } + +@@ -932,6 +933,7 @@ static int aq_update_rxsa(struct aq_nic_s *nic, const unsigned int sc_idx, + + ret = aq_mss_set_ingress_sakey_record(hw, &sa_key_record, sa_idx); + ++ memzero_explicit(&sa_key_record, sizeof(sa_key_record)); + return ret; + } + +diff --git a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c +index 36c7cf05630a..431924959520 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c ++++ b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c +@@ -757,6 +757,7 @@ set_ingress_sakey_record(struct aq_hw_s *hw, + u16 table_index) + { + u16 packed_record[18]; ++ int ret; + + if (table_index >= NUMROWS_INGRESSSAKEYRECORD) + return -EINVAL; +@@ -789,9 +790,12 @@ set_ingress_sakey_record(struct aq_hw_s *hw, + + packed_record[16] = rec->key_len & 0x3; + +- return set_raw_ingress_record(hw, packed_record, 18, 2, +- ROWOFFSET_INGRESSSAKEYRECORD + +- table_index); ++ ret = set_raw_ingress_record(hw, packed_record, 18, 2, ++ ROWOFFSET_INGRESSSAKEYRECORD + ++ table_index); ++ ++ memzero_explicit(packed_record, sizeof(packed_record)); ++ return ret; + } + + int aq_mss_set_ingress_sakey_record(struct aq_hw_s *hw, +@@ -1739,14 +1743,14 @@ static int set_egress_sakey_record(struct aq_hw_s *hw, + ret = set_raw_egress_record(hw, packed_record, 8, 2, + ROWOFFSET_EGRESSSAKEYRECORD + table_index); + if (unlikely(ret)) +- return ret; ++ goto clear_key; + ret = set_raw_egress_record(hw, packed_record + 8, 8, 2, + ROWOFFSET_EGRESSSAKEYRECORD + table_index - + 32); +- if (unlikely(ret)) +- return ret; + +- return 0; ++clear_key: ++ memzero_explicit(packed_record, sizeof(packed_record)); ++ return ret; + } + + int aq_mss_set_egress_sakey_record(struct aq_hw_s *hw, +-- +2.35.1 + diff --git a/queue-6.0/net-broadcom-fix-bcmgenet-kconfig.patch b/queue-6.0/net-broadcom-fix-bcmgenet-kconfig.patch new file mode 100644 index 00000000000..a49cce855df --- /dev/null +++ b/queue-6.0/net-broadcom-fix-bcmgenet-kconfig.patch @@ -0,0 +1,50 @@ +From 2b0fb4ee11acc6f7389f4c57c30838afb20211ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 17:02:45 +0800 +Subject: net: broadcom: Fix BCMGENET Kconfig + +From: YueHaibing + +[ Upstream commit 8d820bc9d12b8beebca836cceaf2bbe68216c2f8 ] + +While BCMGENET select BROADCOM_PHY as y, but PTP_1588_CLOCK_OPTIONAL is m, +kconfig warning and build errors: + +WARNING: unmet direct dependencies detected for BROADCOM_PHY + Depends on [m]: NETDEVICES [=y] && PHYLIB [=y] && PTP_1588_CLOCK_OPTIONAL [=m] + Selected by [y]: + - BCMGENET [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_BROADCOM [=y] && HAS_IOMEM [=y] && ARCH_BCM2835 [=y] + +drivers/net/phy/broadcom.o: In function `bcm54xx_suspend': +broadcom.c:(.text+0x6ac): undefined reference to `bcm_ptp_stop' +drivers/net/phy/broadcom.o: In function `bcm54xx_phy_probe': +broadcom.c:(.text+0x784): undefined reference to `bcm_ptp_probe' +drivers/net/phy/broadcom.o: In function `bcm54xx_config_init': +broadcom.c:(.text+0xd4c): undefined reference to `bcm_ptp_config_init' + +Fixes: 99addbe31f55 ("net: broadcom: Select BROADCOM_PHY for BCMGENET") +Signed-off-by: YueHaibing +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20221105090245.8508-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/Kconfig b/drivers/net/ethernet/broadcom/Kconfig +index 56e0fb07aec7..1cd3c289f49b 100644 +--- a/drivers/net/ethernet/broadcom/Kconfig ++++ b/drivers/net/ethernet/broadcom/Kconfig +@@ -77,7 +77,7 @@ config BCMGENET + select BCM7XXX_PHY + select MDIO_BCM_UNIMAC + select DIMLIB +- select BROADCOM_PHY if ARCH_BCM2835 ++ select BROADCOM_PHY if (ARCH_BCM2835 && PTP_1588_CLOCK_OPTIONAL) + help + This driver supports the built-in Ethernet MACs found in the + Broadcom BCM7xxx Set Top Box family chipset. +-- +2.35.1 + diff --git a/queue-6.0/net-cpsw-disable-napi-in-cpsw_ndo_open.patch b/queue-6.0/net-cpsw-disable-napi-in-cpsw_ndo_open.patch new file mode 100644 index 00000000000..67a83a56d14 --- /dev/null +++ b/queue-6.0/net-cpsw-disable-napi-in-cpsw_ndo_open.patch @@ -0,0 +1,38 @@ +From 1e1adab32319f1001e806c69a176769cddf7e1be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 09:15:37 +0800 +Subject: net: cpsw: disable napi in cpsw_ndo_open() + +From: Zhengchao Shao + +[ Upstream commit 6d47b53fb3f363a74538a1dbd09954af3d8d4131 ] + +When failed to create xdp rxqs or fill rx channels in cpsw_ndo_open() for +opening device, napi isn't disabled. When open cpsw device next time, it +will report a invalid opcode issue. Compiled tested only. + +Fixes: d354eb85d618 ("drivers: net: cpsw: dual_emac: simplify napi usage") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221109011537.96975-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c +index ed66c4d4d830..613e2c7c950c 100644 +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -854,6 +854,8 @@ static int cpsw_ndo_open(struct net_device *ndev) + + err_cleanup: + if (!cpsw->usage_count) { ++ napi_disable(&cpsw->napi_rx); ++ napi_disable(&cpsw->napi_tx); + cpdma_ctlr_stop(cpsw->dma); + cpsw_destroy_xdp_rxqs(cpsw); + } +-- +2.35.1 + diff --git a/queue-6.0/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch b/queue-6.0/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch new file mode 100644 index 00000000000..e6ef478ca86 --- /dev/null +++ b/queue-6.0/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch @@ -0,0 +1,37 @@ +From e9910e68b07dc086f7a0809a70d41d99203a34c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 10:14:51 +0800 +Subject: net: cxgb3_main: disable napi when bind qsets failed in cxgb_up() + +From: Zhengchao Shao + +[ Upstream commit d75aed1428da787cbe42bc073d76f1354f364d92 ] + +When failed to bind qsets in cxgb_up() for opening device, napi isn't +disabled. When open cxgb3 device next time, it will trigger a BUG_ON() +in napi_enable(). Compile tested only. + +Fixes: 48c4b6dbb7e2 ("cxgb3 - fix port up/down error path") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221109021451.121490-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +index 174b1e156669..481d85bfa483 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -1302,6 +1302,7 @@ static int cxgb_up(struct adapter *adap) + if (ret < 0) { + CH_ERR(adap, "failed to bind qsets, err %d\n", ret); + t3_intr_disable(adap); ++ quiesce_rx(adap); + free_irq_resources(adap); + err = ret; + goto out; +-- +2.35.1 + diff --git a/queue-6.0/net-ethernet-mtk-star-emac-disable-napi-when-connect.patch b/queue-6.0/net-ethernet-mtk-star-emac-disable-napi-when-connect.patch new file mode 100644 index 00000000000..3ada8662598 --- /dev/null +++ b/queue-6.0/net-ethernet-mtk-star-emac-disable-napi-when-connect.patch @@ -0,0 +1,40 @@ +From cf8d0e96254bd928de54d49e26f9c52d9421a800 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 09:21:59 +0800 +Subject: net: ethernet: mtk-star-emac: disable napi when connect and start PHY + failed in mtk_star_enable() + +From: Zhengchao Shao + +[ Upstream commit b0c09c7f08c2467b2089bdf4adb2fbbc2464f4a8 ] + +When failed to connect to and start PHY in mtk_star_enable() for opening +device, napi isn't disabled. When open mtk star device next time, it will +reports a invalid opcode issue. Fix it. Only be compiled, not be tested. + +Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver") +Signed-off-by: Zhengchao Shao +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20221107012159.211387-1-shaozhengchao@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_star_emac.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c +index 3f0e5e64de50..57f4373b30ba 100644 +--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c ++++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c +@@ -1026,6 +1026,8 @@ static int mtk_star_enable(struct net_device *ndev) + return 0; + + err_free_irq: ++ napi_disable(&priv->rx_napi); ++ napi_disable(&priv->tx_napi); + free_irq(ndev->irq, ndev); + err_free_skbs: + mtk_star_free_rx_skbs(priv); +-- +2.35.1 + diff --git a/queue-6.0/net-fman-unregister-ethernet-device-on-removal.patch b/queue-6.0/net-fman-unregister-ethernet-device-on-removal.patch new file mode 100644 index 00000000000..a44f5b81400 --- /dev/null +++ b/queue-6.0/net-fman-unregister-ethernet-device-on-removal.patch @@ -0,0 +1,53 @@ +From d67177e912c24a8e19a43a8b51504f959cd67e71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 14:28:30 -0400 +Subject: net: fman: Unregister ethernet device on removal + +From: Sean Anderson + +[ Upstream commit b7cbc6740bd6ad5d43345a2504f7e4beff0d709f ] + +When the mac device gets removed, it leaves behind the ethernet device. +This will result in a segfault next time the ethernet device accesses +mac_dev. Remove the ethernet device when we get removed to prevent +this. This is not completely reversible, since some resources aren't +cleaned up properly, but that can be addressed later. + +Fixes: 3933961682a3 ("fsl/fman: Add FMan MAC driver") +Signed-off-by: Sean Anderson +Link: https://lore.kernel.org/r/20221103182831.2248833-1-sean.anderson@seco.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/mac.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c +index 39ae965cd4f6..b0c756b65cc2 100644 +--- a/drivers/net/ethernet/freescale/fman/mac.c ++++ b/drivers/net/ethernet/freescale/fman/mac.c +@@ -882,12 +882,21 @@ static int mac_probe(struct platform_device *_of_dev) + return err; + } + ++static int mac_remove(struct platform_device *pdev) ++{ ++ struct mac_device *mac_dev = platform_get_drvdata(pdev); ++ ++ platform_device_unregister(mac_dev->priv->eth_dev); ++ return 0; ++} ++ + static struct platform_driver mac_driver = { + .driver = { + .name = KBUILD_MODNAME, + .of_match_table = mac_match, + }, + .probe = mac_probe, ++ .remove = mac_remove, + }; + + builtin_platform_driver(mac_driver); +-- +2.35.1 + diff --git a/queue-6.0/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch b/queue-6.0/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch new file mode 100644 index 00000000000..0e406a5c554 --- /dev/null +++ b/queue-6.0/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch @@ -0,0 +1,105 @@ +From b73e442d222eecc9b407d93a645eb9c54339725f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 17:53:25 +0100 +Subject: net: gso: fix panic on frag_list with mixed head alloc types + +From: Jiri Benc + +[ Upstream commit 9e4b7a99a03aefd37ba7bb1f022c8efab5019165 ] + +Since commit 3dcbdb134f32 ("net: gso: Fix skb_segment splat when +splitting gso_size mangled skb having linear-headed frag_list"), it is +allowed to change gso_size of a GRO packet. However, that commit assumes +that "checking the first list_skb member suffices; i.e if either of the +list_skb members have non head_frag head, then the first one has too". + +It turns out this assumption does not hold. We've seen BUG_ON being hit +in skb_segment when skbs on the frag_list had differing head_frag with +the vmxnet3 driver. This happens because __netdev_alloc_skb and +__napi_alloc_skb can return a skb that is page backed or kmalloced +depending on the requested size. As the result, the last small skb in +the GRO packet can be kmalloced. + +There are three different locations where this can be fixed: + +(1) We could check head_frag in GRO and not allow GROing skbs with + different head_frag. However, that would lead to performance + regression on normal forward paths with unmodified gso_size, where + !head_frag in the last packet is not a problem. + +(2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating + that NETIF_F_SG is undesirable. That would need to eat a bit in + sk_buff. Furthermore, that flag can be unset when all skbs on the + frag_list are page backed. To retain good performance, + bpf_skb_net_grow/shrink would have to walk the frag_list. + +(3) Walk the frag_list in skb_segment when determining whether + NETIF_F_SG should be cleared. This of course slows things down. + +This patch implements (3). To limit the performance impact in +skb_segment, the list is walked only for skbs with SKB_GSO_DODGY set +that have gso_size changed. Normal paths thus will not hit it. + +We could check only the last skb but since we need to walk the whole +list anyway, let's stay on the safe side. + +Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list") +Signed-off-by: Jiri Benc +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/e04426a6a91baf4d1081e1b478c82b5de25fdf21.1667407944.git.jbenc@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 5e1a8eeb5e32..d9c19ae05fe6 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4031,23 +4031,25 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, + int i = 0; + int pos; + +- if (list_skb && !list_skb->head_frag && skb_headlen(list_skb) && +- (skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY)) { +- /* gso_size is untrusted, and we have a frag_list with a linear +- * non head_frag head. +- * +- * (we assume checking the first list_skb member suffices; +- * i.e if either of the list_skb members have non head_frag +- * head, then the first one has too). +- * +- * If head_skb's headlen does not fit requested gso_size, it +- * means that the frag_list members do NOT terminate on exact +- * gso_size boundaries. Hence we cannot perform skb_frag_t page +- * sharing. Therefore we must fallback to copying the frag_list +- * skbs; we do so by disabling SG. +- */ +- if (mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) +- features &= ~NETIF_F_SG; ++ if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) && ++ mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) { ++ struct sk_buff *check_skb; ++ ++ for (check_skb = list_skb; check_skb; check_skb = check_skb->next) { ++ if (skb_headlen(check_skb) && !check_skb->head_frag) { ++ /* gso_size is untrusted, and we have a frag_list with ++ * a linear non head_frag item. ++ * ++ * If head_skb's headlen does not fit requested gso_size, ++ * it means that the frag_list members do NOT terminate ++ * on exact gso_size boundaries. Hence we cannot perform ++ * skb_frag_t page sharing. Therefore we must fallback to ++ * copying the frag_list skbs; we do so by disabling SG. ++ */ ++ features &= ~NETIF_F_SG; ++ break; ++ } ++ } + } + + __skb_push(head_skb, doffset); +-- +2.35.1 + diff --git a/queue-6.0/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch b/queue-6.0/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch new file mode 100644 index 00000000000..981668c8135 --- /dev/null +++ b/queue-6.0/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch @@ -0,0 +1,49 @@ +From 49cfb2aacd52172dbfef429a273f47b7ee3c8f11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 17:05:37 +0800 +Subject: net: lapbether: fix issue of dev reference count leakage in + lapbeth_device_event() + +From: Zhengchao Shao + +[ Upstream commit 531705a765493655472c993627106e19f7e5a6d2 ] + +When following tests are performed, it will cause dev reference counting +leakage. +a)ip link add bond2 type bond mode balance-rr +b)ip link set bond2 up +c)ifenslave -f bond2 rose1 +d)ip link del bond2 + +When new bond device is created, the default type of the bond device is +ether. And the bond device is up, lapbeth_device_event() receives the +message and creates a new lapbeth device. In this case, the reference +count value of dev is hold once. But after "ifenslave -f bond2 rose1" +command is executed, the type of the bond device is changed to rose. When +the bond device is unregistered, lapbeth_device_event() will not put the +dev reference count. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Zhengchao Shao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index 960f1393595c..cb360dca3250 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -446,7 +446,7 @@ static int lapbeth_device_event(struct notifier_block *this, + if (dev_net(dev) != &init_net) + return NOTIFY_DONE; + +- if (!dev_is_ethdev(dev)) ++ if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev)) + return NOTIFY_DONE; + + switch (event) { +-- +2.35.1 + diff --git a/queue-6.0/net-lapbether-fix-issue-of-invalid-opcode-in-lapbeth.patch b/queue-6.0/net-lapbether-fix-issue-of-invalid-opcode-in-lapbeth.patch new file mode 100644 index 00000000000..00aea5fc050 --- /dev/null +++ b/queue-6.0/net-lapbether-fix-issue-of-invalid-opcode-in-lapbeth.patch @@ -0,0 +1,55 @@ +From 2795a34836f7ccc0ad6e1c13ce0140fcaa61d486 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 09:14:45 +0800 +Subject: net: lapbether: fix issue of invalid opcode in lapbeth_open() + +From: Zhengchao Shao + +[ Upstream commit 3faf7e14ec0c3462c2d747fa6793b8645d1391df ] + +If lapb_register() failed when lapb device goes to up for the first time, +the NAPI is not disabled. As a result, the invalid opcode issue is +reported when the lapb device goes to up for the second time. + +The stack info is as follows: +[ 1958.311422][T11356] kernel BUG at net/core/dev.c:6442! +[ 1958.312206][T11356] invalid opcode: 0000 [#1] PREEMPT SMP KASAN +[ 1958.315979][T11356] RIP: 0010:napi_enable+0x16a/0x1f0 +[ 1958.332310][T11356] Call Trace: +[ 1958.332817][T11356] +[ 1958.336135][T11356] lapbeth_open+0x18/0x90 +[ 1958.337446][T11356] __dev_open+0x258/0x490 +[ 1958.341672][T11356] __dev_change_flags+0x4d4/0x6a0 +[ 1958.345325][T11356] dev_change_flags+0x93/0x160 +[ 1958.346027][T11356] devinet_ioctl+0x1276/0x1bf0 +[ 1958.346738][T11356] inet_ioctl+0x1c8/0x2d0 +[ 1958.349638][T11356] sock_ioctl+0x5d1/0x750 +[ 1958.356059][T11356] __x64_sys_ioctl+0x3ec/0x1790 +[ 1958.365594][T11356] do_syscall_64+0x35/0x80 +[ 1958.366239][T11356] entry_SYSCALL_64_after_hwframe+0x46/0xb0 +[ 1958.377381][T11356] + +Fixes: 514e1150da9c ("net: x25: Queue received packets in the drivers instead of per-CPU queues") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221107011445.207372-1-shaozhengchao@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index cb360dca3250..d62a904d2e42 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -325,6 +325,7 @@ static int lapbeth_open(struct net_device *dev) + + err = lapb_register(dev, &lapbeth_callbacks); + if (err != LAPB_OK) { ++ napi_disable(&lapbeth->napi); + pr_err("lapb_register error: %d\n", err); + return -ENODEV; + } +-- +2.35.1 + diff --git a/queue-6.0/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch b/queue-6.0/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch new file mode 