From: Sasha Levin Date: Sun, 19 Mar 2023 12:04:22 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v4.14.311~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e2c85ebaaa2a665896d4394af401719bb4acf506;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/alsa-hda-match-only-intel-devices-with-controller_in.patch b/queue-5.15/alsa-hda-match-only-intel-devices-with-controller_in.patch new file mode 100644 index 00000000000..85c50e3aa9f --- /dev/null +++ b/queue-5.15/alsa-hda-match-only-intel-devices-with-controller_in.patch @@ -0,0 +1,50 @@ +From 3e9b614403380d27e7f4ea014c14ee55c8f49edf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 15:40:54 -0600 +Subject: ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU() + +From: Bjorn Helgaas + +[ Upstream commit ff447886e675979d66b2bc01810035d3baea1b3a ] + +CONTROLLER_IN_GPU() is clearly intended to match only Intel devices, but +previously it checked only the PCI Device ID, not the Vendor ID, so it +could match devices from other vendors that happened to use the same Device +ID. + +Update CONTROLLER_IN_GPU() so it matches only Intel devices. + +Fixes: 535115b5ff51 ("ALSA: hda - Abort the probe without i915 binding for HSW/B") +Signed-off-by: Bjorn Helgaas +Link: https://lore.kernel.org/r/20230307214054.886721-1-helgaas@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index c8042eb703c34..5fce1ca8a393a 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -331,14 +331,15 @@ enum { + #define needs_eld_notify_link(chip) false + #endif + +-#define CONTROLLER_IN_GPU(pci) (((pci)->device == 0x0a0c) || \ ++#define CONTROLLER_IN_GPU(pci) (((pci)->vendor == 0x8086) && \ ++ (((pci)->device == 0x0a0c) || \ + ((pci)->device == 0x0c0c) || \ + ((pci)->device == 0x0d0c) || \ + ((pci)->device == 0x160c) || \ + ((pci)->device == 0x490d) || \ + ((pci)->device == 0x4f90) || \ + ((pci)->device == 0x4f91) || \ +- ((pci)->device == 0x4f92)) ++ ((pci)->device == 0x4f92))) + + #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98) + +-- +2.39.2 + diff --git a/queue-5.15/block-null_blk-fix-handling-of-fake-timeout-request.patch b/queue-5.15/block-null_blk-fix-handling-of-fake-timeout-request.patch new file mode 100644 index 00000000000..08d72923746 --- /dev/null +++ b/queue-5.15/block-null_blk-fix-handling-of-fake-timeout-request.patch @@ -0,0 +1,57 @@ +From e7605940a0fcd6bfc5348963133e59f683b1495b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 13:11:05 +0900 +Subject: block: null_blk: Fix handling of fake timeout request + +From: Damien Le Moal + +[ Upstream commit 63f886597085f346276e3b3c8974de0100d65f32 ] + +When injecting a fake timeout into the null_blk driver using +fail_io_timeout, the request timeout handler does not execute +blk_mq_complete_request(), so the complete callback is never executed +for a timedout request. + +The null_blk driver also has a driver-specific fake timeout mechanism +which does not have this problem. Fix the problem with fail_io_timeout +by using the same meachanism as null_blk internal timeout feature, using +the fake_timeout field of null_blk commands. + +Reported-by: Akinobu Mita +Fixes: de3510e52b0a ("null_blk: fix command timeout completion handling") +Signed-off-by: Damien Le Moal +Reviewed-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20230314041106.19173-2-damien.lemoal@opensource.wdc.