100644 index 00000000000..1c932958123 --- /dev/null +++ b/queue-6.0/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch @@ -0,0 +1,68 @@ +From ea19477088aa3c87016f311b5366689133780dc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 17:07:34 +0800 +Subject: net: macvlan: fix memory leaks of macvlan_common_newlink + +From: Chuang Wang + +[ Upstream commit 23569b5652ee8e8e55a12f7835f59af6f3cefc30 ] + +kmemleak reports memory leaks in macvlan_common_newlink, as follows: + + ip link add link eth0 name .. type macvlan mode source macaddr add + + +kmemleak reports: + +unreferenced object 0xffff8880109bb140 (size 64): + comm "ip", pid 284, jiffies 4294986150 (age 430.108s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 b8 aa 5a 12 80 88 ff ff ..........Z..... + 80 1b fa 0d 80 88 ff ff 1e ff ac af c7 c1 6b 6b ..............kk + backtrace: + [] kmem_cache_alloc_trace+0x1c7/0x300 + [] macvlan_hash_add_source+0x45/0xc0 + [] macvlan_changelink_sources+0xd7/0x170 + [] macvlan_common_newlink+0x38c/0x5a0 + [] macvlan_newlink+0xe/0x20 + [] __rtnl_newlink+0x7af/0xa50 + [] rtnl_newlink+0x48/0x70 + ... + +In the scenario where the macvlan mode is configured as 'source', +macvlan_changelink_sources() will be execured to reconfigure list of +remote source mac addresses, at the same time, if register_netdevice() +return an error, the resource generated by macvlan_changelink_sources() +is not cleaned up. + +Using this patch, in the case of an error, it will execute +macvlan_flush_sources() to ensure that the resource is cleaned up. + +Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.") +Signed-off-by: Chuang Wang +Link: https://lore.kernel.org/r/20221109090735.690500-1-nashuiliang@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 1080d6ebff63..9983d37ee87d 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1533,8 +1533,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev, + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ +- if (create && macvlan_port_get_rtnl(lowerdev)) ++ if (create && macvlan_port_get_rtnl(lowerdev)) { ++ macvlan_flush_sources(port, vlan); + macvlan_port_destroy(port->dev); ++ } + return err; + } + EXPORT_SYMBOL_GPL(macvlan_common_newlink); +-- +2.35.1 + diff --git a/queue-6.0/net-marvell-prestera-fix-memory-leak-in-prestera_rxt.patch b/queue-6.0/net-marvell-prestera-fix-memory-leak-in-prestera_rxt.patch new file mode 100644 index 00000000000..91092a78066 --- /dev/null +++ b/queue-6.0/net-marvell-prestera-fix-memory-leak-in-prestera_rxt.patch @@ -0,0 +1,51 @@ +From d8659c4fe8c61e33da2cd7d2b6b42fe37741c80b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 10:56:07 +0800 +Subject: net: marvell: prestera: fix memory leak in + prestera_rxtx_switch_init() + +From: Zhengchao Shao + +[ Upstream commit 519b58bbfa825f042fcf80261cc18e1e35f85ffd ] + +When prestera_sdma_switch_init() failed, the memory pointed to by +sw->rxtx isn't released. Fix it. Only be compiled, not be tested. + +Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices") +Signed-off-by: Zhengchao Shao +Reviewed-by: Vadym Kochan +Link: https://lore.kernel.org/r/20221108025607.338450-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/prestera/prestera_rxtx.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_rxtx.c b/drivers/net/ethernet/marvell/prestera/prestera_rxtx.c +index dc3e3ddc60bf..faa5109a09d7 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_rxtx.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_rxtx.c +@@ -776,6 +776,7 @@ static netdev_tx_t prestera_sdma_xmit(struct prestera_sdma *sdma, + int prestera_rxtx_switch_init(struct prestera_switch *sw) + { + struct prestera_rxtx *rxtx; ++ int err; + + rxtx = kzalloc(sizeof(*rxtx), GFP_KERNEL); + if (!rxtx) +@@ -783,7 +784,11 @@ int prestera_rxtx_switch_init(struct prestera_switch *sw) + + sw->rxtx = rxtx; + +- return prestera_sdma_switch_init(sw); ++ err = prestera_sdma_switch_init(sw); ++ if (err) ++ kfree(rxtx); ++ ++ return err; + } + + void prestera_rxtx_switch_fini(struct prestera_switch *sw) +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-allow-async-trigger-completion-execution-on.patch b/queue-6.0/net-mlx5-allow-async-trigger-completion-execution-on.patch new file mode 100644 index 00000000000..15dcf09458b --- /dev/null +++ b/queue-6.0/net-mlx5-allow-async-trigger-completion-execution-on.patch @@ -0,0 +1,58 @@ +From 0e296e7cdcae169ae33cf6d54ba449592416c8d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 23:55:38 -0700 +Subject: net/mlx5: Allow async trigger completion execution on single CPU + systems +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roy Novich + +[ Upstream commit 2808b37b59288ad8f1897e3546c2296df3384b65 ] + +For a single CPU system, the kernel thread executing mlx5_cmd_flush() +never releases the CPU but calls down_trylock(&cmd→sem) in a busy loop. +On a single processor system, this leads to a deadlock as the kernel +thread which executes mlx5_cmd_invoke() never gets scheduled. Fix this, +by adding the cond_resched() call to the loop, allow the command +completion kernel thread to execute. + +Fixes: 8e715cd613a1 ("net/mlx5: Set command entry semaphore up once got index free") +Signed-off-by: Alexander Schmidt +Signed-off-by: Roy Novich +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 46ba4c2faad2..2e0d59ca62b5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1770,12 +1770,17 @@ void mlx5_cmd_flush(struct mlx5_core_dev *dev) + struct mlx5_cmd *cmd = &dev->cmd; + int i; + +- for (i = 0; i < cmd->max_reg_cmds; i++) +- while (down_trylock(&cmd->sem)) ++ for (i = 0; i < cmd->max_reg_cmds; i++) { ++ while (down_trylock(&cmd->sem)) { + mlx5_cmd_trigger_completions(dev); ++ cond_resched(); ++ } ++ } + +- while (down_trylock(&cmd->pages_sem)) ++ while (down_trylock(&cmd->pages_sem)) { + mlx5_cmd_trigger_completions(dev); ++ cond_resched(); ++ } + + /* Unlock cmdif */ + up(&cmd->pages_sem); +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-bridge-verify-lag-state-when-adding-bond-to.patch b/queue-6.0/net-mlx5-bridge-verify-lag-state-when-adding-bond-to.patch new file mode 100644 index 00000000000..35e406bf8bd --- /dev/null +++ b/queue-6.0/net-mlx5-bridge-verify-lag-state-when-adding-bond-to.patch @@ -0,0 +1,81 @@ +From 3f52cd989baf3dd7c29e7d13edfaab8a151ffa2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 23:55:37 -0700 +Subject: net/mlx5: Bridge, verify LAG state when adding bond to bridge + +From: Vlad Buslov + +[ Upstream commit 15f8f168952f54d3c86d734dc764f20844e423ac ] + +Mlx5 LAG is initialized asynchronously on a workqueue which means that for +a brief moment after setting mlx5 UL representors as lower devices of a +bond netdevice the LAG itself is not fully initialized in the driver. When +adding such bond device to a bridge mlx5 bridge code will not consider it +as offload-capable, skip creating necessary bookkeeping and fail any +further bridge offload-related commands with it (setting VLANs, offloading +FDBs, etc.). In order to make the error explicit during bridge +initialization stage implement the code that detects such condition during +NETDEV_PRECHANGEUPPER event and returns an error. + +Fixes: ff9b7521468b ("net/mlx5: Bridge, support LAG") +Signed-off-by: Vlad Buslov +Reviewed-by: Roi Dayan +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en/rep/bridge.c | 31 +++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c +index 39ef2a2561a3..8099a21e674c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c +@@ -164,6 +164,36 @@ static int mlx5_esw_bridge_port_changeupper(struct notifier_block *nb, void *ptr + return err; + } + ++static int ++mlx5_esw_bridge_changeupper_validate_netdev(void *ptr) ++{ ++ struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct netdev_notifier_changeupper_info *info = ptr; ++ struct net_device *upper = info->upper_dev; ++ struct net_device *lower; ++ struct list_head *iter; ++ ++ if (!netif_is_bridge_master(upper) || !netif_is_lag_master(dev)) ++ return 0; ++ ++ netdev_for_each_lower_dev(dev, lower, iter) { ++ struct mlx5_core_dev *mdev; ++ struct mlx5e_priv *priv; ++ ++ if (!mlx5e_eswitch_rep(lower)) ++ continue; ++ ++ priv = netdev_priv(lower); ++ mdev = priv->mdev; ++ if (!mlx5_lag_is_active(mdev)) ++ return -EAGAIN; ++ if (!mlx5_lag_is_shared_fdb(mdev)) ++ return -EOPNOTSUPP; ++ } ++ ++ return 0; ++} ++ + static int mlx5_esw_bridge_switchdev_port_event(struct notifier_block *nb, + unsigned long event, void *ptr) + { +@@ -171,6 +201,7 @@ static int mlx5_esw_bridge_switchdev_port_event(struct notifier_block *nb, + + switch (event) { + case NETDEV_PRECHANGEUPPER: ++ err = mlx5_esw_bridge_changeupper_validate_netdev(ptr); + break; + + case NETDEV_CHANGEUPPER: +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-e-switch-set-to-legacy-mode-if-failed-to-ch.patch b/queue-6.0/net-mlx5-e-switch-set-to-legacy-mode-if-failed-to-ch.patch new file mode 100644 index 00000000000..d15bf9a03c3 --- /dev/null +++ b/queue-6.0/net-mlx5-e-switch-set-to-legacy-mode-if-failed-to-ch.patch @@ -0,0 +1,99 @@ +From 6f395fa24c8315289eea9635759e5bee73586733 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 23:55:39 -0700 +Subject: net/mlx5: E-switch, Set to legacy mode if failed to change switchdev + mode + +From: Chris Mi + +[ Upstream commit e12de39c07a7872c1ac7250311bb60b74ff29f25 ] + +No need to rollback to the other mode because probably will fail +again. Just set to legacy mode and clear fdb table created flag. +So that fdb table will not be cleared again. + +Fixes: f019679ea5f2 ("net/mlx5: E-switch, Remove dependency between sriov and eswitch mode") +Signed-off-by: Chris Mi +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.c | 14 ++++++++------ + .../mellanox/mlx5/core/eswitch_offloads.c | 18 +++--------------- + 2 files changed, 11 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 6aa58044b949..4d8b8f6143cc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1388,12 +1388,14 @@ void mlx5_eswitch_disable_locked(struct mlx5_eswitch *esw) + esw->mode == MLX5_ESWITCH_LEGACY ? "LEGACY" : "OFFLOADS", + esw->esw_funcs.num_vfs, esw->enabled_vports); + +- esw->fdb_table.flags &= ~MLX5_ESW_FDB_CREATED; +- if (esw->mode == MLX5_ESWITCH_OFFLOADS) +- esw_offloads_disable(esw); +- else if (esw->mode == MLX5_ESWITCH_LEGACY) +- esw_legacy_disable(esw); +- mlx5_esw_acls_ns_cleanup(esw); ++ if (esw->fdb_table.flags & MLX5_ESW_FDB_CREATED) { ++ esw->fdb_table.flags &= ~MLX5_ESW_FDB_CREATED; ++ if (esw->mode == MLX5_ESWITCH_OFFLOADS) ++ esw_offloads_disable(esw); ++ else if (esw->mode == MLX5_ESWITCH_LEGACY) ++ esw_legacy_disable(esw); ++ mlx5_esw_acls_ns_cleanup(esw); ++ } + + if (esw->mode == MLX5_ESWITCH_OFFLOADS) + devl_rate_nodes_destroy(devlink); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index a9f4c652f859..3c68cac4a9c2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -2207,7 +2207,7 @@ static int esw_create_restore_table(struct mlx5_eswitch *esw) + static int esw_offloads_start(struct mlx5_eswitch *esw, + struct netlink_ext_ack *extack) + { +- int err, err1; ++ int err; + + esw->mode = MLX5_ESWITCH_OFFLOADS; + err = mlx5_eswitch_enable_locked(esw, esw->dev->priv.sriov.num_vfs); +@@ -2215,11 +2215,6 @@ static int esw_offloads_start(struct mlx5_eswitch *esw, + NL_SET_ERR_MSG_MOD(extack, + "Failed setting eswitch to offloads"); + esw->mode = MLX5_ESWITCH_LEGACY; +- err1 = mlx5_eswitch_enable_locked(esw, MLX5_ESWITCH_IGNORE_NUM_VFS); +- if (err1) { +- NL_SET_ERR_MSG_MOD(extack, +- "Failed setting eswitch back to legacy"); +- } + mlx5_rescan_drivers(esw->dev); + } + if (esw->offloads.inline_mode == MLX5_INLINE_MODE_NONE) { +@@ -3272,19 +3267,12 @@ int esw_offloads_enable(struct mlx5_eswitch *esw) + static int esw_offloads_stop(struct mlx5_eswitch *esw, + struct netlink_ext_ack *extack) + { +- int err, err1; ++ int err; + + esw->mode = MLX5_ESWITCH_LEGACY; + err = mlx5_eswitch_enable_locked(esw, MLX5_ESWITCH_IGNORE_NUM_VFS); +- if (err) { ++ if (err) + NL_SET_ERR_MSG_MOD(extack, "Failed setting eswitch to legacy"); +- esw->mode = MLX5_ESWITCH_OFFLOADS; +- err1 = mlx5_eswitch_enable_locked(esw, MLX5_ESWITCH_IGNORE_NUM_VFS); +- if (err1) { +- NL_SET_ERR_MSG_MOD(extack, +- "Failed setting eswitch back to offloads"); +- } +- } + + return err; + } +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-fw_reset-don-t-try-to-load-device-in-case-p.patch b/queue-6.0/net-mlx5-fw_reset-don-t-try-to-load-device-in-case-p.patch new file mode 100644 index 00000000000..6f66aaae97f --- /dev/null +++ b/queue-6.0/net-mlx5-fw_reset-don-t-try-to-load-device-in-case-p.patch @@ -0,0 +1,39 @@ +From 01a53c81344185c10ea25a498bc0b02c4e010625 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 23:55:40 -0700 +Subject: net/mlx5: fw_reset: Don't try to load device in case PCI isn't + working + +From: Shay Drory + +[ Upstream commit 7d167b4a4c810919ba1affd02fc6b7f40e7e6eeb ] + +In case PCI reads fail after unload, there is no use in trying to +load the device. + +Fixes: 5ec697446f46 ("net/mlx5: Add support for devlink reload action fw activate") +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +index 07c583996c29..9d908a0ccfef 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +@@ -152,7 +152,8 @@ static void mlx5_fw_reset_complete_reload(struct mlx5_core_dev *dev) + mlx5_unload_one(dev); + if (mlx5_health_wait_pci_up(dev)) + mlx5_core_err(dev, "reset reload flow aborted, PCI reads still not working\n"); +- mlx5_load_one(dev, false); ++ else ++ mlx5_load_one(dev, false); + devlink_remote_reload_actions_performed(priv_to_devlink(dev), 0, + BIT(DEVLINK_RELOAD_ACTION_DRIVER_REINIT) | + BIT(DEVLINK_RELOAD_ACTION_FW_ACTIVATE)); +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5e-add-missing-sanity-checks-for-max-tx-wqe-s.patch b/queue-6.0/net-mlx5e-add-missing-sanity-checks-for-max-tx-wqe-s.patch new file mode 100644 index 00000000000..8b858af294c --- /dev/null +++ b/queue-6.0/net-mlx5e-add-missing-sanity-checks-for-max-tx-wqe-s.patch @@ -0,0 +1,119 @@ +From 42544b07276bded61bfa837a7235e41ef774db62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 23:55:42 -0700 +Subject: net/mlx5e: Add missing sanity checks for max TX WQE size + +From: Maxim Mikityanskiy + +[ Upstream commit f9c955b4fe5c8626d11b8a9b93ccc0ba77358fec ] + +The commit cited below started using the firmware capability for the +maximum TX WQE size. This commit adds an important check to verify that +the driver doesn't attempt to exceed this capability, and also restores +another check mistakenly removed in the cited commit (a WQE must not +exceed the page size). + +Fixes: c27bd1718c06 ("net/mlx5e: Read max WQEBBs on the SQ from firmware") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en/txrx.h | 24 ++++++++++++++++++- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 7 ++++++ + .../net/ethernet/mellanox/mlx5/core/en_tx.c | 5 ++++ + 3 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h b/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h +index ff8ca7a7e103..aeed165a2dec 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h +@@ -11,6 +11,27 @@ + + #define INL_HDR_START_SZ (sizeof(((struct mlx5_wqe_eth_seg *)NULL)->inline_hdr.start)) + ++/* IPSEC inline data includes: ++ * 1. ESP trailer: up to 255 bytes of padding, 1 byte for pad length, 1 byte for ++ * next header. ++ * 2. ESP authentication data: 16 bytes for ICV. ++ */ ++#define MLX5E_MAX_TX_IPSEC_DS DIV_ROUND_UP(sizeof(struct mlx5_wqe_inline_seg) + \ ++ 255 + 1 + 1 + 16, MLX5_SEND_WQE_DS) ++ ++/* 366 should be big enough to cover all L2, L3 and L4 headers with possible ++ * encapsulations. ++ */ ++#define MLX5E_MAX_TX_INLINE_DS DIV_ROUND_UP(366 - INL_HDR_START_SZ + VLAN_HLEN, \ ++ MLX5_SEND_WQE_DS) ++ ++/* Sync the calculation with mlx5e_sq_calc_wqe_attr. */ ++#define MLX5E_MAX_TX_WQEBBS DIV_ROUND_UP(MLX5E_TX_WQE_EMPTY_DS_COUNT + \ ++ MLX5E_MAX_TX_INLINE_DS + \ ++ MLX5E_MAX_TX_IPSEC_DS + \ ++ MAX_SKB_FRAGS + 1, \ ++ MLX5_SEND_WQEBB_NUM_DS) ++ + #define MLX5E_RX_ERR_CQE(cqe) (get_cqe_opcode(cqe) != MLX5_CQE_RESP_SEND) + + static inline +@@ -424,6 +445,8 @@ mlx5e_set_eseg_swp(struct sk_buff *skb, struct mlx5_wqe_eth_seg *eseg, + + static inline u16 mlx5e_stop_room_for_wqe(struct mlx5_core_dev *mdev, u16 wqe_size) + { ++ WARN_ON_ONCE(PAGE_SIZE / MLX5_SEND_WQE_BB < mlx5e_get_max_sq_wqebbs(mdev)); ++ + /* A WQE must not cross the page boundary, hence two conditions: + * 1. Its size must not exceed the page size. + * 2. If the WQE size is X, and the space remaining in a page is less +@@ -436,7 +459,6 @@ static inline u16 mlx5e_stop_room_for_wqe(struct mlx5_core_dev *mdev, u16 wqe_si + "wqe_size %u is greater than max SQ WQEBBs %u", + wqe_size, mlx5e_get_max_sq_wqebbs(mdev)); + +- + return MLX5E_STOP_ROOM(wqe_size); + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 02eb2f0fa2ae..6cf6a81775a8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5514,6 +5514,13 @@ int mlx5e_attach_netdev(struct mlx5e_priv *priv) + if (priv->fs) + priv->fs->state_destroy = !test_bit(MLX5E_STATE_DESTROYING, &priv->state); + ++ /* Validate the max_wqe_size_sq capability. */ ++ if (WARN_ON_ONCE(mlx5e_get_max_sq_wqebbs(priv->mdev) < MLX5E_MAX_TX_WQEBBS)) { ++ mlx5_core_warn(priv->mdev, "MLX5E: Max SQ WQEBBs firmware capability: %u, needed %lu\n", ++ mlx5e_get_max_sq_wqebbs(priv->mdev), MLX5E_MAX_TX_WQEBBS); ++ return -EIO; ++ } ++ + /* max number of channels may have changed */ + max_nch = mlx5e_calc_max_nch(priv->mdev, priv->netdev, profile); + if (priv->channels.params.num_channels > max_nch) { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +index 4d45150a3f8e..a30e50d9969f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -304,6 +304,8 @@ static void mlx5e_sq_calc_wqe_attr(struct sk_buff *skb, const struct mlx5e_tx_at + u16 ds_cnt_inl = 0; + u16 ds_cnt_ids = 0; + ++ /* Sync the calculation with MLX5E_MAX_TX_WQEBBS. */ ++ + if (attr->insz) + ds_cnt_ids = DIV_ROUND_UP(sizeof(struct mlx5_wqe_inline_seg) + attr->insz, + MLX5_SEND_WQE_DS); +@@ -316,6 +318,9 @@ static void mlx5e_sq_calc_wqe_attr(struct sk_buff *skb, const struct mlx5e_tx_at + inl += VLAN_HLEN; + + ds_cnt_inl = DIV_ROUND_UP(inl, MLX5_SEND_WQE_DS); ++ if (WARN_ON_ONCE(ds_cnt_inl > MLX5E_MAX_TX_INLINE_DS)) ++ netdev_warn(skb->dev, "ds_cnt_inl = %u > max %u\n", ds_cnt_inl, ++ (u16)MLX5E_MAX_TX_INLINE_DS); + ds_cnt += ds_cnt_inl; + } + +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5e-e-switch-fix-comparing-termination-table-i.patch b/queue-6.0/net-mlx5e-e-switch-fix-comparing-termination-table-i.patch new file mode 100644 index 00000000000..c5ceb700376 --- /dev/null +++ b/queue-6.0/net-mlx5e-e-switch-fix-comparing-termination-table-i.patch @@ -0,0 +1,60 @@ +From 38dd6d0933266c2d773614203e8b18eaa17a33e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 23:55:46 -0700 +Subject: net/mlx5e: E-Switch, Fix comparing termination table instance + +From: Roi Dayan + +[ Upstream commit f4f4096b410e8d31c3f07f39de3b17d144edd53d ] + +The pkt_reformat pointer being saved under flow_act and not +dest attribute in the termination table instance. +Fix the comparison pointers. + +Also fix returning success if one pkt_reformat pointer is null +and the other is not. + +Fixes: 249ccc3c95bd ("net/mlx5e: Add support for offloading traffic from uplink to uplink") +Signed-off-by: Roi Dayan +Reviewed-by: Chris Mi +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/eswitch_offloads_termtbl.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +index ee568bf34ae2..108a3503f413 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +@@ -30,9 +30,9 @@ mlx5_eswitch_termtbl_hash(struct mlx5_flow_act *flow_act, + sizeof(dest->vport.num), hash); + hash = jhash((const void *)&dest->vport.vhca_id, + sizeof(dest->vport.num), hash); +- if (dest->vport.pkt_reformat) +- hash = jhash(dest->vport.pkt_reformat, +- sizeof(*dest->vport.pkt_reformat), ++ if (flow_act->pkt_reformat) ++ hash = jhash(flow_act->pkt_reformat, ++ sizeof(*flow_act->pkt_reformat), + hash); + return hash; + } +@@ -53,9 +53,11 @@ mlx5_eswitch_termtbl_cmp(struct mlx5_flow_act *flow_act1, + if (ret) + return ret; + +- return dest1->vport.pkt_reformat && dest2->vport.pkt_reformat ? +- memcmp(dest1->vport.pkt_reformat, dest2->vport.pkt_reformat, +- sizeof(*dest1->vport.pkt_reformat)) : 0; ++ if (flow_act1->pkt_reformat && flow_act2->pkt_reformat) ++ return memcmp(flow_act1->pkt_reformat, flow_act2->pkt_reformat, ++ sizeof(*flow_act1->pkt_reformat)); ++ ++ return !(flow_act1->pkt_reformat == flow_act2->pkt_reformat); + } + + static int +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5e-fix-tc-acts-array-not-to-be-dependent-on-e.patch b/queue-6.0/net-mlx5e-fix-tc-acts-array-not-to-be-dependent-on-e.patch new file mode 100644 index 00000000000..32a07165d2f --- /dev/null +++ b/queue-6.0/net-mlx5e-fix-tc-acts-array-not-to-be-dependent-on-e.patch @@ -0,0 +1,132 @@ +From 3296eec47d0e905cfae8bdfd39ed8e9858773584 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 23:55:44 -0700 +Subject: net/mlx5e: Fix tc acts array not to be dependent on enum order + +From: Roi Dayan + +[ Upstream commit 08912ea799cd2a43b8999457e316967fe4e2f327 ] + +The tc acts array should not be dependent on kernel internal +flow action id enum. Fix the array initialization. + +Fixes: fad547906980 ("net/mlx5e: Add tc action infrastructure") +Signed-off-by: Roi Dayan +Reviewed-by: Maor Dickman +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en/tc/act/act.c | 92 +++++++------------ + 1 file changed, 32 insertions(+), 60 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c +index 305fde62a78d..3337241cfd84 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c +@@ -6,70 +6,42 @@ + #include "en/tc_priv.h" + #include "mlx5_core.h" + +-/* Must be aligned with enum flow_action_id. */ + static struct mlx5e_tc_act *tc_acts_fdb[NUM_FLOW_ACTIONS] = { +- &mlx5e_tc_act_accept, +- &mlx5e_tc_act_drop, +- &mlx5e_tc_act_trap, +- &mlx5e_tc_act_goto, +- &mlx5e_tc_act_mirred, +- &mlx5e_tc_act_mirred, +- &mlx5e_tc_act_redirect_ingress, +- NULL, /* FLOW_ACTION_MIRRED_INGRESS, */ +- &mlx5e_tc_act_vlan, +- &mlx5e_tc_act_vlan, +- &mlx5e_tc_act_vlan_mangle, +- &mlx5e_tc_act_tun_encap, +- &mlx5e_tc_act_tun_decap, +- &mlx5e_tc_act_pedit, +- &mlx5e_tc_act_pedit, +- &mlx5e_tc_act_csum, +- NULL, /* FLOW_ACTION_MARK, */ +- &mlx5e_tc_act_ptype, +- NULL, /* FLOW_ACTION_PRIORITY, */ +- NULL, /* FLOW_ACTION_WAKE, */ +- NULL, /* FLOW_ACTION_QUEUE, */ +- &mlx5e_tc_act_sample, +- &mlx5e_tc_act_police, +- &mlx5e_tc_act_ct, +- NULL, /* FLOW_ACTION_CT_METADATA, */ +- &mlx5e_tc_act_mpls_push, +- &mlx5e_tc_act_mpls_pop, +- NULL, /* FLOW_ACTION_MPLS_MANGLE, */ +- NULL, /* FLOW_ACTION_GATE, */ +- NULL, /* FLOW_ACTION_PPPOE_PUSH, */ +- NULL, /* FLOW_ACTION_JUMP, */ +- NULL, /* FLOW_ACTION_PIPE, */ +- &mlx5e_tc_act_vlan, +- &mlx5e_tc_act_vlan, ++ [FLOW_ACTION_ACCEPT] = &mlx5e_tc_act_accept, ++ [FLOW_ACTION_DROP] = &mlx5e_tc_act_drop, ++ [FLOW_ACTION_TRAP] = &mlx5e_tc_act_trap, ++ [FLOW_ACTION_GOTO] = &mlx5e_tc_act_goto, ++ [FLOW_ACTION_REDIRECT] = &mlx5e_tc_act_mirred, ++ [FLOW_ACTION_MIRRED] = &mlx5e_tc_act_mirred, ++ [FLOW_ACTION_REDIRECT_INGRESS] = &mlx5e_tc_act_redirect_ingress, ++ [FLOW_ACTION_VLAN_PUSH] = &mlx5e_tc_act_vlan, ++ [FLOW_ACTION_VLAN_POP] = &mlx5e_tc_act_vlan, ++ [FLOW_ACTION_VLAN_MANGLE] = &mlx5e_tc_act_vlan_mangle, ++ [FLOW_ACTION_TUNNEL_ENCAP] = &mlx5e_tc_act_tun_encap, ++ [FLOW_ACTION_TUNNEL_DECAP] = &mlx5e_tc_act_tun_decap, ++ [FLOW_ACTION_MANGLE] = &mlx5e_tc_act_pedit, ++ [FLOW_ACTION_ADD] = &mlx5e_tc_act_pedit, ++ [FLOW_ACTION_CSUM] = &mlx5e_tc_act_csum, ++ [FLOW_ACTION_PTYPE] = &mlx5e_tc_act_ptype, ++ [FLOW_ACTION_SAMPLE] = &mlx5e_tc_act_sample, ++ [FLOW_ACTION_POLICE] = &mlx5e_tc_act_police, ++ [FLOW_ACTION_CT] = &mlx5e_tc_act_ct, ++ [FLOW_ACTION_MPLS_PUSH] = &mlx5e_tc_act_mpls_push, ++ [FLOW_ACTION_MPLS_POP] = &mlx5e_tc_act_mpls_pop, ++ [FLOW_ACTION_VLAN_PUSH_ETH] = &mlx5e_tc_act_vlan, ++ [FLOW_ACTION_VLAN_POP_ETH] = &mlx5e_tc_act_vlan, + }; + +-/* Must be aligned with enum flow_action_id. */ + static struct mlx5e_tc_act *tc_acts_nic[NUM_FLOW_ACTIONS] = { +- &mlx5e_tc_act_accept, +- &mlx5e_tc_act_drop, +- NULL, /* FLOW_ACTION_TRAP, */ +- &mlx5e_tc_act_goto, +- &mlx5e_tc_act_mirred_nic, +- NULL, /* FLOW_ACTION_MIRRED, */ +- NULL, /* FLOW_ACTION_REDIRECT_INGRESS, */ +- NULL, /* FLOW_ACTION_MIRRED_INGRESS, */ +- NULL, /* FLOW_ACTION_VLAN_PUSH, */ +- NULL, /* FLOW_ACTION_VLAN_POP, */ +- NULL, /* FLOW_ACTION_VLAN_MANGLE, */ +- NULL, /* FLOW_ACTION_TUNNEL_ENCAP, */ +- NULL, /* FLOW_ACTION_TUNNEL_DECAP, */ +- &mlx5e_tc_act_pedit, +- &mlx5e_tc_act_pedit, +- &mlx5e_tc_act_csum, +- &mlx5e_tc_act_mark, +- NULL, /* FLOW_ACTION_PTYPE, */ +- NULL, /* FLOW_ACTION_PRIORITY, */ +- NULL, /* FLOW_ACTION_WAKE, */ +- NULL, /* FLOW_ACTION_QUEUE, */ +- NULL, /* FLOW_ACTION_SAMPLE, */ +- NULL, /* FLOW_ACTION_POLICE, */ +- &mlx5e_tc_act_ct, ++ [FLOW_ACTION_ACCEPT] = &mlx5e_tc_act_accept, ++ [FLOW_ACTION_DROP] = &mlx5e_tc_act_drop, ++ [FLOW_ACTION_GOTO] = &mlx5e_tc_act_goto, ++ [FLOW_ACTION_REDIRECT] = &mlx5e_tc_act_mirred_nic, ++ [FLOW_ACTION_MANGLE] = &mlx5e_tc_act_pedit, ++ [FLOW_ACTION_ADD] = &mlx5e_tc_act_pedit, ++ [FLOW_ACTION_CSUM] = &mlx5e_tc_act_csum, ++ [FLOW_ACTION_MARK] = &mlx5e_tc_act_mark, ++ [FLOW_ACTION_CT] = &mlx5e_tc_act_ct, + }; + + /** +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5e-tc-fix-wrong-rejection-of-packet-per-secon.patch b/queue-6.0/net-mlx5e-tc-fix-wrong-rejection-of-packet-per-secon.patch new file mode 100644 index 00000000000..99cb3e6bad7 --- /dev/null +++ b/queue-6.0/net-mlx5e-tc-fix-wrong-rejection-of-packet-per-secon.patch @@ -0,0 +1,42 @@ +From 4f77622f8e547029cd35d4999b37f4adc93c4983 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 23:55:45 -0700 +Subject: net/mlx5e: TC, Fix wrong rejection of packet-per-second policing + +From: Jianbo Liu + +[ Upstream commit 9e06430841363a1d2932d546fdce1cc5edb3c2a0 ] + +In the bellow commit, we added support for PPS policing without +removing the check which block offload of such cases. +Fix it by removing this check. + +Fixes: a8d52b024d6d ("net/mlx5e: TC, Support offloading police action") +Signed-off-by: Jianbo Liu +Reviewed-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index a687f047e3ae..229c14b1af00 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -4739,12 +4739,6 @@ int mlx5e_policer_validate(const struct flow_action *action, + return -EOPNOTSUPP; + } + +- if (act->police.rate_pkt_ps) { +- NL_SET_ERR_MSG_MOD(extack, +- "QoS offload not support packets per second"); +- return -EOPNOTSUPP; +- } +- + return 0; + } + +-- +2.35.1 + diff --git a/queue-6.0/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch b/queue-6.0/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch new file mode 100644 index 00000000000..4ea296dad90 --- /dev/null +++ b/queue-6.0/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch @@ -0,0 +1,38 @@ +From cee1386cc7a214cbabbd46fbb32eecbd215968a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 10:54:32 +0800 +Subject: net: mv643xx_eth: disable napi when init rxq or txq failed in + mv643xx_eth_open() + +From: Zhengchao Shao + +[ Upstream commit f111606b63ff2282428ffbac0447c871eb957b6c ] + +When failed to init rxq or txq in mv643xx_eth_open() for opening device, +napi isn't disabled. When open mv643xx_eth device next time, it will +trigger a BUG_ON() in napi_enable(). Compile tested only. + +Fixes: 2257e05c1705 ("mv643xx_eth: get rid of receive-side locking") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221109025432.80900-1-shaozhengchao@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mv643xx_eth.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c +index b6be0552a6c1..40a5957b1449 100644 +--- a/drivers/net/ethernet/marvell/mv643xx_eth.c ++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c +@@ -2481,6 +2481,7 @@ static int mv643xx_eth_open(struct net_device *dev) + for (i = 0; i < mp->rxq_count; i++) + rxq_deinit(mp->rxq + i); + out: ++ napi_disable(&mp->napi); + free_irq(dev->irq, dev); + + return err; +-- +2.35.1 + diff --git a/queue-6.0/net-nixge-disable-napi-when-enable-interrupts-failed.patch b/queue-6.0/net-nixge-disable-napi-when-enable-interrupts-failed.patch new file mode 100644 index 00000000000..d447677240d --- /dev/null +++ b/queue-6.0/net-nixge-disable-napi-when-enable-interrupts-failed.patch @@ -0,0 +1,38 @@ +From ef89d609bb91ff098177fa3fb9c3eb31daebc065 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 18:14:43 +0800 +Subject: net: nixge: disable napi when enable interrupts failed in + nixge_open() + +From: Zhengchao Shao + +[ Upstream commit b06334919c7a068d54ba5b219c05e919d89943f7 ] + +When failed to enable interrupts in nixge_open() for opening device, +napi isn't disabled. When open nixge device next time, it will reports +a invalid opcode issue. Fix it. Only be compiled, not be tested. + +Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221107101443.120205-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ni/nixge.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c +index 4b3482ce90a1..4fc279a17562 100644 +--- a/drivers/net/ethernet/ni/nixge.c ++++ b/drivers/net/ethernet/ni/nixge.c +@@ -900,6 +900,7 @@ static int nixge_open(struct net_device *ndev) + err_rx_irq: + free_irq(priv->tx_irq, ndev); + err_tx_irq: ++ napi_disable(&priv->napi); + phy_stop(phy); + phy_disconnect(phy); + tasklet_kill(&priv->dma_err_tasklet); +-- +2.35.1 + diff --git a/queue-6.0/net-phy-mscc-macsec-clear-encryption-keys-when-freei.patch b/queue-6.0/net-phy-mscc-macsec-clear-encryption-keys-when-freei.patch new file mode 100644 index 00000000000..1e920dd1b35 --- /dev/null +++ b/queue-6.0/net-phy-mscc-macsec-clear-encryption-keys-when-freei.patch @@ -0,0 +1,37 @@ +From c93c52027e4e42cf4157d3de9805a1464ef22ee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 16:34:58 +0100 +Subject: net: phy: mscc: macsec: clear encryption keys when freeing a flow + +From: Antoine Tenart + +[ Upstream commit 1b16b3fdf675cca15a537572bac50cc5354368fc ] + +Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after +setting up offload") made sure to clean encryption keys from the stack +after setting up offloading, but the MSCC PHY driver made a copy, kept +it in the flow data and did not clear it when freeing a flow. Fix this. + +Fixes: 28c5107aa904 ("net: phy: mscc: macsec support") +Signed-off-by: Antoine Tenart +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_macsec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/mscc/mscc_macsec.c b/drivers/net/phy/mscc/mscc_macsec.c +index b7b2521c73fb..c00eef457b85 100644 +--- a/drivers/net/phy/mscc/mscc_macsec.c ++++ b/drivers/net/phy/mscc/mscc_macsec.c +@@ -632,6 +632,7 @@ static void vsc8584_macsec_free_flow(struct vsc8531_private *priv, + + list_del(&flow->list); + clear_bit(flow->index, bitmap); ++ memzero_explicit(flow->key, sizeof(flow->key)); + kfree(flow); + } + +-- +2.35.1 + diff --git a/queue-6.0/net-stmmac-dwmac-meson8b-fix-meson8b_devm_clk_prepar.patch b/queue-6.0/net-stmmac-dwmac-meson8b-fix-meson8b_devm_clk_prepar.patch new file mode 100644 index 00000000000..c9dbe640fe1 --- /dev/null +++ b/queue-6.0/net-stmmac-dwmac-meson8b-fix-meson8b_devm_clk_prepar.patch @@ -0,0 +1,55 @@ +From 89afd77aa02b28a6fe511a221a538a27092c460d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 09:30:04 +0100 +Subject: net: stmmac: dwmac-meson8b: fix meson8b_devm_clk_prepare_enable() + +From: Rasmus Villemoes + +[ Upstream commit ed4314f7729714d788698ade4f9905ee5378ebc0 ] + +There are two problems with meson8b_devm_clk_prepare_enable(), +introduced in commit a54dc4a49045 ("net: stmmac: dwmac-meson8b: +Make the clock enabling code re-usable"): + +- It doesn't pass the clk argument, but instead always the + rgmii_tx_clk of the device. + +- It silently ignores the return value of devm_add_action_or_reset(). + +The former didn't become an actual bug until another user showed up in +the next commit 9308c47640d5 ("net: stmmac: dwmac-meson8b: add support +for the RX delay configuration"). The latter means the callers could +end up with the clock not actually prepared/enabled. + +Fixes: a54dc4a49045 ("net: stmmac: dwmac-meson8b: Make the clock enabling code re-usable") +Signed-off-by: Rasmus Villemoes +Reviewed-by: Martin Blumenstingl +Link: https://lore.kernel.org/r/20221104083004.2212520-1-linux@rasmusvillemoes.dk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c +index c7a6588d9398..e8b507f88fbc 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c +@@ -272,11 +272,9 @@ static int meson8b_devm_clk_prepare_enable(struct meson8b_dwmac *dwmac, + if (ret) + return ret; + +- devm_add_action_or_reset(dwmac->dev, +- (void(*)(void *))clk_disable_unprepare, +- dwmac->rgmii_tx_clk); +- +- return 0; ++ return devm_add_action_or_reset(dwmac->dev, ++ (void(*)(void *))clk_disable_unprepare, ++ clk); + } + + static int meson8b_init_rgmii_delays(struct meson8b_dwmac *dwmac) +-- +2.35.1 + diff --git a/queue-6.0/net-tun-call-napi_schedule_prep-to-ensure-we-own-a-n.patch b/queue-6.0/net-tun-call-napi_schedule_prep-to-ensure-we-own-a-n.patch new file mode 100644 index 00000000000..c80e8cc734e --- /dev/null +++ b/queue-6.0/net-tun-call-napi_schedule_prep-to-ensure-we-own-a-n.patch @@ -0,0 +1,98 @@ +From a23cd3bfa6665d69860538b891dcfe6668d89ad3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 18:00:11 +0000 +Subject: net: tun: call napi_schedule_prep() to ensure we own a napi + +From: Eric Dumazet + +[ Upstream commit 07d120aa33cc9d9115753d159f64d20c94458781 ] + +A recent patch exposed another issue in napi_get_frags() +caught by syzbot [1] + +Before feeding packets to GRO, and calling napi_complete() +we must first grab NAPI_STATE_SCHED. + +[1] +WARNING: CPU: 0 PID: 3612 at net/core/dev.c:6076 napi_complete_done+0x45b/0x880 net/core/dev.c:6076 +Modules linked in: +CPU: 0 PID: 3612 Comm: syz-executor408 Not tainted 6.1.0-rc3-syzkaller-00175-g1118b2049d77 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +RIP: 0010:napi_complete_done+0x45b/0x880 net/core/dev.c:6076 +Code: c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 24 04 00 00 41 89 5d 1c e9 73 fc ff ff e8 b5 53 22 fa <0f> 0b e9 82 fe ff ff e8 a9 53 22 fa 48 8b 5c 24 08 31 ff 48 89 de +RSP: 0018:ffffc90003c4f920 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: 0000000000000030 RCX: 0000000000000000 +RDX: ffff8880251c0000 RSI: ffffffff875a58db RDI: 0000000000000007 +RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: ffff888072d02628 +R13: ffff888072d02618 R14: ffff888072d02634 R15: 0000000000000000 +FS: 0000555555f13300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055c44d3892b8 CR3: 00000000172d2000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +napi_complete include/linux/netdevice.h:510 [inline] +tun_get_user+0x206d/0x3a60 drivers/net/tun.c:1980 +tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2027 +call_write_iter include/linux/fs.h:2191 [inline] +do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735 +do_iter_write+0x182/0x700 fs/read_write.c:861 +vfs_writev+0x1aa/0x630 fs/read_write.c:934 +do_writev+0x133/0x2f0 fs/read_write.c:977 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f37021a3c19 + +Fixes: 1118b2049d77 ("net: tun: Fix memory leaks of napi_get_frags") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Wang Yufen +Link: https://lore.kernel.org/r/20221107180011.188437-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 975b9912bf8f..3387074a2bdb 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1967,18 +1967,25 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + skb_headlen(skb)); + + if (unlikely(headlen > skb_headlen(skb))) { ++ WARN_ON_ONCE(1); ++ err = -ENOMEM; + dev_core_stats_rx_dropped_inc(tun->dev); ++napi_busy: + napi_free_frags(&tfile->napi); + rcu_read_unlock(); + mutex_unlock(&tfile->napi_mutex); +- WARN_ON(1); +- return -ENOMEM; ++ return err; + } + +- local_bh_disable(); +- napi_gro_frags(&tfile->napi); +- napi_complete(&tfile->napi); +- local_bh_enable(); ++ if (likely(napi_schedule_prep(&tfile->napi))) { ++ local_bh_disable(); ++ napi_gro_frags(&tfile->napi); ++ napi_complete(&tfile->napi); ++ local_bh_enable(); ++ } else { ++ err = -EBUSY; ++ goto napi_busy; ++ } + mutex_unlock(&tfile->napi_mutex); + } else if (tfile->napi_enabled) { + struct sk_buff_head *queue = &tfile->sk.sk_write_queue; +-- +2.35.1 + diff --git a/queue-6.0/net-tun-fix-memory-leaks-of-napi_get_frags.patch b/queue-6.0/net-tun-fix-memory-leaks-of-napi_get_frags.patch new file mode 100644 index 00000000000..79efed6d49f --- /dev/null +++ b/queue-6.0/net-tun-fix-memory-leaks-of-napi_get_frags.patch @@ -0,0 +1,73 @@ +From 638dd26b439ba0e619dd85ca911ddd4c341092ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 17:41:19 +0800 +Subject: net: tun: Fix memory leaks of napi_get_frags + +From: Wang Yufen + +[ Upstream commit 1118b2049d77ca0b505775fc1a8d1909cf19a7ec ] + +kmemleak reports after running test_progs: + +unreferenced object 0xffff8881b1672dc0 (size 232): + comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s) + hex dump (first 32 bytes): + e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g..... + 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. + backtrace: + [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150 + [<0000000041c7fc09>] __napi_build_skb+0x15/0x50 + [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540 + [<000000003ecfa30e>] napi_get_frags+0x59/0x140 + [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun] + [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun] + [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320 + [<000000008f338ea2>] do_iter_write+0x135/0x630 + [<000000008a3377a4>] vfs_writev+0x12e/0x440 + [<00000000a6b5639a>] do_writev+0x104/0x280 + [<00000000ccf065d8>] do_syscall_64+0x3b/0x90 + [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The issue occurs in the following scenarios: +tun_get_user() + napi_gro_frags() + napi_frags_finish() + case GRO_NORMAL: + gro_normal_one() + list_add_tail(&skb->list, &napi->rx_list); + <-- While napi->rx_count < READ_ONCE(gro_normal_batch), + <-- gro_normal_list() is not called, napi->rx_list is not empty + <-- not ask to complete the gro work, will cause memory leaks in + <-- following tun_napi_del() +... +tun_napi_del() + netif_napi_del() + __netif_napi_del() + <-- &napi->rx_list is not empty, which caused memory leaks + +To fix, add napi_complete() after napi_gro_frags(). + +Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver") +Signed-off-by: Wang Yufen +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index b02bd0a6c0a9..975b9912bf8f 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1977,6 +1977,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + + local_bh_disable(); + napi_gro_frags(&tfile->napi); ++ napi_complete(&tfile->napi); + local_bh_enable(); + mutex_unlock(&tfile->napi_mutex); + } else if (tfile->napi_enabled) { +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-iosm-fix-invalid-mux-header-type.patch b/queue-6.0/net-wwan-iosm-fix-invalid-mux-header-type.patch new file mode 100644 index 00000000000..b99773e3459 --- /dev/null +++ b/queue-6.0/net-wwan-iosm-fix-invalid-mux-header-type.patch @@ -0,0 +1,62 @@ +From e1146a410f201e8b3b31b81a16bbc78eef96fd81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 13:05:13 +0530 +Subject: net: wwan: iosm: fix invalid mux header type + +From: M Chetan Kumar + +[ Upstream commit 02d2d2ea4a3bc2391f6ac31f6854da83e8a63829 ] + +Data stall seen during peak DL throughput test & packets are +dropped by mux layer due to invalid header type in datagram. + +During initlization Mux aggregration protocol is set to default +UL/DL size and TD count of Mux lite protocol. This configuration +mismatch between device and driver is resulting in data stall/packet +drops. + +Override the UL/DL size and TD count for Mux aggregation protocol. + +Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support") +Signed-off-by: M Chetan Kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_imem_ops.c | 8 ++++++++ + drivers/net/wwan/iosm/iosm_ipc_mux.h | 1 + + 2 files changed, 9 insertions(+) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c +index 57304a5adf68..6e32eb91bba9 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c +@@ -91,6 +91,14 @@ void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, + } + + ipc_chnl_cfg_get(&chnl_cfg, ipc_imem->nr_of_channels); ++ ++ if (ipc_imem->mmio->mux_protocol == MUX_AGGREGATION && ++ ipc_imem->nr_of_channels == IPC_MEM_IP_CHL_ID_0) { ++ chnl_cfg.ul_nr_of_entries = IPC_MEM_MAX_TDS_MUX_AGGR_UL; ++ chnl_cfg.dl_nr_of_entries = IPC_MEM_MAX_TDS_MUX_AGGR_DL; ++ chnl_cfg.dl_buf_size = IPC_MEM_MAX_ADB_BUF_SIZE; ++ } ++ + ipc_imem_channel_init(ipc_imem, IPC_CTYPE_WWAN, chnl_cfg, + IRQ_MOD_OFF); + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux.h b/drivers/net/wwan/iosm/iosm_ipc_mux.h +index cd9d74cc097f..9968bb885c1f 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_mux.h ++++ b/drivers/net/wwan/iosm/iosm_ipc_mux.h +@@ -10,6 +10,7 @@ + + #define IPC_MEM_MAX_UL_DG_ENTRIES 100 + #define IPC_MEM_MAX_TDS_MUX_AGGR_UL 60 ++#define IPC_MEM_MAX_TDS_MUX_AGGR_DL 60 + + #define IPC_MEM_MAX_ADB_BUF_SIZE (16 * 1024) + #define IPC_MEM_MAX_UL_ADB_BUF_SIZE IPC_MEM_MAX_ADB_BUF_SIZE +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-iosm-fix-memory-leak-in-ipc_pcie_read_bios_.patch b/queue-6.0/net-wwan-iosm-fix-memory-leak-in-ipc_pcie_read_bios_.patch new file mode 100644 index 00000000000..95744f1c69b --- /dev/null +++ b/queue-6.0/net-wwan-iosm-fix-memory-leak-in-ipc_pcie_read_bios_.patch @@ -0,0 +1,59 @@ +From d97ff351052a9a5940a09acf1e2b37c4752bd6f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 13:04:49 +0530 +Subject: net: wwan: iosm: fix memory leak in ipc_pcie_read_bios_cfg + +From: M Chetan Kumar + +[ Upstream commit d38a648d2d6cc7bee11c6f533ff9426a00c2a74c ] + +ipc_pcie_read_bios_cfg() is using the acpi_evaluate_dsm() to +obtain the wwan power state configuration from BIOS but is +not freeing the acpi_object. The acpi_evaluate_dsm() returned +acpi_object to be freed. + +Free the acpi_object after use. + +Fixes: 7e98d785ae61 ("net: iosm: entry point") +Signed-off-by: M Chetan Kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_pcie.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_pcie.c b/drivers/net/wwan/iosm/iosm_ipc_pcie.c +index 31f57b986df2..97cb6846c6ae 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_pcie.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_pcie.c +@@ -232,6 +232,7 @@ static void ipc_pcie_config_init(struct iosm_pcie *ipc_pcie) + */ + static enum ipc_pcie_sleep_state ipc_pcie_read_bios_cfg(struct device *dev) + { ++ enum ipc_pcie_sleep_state sleep_state = IPC_PCIE_D0L12; + union acpi_object *object; + acpi_handle handle_acpi; + +@@ -242,12 +243,16 @@ static enum ipc_pcie_sleep_state ipc_pcie_read_bios_cfg(struct device *dev) + } + + object = acpi_evaluate_dsm(handle_acpi, &wwan_acpi_guid, 0, 3, NULL); ++ if (!object) ++ goto default_ret; ++ ++ if (object->integer.value == 3) ++ sleep_state = IPC_PCIE_D3L2; + +- if (object && object->integer.value == 3) +- return IPC_PCIE_D3L2; ++ kfree(object); + + default_ret: +- return IPC_PCIE_D0L12; ++ return sleep_state; + } + + static int ipc_pcie_probe(struct pci_dev *pci, +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-iosm-fix-memory-leak-in-ipc_wwan_dellink.patch b/queue-6.0/net-wwan-iosm-fix-memory-leak-in-ipc_wwan_dellink.patch new file mode 100644 index 00000000000..5913e62d014 --- /dev/null +++ b/queue-6.0/net-wwan-iosm-fix-memory-leak-in-ipc_wwan_dellink.patch @@ -0,0 +1,42 @@ +From 89796c5587e21b6115715b48f5011056a48e557a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 18:40:00 +0800 +Subject: net: wwan: iosm: fix memory leak in ipc_wwan_dellink + +From: HW He + +[ Upstream commit f25caaca424703d5a0607310f0452f978f1f78d9 ] + +IOSM driver registers network device without setting the +needs_free_netdev flag, and does NOT call free_netdev() when +unregisters network device, which causes a memory leak. + +This patch sets needs_free_netdev to true when registers +network device, which makes netdev subsystem call free_netdev() +automatically after unregister_netdevice(). + +Fixes: 2a54f2c77934 ("net: iosm: net driver") +Signed-off-by: HW He +Reviewed-by: Loic Poulain +Signed-off-by: Zhaoping Shu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_wwan.c b/drivers/net/wwan/iosm/iosm_ipc_wwan.c +index 4712f01a7e33..3d70b34f96e3 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_wwan.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_wwan.c +@@ -168,6 +168,7 @@ static void ipc_wwan_setup(struct net_device *iosm_dev) + iosm_dev->max_mtu = ETH_MAX_MTU; + + iosm_dev->flags = IFF_POINTOPOINT | IFF_NOARP; ++ iosm_dev->needs_free_netdev = true; + + iosm_dev->netdev_ops = &ipc_inm_ops; + } +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-mhi-fix-memory-leak-in-mhi_mbim_dellink.patch b/queue-6.0/net-wwan-mhi-fix-memory-leak-in-mhi_mbim_dellink.patch new file mode 100644 index 00000000000..c9e9972a533 --- /dev/null +++ b/queue-6.0/net-wwan-mhi-fix-memory-leak-in-mhi_mbim_dellink.patch @@ -0,0 +1,41 @@ +From 409041a865f969e1eb1a07e81bc0a11b97520838 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 18:54:19 +0800 +Subject: net: wwan: mhi: fix memory leak in mhi_mbim_dellink + +From: HW He + +[ Upstream commit 668205b9c9f94d5ed6ab00cce9a46a654c2b5d16 ] + +MHI driver registers network device without setting the +needs_free_netdev flag, and does NOT call free_netdev() when +unregisters network device, which causes a memory leak. + +This patch sets needs_free_netdev to true when registers +network device, which makes netdev subsystem call free_netdev() +automatically after unregister_netdevice(). + +Fixes: aa730a9905b7 ("net: wwan: Add MHI MBIM network driver") +Signed-off-by: HW He +Signed-off-by: Zhaoping Shu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/mhi_wwan_mbim.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wwan/mhi_wwan_mbim.c b/drivers/net/wwan/mhi_wwan_mbim.c +index 6872782e8dd8..ef70bb7c88ad 100644 +--- a/drivers/net/wwan/mhi_wwan_mbim.c ++++ b/drivers/net/wwan/mhi_wwan_mbim.c +@@ -582,6 +582,7 @@ static void mhi_mbim_setup(struct net_device *ndev) + ndev->min_mtu = ETH_MIN_MTU; + ndev->max_mtu = MHI_MAX_BUF_SZ - ndev->needed_headroom; + ndev->tx_queue_len = 1000; ++ ndev->needs_free_netdev = true; + } + + static const struct wwan_ops mhi_mbim_wwan_ops = { +-- +2.35.1 + diff --git a/queue-6.0/netfilter-cleanup-nft_net-module_list-from-nf_tables.patch b/queue-6.0/netfilter-cleanup-nft_net-module_list-from-nf_tables.patch new file mode 100644 index 00000000000..f6bb0a49358 --- /dev/null +++ b/queue-6.0/netfilter-cleanup-nft_net-module_list-from-nf_tables.patch @@ -0,0 +1,79 @@ +From dc135f3b8c28bdee8680ec33c0ec98ddbfc4c6a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 22:08:49 +0900 +Subject: netfilter: Cleanup nft_net->module_list from nf_tables_exit_net() + +From: Shigeru Yoshida + +[ Upstream commit 03c1f1ef1584c981935fab2fa0c45d3e43e2c235 ] + +syzbot reported a warning like below [1]: + +WARNING: CPU: 3 PID: 9 at net/netfilter/nf_tables_api.c:10096 nf_tables_exit_net+0x71c/0x840 +Modules linked in: +CPU: 2 PID: 9 Comm: kworker/u8:0 Tainted: G W 6.1.0-rc3-00072-g8e5423e991e8 #47 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 +Workqueue: netns cleanup_net +RIP: 0010:nf_tables_exit_net+0x71c/0x840 +... +Call Trace: + + ? __nft_release_table+0xfc0/0xfc0 + ops_exit_list+0xb5/0x180 + cleanup_net+0x506/0xb10 + ? unregister_pernet_device+0x80/0x80 + process_one_work+0xa38/0x1730 + ? pwq_dec_nr_in_flight+0x2b0/0x2b0 + ? rwlock_bug.part.0+0x90/0x90 + ? _raw_spin_lock_irq+0x46/0x50 + worker_thread+0x67e/0x10e0 + ? process_one_work+0x1730/0x1730 + kthread+0x2e5/0x3a0 + ? kthread_complete_and_exit+0x40/0x40 + ret_from_fork+0x1f/0x30 + + +In nf_tables_exit_net(), there is a case where nft_net->commit_list is +empty but nft_net->module_list is not empty. Such a case occurs with +the following scenario: + +1. nfnetlink_rcv_batch() is called +2. nf_tables_newset() returns -EAGAIN and NFNL_BATCH_FAILURE bit is + set to status +3. nf_tables_abort() is called with NFNL_ABORT_AUTOLOAD + (nft_net->commit_list is released, but nft_net->module_list is not + because of NFNL_ABORT_AUTOLOAD flag) +4. Jump to replay label +5. netlink_skb_clone() fails and returns from the function (this is + caused by fault injection in the reproducer of syzbot) + +This patch fixes this issue by calling __nf_tables_abort() when +nft_net->module_list is not empty in nf_tables_exit_net(). + +Fixes: eb014de4fd41 ("netfilter: nf_tables: autoload modules from the abort path") +Link: https://syzkaller.appspot.com/bug?id=802aba2422de4218ad0c01b46c9525cc9d4e4aa3 [1] +Reported-by: syzbot+178efee9e2d7f87f5103@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 879f4a1a27d5..42e370575c30 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -10090,7 +10090,8 @@ static void __net_exit nf_tables_exit_net(struct net *net) + struct nftables_pernet *nft_net = nft_pernet(net); + + mutex_lock(&nft_net->commit_mutex); +- if (!list_empty(&nft_net->commit_list)) ++ if (!list_empty(&nft_net->commit_list) || ++ !list_empty(&nft_net->module_list)) + __nf_tables_abort(net, NFNL_ABORT_NONE); + __nft_release_tables(net); + mutex_unlock(&nft_net->commit_mutex); +-- +2.35.1 + diff --git a/queue-6.0/netfilter-nfnetlink-fix-potential-dead-lock-in-nfnet.patch b/queue-6.0/netfilter-nfnetlink-fix-potential-dead-lock-in-nfnet.patch new file mode 100644 index 00000000000..46372445d5d --- /dev/null +++ b/queue-6.0/netfilter-nfnetlink-fix-potential-dead-lock-in-nfnet.patch @@ -0,0 +1,35 @@ +From fe1dc887da3b33dde19424e15f20c7679abb83f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 09:12:02 +0800 +Subject: netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg() + +From: Ziyang Xuan + +[ Upstream commit 03832a32bf8ff0a8305d94ddd3979835a807248f ] + +When type is NFNL_CB_MUTEX and -EAGAIN error occur in nfnetlink_rcv_msg(), +it does not execute nfnl_unlock(). That would trigger potential dead lock. + +Fixes: 50f2db9e368f ("netfilter: nfnetlink: consolidate callback types") +Signed-off-by: Ziyang Xuan +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c +index 9c44518cb70f..6d18fb346868 100644 +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -294,6 +294,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, + nfnl_lock(subsys_id); + if (nfnl_dereference_protected(subsys_id) != ss || + nfnetlink_find_client(type, ss) != nc) { ++ nfnl_unlock(subsys_id); + err = -EAGAIN; + break; + } +-- +2.35.1 + diff --git a/queue-6.0/octeontx2-pf-fix-sqe-threshold-checking.patch b/queue-6.0/octeontx2-pf-fix-sqe-threshold-checking.patch new file mode 100644 index 00000000000..91c7441d4c6 --- /dev/null +++ b/queue-6.0/octeontx2-pf-fix-sqe-threshold-checking.patch @@ -0,0 +1,129 @@ +From 49d59407fcdd2548371b871fdfac593756eeadbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 09:05:05 +0530 +Subject: octeontx2-pf: Fix SQE threshold checking + +From: Ratheesh Kannoth + +[ Upstream commit f0dfc4c88ef39be0ba736aa0ce6119263fc19aeb ] + +Current way of checking available SQE count which is based on +HW updated SQB count could result in driver submitting an SQE +even before CQE for the previously transmitted SQE at the same +index is processed in NAPI resulting losing SKB pointers, +hence a leak. Fix this by checking a consumer index which +is updated once CQE is processed. + +Fixes: 3ca6c4c882a7 ("octeontx2-pf: Add packet transmission support") +Signed-off-by: Ratheesh Kannoth +Reviewed-by: Sunil Kovvuri Goutham +Link: https://lore.kernel.org/r/20221107033505.2491464-1-rkannoth@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../marvell/octeontx2/nic/otx2_common.c | 1 + + .../marvell/octeontx2/nic/otx2_txrx.c | 32 +++++++++++-------- + .../marvell/octeontx2/nic/otx2_txrx.h | 1 + + 3 files changed, 21 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +index d686c7b6252f..9c2baa437c23 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +@@ -863,6 +863,7 @@ static int otx2_sq_init(struct otx2_nic *pfvf, u16 qidx, u16 sqb_aura) + } + + sq->head = 0; ++ sq->cons_head = 0; + sq->sqe_per_sqb = (pfvf->hw.sqb_size / sq->sqe_size) - 1; + sq->num_sqbs = (qset->sqe_cnt + sq->sqe_per_sqb) / sq->sqe_per_sqb; + /* Set SQE threshold to 10% of total SQEs */ +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +index a18e8efd0f1e..664f977433f4 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +@@ -435,6 +435,7 @@ static int otx2_tx_napi_handler(struct otx2_nic *pfvf, + struct otx2_cq_queue *cq, int budget) + { + int tx_pkts = 0, tx_bytes = 0, qidx; ++ struct otx2_snd_queue *sq; + struct nix_cqe_tx_s *cqe; + int processed_cqe = 0; + +@@ -445,6 +446,9 @@ static int otx2_tx_napi_handler(struct otx2_nic *pfvf, + return 0; + + process_cqe: ++ qidx = cq->cq_idx - pfvf->hw.rx_queues; ++ sq = &pfvf->qset.sq[qidx]; ++ + while (likely(processed_cqe < budget) && cq->pend_cqe) { + cqe = (struct nix_cqe_tx_s *)otx2_get_next_cqe(cq); + if (unlikely(!cqe)) { +@@ -452,18 +456,20 @@ static int otx2_tx_napi_handler(struct otx2_nic *pfvf, + return 0; + break; + } ++ + if (cq->cq_type == CQ_XDP) { +- qidx = cq->cq_idx - pfvf->hw.rx_queues; +- otx2_xdp_snd_pkt_handler(pfvf, &pfvf->qset.sq[qidx], +- cqe); ++ otx2_xdp_snd_pkt_handler(pfvf, sq, cqe); + } else { +- otx2_snd_pkt_handler(pfvf, cq, +- &pfvf->qset.sq[cq->cint_idx], +- cqe, budget, &tx_pkts, &tx_bytes); ++ otx2_snd_pkt_handler(pfvf, cq, sq, cqe, budget, ++ &tx_pkts, &tx_bytes); + } ++ + cqe->hdr.cqe_type = NIX_XQE_TYPE_INVALID; + processed_cqe++; + cq->pend_cqe--; ++ ++ sq->cons_head++; ++ sq->cons_head &= (sq->sqe_cnt - 1); + } + + /* Free CQEs to HW */ +@@ -972,17 +978,17 @@ bool otx2_sq_append_skb(struct net_device *netdev, struct otx2_snd_queue *sq, + { + struct netdev_queue *txq = netdev_get_tx_queue(netdev, qidx); + struct otx2_nic *pfvf = netdev_priv(netdev); +- int offset, num_segs, free_sqe; ++ int offset, num_segs, free_desc; + struct nix_sqe_hdr_s *sqe_hdr; + +- /* Check if there is room for new SQE. +- * 'Num of SQBs freed to SQ's pool - SQ's Aura count' +- * will give free SQE count. ++ /* Check if there is enough room between producer ++ * and consumer index. + */ +- free_sqe = (sq->num_sqbs - *sq->aura_fc_addr) * sq->sqe_per_sqb; ++ free_desc = (sq->cons_head - sq->head - 1 + sq->sqe_cnt) & (sq->sqe_cnt - 1); ++ if (free_desc < sq->sqe_thresh) ++ return false; + +- if (free_sqe < sq->sqe_thresh || +- free_sqe < otx2_get_sqe_count(pfvf, skb)) ++ if (free_desc < otx2_get_sqe_count(pfvf, skb)) + return false; + + num_segs = skb_shinfo(skb)->nr_frags + 1; +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h +index fbe62bbfb789..93cac2c2664c 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h +@@ -79,6 +79,7 @@ struct sg_list { + struct otx2_snd_queue { + u8 aura_id; + u16 head; ++ u16 cons_head; + u16 sqe_size; + u32 sqe_cnt; + u16 num_sqbs; +-- +2.35.1 + diff --git a/queue-6.0/octeontx2-pf-nix-tx-overwrites-sq_ctx_hw_s-sq_int.patch b/queue-6.0/octeontx2-pf-nix-tx-overwrites-sq_ctx_hw_s-sq_int.patch new file mode 100644 index 00000000000..76bf1bb3473 --- /dev/null +++ b/queue-6.0/octeontx2-pf-nix-tx-overwrites-sq_ctx_hw_s-sq_int.patch @@ -0,0 +1,265 @@ +From fa1b334af17c5a8f5f7924960cc46262be716299 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 08:41:13 +0530 +Subject: octeontx2-pf: NIX TX overwrites SQ_CTX_HW_S[SQ_INT] + +From: Ratheesh Kannoth + +[ Upstream commit 51afe9026d0c63263abe9840e629f118d7405b36 ] + +In scenarios where multiple errors have occurred +for a SQ before SW starts handling error interrupt, +SQ_CTX[OP_INT] may get overwritten leading to +NIX_LF_SQ_OP_INT returning incorrect value. +To workaround this read LMT, MNQ and SQ individual +error status registers to determine the cause of error. + +Fixes: 4ff7d1488a84 ("octeontx2-pf: Error handling support") +Signed-off-by: Ratheesh Kannoth +Reviewed-by: Sunil Kovvuri Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/otx2_pf.c | 135 ++++++++++++++---- + .../marvell/octeontx2/nic/otx2_struct.h | 57 ++++++++ + 2 files changed, 162 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index 9376d0e62914..80fde101df96 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include "otx2_reg.h" + #include "otx2_common.h" +@@ -1161,6 +1162,59 @@ int otx2_set_real_num_queues(struct net_device *netdev, + } + EXPORT_SYMBOL(otx2_set_real_num_queues); + ++static char *nix_sqoperr_e_str[NIX_SQOPERR_MAX] = { ++ "NIX_SQOPERR_OOR", ++ "NIX_SQOPERR_CTX_FAULT", ++ "NIX_SQOPERR_CTX_POISON", ++ "NIX_SQOPERR_DISABLED", ++ "NIX_SQOPERR_SIZE_ERR", ++ "NIX_SQOPERR_OFLOW", ++ "NIX_SQOPERR_SQB_NULL", ++ "NIX_SQOPERR_SQB_FAULT", ++ "NIX_SQOPERR_SQE_SZ_ZERO", ++}; ++ ++static char *nix_mnqerr_e_str[NIX_MNQERR_MAX] = { ++ "NIX_MNQERR_SQ_CTX_FAULT", ++ "NIX_MNQERR_SQ_CTX_POISON", ++ "NIX_MNQERR_SQB_FAULT", ++ "NIX_MNQERR_SQB_POISON", ++ "NIX_MNQERR_TOTAL_ERR", ++ "NIX_MNQERR_LSO_ERR", ++ "NIX_MNQERR_CQ_QUERY_ERR", ++ "NIX_MNQERR_MAX_SQE_SIZE_ERR", ++ "NIX_MNQERR_MAXLEN_ERR", ++ "NIX_MNQERR_SQE_SIZEM1_ZERO", ++}; ++ ++static char *nix_snd_status_e_str[NIX_SND_STATUS_MAX] = { ++ "NIX_SND_STATUS_GOOD", ++ "NIX_SND_STATUS_SQ_CTX_FAULT", ++ "NIX_SND_STATUS_SQ_CTX_POISON", ++ "NIX_SND_STATUS_SQB_FAULT", ++ "NIX_SND_STATUS_SQB_POISON", ++ "NIX_SND_STATUS_HDR_ERR", ++ "NIX_SND_STATUS_EXT_ERR", ++ "NIX_SND_STATUS_JUMP_FAULT", ++ "NIX_SND_STATUS_JUMP_POISON", ++ "NIX_SND_STATUS_CRC_ERR", ++ "NIX_SND_STATUS_IMM_ERR", ++ "NIX_SND_STATUS_SG_ERR", ++ "NIX_SND_STATUS_MEM_ERR", ++ "NIX_SND_STATUS_INVALID_SUBDC", ++ "NIX_SND_STATUS_SUBDC_ORDER_ERR", ++ "NIX_SND_STATUS_DATA_FAULT", ++ "NIX_SND_STATUS_DATA_POISON", ++ "NIX_SND_STATUS_NPC_DROP_ACTION", ++ "NIX_SND_STATUS_LOCK_VIOL", ++ "NIX_SND_STATUS_NPC_UCAST_CHAN_ERR", ++ "NIX_SND_STATUS_NPC_MCAST_CHAN_ERR", ++ "NIX_SND_STATUS_NPC_MCAST_ABORT", ++ "NIX_SND_STATUS_NPC_VTAG_PTR_ERR", ++ "NIX_SND_STATUS_NPC_VTAG_SIZE_ERR", ++ "NIX_SND_STATUS_SEND_STATS_ERR", ++}; ++ + static irqreturn_t otx2_q_intr_handler(int irq, void *data) + { + struct otx2_nic *pf = data; +@@ -1194,46 +1248,67 @@ static irqreturn_t otx2_q_intr_handler(int irq, void *data) + + /* SQ */ + for (qidx = 0; qidx < pf->hw.tot_tx_queues; qidx++) { ++ u64 sq_op_err_dbg, mnq_err_dbg, snd_err_dbg; ++ u8 sq_op_err_code, mnq_err_code, snd_err_code; ++ ++ /* Below debug registers captures first errors corresponding to ++ * those registers. We don't have to check against SQ qid as ++ * these are fatal errors. ++ */ ++ + ptr = otx2_get_regaddr(pf, NIX_LF_SQ_OP_INT); + val = otx2_atomic64_add((qidx << 44), ptr); + otx2_write64(pf, NIX_LF_SQ_OP_INT, (qidx << 44) | + (val & NIX_SQINT_BITS)); + +- if (!(val & (NIX_SQINT_BITS | BIT_ULL(42)))) +- continue; +- + if (val & BIT_ULL(42)) { + netdev_err(pf->netdev, "SQ%lld: error reading NIX_LF_SQ_OP_INT, NIX_LF_ERR_INT 0x%llx\n", + qidx, otx2_read64(pf, NIX_LF_ERR_INT)); +- } else { +- if (val & BIT_ULL(NIX_SQINT_LMT_ERR)) { +- netdev_err(pf->netdev, "SQ%lld: LMT store error NIX_LF_SQ_OP_ERR_DBG:0x%llx", +- qidx, +- otx2_read64(pf, +- NIX_LF_SQ_OP_ERR_DBG)); +- otx2_write64(pf, NIX_LF_SQ_OP_ERR_DBG, +- BIT_ULL(44)); +- } +- if (val & BIT_ULL(NIX_SQINT_MNQ_ERR)) { +- netdev_err(pf->netdev, "SQ%lld: Meta-descriptor enqueue error NIX_LF_MNQ_ERR_DGB:0x%llx\n", +- qidx, +- otx2_read64(pf, NIX_LF_MNQ_ERR_DBG)); +- otx2_write64(pf, NIX_LF_MNQ_ERR_DBG, +- BIT_ULL(44)); +- } +- if (val & BIT_ULL(NIX_SQINT_SEND_ERR)) { +- netdev_err(pf->netdev, "SQ%lld: Send error, NIX_LF_SEND_ERR_DBG 0x%llx", +- qidx, +- otx2_read64(pf, +- NIX_LF_SEND_ERR_DBG)); +- otx2_write64(pf, NIX_LF_SEND_ERR_DBG, +- BIT_ULL(44)); +- } +- if (val & BIT_ULL(NIX_SQINT_SQB_ALLOC_FAIL)) +- netdev_err(pf->netdev, "SQ%lld: SQB allocation failed", +- qidx); ++ goto done; + } + ++ sq_op_err_dbg = otx2_read64(pf, NIX_LF_SQ_OP_ERR_DBG); ++ if (!(sq_op_err_dbg & BIT(44))) ++ goto chk_mnq_err_dbg; ++ ++ sq_op_err_code = FIELD_GET(GENMASK(7, 0), sq_op_err_dbg); ++ netdev_err(pf->netdev, "SQ%lld: NIX_LF_SQ_OP_ERR_DBG(%llx) err=%s\n", ++ qidx, sq_op_err_dbg, nix_sqoperr_e_str[sq_op_err_code]); ++ ++ otx2_write64(pf, NIX_LF_SQ_OP_ERR_DBG, BIT_ULL(44)); ++ ++ if (sq_op_err_code == NIX_SQOPERR_SQB_NULL) ++ goto chk_mnq_err_dbg; ++ ++ /* Err is not NIX_SQOPERR_SQB_NULL, call aq function to read SQ structure. ++ * TODO: But we are in irq context. How to call mbox functions which does sleep ++ */ ++ ++chk_mnq_err_dbg: ++ mnq_err_dbg = otx2_read64(pf, NIX_LF_MNQ_ERR_DBG); ++ if (!(mnq_err_dbg & BIT(44))) ++ goto chk_snd_err_dbg; ++ ++ mnq_err_code = FIELD_GET(GENMASK(7, 0), mnq_err_dbg); ++ netdev_err(pf->netdev, "SQ%lld: NIX_LF_MNQ_ERR_DBG(%llx) err=%s\n", ++ qidx, mnq_err_dbg, nix_mnqerr_e_str[mnq_err_code]); ++ otx2_write64(pf, NIX_LF_MNQ_ERR_DBG, BIT_ULL(44)); ++ ++chk_snd_err_dbg: ++ snd_err_dbg = otx2_read64(pf, NIX_LF_SEND_ERR_DBG); ++ if (snd_err_dbg & BIT(44)) { ++ snd_err_code = FIELD_GET(GENMASK(7, 0), snd_err_dbg); ++ netdev_err(pf->netdev, "SQ%lld: NIX_LF_SND_ERR_DBG:0x%llx err=%s\n", ++ qidx, snd_err_dbg, nix_snd_status_e_str[snd_err_code]); ++ otx2_write64(pf, NIX_LF_SEND_ERR_DBG, BIT_ULL(44)); ++ } ++ ++done: ++ /* Print values and reset */ ++ if (val & BIT_ULL(NIX_SQINT_SQB_ALLOC_FAIL)) ++ netdev_err(pf->netdev, "SQ%lld: SQB allocation failed", ++ qidx); ++ + schedule_work(&pf->reset_task); + } + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h +index 4bbd12ff26e6..e5f30fd778fc 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h +@@ -274,4 +274,61 @@ enum nix_sqint_e { + BIT_ULL(NIX_SQINT_SEND_ERR) | \ + BIT_ULL(NIX_SQINT_SQB_ALLOC_FAIL)) + ++enum nix_sqoperr_e { ++ NIX_SQOPERR_OOR = 0, ++ NIX_SQOPERR_CTX_FAULT = 1, ++ NIX_SQOPERR_CTX_POISON = 2, ++ NIX_SQOPERR_DISABLED = 3, ++ NIX_SQOPERR_SIZE_ERR = 4, ++ NIX_SQOPERR_OFLOW = 5, ++ NIX_SQOPERR_SQB_NULL = 6, ++ NIX_SQOPERR_SQB_FAULT = 7, ++ NIX_SQOPERR_SQE_SZ_ZERO = 8, ++ NIX_SQOPERR_MAX, ++}; ++ ++enum nix_mnqerr_e { ++ NIX_MNQERR_SQ_CTX_FAULT = 0, ++ NIX_MNQERR_SQ_CTX_POISON = 1, ++ NIX_MNQERR_SQB_FAULT = 2, ++ NIX_MNQERR_SQB_POISON = 3, ++ NIX_MNQERR_TOTAL_ERR = 4, ++ NIX_MNQERR_LSO_ERR = 5, ++ NIX_MNQERR_CQ_QUERY_ERR = 6, ++ NIX_MNQERR_MAX_SQE_SIZE_ERR = 7, ++ NIX_MNQERR_MAXLEN_ERR = 8, ++ NIX_MNQERR_SQE_SIZEM1_ZERO = 9, ++ NIX_MNQERR_MAX, ++}; ++ ++enum nix_snd_status_e { ++ NIX_SND_STATUS_GOOD = 0x0, ++ NIX_SND_STATUS_SQ_CTX_FAULT = 0x1, ++ NIX_SND_STATUS_SQ_CTX_POISON = 0x2, ++ NIX_SND_STATUS_SQB_FAULT = 0x3, ++ NIX_SND_STATUS_SQB_POISON = 0x4, ++ NIX_SND_STATUS_HDR_ERR = 0x5, ++ NIX_SND_STATUS_EXT_ERR = 0x6, ++ NIX_SND_STATUS_JUMP_FAULT = 0x7, ++ NIX_SND_STATUS_JUMP_POISON = 0x8, ++ NIX_SND_STATUS_CRC_ERR = 0x9, ++ NIX_SND_STATUS_IMM_ERR = 0x10, ++ NIX_SND_STATUS_SG_ERR = 0x11, ++ NIX_SND_STATUS_MEM_ERR = 0x12, ++ NIX_SND_STATUS_INVALID_SUBDC = 0x13, ++ NIX_SND_STATUS_SUBDC_ORDER_ERR = 0x14, ++ NIX_SND_STATUS_DATA_FAULT = 0x15, ++ NIX_SND_STATUS_DATA_POISON = 0x16, ++ NIX_SND_STATUS_NPC_DROP_ACTION = 0x17, ++ NIX_SND_STATUS_LOCK_VIOL = 0x18, ++ NIX_SND_STATUS_NPC_UCAST_CHAN_ERR = 0x19, ++ NIX_SND_STATUS_NPC_MCAST_CHAN_ERR = 0x20, ++ NIX_SND_STATUS_NPC_MCAST_ABORT = 0x21, ++ NIX_SND_STATUS_NPC_VTAG_PTR_ERR = 0x22, ++ NIX_SND_STATUS_NPC_VTAG_SIZE_ERR = 0x23, ++ NIX_SND_STATUS_SEND_MEM_FAULT = 0x24, ++ NIX_SND_STATUS_SEND_STATS_ERR = 0x25, ++ NIX_SND_STATUS_MAX, ++}; ++ + #endif /* OTX2_STRUCT_H */ +-- +2.35.1 + diff --git a/queue-6.0/pci-hv-fix-the-definition-of-vector-in-hv_compose_ms.patch b/queue-6.0/pci-hv-fix-the-definition-of-vector-in-hv_compose_ms.patch new file mode 100644 index 00000000000..ef51a00c6b9 --- /dev/null +++ b/queue-6.0/pci-hv-fix-the-definition-of-vector-in-hv_compose_ms.patch @@ -0,0 +1,105 @@ +From 52dcf3987902623d88ab7def23b3d0269127e9ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 13:52:56 -0700 +Subject: PCI: hv: Fix the definition of vector in hv_compose_msi_msg() + +From: Dexuan Cui + +[ Upstream commit e70af8d040d2b7904dca93d942ba23fb722e21b1 ] + +The local variable 'vector' must be u32 rather than u8: see the +struct hv_msi_desc3. + +'vector_count' should be u16 rather than u8: see struct hv_msi_desc, +hv_msi_desc2 and hv_msi_desc3. + +Fixes: a2bad844a67b ("PCI: hv: Fix interrupt mapping for multi-MSI") +Signed-off-by: Dexuan Cui +Cc: Jeffrey Hugo +Cc: Carl Vanderlip +Reviewed-by: Jeffrey Hugo +Link: https://lore.kernel.org/r/20221027205256.17678-1-decui@microsoft.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index e7c6f6629e7c..ba64284eaf9f 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -1614,7 +1614,7 @@ static void hv_pci_compose_compl(void *context, struct pci_response *resp, + + static u32 hv_compose_msi_req_v1( + struct pci_create_interrupt *int_pkt, const struct cpumask *affinity, +- u32 slot, u8 vector, u8 vector_count) ++ u32 slot, u8 vector, u16 vector_count) + { + int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE; + int_pkt->wslot.slot = slot; +@@ -1642,7 +1642,7 @@ static int hv_compose_msi_req_get_cpu(const struct cpumask *affinity) + + static u32 hv_compose_msi_req_v2( + struct pci_create_interrupt2 *int_pkt, const struct cpumask *affinity, +- u32 slot, u8 vector, u8 vector_count) ++ u32 slot, u8 vector, u16 vector_count) + { + int cpu; + +@@ -1661,7 +1661,7 @@ static u32 hv_compose_msi_req_v2( + + static u32 hv_compose_msi_req_v3( + struct pci_create_interrupt3 *int_pkt, const struct cpumask *affinity, +- u32 slot, u32 vector, u8 vector_count) ++ u32 slot, u32 vector, u16 vector_count) + { + int cpu; + +@@ -1701,7 +1701,12 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) + struct compose_comp_ctxt comp; + struct tran_int_desc *int_desc; + struct msi_desc *msi_desc; +- u8 vector, vector_count; ++ /* ++ * vector_count should be u16: see hv_msi_desc, hv_msi_desc2 ++ * and hv_msi_desc3. vector must be u32: see hv_msi_desc3. ++ */ ++ u16 vector_count; ++ u32 vector; + struct { + struct pci_packet pci_pkt; + union { +@@ -1767,6 +1772,11 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) + vector_count = 1; + } + ++ /* ++ * hv_compose_msi_req_v1 and v2 are for x86 only, meaning 'vector' ++ * can't exceed u8. Cast 'vector' down to u8 for v1/v2 explicitly ++ * for better readability. ++ */ + memset(&ctxt, 0, sizeof(ctxt)); + init_completion(&comp.comp_pkt.host_event); + ctxt.pci_pkt.completion_func = hv_pci_compose_compl; +@@ -1777,7 +1787,7 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) + size = hv_compose_msi_req_v1(&ctxt.int_pkts.v1, + dest, + hpdev->desc.win_slot.slot, +- vector, ++ (u8)vector, + vector_count); + break; + +@@ -1786,7 +1796,7 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) + size = hv_compose_msi_req_v2(&ctxt.int_pkts.v2, + dest, + hpdev->desc.win_slot.slot, +- vector, ++ (u8)vector, + vector_count); + break; + +-- +2.35.1 + diff --git a/queue-6.0/perf-stat-fix-crash-with-per-node-metric-only-in-csv.patch b/queue-6.0/perf-stat-fix-crash-with-per-node-metric-only-in-csv.patch new file mode 100644 index 00000000000..f1abb35dacd --- /dev/null +++ b/queue-6.0/perf-stat-fix-crash-with-per-node-metric-only-in-csv.patch @@ -0,0 +1,79 @@ +From e4ac9a608fddedafaad67d72f0bc75300c688990 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 13:33:06 -0800 +Subject: perf stat: Fix crash with --per-node --metric-only in CSV mode + +From: Namhyung Kim + +[ Upstream commit 84d1b2013272947ad9b13025df89226d8fa31cc5 ] + +The following command will get segfault due to missing aggr_header_csv +for AGGR_NODE: + + $ sudo perf stat -a --per-node -x, --metric-only true + +Committer testing: + +Before this patch: + + # perf stat -a --per-node -x, --metric-only true + Segmentation fault (core dumped) + # + +After: + + # gdb perf + -bash: gdb: command not found + # perf stat -a --per-node -x, --metric-only true + node,Ghz,frontend cycles idle,backend cycles idle,insn per cycle,branch-misses of all branches, + N0,32,0.335,2.10,0.65,0.69,0.03,1.92, + # + +Fixes: 86895b480a2f10c7 ("perf stat: Add --per-node agregation support") +Signed-off-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Cc: Xing Zhengjun +Link: http://lore.kernel.org/lkml/20221107213314.3239159-2-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/stat-display.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c +index b82844cb0ce7..aa9d9d2936e7 100644 +--- a/tools/perf/util/stat-display.c ++++ b/tools/perf/util/stat-display.c +@@ -556,7 +556,7 @@ static void printout(struct perf_stat_config *config, struct aggr_cpu_id id, int + [AGGR_CORE] = 2, + [AGGR_THREAD] = 1, + [AGGR_UNSET] = 0, +- [AGGR_NODE] = 0, ++ [AGGR_NODE] = 1, + }; + + pm = config->metric_only ? print_metric_only_csv : print_metric_csv; +@@ -1126,6 +1126,7 @@ static int aggr_header_lens[] = { + [AGGR_SOCKET] = 12, + [AGGR_NONE] = 6, + [AGGR_THREAD] = 24, ++ [AGGR_NODE] = 6, + [AGGR_GLOBAL] = 0, + }; + +@@ -1135,6 +1136,7 @@ static const char *aggr_header_csv[] = { + [AGGR_SOCKET] = "socket,cpus", + [AGGR_NONE] = "cpu,", + [AGGR_THREAD] = "comm-pid,", ++ [AGGR_NODE] = "node,", + [AGGR_GLOBAL] = "" + }; + +-- +2.35.1 + diff --git a/queue-6.0/perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch b/queue-6.0/perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch new file mode 100644 index 00000000000..72bf29c7fd0 --- /dev/null +++ b/queue-6.0/perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch @@ -0,0 +1,124 @@ +From 75cf88a4464632278cadbc9769fc96776a051e07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 14:26:04 +0530 +Subject: perf stat: Fix printing os->prefix in CSV metrics output + +From: Athira Rajeev + +[ Upstream commit ad353b710c7493df3d4fc2d3a51819126bed2e81 ] + +'perf stat' with CSV output option prints an extra empty string as first +field in metrics output line. Sample output below: + + # ./perf stat -x, --per-socket -a -C 1 ls + S0,1,1.78,msec,cpu-clock,1785146,100.00,0.973,CPUs utilized + S0,1,26,,context-switches,1781750,100.00,0.015,M/sec + S0,1,1,,cpu-migrations,1780526,100.00,0.561,K/sec + S0,1,1,,page-faults,1779060,100.00,0.561,K/sec + S0,1,875807,,cycles,1769826,100.00,0.491,GHz + S0,1,85281,,stalled-cycles-frontend,1767512,100.00,9.74,frontend cycles idle + S0,1,576839,,stalled-cycles-backend,1766260,100.00,65.86,backend cycles idle + S0,1,288430,,instructions,1762246,100.00,0.33,insn per cycle +====> ,S0,1,,,,,,,2.00,stalled cycles per insn + +The above command line uses field separator as "," via "-x," option and +per-socket option displays socket value as first field. But here the +last line for "stalled cycles per insn" has "," in the beginning. + +Sample output using interval mode: + + # ./perf stat -I 1000 -x, --per-socket -a -C 1 ls + 0.001813453,S0,1,1.87,msec,cpu-clock,1872052,100.00,0.002,CPUs utilized + 0.001813453,S0,1,2,,context-switches,1868028,100.00,1.070,K/sec + ------ + 0.001813453,S0,1,85379,,instructions,1856754,100.00,0.32,insn per cycle +====> 0.001813453,,S0,1,,,,,,,1.34,stalled cycles per insn + +Above result also has an extra CSV separator after +the timestamp. Patch addresses extra field separator +in the beginning of the metric output line. + +The counter stats are displayed by function +"perf_stat__print_shadow_stats" in code +"util/stat-shadow.c". While printing the stats info +for "stalled cycles per insn", function "new_line_csv" +is used as new_line callback. + +The new_line_csv function has check for "os->prefix" +and if prefix is not null, it will be printed along +with cvs separator. +Snippet from "new_line_csv": + if (os->prefix) + fprintf(os->fh, "%s%s", os->prefix, config->csv_sep); + +Here os->prefix gets printed followed by "," +which is the cvs separator. The os->prefix is +used in interval mode option ( -I ), to print +time stamp on every new line. But prefix is +already set to contain CSV separator when used +in interval mode for CSV option. + +Reference: Function "static void print_interval" +Snippet: + sprintf(prefix, "%6lu.%09lu%s", ts->tv_sec, ts->tv_nsec, config->csv_sep); + +Also if prefix is not assigned (if not used with +-I option), it gets set to empty string. +Reference: function printout() in util/stat-display.c +Snippet: + .prefix = prefix ? prefix : "", + +Since prefix already set to contain cvs_sep in interval +option, patch removes printing config->csv_sep in +new_line_csv function to avoid printing extra field. + +After the patch: + + # ./perf stat -x, --per-socket -a -C 1 ls + S0,1,2.04,msec,cpu-clock,2045202,100.00,1.013,CPUs utilized + S0,1,2,,context-switches,2041444,100.00,979.289,/sec + S0,1,0,,cpu-migrations,2040820,100.00,0.000,/sec + S0,1,2,,page-faults,2040288,100.00,979.289,/sec + S0,1,254589,,cycles,2036066,100.00,0.125,GHz + S0,1,82481,,stalled-cycles-frontend,2032420,100.00,32.40,frontend cycles idle + S0,1,113170,,stalled-cycles-backend,2031722,100.00,44.45,backend cycles idle + S0,1,88766,,instructions,2030942,100.00,0.35,insn per cycle + S0,1,,,,,,,1.27,stalled cycles per insn + +Fixes: 92a61f6412d3a09d ("perf stat: Implement CSV metrics output") +Reported-by: Disha Goel +Reviewed-By: Kajol Jain +Signed-off-by: Athira Jajeev +Tested-by: Disha Goel +Cc: Andi Kleen +Cc: Ian Rogers +Cc: James Clark +Cc: Jiri Olsa +Cc: linuxppc-dev@lists.ozlabs.org +Cc: Madhavan Srinivasan +Cc: Michael Ellerman +Cc: Nageswara R Sastry +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20221018085605.63834-1-atrajeev@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/stat-display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c +index aa9d9d2936e7..7c5f5219dbff 100644 +--- a/tools/perf/util/stat-display.c ++++ b/tools/perf/util/stat-display.c +@@ -273,7 +273,7 @@ static void new_line_csv(struct perf_stat_config *config, void *ctx) + + fputc('\n', os->fh); + if (os->prefix) +- fprintf(os->fh, "%s%s", os->prefix, config->csv_sep); ++ fprintf(os->fh, "%s", os->prefix); + aggr_printout(config, os->evsel, os->id, os->nr); + for (i = 0; i < os->nfields; i++) + fputs(config->csv_sep, os->fh); +-- +2.35.1 + diff --git a/queue-6.0/perf-test-fix-skipping-branch-stack-sampling-test.patch b/queue-6.0/perf-test-fix-skipping-branch-stack-sampling-test.patch new file mode 100644 index 00000000000..ff7e17eba36 --- /dev/null +++ b/queue-6.0/perf-test-fix-skipping-branch-stack-sampling-test.patch @@ -0,0 +1,85 @@ +From f982c40c213612d80b936f18b60889723f70f598 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 13:19:13 +0100 +Subject: perf test: Fix skipping branch stack sampling test + +From: James Clark + +[ Upstream commit 20ebc4a649b82e6ad892684c76ea1e8dd786d336 ] + +Commit f4a2aade6809c657 ("perf tests powerpc: Fix branch stack sampling +test to include sanity check for branch filter") added a skip if certain +branch options aren't available. + +But the change added both -b (--branch-any) and --branch-filter options +at the same time, which will always result in a failure on any platform +because the arguments can't be used together. + +Fix this by removing -b (--branch-any) and leaving --branch-filter which +already specifies 'any'. Also add warning messages to the test and perf +tool. + +Output on x86 before this fix: + + $ sudo ./perf test branch + 108: Check branch stack sampling : Skip + +After: + + $ sudo ./perf test branch + 108: Check branch stack sampling : Ok + +Fixes: f4a2aade6809c657 ("perf tests powerpc: Fix branch stack sampling test to include sanity check for branch filter") +Signed-off-by: James Clark +Tested-by: Athira Jajeev +Cc: Alexander Shishkin +Cc: Anshuman.Khandual@arm.com +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kajol Jain +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20221028121913.745307-1-james.clark@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/shell/test_brstack.sh | 5 ++++- + tools/perf/util/parse-branch-options.c | 4 +++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/tests/shell/test_brstack.sh b/tools/perf/tests/shell/test_brstack.sh +index ec801cffae6b..d7ff5c4b4da4 100755 +--- a/tools/perf/tests/shell/test_brstack.sh ++++ b/tools/perf/tests/shell/test_brstack.sh +@@ -13,7 +13,10 @@ fi + + # skip the test if the hardware doesn't support branch stack sampling + # and if the architecture doesn't support filter types: any,save_type,u +-perf record -b -o- -B --branch-filter any,save_type,u true > /dev/null 2>&1 || exit 2 ++if ! perf record -o- --no-buildid --branch-filter any,save_type,u -- true > /dev/null 2>&1 ; then ++ echo "skip: system doesn't support filter types: any,save_type,u" ++ exit 2 ++fi + + TMPDIR=$(mktemp -d /tmp/__perf_test.program.XXXXX) + +diff --git a/tools/perf/util/parse-branch-options.c b/tools/perf/util/parse-branch-options.c +index bb4aa88c50a8..35264b5684d0 100644 +--- a/tools/perf/util/parse-branch-options.c ++++ b/tools/perf/util/parse-branch-options.c +@@ -101,8 +101,10 @@ parse_branch_stack(const struct option *opt, const char *str, int unset) + /* + * cannot set it twice, -b + --branch-filter for instance + */ +- if (*mode) ++ if (*mode) { ++ pr_err("Error: Can't use --branch-any (-b) with --branch-filter (-j).\n"); + return -1; ++ } + + return parse_branch_str(str, mode); + } +-- +2.35.1 + diff --git a/queue-6.0/perf-tools-add-the-include-perf-directory-to-.gitign.patch b/queue-6.0/perf-tools-add-the-include-perf-directory-to-.gitign.patch new file mode 100644 index 00000000000..78cceea34db --- /dev/null +++ b/queue-6.0/perf-tools-add-the-include-perf-directory-to-.gitign.patch @@ -0,0 +1,57 @@ +From 542240b33c5ba90699d3ab60b0bd4a6f5dea674f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 02:27:04 -0700 +Subject: perf tools: Add the include/perf/ directory to .gitignore + +From: Donglin Peng + +[ Upstream commit 94d957ae513fc420d0a5a9bac815eb49ffebb56f ] + +Commit 3af1dfdd51e06697 ("perf build: Move perf_dlfilters.h in the +source tree") moved perf_dlfilters.h to the include/perf/ directory +while include/perf is ignored because it has 'perf' in the name. Newly +created files in the include/perf/ directory will be ignored. + +Testing: + +Before: + + $ touch tools/perf/include/perf/junk + $ git status | grep junk + $ git check-ignore -v tools/perf/include/perf/junk + tools/perf/.gitignore:6:perf tools/perf/include/perf/junk + +After: + + $ git status | grep junk + tools/perf/include/perf/junk + $ git check-ignore -v tools/perf/include/perf/junk + +Add !include/perf/ to perf's .gitignore file. + +Fixes: 3af1dfdd51e06697 ("perf build: Move perf_dlfilters.h in the source tree") +Signed-off-by: Donglin Peng +Acked-by: Adrian Hunter +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20221103092704.173391-1-dolinux.peng@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/.gitignore | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/.gitignore b/tools/perf/.gitignore +index 4b9c71faa01a..f136309044da 100644 +--- a/tools/perf/.gitignore ++++ b/tools/perf/.gitignore +@@ -4,6 +4,7 @@ PERF-GUI-VARS + PERF-VERSION-FILE + FEATURE-DUMP + perf ++!include/perf/ + perf-read-vdso32 + perf-read-vdsox32 + perf-help +-- +2.35.1 + diff --git a/queue-6.0/phy-ralink-mt7621-pci-add-sentinel-to-quirks-table.patch b/queue-6.0/phy-ralink-mt7621-pci-add-sentinel-to-quirks-table.patch new file mode 100644 index 00000000000..58ff8c33b25 --- /dev/null +++ b/queue-6.0/phy-ralink-mt7621-pci-add-sentinel-to-quirks-table.patch @@ -0,0 +1,46 @@ +From 82008f77a8e299a4009b276bec6d20e467fc16b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 06:52:41 +1000 +Subject: phy: ralink: mt7621-pci: add sentinel to quirks table + +From: John Thomson + +[ Upstream commit 819b885cd886c193782891c4f51bbcab3de119a4 ] + +With mt7621 soc_dev_attr fixed to register the soc as a device, +kernel will experience an oops in soc_device_match_attr + +This quirk test was introduced in the staging driver in +commit 9445ccb3714c ("staging: mt7621-pci-phy: add quirks for 'E2' +revision using 'soc_device_attribute'"). The staging driver was removed, +and later re-added in commit d87da32372a0 ("phy: ralink: Add PHY driver +for MT7621 PCIe PHY") for kernel 5.11 + +Link: https://lore.kernel.org/lkml/26ebbed1-0fe9-4af9-8466-65f841d0b382@app.fastmail.com +Fixes: d87da32372a0 ("phy: ralink: Add PHY driver for MT7621 PCIe PHY") +Signed-off-by: John Thomson +Acked-by: Sergio Paracuellos +Link: https://lore.kernel.org/r/20221104205242.3440388-2-git@johnthomson.fastmail.com.au +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/ralink/phy-mt7621-pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/phy/ralink/phy-mt7621-pci.c b/drivers/phy/ralink/phy-mt7621-pci.c +index 5e6530f545b5..85888ab2d307 100644 +--- a/drivers/phy/ralink/phy-mt7621-pci.c ++++ b/drivers/phy/ralink/phy-mt7621-pci.c +@@ -280,7 +280,8 @@ static struct phy *mt7621_pcie_phy_of_xlate(struct device *dev, + } + + static const struct soc_device_attribute mt7621_pci_quirks_match[] = { +- { .soc_id = "mt7621", .revision = "E2" } ++ { .soc_id = "mt7621", .revision = "E2" }, ++ { /* sentinel */ } + }; + + static const struct regmap_config mt7621_pci_phy_regmap_config = { +-- +2.35.1 + diff --git a/queue-6.0/phy-stm32-fix-an-error-code-in-probe.patch b/queue-6.0/phy-stm32-fix-an-error-code-in-probe.patch new file mode 100644 index 00000000000..4a7a973c9dc --- /dev/null +++ b/queue-6.0/phy-stm32-fix-an-error-code-in-probe.patch @@ -0,0 +1,38 @@ +From 88a3a20b7fd3981536d78f9d6a8d20cb6a4c55fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Oct 2022 12:25:06 +0300 +Subject: phy: stm32: fix an error code in probe + +From: Dan Carpenter + +[ Upstream commit ca1c73628f5bd0c1ef6e46073cc3be2450605b06 ] + +If "index > usbphyc->nphys" is true then this returns success but it +should return -EINVAL. + +Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)") +Signed-off-by: Dan Carpenter +Reviewed-by: Amelie Delaunay +Link: https://lore.kernel.org/r/Y0kq8j6S+5nDdMpr@kili +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/st/phy-stm32-usbphyc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c +index a98c911cc37a..5bb9647b078f 100644 +--- a/drivers/phy/st/phy-stm32-usbphyc.c ++++ b/drivers/phy/st/phy-stm32-usbphyc.c +@@ -710,6 +710,8 @@ static int stm32_usbphyc_probe(struct platform_device *pdev) + ret = of_property_read_u32(child, "reg", &index); + if (ret || index > usbphyc->nphys) { + dev_err(&phy->dev, "invalid reg property: %d\n", ret); ++ if (!ret) ++ ret = -EINVAL; + goto put_child; + } + +-- +2.35.1 + diff --git a/queue-6.0/platform-x86-p2sb-don-t-fail-if-unknown-cpu-is-found.patch b/queue-6.0/platform-x86-p2sb-don-t-fail-if-unknown-cpu-is-found.patch new file mode 100644 index 00000000000..b6c91c49452 --- /dev/null +++ b/queue-6.0/platform-x86-p2sb-don-t-fail-if-unknown-cpu-is-found.patch @@ -0,0 +1,71 @@ +From 8a5c9814a904d8c7493462a251a005a7f36e7fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 17:49:16 +0200 +Subject: platform/x86: p2sb: Don't fail if unknown CPU is found + +From: Andy Shevchenko + +[ Upstream commit 53eb64c88f17b14b324fbdfd417f56c5d3fa6fee ] + +We have accessing P2SB from a very few places for quite known hardware. + +When a new SoC appears in intel-family.h it's not obvious that it needs +to be added to p2sb.c as well. Instead, provide default BDF and refactor +p2sb_get_devfn() to always succeed. If in the future we would need to +exclude something, we may add a list of unsupported IDs. + +Without this change the iTCO on Intel Comet Lake SoCs became unavailable: + + i801_smbus 0000:00:1f.4: failed to create iTCO device + +Fixes: 5c7b9167ddf8 ("i2c: i801: convert to use common P2SB accessor") +Reported-and-tested-by: Jarkko Nikula +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221104154916.35231-1-andriy.shevchenko@linux.intel.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/p2sb.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/platform/x86/p2sb.c b/drivers/platform/x86/p2sb.c +index 384d0962ae93..1cf2471d54dd 100644 +--- a/drivers/platform/x86/p2sb.c ++++ b/drivers/platform/x86/p2sb.c +@@ -19,26 +19,23 @@ + #define P2SBC 0xe0 + #define P2SBC_HIDE BIT(8) + ++#define P2SB_DEVFN_DEFAULT PCI_DEVFN(31, 1) ++ + static const struct x86_cpu_id p2sb_cpu_ids[] = { + X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, PCI_DEVFN(13, 0)), +- X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT_D, PCI_DEVFN(31, 1)), +- X86_MATCH_INTEL_FAM6_MODEL(ATOM_SILVERMONT_D, PCI_DEVFN(31, 1)), +- X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE, PCI_DEVFN(31, 1)), +- X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE_L, PCI_DEVFN(31, 1)), +- X86_MATCH_INTEL_FAM6_MODEL(SKYLAKE, PCI_DEVFN(31, 1)), +- X86_MATCH_INTEL_FAM6_MODEL(SKYLAKE_L, PCI_DEVFN(31, 1)), + {} + }; + + static int p2sb_get_devfn(unsigned int *devfn) + { ++ unsigned int fn = P2SB_DEVFN_DEFAULT; + const struct x86_cpu_id *id; + + id = x86_match_cpu(p2sb_cpu_ids); +- if (!id) +- return -ENODEV; ++ if (id) ++ fn = (unsigned int)id->driver_data; + +- *devfn = (unsigned int)id->driver_data; ++ *devfn = fn; + return 0; + } + +-- +2.35.1 + diff --git a/queue-6.0/riscv-fix-reserved-memory-setup.patch b/queue-6.0/riscv-fix-reserved-memory-setup.patch new file mode 100644 index 00000000000..9f469f53836 --- /dev/null +++ b/queue-6.0/riscv-fix-reserved-memory-setup.patch @@ -0,0 +1,106 @@ +From 88495a6856a36c3065d425894c58e71b7ad38e02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:15:25 +0000 +Subject: riscv: fix reserved memory setup + +From: Conor Dooley + +[ Upstream commit 50e63dd8ed92045eb70a72d7ec725488320fb68b ] + +Currently, RISC-V sets up reserved memory using the "early" copy of the +device tree. As a result, when trying to get a reserved memory region +using of_reserved_mem_lookup(), the pointer to reserved memory regions +is using the early, pre-virtual-memory address which causes a kernel +panic when trying to use the buffer's name: + + Unable to handle kernel paging request at virtual address 00000000401c31ac + Oops [#1] + Modules linked in: + CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1 + Hardware name: Microchip PolarFire-SoC Icicle Kit (DT) + epc : string+0x4a/0xea + ra : vsnprintf+0x1e4/0x336 + epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0 + gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000 + t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20 + s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000 + a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff + a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff + s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008 + s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00 + s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002 + s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617 + t5 : ffffffff812f3618 t6 : ffffffff81203d08 + status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d + [] vsnprintf+0x1e4/0x336 + [] vprintk_store+0xf6/0x344 + [] vprintk_emit+0x56/0x192 + [] vprintk_default+0x16/0x1e + [] vprintk+0x72/0x80 + [] _printk+0x36/0x50 + [] print_reserved_mem+0x1c/0x24 + [] paging_init+0x528/0x5bc + [] setup_arch+0xd0/0x592 + [] start_kernel+0x82/0x73c + +early_init_fdt_scan_reserved_mem() takes no arguments as it operates on +initial_boot_params, which is populated by early_init_dt_verify(). On +RISC-V, early_init_dt_verify() is called twice. Once, directly, in +setup_arch() if CONFIG_BUILTIN_DTB is not enabled and once indirectly, +very early in the boot process, by parse_dtb() when it calls +early_init_dt_scan_nodes(). + +This first call uses dtb_early_va to set initial_boot_params, which is +not usable later in the boot process when +early_init_fdt_scan_reserved_mem() is called. On arm64 for example, the +corresponding call to early_init_dt_scan_nodes() uses fixmap addresses +and doesn't suffer the same fate. + +Move early_init_fdt_scan_reserved_mem() further along the boot sequence, +after the direct call to early_init_dt_verify() in setup_arch() so that +the names use the correct virtual memory addresses. The above supposed +that CONFIG_BUILTIN_DTB was not set, but should work equally in the case +where it is - unflatted_and_copy_device_tree() also updates +initial_boot_params. + +Reported-by: Valentina Fernandez +Reported-by: Evgenii Shatokhin +Link: https://lore.kernel.org/linux-riscv/f8e67f82-103d-156c-deb0-d6d6e2756f5e@microchip.com/ +Fixes: 922b0375fc93 ("riscv: Fix memblock reservation for device tree blob") +Signed-off-by: Conor Dooley +Tested-by: Evgenii Shatokhin +Link: https://lore.kernel.org/r/20221107151524.3941467-1-conor.dooley@microchip.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/setup.c | 1 + + arch/riscv/mm/init.c | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c +index ad76bb59b059..67ec1fadcfe2 100644 +--- a/arch/riscv/kernel/setup.c ++++ b/arch/riscv/kernel/setup.c +@@ -283,6 +283,7 @@ void __init setup_arch(char **cmdline_p) + else + pr_err("No DTB found in kernel mappings\n"); + #endif ++ early_init_fdt_scan_reserved_mem(); + misc_mem_init(); + + init_resources(); +diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c +index b56a0a75533f..50a1b6edd491 100644 +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -262,7 +262,6 @@ static void __init setup_bootmem(void) + memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va)); + } + +- early_init_fdt_scan_reserved_mem(); + dma_contiguous_reserve(dma32_phys_limit); + if (IS_ENABLED(CONFIG_64BIT)) + hugetlb_cma_reserve(PUD_SHIFT - PAGE_SHIFT); +-- +2.35.1 + diff --git a/queue-6.0/riscv-process-fix-kernel-info-leakage.patch b/queue-6.0/riscv-process-fix-kernel-info-leakage.patch new file mode 100644 index 00000000000..e4a7db0b695 --- /dev/null +++ b/queue-6.0/riscv-process-fix-kernel-info-leakage.patch @@ -0,0 +1,43 @@ +From b43aecc82138eb721c1aae2d7211db3e48f83dad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Oct 2022 19:34:50 +0800 +Subject: riscv: process: fix kernel info leakage + +From: Jisheng Zhang + +[ Upstream commit 6510c78490c490a6636e48b61eeaa6fb65981f4b ] + +thread_struct's s[12] may contain random kernel memory content, which +may be finally leaked to userspace. This is a security hole. Fix it +by clearing the s[12] array in thread_struct when fork. + +As for kthread case, it's better to clear the s[12] array as well. + +Fixes: 7db91e57a0ac ("RISC-V: Task implementation") +Signed-off-by: Jisheng Zhang +Tested-by: Guo Ren +Link: https://lore.kernel.org/r/20221029113450.4027-1-jszhang@kernel.org +Reviewed-by: Guo Ren +Link: https://lore.kernel.org/r/CAJF2gTSdVyAaM12T%2B7kXAdRPGS4VyuO08X1c7paE-n4Fr8OtRA@mail.gmail.com/ +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/process.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c +index ceb9ebab6558..52002d54b163 100644 +--- a/arch/riscv/kernel/process.c ++++ b/arch/riscv/kernel/process.c +@@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) + unsigned long tls = args->tls; + struct pt_regs *childregs = task_pt_regs(p); + ++ memset(&p->thread.s, 0, sizeof(p->thread.s)); ++ + /* p->thread holds context to be restored by __switch_to() */ + if (unlikely(args->fn)) { + /* Kernel thread */ +-- +2.35.1 + diff --git a/queue-6.0/riscv-vdso-fix-build-with-llvm.patch b/queue-6.0/riscv-vdso-fix-build-with-llvm.patch new file mode 100644 index 00000000000..25f43994621 --- /dev/null +++ b/queue-6.0/riscv-vdso-fix-build-with-llvm.patch @@ -0,0 +1,66 @@ +From a3cd1a6dad095f3aaf9109eba1138119622ed5b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 02:29:43 +0800 +Subject: riscv: vdso: fix build with llvm + +From: Jisheng Zhang + +[ Upstream commit 50f4dd657a0fcf90aa8da8dc2794a8100ff4c37c ] + +Even after commit 89fd4a1df829 ("riscv: jump_label: mark arguments as +const to satisfy asm constraints"), building with CC_OPTIMIZE_FOR_SIZE ++ LLVM=1 can reproduce below build error: + + CC arch/riscv/kernel/vdso/vgettimeofday.o +In file included from :4: +In file included from lib/vdso/gettimeofday.c:5: +In file included from include/vdso/datapage.h:17: +In file included from include/vdso/processor.h:10: +In file included from arch/riscv/include/asm/vdso/processor.h:7: +In file included from include/linux/jump_label.h:112: +arch/riscv/include/asm/jump_label.h:42:3: error: +invalid operand for inline asm constraint 'i' + " .option push \n\t" + ^ +1 error generated. + +I think the problem is when "-Os" is passed as CFLAGS, it's removed by +"CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) -Os" which is +introduced in commit e05d57dcb8c7 ("riscv: Fixup __vdso_gettimeofday +broke dynamic ftrace"), thus no optimization at all for vgettimeofday.c +arm64 does remove "-Os" as well, but it forces "-O2" after removing +"-Os". + +I compared the generated vgettimeofday.o with "-O2" and "-Os", +I think no big performance difference. So let's tell the kbuild not +to remove "-Os" rather than follow arm64 style. + +vdso related performance can be improved a lot when building kernel with +CC_OPTIMIZE_FOR_SIZE after this commit, ("-Os" VS no optimization) + +Fixes: e05d57dcb8c7 ("riscv: Fixup __vdso_gettimeofday broke dynamic ftrace") +Signed-off-by: Jisheng Zhang +Tested-by: Conor Dooley +Link: https://lore.kernel.org/r/20221031182943.2453-1-jszhang@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/vdso/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile +index f2e065671e4d..84ac0fe612e7 100644 +--- a/arch/riscv/kernel/vdso/Makefile ++++ b/arch/riscv/kernel/vdso/Makefile +@@ -30,7 +30,7 @@ obj-y += vdso.o + CPPFLAGS_vdso.lds += -P -C -U$(ARCH) + + # Disable -pg to prevent insert call site +-CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) -Os ++CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) + + # Disable profiling and instrumentation for VDSO code + GCOV_PROFILE := n +-- +2.35.1 + diff --git a/queue-6.0/series b/queue-6.0/series index 34b262c4c68..d445aede1a5 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -11,3 +11,103 @@ drm-amd-display-set-memclk-levels-to-be-at-least-1-f.patch drm-amdkfd-handle-cpu-fault-on-cow-mapping.patch drm-amdkfd-fix-null-pointer-dereference-in-svm_migra.patch cxl-region-recycle-region-ids.patch +hwspinlock-qcom-correct-mmio-max-register-for-newer-.patch +phy-stm32-fix-an-error-code-in-probe.patch +wifi-cfg80211-silence-a-sparse-rcu-warning.patch +wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch +soundwire-qcom-reinit-broadcast-completion.patch +soundwire-qcom-check-for-outanding-writes-before-doi.patch +alsa-arm-pxa-pxa2xx-ac97-lib-fix-return-value-check-.patch +spi-mediatek-fix-package-division-error.patch +bpf-verifier-fix-memory-leak-in-array-reallocation-f.patch +bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch +wifi-mac80211-fix-general-protection-fault-in-ieee80.patch +wifi-mac80211-set-twt-information-frame-disabled-bit.patch +bpftool-fix-null-pointer-dereference-when-pin-prog-m.patch +hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch +drm-vc4-hdmi-fix-hsm-clock-too-low-on-pi4.patch +bpf-sock_map-move-cancel_work_sync-out-of-sock-lock.patch +pci-hv-fix-the-definition-of-vector-in-hv_compose_ms.patch +bpf-add-helper-macro-bpf_for_each_reg_in_vstate.patch +bpf-fix-wrong-reg-type-conversion-in-release_referen.patch +net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch +macsec-delete-new-rxsc-when-offload-fails.patch +macsec-fix-secy-n_rx_sc-accounting.patch +macsec-fix-detection-of-rxscs-when-toggling-offloadi.patch +macsec-clear-encryption-keys-from-the-stack-after-se.patch +octeontx2-pf-nix-tx-overwrites-sq_ctx_hw_s-sq_int.patch +net-tun-fix-memory-leaks-of-napi_get_frags.patch +bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch +bnxt_en-fix-potentially-incorrect-return-value-for-n.patch +net-fman-unregister-ethernet-device-on-removal.patch +capabilities-fix-undefined-behavior-in-bit-shift-for.patch +phy-ralink-mt7621-pci-add-sentinel-to-quirks-table.patch +kvm-s390-pv-don-t-allow-userspace-to-set-the-clock-u.patch +kvm-s390-pci-fix-allocation-size-of-aift-kzdev-eleme.patch +net-lapbether-fix-issue-of-dev-reference-count-leaka.patch +hamradio-fix-issue-of-dev-reference-count-leakage-in.patch +net-wwan-iosm-fix-memory-leak-in-ipc_wwan_dellink.patch +net-wwan-mhi-fix-memory-leak-in-mhi_mbim_dellink.patch +drm-vc4-fix-missing-platform_unregister_drivers-call.patch +tcp-prohibit-tcp_repair_options-if-data-was-already-.patch +platform-x86-p2sb-don-t-fail-if-unknown-cpu-is-found.patch +ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch +can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch +drm-i915-psr-send-update-also-on-invalidate.patch +drm-i915-do-not-set-cache_dirty-for-dgfx.patch +net-stmmac-dwmac-meson8b-fix-meson8b_devm_clk_prepar.patch +dt-bindings-net-tsnep-fix-typo-on-generic-nvmem-prop.patch +net-broadcom-fix-bcmgenet-kconfig.patch +tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch +dmaengine-pxa_dma-use-platform_get_irq_optional.patch +dmanegine-idxd-reformat-opcap-output-to-match-bitmap.patch +dmaengine-idxd-fix-max-batch-size-for-intel-iaa.patch +dmaengine-idxd-fix-ro-device-state-error-after-been-.patch +dmaengine-apple-admac-fix-grabbing-of-channels-in-of.patch +dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch +dmaengine-ti-k3-udma-glue-fix-memory-leak-when-regis.patch +dmaengine-stm32-dma-fix-potential-race-between-pause.patch +net-lapbether-fix-issue-of-invalid-opcode-in-lapbeth.patch +net-ethernet-mtk-star-emac-disable-napi-when-connect.patch +octeontx2-pf-fix-sqe-threshold-checking.patch +drivers-net-xgene-disable-napi-when-register-irq-fai.patch +perf-stat-fix-crash-with-per-node-metric-only-in-csv.patch +perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch +perf-test-fix-skipping-branch-stack-sampling-test.patch +perf-tools-add-the-include-perf-directory-to-.gitign.patch +netfilter-nfnetlink-fix-potential-dead-lock-in-nfnet.patch +netfilter-cleanup-nft_net-module_list-from-nf_tables.patch +net-marvell-prestera-fix-memory-leak-in-prestera_rxt.patch +net-tun-call-napi_schedule_prep-to-ensure-we-own-a-n.patch +net-nixge-disable-napi-when-enable-interrupts-failed.patch +net-wwan-iosm-fix-memory-leak-in-ipc_pcie_read_bios_.patch +net-wwan-iosm-fix-invalid-mux-header-type.patch +net-mlx5-bridge-verify-lag-state-when-adding-bond-to.patch +net-mlx5-allow-async-trigger-completion-execution-on.patch +net-mlx5-e-switch-set-to-legacy-mode-if-failed-to-ch.patch +net-mlx5-fw_reset-don-t-try-to-load-device-in-case-p.patch +net-mlx5e-add-missing-sanity-checks-for-max-tx-wqe-s.patch +net-mlx5e-fix-tc-acts-array-not-to-be-dependent-on-e.patch +net-mlx5e-tc-fix-wrong-rejection-of-packet-per-secon.patch +net-mlx5e-e-switch-fix-comparing-termination-table-i.patch +ice-fix-spurious-interrupt-during-removal-of-trusted.patch +iavf-fix-vf-driver-counting-vlan-0-filters.patch +net-cpsw-disable-napi-in-cpsw_ndo_open.patch +net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch +stmmac-intel-update-pch-ptp-clock-rate-from-200mhz-t.patch +mctp-fix-an-error-handling-path-in-mctp_init.patch +cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch +stmmac-dwmac-loongson-fix-missing-pci_disable_msi-wh.patch +stmmac-dwmac-loongson-fix-missing-pci_disable_device.patch +stmmac-dwmac-loongson-fix-missing-of_node_put-while-.patch +net-phy-mscc-macsec-clear-encryption-keys-when-freei.patch +net-atlantic-macsec-clear-encryption-keys-from-the-s.patch +ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch +net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch +alsa-memalloc-don-t-fall-back-for-sg-buffer-with-iom.patch +ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch +net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch +riscv-process-fix-kernel-info-leakage.patch +riscv-vdso-fix-build-with-llvm.patch +riscv-fix-reserved-memory-setup.patch +eth-sp7021-drop-free_netdev-from-spl2sw_init_netdev.patch diff --git a/queue-6.0/soundwire-qcom-check-for-outanding-writes-before-doi.patch b/queue-6.0/soundwire-qcom-check-for-outanding-writes-before-doi.patch new file mode 100644 index 00000000000..c87db89b271 --- /dev/null +++ b/queue-6.0/soundwire-qcom-check-for-outanding-writes-before-doi.patch @@ -0,0 +1,42 @@ +From 38f8cf355522521affe27e3501c7ec2c62aec867 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Oct 2022 12:02:06 +0100 +Subject: soundwire: qcom: check for outanding writes before doing a read + +From: Srinivas Kandagatla + +[ Upstream commit 49a467310dc4fae591a3547860ee04d8730780f4 ] + +Reading will increase the fifo count, so check for outstanding cmd wrt. +write fifo depth to avoid overflow as read will also increase +write fifo cnt. + +Fixes: a661308c34de ("soundwire: qcom: wait for fifo space to be available before read/write") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20221026110210.6575-3-srinivas.kandagatla@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/qcom.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c +index 87ccaebc8453..6e5990611d83 100644 +--- a/drivers/soundwire/qcom.c ++++ b/drivers/soundwire/qcom.c +@@ -380,6 +380,12 @@ static int qcom_swrm_cmd_fifo_rd_cmd(struct qcom_swrm_ctrl *swrm, + + val = swrm_get_packed_reg_val(&swrm->rcmd_id, len, dev_addr, reg_addr); + ++ /* ++ * Check for outstanding cmd wrt. write fifo depth to avoid ++ * overflow as read will also increase write fifo cnt. ++ */ ++ swrm_wait_for_wr_fifo_avail(swrm); ++ + /* wait for FIFO RD to complete to avoid overflow */ + usleep_range(100, 105); + swrm->reg_write(swrm, SWRM_CMD_FIFO_RD_CMD, val); +-- +2.35.1 + diff --git a/queue-6.0/soundwire-qcom-reinit-broadcast-completion.patch b/queue-6.0/soundwire-qcom-reinit-broadcast-completion.patch new file mode 100644 index 00000000000..fd6f608ab09 --- /dev/null +++ b/queue-6.0/soundwire-qcom-reinit-broadcast-completion.patch @@ -0,0 +1,40 @@ +From 630b5e49a6496781568959e843884f15fc3ca23e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Oct 2022 12:02:05 +0100 +Subject: soundwire: qcom: reinit broadcast completion + +From: Srinivas Kandagatla + +[ Upstream commit f936fa7a954b262cb3908bbc8f01ba19dfaf9fbf ] + +For some reason we never reinit the broadcast completion, there is a +danger that broadcast commands could be treated as completed by driver +from previous complete status. +Fix this by reinitializing the completion before sending a broadcast command. + +Fixes: ddea6cf7b619 ("soundwire: qcom: update register read/write routine") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20221026110210.6575-2-srinivas.kandagatla@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/qcom.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c +index 3a992a6478c3..87ccaebc8453 100644 +--- a/drivers/soundwire/qcom.c ++++ b/drivers/soundwire/qcom.c +@@ -344,6 +344,9 @@ static int qcom_swrm_cmd_fifo_wr_cmd(struct qcom_swrm_ctrl *swrm, u8 cmd_data, + if (swrm_wait_for_wr_fifo_avail(swrm)) + return SDW_CMD_FAIL_OTHER; + ++ if (cmd_id == SWR_BROADCAST_CMD_ID) ++ reinit_completion(&swrm->broadcast); ++ + /* Its assumed that write is okay as we do not get any status back */ + swrm->reg_write(swrm, SWRM_CMD_FIFO_WR_CMD, val); + +-- +2.35.1 + diff --git a/queue-6.0/spi-mediatek-fix-package-division-error.patch b/queue-6.0/spi-mediatek-fix-package-division-error.patch new file mode 100644 index 00000000000..24c81ac8629 --- /dev/null +++ b/queue-6.0/spi-mediatek-fix-package-division-error.patch @@ -0,0 +1,99 @@ +From 0c4a41322e225c3241634c57b425a178fe078cab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 17:16:53 +0800 +Subject: spi: mediatek: Fix package division error + +From: zhichao.liu + +[ Upstream commit cf82d0ecb84e8ef9958721193f901609b408655b ] + +Commit 7e963fb2a33ce ("spi: mediatek: add ipm design support +for MT7986") makes a mistake on package dividing operation +(one change is missing), need to fix it. + +Background: +Ipm design is expanding the HW capability of dma (adjust package +length from 1KB to 64KB), and using "dev_comp->ipm_support" flag +to indicate it. + +Issue description: +Ipm support patch (said above) is missing to handle remainder at +package dividing operation. +One case, a transmission length is 65KB, is will divide to 1K +(package length) * 65(package loop) in non-ipm desgin case, and +will divide to 64K(package length) * 1(package loop) + 1K(remainder) +in ipm design case. And the 1K remainder will be lost with the +current SW flow, and the transmission will be failure. +So, it should be fixed. + +Solution: +Add "ipm_design" flag in function "mtk_spi_get_mult_delta()" to +indicate HW capability, and modify the parameters corespondingly. + +fixes: 7e963fb2a33ce ("spi: mediatek: add ipm design support for MT7986") +Signed-off-by: zhichao.liu +Link: https://lore.kernel.org/r/20221021091653.18297-1-zhichao.liu@mediatek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mt65xx.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c +index 0a3b9f7eed30..cd9dc358d396 100644 +--- a/drivers/spi/spi-mt65xx.c ++++ b/drivers/spi/spi-mt65xx.c +@@ -551,14 +551,17 @@ static void mtk_spi_enable_transfer(struct spi_master *master) + writel(cmd, mdata->base + SPI_CMD_REG); + } + +-static int mtk_spi_get_mult_delta(u32 xfer_len) ++static int mtk_spi_get_mult_delta(struct mtk_spi *mdata, u32 xfer_len) + { +- u32 mult_delta; ++ u32 mult_delta = 0; + +- if (xfer_len > MTK_SPI_PACKET_SIZE) +- mult_delta = xfer_len % MTK_SPI_PACKET_SIZE; +- else +- mult_delta = 0; ++ if (mdata->dev_comp->ipm_design) { ++ if (xfer_len > MTK_SPI_IPM_PACKET_SIZE) ++ mult_delta = xfer_len % MTK_SPI_IPM_PACKET_SIZE; ++ } else { ++ if (xfer_len > MTK_SPI_PACKET_SIZE) ++ mult_delta = xfer_len % MTK_SPI_PACKET_SIZE; ++ } + + return mult_delta; + } +@@ -570,22 +573,22 @@ static void mtk_spi_update_mdata_len(struct spi_master *master) + + if (mdata->tx_sgl_len && mdata->rx_sgl_len) { + if (mdata->tx_sgl_len > mdata->rx_sgl_len) { +- mult_delta = mtk_spi_get_mult_delta(mdata->rx_sgl_len); ++ mult_delta = mtk_spi_get_mult_delta(mdata, mdata->rx_sgl_len); + mdata->xfer_len = mdata->rx_sgl_len - mult_delta; + mdata->rx_sgl_len = mult_delta; + mdata->tx_sgl_len -= mdata->xfer_len; + } else { +- mult_delta = mtk_spi_get_mult_delta(mdata->tx_sgl_len); ++ mult_delta = mtk_spi_get_mult_delta(mdata, mdata->tx_sgl_len); + mdata->xfer_len = mdata->tx_sgl_len - mult_delta; + mdata->tx_sgl_len = mult_delta; + mdata->rx_sgl_len -= mdata->xfer_len; + } + } else if (mdata->tx_sgl_len) { +- mult_delta = mtk_spi_get_mult_delta(mdata->tx_sgl_len); ++ mult_delta = mtk_spi_get_mult_delta(mdata, mdata->tx_sgl_len); + mdata->xfer_len = mdata->tx_sgl_len - mult_delta; + mdata->tx_sgl_len = mult_delta; + } else if (mdata->rx_sgl_len) { +- mult_delta = mtk_spi_get_mult_delta(mdata->rx_sgl_len); ++ mult_delta = mtk_spi_get_mult_delta(mdata, mdata->rx_sgl_len); + mdata->xfer_len = mdata->rx_sgl_len - mult_delta; + mdata->rx_sgl_len = mult_delta; + } +-- +2.35.1 + diff --git a/queue-6.0/stmmac-dwmac-loongson-fix-missing-of_node_put-while-.patch b/queue-6.0/stmmac-dwmac-loongson-fix-missing-of_node_put-while-.patch new file mode 100644 index 00000000000..0ba71e05a16 --- /dev/null +++ b/queue-6.0/stmmac-dwmac-loongson-fix-missing-of_node_put-while-.patch @@ -0,0 +1,78 @@ +From 49539adea12ae15ec81bf43bb367e2831070c817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 19:46:47 +0800 +Subject: stmmac: dwmac-loongson: fix missing of_node_put() while module + exiting + +From: Yang Yingliang + +[ Upstream commit 7f94d0498f9c763f37172c08059ae91804c3075a ] + +The node returned by of_get_child_by_name() with refcount decremented, +of_node_put() needs be called when finish using it. So add it in the +error path in loongson_dwmac_probe() and in loongson_dwmac_remove(). + +Fixes: 2ae34111fe4e ("stmmac: dwmac-loongson: fix invalid mdio_node") +Signed-off-by: Yang Yingliang +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/stmicro/stmmac/dwmac-loongson.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c +index 2d480bc49c51..a25c187d3185 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c +@@ -75,20 +75,24 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id + plat->mdio_bus_data = devm_kzalloc(&pdev->dev, + sizeof(*plat->mdio_bus_data), + GFP_KERNEL); +- if (!plat->mdio_bus_data) +- return -ENOMEM; ++ if (!plat->mdio_bus_data) { ++ ret = -ENOMEM; ++ goto err_put_node; ++ } + plat->mdio_bus_data->needs_reset = true; + } + + plat->dma_cfg = devm_kzalloc(&pdev->dev, sizeof(*plat->dma_cfg), GFP_KERNEL); +- if (!plat->dma_cfg) +- return -ENOMEM; ++ if (!plat->dma_cfg) { ++ ret = -ENOMEM; ++ goto err_put_node; ++ } + + /* Enable pci device */ + ret = pci_enable_device(pdev); + if (ret) { + dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n", __func__); +- return ret; ++ goto err_put_node; + } + + /* Get the base address of device */ +@@ -152,13 +156,18 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id + pci_disable_msi(pdev); + err_disable_device: + pci_disable_device(pdev); ++err_put_node: ++ of_node_put(plat->mdio_node); + return ret; + } + + static void loongson_dwmac_remove(struct pci_dev *pdev) + { ++ struct net_device *ndev = dev_get_drvdata(&pdev->dev); ++ struct stmmac_priv *priv = netdev_priv(ndev); + int i; + ++ of_node_put(priv->plat->mdio_node); + stmmac_dvr_remove(&pdev->dev); + + for (i = 0; i < PCI_STD_NUM_BARS; i++) { +-- +2.35.1 + diff --git a/queue-6.0/stmmac-dwmac-loongson-fix-missing-pci_disable_device.patch b/queue-6.0/stmmac-dwmac-loongson-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..fa5e0df4471 --- /dev/null +++ b/queue-6.0/stmmac-dwmac-loongson-fix-missing-pci_disable_device.patch @@ -0,0 +1,55 @@ +From 257b9fc87ba7f2ca9684d6e73a96f192cfc44db9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 19:46:46 +0800 +Subject: stmmac: dwmac-loongson: fix missing pci_disable_device() in + loongson_dwmac_probe() + +From: Yang Yingliang + +[ Upstream commit fe5b3ce8b4377e543960220f539b989a927afd8a ] + +Add missing pci_disable_device() in the error path in loongson_dwmac_probe(). + +Fixes: 30bba69d7db4 ("stmmac: pci: Add dwmac support for Loongson") +Signed-off-by: Yang Yingliang +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c +index 16915b4d9505..2d480bc49c51 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c +@@ -97,7 +97,7 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id + continue; + ret = pcim_iomap_regions(pdev, BIT(0), pci_name(pdev)); + if (ret) +- return ret; ++ goto err_disable_device; + break; + } + +@@ -108,7 +108,8 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id + phy_mode = device_get_phy_mode(&pdev->dev); + if (phy_mode < 0) { + dev_err(&pdev->dev, "phy_mode not found\n"); +- return phy_mode; ++ ret = phy_mode; ++ goto err_disable_device; + } + + plat->phy_interface = phy_mode; +@@ -149,6 +150,8 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id + + err_disable_msi: + pci_disable_msi(pdev); ++err_disable_device: ++ pci_disable_device(pdev); + return ret; + } + +-- +2.35.1 + diff --git a/queue-6.0/stmmac-dwmac-loongson-fix-missing-pci_disable_msi-wh.patch b/queue-6.0/stmmac-dwmac-loongson-fix-missing-pci_disable_msi-wh.patch new file mode 100644 index 00000000000..d0061cb197a --- /dev/null +++ b/queue-6.0/stmmac-dwmac-loongson-fix-missing-pci_disable_msi-wh.patch @@ -0,0 +1,65 @@ +From 23b1466fba4a33b008326f396386be088e6cd32d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 19:46:45 +0800 +Subject: stmmac: dwmac-loongson: fix missing pci_disable_msi() while module + exiting + +From: Yang Yingliang + +[ Upstream commit f2d45fdf9a0ed2c94c01c422a0d0add8ffd42099 ] + +pci_enable_msi() has been called in loongson_dwmac_probe(), +so pci_disable_msi() needs be called in remove path and error +path of probe(). + +Fixes: 30bba69d7db4 ("stmmac: pci: Add dwmac support for Loongson") +Signed-off-by: Yang Yingliang +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/dwmac-loongson.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c +index 79fa7870563b..16915b4d9505 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c +@@ -125,6 +125,7 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id + if (res.irq < 0) { + dev_err(&pdev->dev, "IRQ macirq not found\n"); + ret = -ENODEV; ++ goto err_disable_msi; + } + + res.wol_irq = of_irq_get_byname(np, "eth_wake_irq"); +@@ -137,9 +138,18 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id + if (res.lpi_irq < 0) { + dev_err(&pdev->dev, "IRQ eth_lpi not found\n"); + ret = -ENODEV; ++ goto err_disable_msi; + } + +- return stmmac_dvr_probe(&pdev->dev, plat, &res); ++ ret = stmmac_dvr_probe(&pdev->dev, plat, &res); ++ if (ret) ++ goto err_disable_msi; ++ ++ return ret; ++ ++err_disable_msi: ++ pci_disable_msi(pdev); ++ return ret; + } + + static void loongson_dwmac_remove(struct pci_dev *pdev) +@@ -155,6 +165,7 @@ static void loongson_dwmac_remove(struct pci_dev *pdev) + break; + } + ++ pci_disable_msi(pdev); + pci_disable_device(pdev); + } + +-- +2.35.1 + diff --git a/queue-6.0/stmmac-intel-update-pch-ptp-clock-rate-from-200mhz-t.patch b/queue-6.0/stmmac-intel-update-pch-ptp-clock-rate-from-200mhz-t.patch new file mode 100644 index 00000000000..bea36a40877 --- /dev/null +++ b/queue-6.0/stmmac-intel-update-pch-ptp-clock-rate-from-200mhz-t.patch @@ -0,0 +1,87 @@ +From ba7550bfb1f937152b0d2939906d271b3dc03a89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 21:08:11 -0500 +Subject: stmmac: intel: Update PCH PTP clock rate from 200MHz to 204.8MHz + +From: Tan, Tee Min + +[ Upstream commit dcea1a8107c04b9521dee1dd37971757a22db162 ] + +Current Intel platform has an output of ~976ms interval +when probed on 1 Pulse-per-Second(PPS) hardware pin. + +The correct PTP clock frequency for PCH GbE should be 204.8MHz +instead of 200MHz. PSE GbE PTP clock rate remains at 200MHz. + +Fixes: 58da0cfa6cf1 ("net: stmmac: create dwmac-intel.c to contain all Intel platform") +Signed-off-by: Ling Pei Lee +Signed-off-by: Tan, Tee Min +Signed-off-by: Voon Weifeng +Signed-off-by: Gan Yi Fang +Link: https://lore.kernel.org/r/20221108020811.12919-1-yi.fang.gan@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c +index 9af25be42401..66c30a40a6a2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c +@@ -630,7 +630,6 @@ static int ehl_common_data(struct pci_dev *pdev, + { + plat->rx_queues_to_use = 8; + plat->tx_queues_to_use = 8; +- plat->clk_ptp_rate = 200000000; + plat->use_phy_wol = 1; + + plat->safety_feat_cfg->tsoee = 1; +@@ -655,6 +654,8 @@ static int ehl_sgmii_data(struct pci_dev *pdev, + plat->serdes_powerup = intel_serdes_powerup; + plat->serdes_powerdown = intel_serdes_powerdown; + ++ plat->clk_ptp_rate = 204800000; ++ + return ehl_common_data(pdev, plat); + } + +@@ -668,6 +669,8 @@ static int ehl_rgmii_data(struct pci_dev *pdev, + plat->bus_id = 1; + plat->phy_interface = PHY_INTERFACE_MODE_RGMII; + ++ plat->clk_ptp_rate = 204800000; ++ + return ehl_common_data(pdev, plat); + } + +@@ -684,6 +687,8 @@ static int ehl_pse0_common_data(struct pci_dev *pdev, + plat->bus_id = 2; + plat->addr64 = 32; + ++ plat->clk_ptp_rate = 200000000; ++ + intel_mgbe_pse_crossts_adj(intel_priv, EHL_PSE_ART_MHZ); + + return ehl_common_data(pdev, plat); +@@ -723,6 +728,8 @@ static int ehl_pse1_common_data(struct pci_dev *pdev, + plat->bus_id = 3; + plat->addr64 = 32; + ++ plat->clk_ptp_rate = 200000000; ++ + intel_mgbe_pse_crossts_adj(intel_priv, EHL_PSE_ART_MHZ); + + return ehl_common_data(pdev, plat); +@@ -758,7 +765,7 @@ static int tgl_common_data(struct pci_dev *pdev, + { + plat->rx_queues_to_use = 6; + plat->tx_queues_to_use = 4; +- plat->clk_ptp_rate = 200000000; ++ plat->clk_ptp_rate = 204800000; + plat->speed_mode_2500 = intel_speed_mode_2500; + + plat->safety_feat_cfg->tsoee = 1; +-- +2.35.1 + diff --git a/queue-6.0/tcp-prohibit-tcp_repair_options-if-data-was-already-.patch b/queue-6.0/tcp-prohibit-tcp_repair_options-if-data-was-already-.patch new file mode 100644 index 00000000000..e5eb6d9244c --- /dev/null +++ b/queue-6.0/tcp-prohibit-tcp_repair_options-if-data-was-already-.patch @@ -0,0 +1,78 @@ +From 3fdac22a207670cf75a0e9e8de3debe4e9399df5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 10:27:23 +0800 +Subject: tcp: prohibit TCP_REPAIR_OPTIONS if data was already sent + +From: Lu Wei + +[ Upstream commit 0c175da7b0378445f5ef53904247cfbfb87e0b78 ] + +If setsockopt with option name of TCP_REPAIR_OPTIONS and opt_code +of TCPOPT_SACK_PERM is called to enable sack after data is sent +and dupacks are received , it will trigger a warning in function +tcp_verify_left_out() as follows: + +============================================ +WARNING: CPU: 8 PID: 0 at net/ipv4/tcp_input.c:2132 +tcp_timeout_mark_lost+0x154/0x160 +tcp_enter_loss+0x2b/0x290 +tcp_retransmit_timer+0x50b/0x640 +tcp_write_timer_handler+0x1c8/0x340 +tcp_write_timer+0xe5/0x140 +call_timer_fn+0x3a/0x1b0 +__run_timers.part.0+0x1bf/0x2d0 +run_timer_softirq+0x43/0xb0 +__do_softirq+0xfd/0x373 +__irq_exit_rcu+0xf6/0x140 + +The warning is caused in the following steps: +1. a socket named socketA is created +2. socketA enters repair mode without build a connection +3. socketA calls connect() and its state is changed to TCP_ESTABLISHED + directly +4. socketA leaves repair mode +5. socketA calls sendmsg() to send data, packets_out and sack_outs(dup + ack receives) increase +6. socketA enters repair mode again +7. socketA calls setsockopt with TCPOPT_SACK_PERM to enable sack +8. retransmit timer expires, it calls tcp_timeout_mark_lost(), lost_out + increases +9. sack_outs + lost_out > packets_out triggers since lost_out and + sack_outs increase repeatly + +In function tcp_timeout_mark_lost(), tp->sacked_out will be cleared if +Step7 not happen and the warning will not be triggered. As suggested by +Denis and Eric, TCP_REPAIR_OPTIONS should be prohibited if data was +already sent. + +socket-tcp tests in CRIU has been tested as follows: +$ sudo ./test/zdtm.py run -t zdtm/static/socket-tcp* --keep-going \ + --ignore-taint + +socket-tcp* represent all socket-tcp tests in test/zdtm/static/. + +Fixes: b139ba4e90dc ("tcp: Repair connection-time negotiated parameters") +Signed-off-by: Lu Wei +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 5fbd0a5b48f7..cdd4f2f60f0c 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3648,7 +3648,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + case TCP_REPAIR_OPTIONS: + if (!tp->repair) + err = -EINVAL; +- else if (sk->sk_state == TCP_ESTABLISHED) ++ else if (sk->sk_state == TCP_ESTABLISHED && !tp->bytes_sent) + err = tcp_repair_options_est(sk, optval, optlen); + else + err = -EPERM; +-- +2.35.1 + diff --git a/queue-6.0/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch b/queue-6.0/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch new file mode 100644 index 00000000000..1fa2056bc14 --- /dev/null +++ b/queue-6.0/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch @@ -0,0 +1,59 @@ +From 084577d397611e5b31629f812ee1568514869a94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 16:48:53 -0400 +Subject: tipc: fix the msg->req tlv len check in + tipc_nl_compat_name_table_dump_header + +From: Xin Long + +[ Upstream commit 1c075b192fe41030457cd4a5f7dea730412bca40 ] + +This is a follow-up for commit 974cb0e3e7c9 ("tipc: fix uninit-value +in tipc_nl_compat_name_table_dump") where it should have type casted +sizeof(..) to int to work when TLV_GET_DATA_LEN() returns a negative +value. + +syzbot reported a call trace because of it: + + BUG: KMSAN: uninit-value in ... + tipc_nl_compat_name_table_dump+0x841/0xea0 net/tipc/netlink_compat.c:934 + __tipc_nl_compat_dumpit+0xab2/0x1320 net/tipc/netlink_compat.c:238 + tipc_nl_compat_dumpit+0x991/0xb50 net/tipc/netlink_compat.c:321 + tipc_nl_compat_recv+0xb6e/0x1640 net/tipc/netlink_compat.c:1324 + genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:775 [inline] + genl_rcv_msg+0x103f/0x1260 net/netlink/genetlink.c:792 + netlink_rcv_skb+0x3a5/0x6c0 net/netlink/af_netlink.c:2501 + genl_rcv+0x3c/0x50 net/netlink/genetlink.c:803 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg net/socket.c:734 [inline] + +Reported-by: syzbot+e5dbaaa238680ce206ea@syzkaller.appspotmail.com +Fixes: 974cb0e3e7c9 ("tipc: fix uninit-value in tipc_nl_compat_name_table_dump") +Signed-off-by: Xin Long +Link: https://lore.kernel.org/r/ccd6a7ea801b15aec092c3b532a883b4c5708695.1667594933.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/netlink_compat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index 0749df80454d..ce00f271ca6b 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -880,7 +880,7 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg) + }; + + ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req); +- if (TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query)) ++ if (TLV_GET_DATA_LEN(msg->req) < (int)sizeof(struct tipc_name_table_query)) + return -EINVAL; + + depth = ntohl(ntq->depth); +-- +2.35.1 + diff --git a/queue-6.0/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch b/queue-6.0/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch new file mode 100644 index 00000000000..9cf22efd897 --- /dev/null +++ b/queue-6.0/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch @@ -0,0 +1,55 @@ +From f3f6d5d606cd14a658be1c59443cbdf33e1c950d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Oct 2022 13:40:40 +0200 +Subject: wifi: cfg80211: fix memory leak in query_regdb_file() + +From: Arend van Spriel + +[ Upstream commit 57b962e627ec0ae53d4d16d7bd1033e27e67677a ] + +In the function query_regdb_file() the alpha2 parameter is duplicated +using kmemdup() and subsequently freed in regdb_fw_cb(). However, +request_firmware_nowait() can fail without calling regdb_fw_cb() and +thus leak memory. + +Fixes: 007f6c5e6eb4 ("cfg80211: support loading regulatory database as firmware file") +Signed-off-by: Arend van Spriel +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index d5c7a5aa6853..c3d950d29432 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -1084,6 +1084,8 @@ MODULE_FIRMWARE("regulatory.db"); + + static int query_regdb_file(const char *alpha2) + { ++ int err; ++ + ASSERT_RTNL(); + + if (regdb) +@@ -1093,9 +1095,13 @@ static int query_regdb_file(const char *alpha2) + if (!alpha2) + return -ENOMEM; + +- return request_firmware_nowait(THIS_MODULE, true, "regulatory.db", +- ®_pdev->dev, GFP_KERNEL, +- (void *)alpha2, regdb_fw_cb); ++ err = request_firmware_nowait(THIS_MODULE, true, "regulatory.db", ++ ®_pdev->dev, GFP_KERNEL, ++ (void *)alpha2, regdb_fw_cb); ++ if (err) ++ kfree(alpha2); ++ ++ return err; + } + + int reg_reload_regdb(void) +-- +2.35.1 + diff --git a/queue-6.0/wifi-cfg80211-silence-a-sparse-rcu-warning.patch b/queue-6.0/wifi-cfg80211-silence-a-sparse-rcu-warning.patch new file mode 100644 index 00000000000..cd25f14b032 --- /dev/null +++ b/queue-6.0/wifi-cfg80211-silence-a-sparse-rcu-warning.patch @@ -0,0 +1,38 @@ +From dd2f32c026177d568fb033760b332d4e45fbede8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Oct 2022 19:41:51 +0200 +Subject: wifi: cfg80211: silence a sparse RCU warning + +From: Johannes Berg + +[ Upstream commit 03c0ad4b06c3566de624b4f4b78ac1a5d1e4c8e7 ] + +All we're going to do with this pointer is assign it to +another __rcu pointer, but sparse can't see that, so +use rcu_access_pointer() to silence the warning here. + +Fixes: c90b93b5b782 ("wifi: cfg80211: update hidden BSSes to avoid WARN_ON") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 39fb9cc25cdc..9067e4b70855 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1674,7 +1674,9 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + if (old == rcu_access_pointer(known->pub.ies)) + rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies); + +- cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old); ++ cfg80211_update_hidden_bsses(known, ++ rcu_access_pointer(new->pub.beacon_ies), ++ old); + + if (old) + kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211-fix-general-protection-fault-in-ieee80.patch b/queue-6.0/wifi-mac80211-fix-general-protection-fault-in-ieee80.patch new file mode 100644 index 00000000000..601af05c8b3 --- /dev/null +++ b/queue-6.0/wifi-mac80211-fix-general-protection-fault-in-ieee80.patch @@ -0,0 +1,77 @@ +From 6b851ad59d30158c769eaabf908e6154c42ad105 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Oct 2022 14:39:59 +0800 +Subject: wifi: mac80211: fix general-protection-fault in + ieee80211_subif_start_xmit() + +From: Zhengchao Shao + +[ Upstream commit 780854186946e0de2be192ee7fa5125666533b3a ] + +When device is running and the interface status is changed, the gpf issue +is triggered. The problem triggering process is as follows: +Thread A: Thread B +ieee80211_runtime_change_iftype() process_one_work() + ... ... + ieee80211_do_stop() ... + ... ... + sdata->bss = NULL ... + ... ieee80211_subif_start_xmit() + ieee80211_multicast_to_unicast + //!sdata->bss->multicast_to_unicast + cause gpf issue + +When the interface status is changed, the sending queue continues to send +packets. After the bss is set to NULL, the bss is accessed. As a result, +this causes a general-protection-fault issue. + +The following is the stack information: +general protection fault, probably for non-canonical address +0xdffffc000000002f: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000178-0x000000000000017f] +Workqueue: mld mld_ifc_work +RIP: 0010:ieee80211_subif_start_xmit+0x25b/0x1310 +Call Trace: + +dev_hard_start_xmit+0x1be/0x990 +__dev_queue_xmit+0x2c9a/0x3b60 +ip6_finish_output2+0xf92/0x1520 +ip6_finish_output+0x6af/0x11e0 +ip6_output+0x1ed/0x540 +mld_sendpack+0xa09/0xe70 +mld_ifc_work+0x71c/0xdb0 +process_one_work+0x9bf/0x1710 +worker_thread+0x665/0x1080 +kthread+0x2e4/0x3a0 +ret_from_fork+0x1f/0x30 + + +Fixes: f856373e2f31 ("wifi: mac80211: do not wake queues on a vif that is being stopped") +Reported-by: syzbot+c6e8fca81c294fd5620a@syzkaller.appspotmail.com +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221026063959.177813-1-shaozhengchao@huawei.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 13249e97a069..d2c4f9226f94 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -4379,6 +4379,11 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb, + if (likely(!is_multicast_ether_addr(eth->h_dest))) + goto normal; + ++ if (unlikely(!ieee80211_sdata_running(sdata))) { ++ kfree_skb(skb); ++ return NETDEV_TX_OK; ++ } ++ + if (unlikely(ieee80211_multicast_to_unicast(skb, dev))) { + struct sk_buff_head queue; + +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211-set-twt-information-frame-disabled-bit.patch b/queue-6.0/wifi-mac80211-set-twt-information-frame-disabled-bit.patch new file mode 100644 index 00000000000..fa105c7743c --- /dev/null +++ b/queue-6.0/wifi-mac80211-set-twt-information-frame-disabled-bit.patch @@ -0,0 +1,39 @@ +From 3926c183eb0bd176a457dd394317e66904a90b59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 09:56:53 +0800 +Subject: wifi: mac80211: Set TWT Information Frame Disabled bit as 1 + +From: Howard Hsu + +[ Upstream commit 30ac96f7cc973bb850c718c9bbe1fdcedfbe826b ] + +The TWT Information Frame Disabled bit of control field of TWT Setup +frame shall be set to 1 since handling TWT Information frame is not +supported by current mac80211 implementation. + +Fixes: f5a4c24e689f ("mac80211: introduce individual TWT support in AP mode") +Signed-off-by: Howard Hsu +Link: https://lore.kernel.org/r/20221027015653.1448-1-howard-yh.hsu@mediatek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/s1g.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/s1g.c b/net/mac80211/s1g.c +index 8ca7d45d6daa..c1f964e9991c 100644 +--- a/net/mac80211/s1g.c ++++ b/net/mac80211/s1g.c +@@ -112,6 +112,9 @@ ieee80211_s1g_rx_twt_setup(struct ieee80211_sub_if_data *sdata, + goto out; + } + ++ /* TWT Information not supported yet */ ++ twt->control |= IEEE80211_TWT_CONTROL_RX_DISABLED; ++ + drv_add_twt_setup(sdata->local, sdata, &sta->sta, twt); + out: + ieee80211_s1g_send_twt_setup(sdata, mgmt->sa, sdata->vif.addr, twt); +-- +2.35.1 +