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c +index 4c8b4101516c3..033b0f64f2b9b 100644 +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -1314,8 +1314,7 @@ static inline void nullb_complete_cmd(struct nullb_cmd *cmd) + case NULL_IRQ_SOFTIRQ: + switch (cmd->nq->dev->queue_mode) { + case NULL_Q_MQ: +- if (likely(!blk_should_fake_timeout(cmd->rq->q))) +- blk_mq_complete_request(cmd->rq); ++ blk_mq_complete_request(cmd->rq); + break; + case NULL_Q_BIO: + /* +@@ -1491,7 +1490,8 @@ static blk_status_t null_queue_rq(struct blk_mq_hw_ctx *hctx, + cmd->rq = bd->rq; + cmd->error = BLK_STS_OK; + cmd->nq = nq; +- cmd->fake_timeout = should_timeout_request(bd->rq); ++ cmd->fake_timeout = should_timeout_request(bd->rq) || ++ blk_should_fake_timeout(bd->rq->q); + + blk_mq_start_request(bd->rq); + +-- +2.39.2 + diff --git a/queue-5.15/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch b/queue-5.15/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch new file mode 100644 index 00000000000..abf768914eb --- /dev/null +++ b/queue-5.15/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch @@ -0,0 +1,38 @@ +From 055bca5c3b6b0a566364722a24cb090dd4771ac8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:20:32 +0800 +Subject: block: sunvdc: add check for mdesc_grab() returning NULL + +From: Liang He + +[ Upstream commit 6030363199e3a6341afb467ddddbed56640cbf6a ] + +In vdc_port_probe(), we should check the return value of mdesc_grab() as +it may return NULL, which can cause potential NPD bug. + +Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20230315062032.1741692-1-windhl@126.com +[axboe: style cleanup] +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/sunvdc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c +index 4d4bb810c2aea..656d99faf40a2 100644 +--- a/drivers/block/sunvdc.c ++++ b/drivers/block/sunvdc.c +@@ -964,6 +964,8 @@ static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) + print_version(); + + hp = mdesc_grab(); ++ if (!hp) ++ return -ENODEV; + + err = -ENODEV; + if ((vdev->dev_no << PARTITION_SHIFT) & ~(u64)MINORMASK) { +-- +2.39.2 + diff --git a/queue-5.15/bonding-restore-bond-s-iff_slave-flag-if-a-non-eth-d.patch b/queue-5.15/bonding-restore-bond-s-iff_slave-flag-if-a-non-eth-d.patch new file mode 100644 index 00000000000..76749e49664 --- /dev/null +++ b/queue-5.15/bonding-restore-bond-s-iff_slave-flag-if-a-non-eth-d.patch @@ -0,0 +1,119 @@ +From 384930ade51ad1bbc1320e7379ad7fe3f43ba70c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 13:18:41 +0200 +Subject: bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails + +From: Nikolay Aleksandrov + +[ Upstream commit e667d469098671261d558be0cd93dca4d285ce1e ] + +syzbot reported a warning[1] where the bond device itself is a slave and +we try to enslave a non-ethernet device as the first slave which fails +but then in the error path when ether_setup() restores the bond device +it also clears all flags. In my previous fix[2] I restored the +IFF_MASTER flag, but I didn't consider the case that the bond device +itself might also be a slave with IFF_SLAVE set, so we need to restore +that flag as well. Use the bond_ether_setup helper which does the right +thing and restores the bond's flags properly. + +Steps to reproduce using a nlmon dev: + $ ip l add nlmon0 type nlmon + $ ip l add bond1 type bond + $ ip l add bond2 type bond + $ ip l set bond1 master bond2 + $ ip l set dev nlmon0 master bond1 + $ ip -d l sh dev bond1 + 22: bond1: mtu 1500 qdisc noqueue master bond2 state DOWN mode DEFAULT group default qlen 1000 + (now bond1's IFF_SLAVE flag is gone and we'll hit a warning[3] if we + try to delete it) + +[1] https://syzkaller.appspot.com/bug?id=391c7b1f6522182899efba27d891f1743e8eb3ef +[2] commit 7d5cd2ce5292 ("bonding: correctly handle bonding type change on enslave failure") +[3] example warning: + [ 27.008664] bond1: (slave nlmon0): The slave device specified does not support setting the MAC address + [ 27.008692] bond1: (slave nlmon0): Error -95 calling set_mac_address + [ 32.464639] bond1 (unregistering): Released all slaves + [ 32.464685] ------------[ cut here ]------------ + [ 32.464686] WARNING: CPU: 1 PID: 2004 at net/core/dev.c:10829 unregister_netdevice_many+0x72a/0x780 + [ 32.464694] Modules linked in: br_netfilter bridge bonding virtio_net + [ 32.464699] CPU: 1 PID: 2004 Comm: ip Kdump: loaded Not tainted 5.18.0-rc3+ #47 + [ 32.464703] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014 + [ 32.464704] RIP: 0010:unregister_netdevice_many+0x72a/0x780 + [ 32.464707] Code: 99 fd ff ff ba 90 1a 00 00 48 c7 c6 f4 02 66 96 48 c7 c7 20 4d 35 96 c6 05 fa c7 2b 02 01 e8 be 6f 4a 00 0f 0b e9 73 fd ff ff <0f> 0b e9 5f fd ff ff 80 3d e3 c7 2b 02 00 0f 85 3b fd ff ff ba 59 + [ 32.464710] RSP: 0018:ffffa006422d7820 EFLAGS: 00010206 + [ 32.464712] RAX: ffff8f6e077140a0 RBX: ffffa006422d7888 RCX: 0000000000000000 + [ 32.464714] RDX: ffff8f6e12edbe58 RSI: 0000000000000296 RDI: ffffffff96d4a520 + [ 32.464716] RBP: ffff8f6e07714000 R08: ffffffff96d63600 R09: ffffa006422d7728 + [ 32.464717] R10: 0000000000000ec0 R11: ffffffff9698c988 R12: ffff8f6e12edb140 + [ 32.464719] R13: dead000000000122 R14: dead000000000100 R15: ffff8f6e12edb140 + [ 32.464723] FS: 00007f297c2f1740(0000) GS:ffff8f6e5d900000(0000) knlGS:0000000000000000 + [ 32.464725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 32.464726] CR2: 00007f297bf1c800 CR3: 00000000115e8000 CR4: 0000000000350ee0 + [ 32.464730] Call Trace: + [ 32.464763] + [ 32.464767] rtnl_dellink+0x13e/0x380 + [ 32.464776] ? cred_has_capability.isra.0+0x68/0x100 + [ 32.464780] ? __rtnl_unlock+0x33/0x60 + [ 32.464783] ? bpf_lsm_capset+0x10/0x10 + [ 32.464786] ? security_capable+0x36/0x50 + [ 32.464790] rtnetlink_rcv_msg+0x14e/0x3b0 + [ 32.464792] ? _copy_to_iter+0xb1/0x790 + [ 32.464796] ? post_alloc_hook+0xa0/0x160 + [ 32.464799] ? rtnl_calcit.isra.0+0x110/0x110 + [ 32.464802] netlink_rcv_skb+0x50/0xf0 + [ 32.464806] netlink_unicast+0x216/0x340 + [ 32.464809] netlink_sendmsg+0x23f/0x480 + [ 32.464812] sock_sendmsg+0x5e/0x60 + [ 32.464815] ____sys_sendmsg+0x22c/0x270 + [ 32.464818] ? import_iovec+0x17/0x20 + [ 32.464821] ? sendmsg_copy_msghdr+0x59/0x90 + [ 32.464823] ? do_set_pte+0xa0/0xe0 + [ 32.464828] ___sys_sendmsg+0x81/0xc0 + [ 32.464832] ? mod_objcg_state+0xc6/0x300 + [ 32.464835] ? refill_obj_stock+0xa9/0x160 + [ 32.464838] ? memcg_slab_free_hook+0x1a5/0x1f0 + [ 32.464842] __sys_sendmsg+0x49/0x80 + [ 32.464847] do_syscall_64+0x3b/0x90 + [ 32.464851] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 32.464865] RIP: 0033:0x7f297bf2e5e7 + [ 32.464868] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 + [ 32.464869] RSP: 002b:00007ffd96c824c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + [ 32.464872] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f297bf2e5e7 + [ 32.464874] RDX: 0000000000000000 RSI: 00007ffd96c82540 RDI: 0000000000000003 + [ 32.464875] RBP: 00000000640f19de R08: 0000000000000001 R09: 000000000000007c + [ 32.464876] R10: 00007f297bffabe0 R11: 0000000000000246 R12: 0000000000000001 + [ 32.464877] R13: 00007ffd96c82d20 R14: 00007ffd96c82610 R15: 000055bfe38a7020 + [ 32.464881] + [ 32.464882] ---[ end trace 0000000000000000 ]--- + +Fixes: 7d5cd2ce5292 ("bonding: correctly handle bonding type change on enslave failure") +Reported-by: syzbot+9dfc3f3348729cc82277@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=391c7b1f6522182899efba27d891f1743e8eb3ef +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Michal Kubiak +Acked-by: Jonathan Toppins +Acked-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index b2db30d5f1f45..e1dc94f01cb5a 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2267,9 +2267,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + eth_hw_addr_random(bond_dev); + if (bond_dev->type != ARPHRD_ETHER) { + dev_close(bond_dev); +- ether_setup(bond_dev); +- bond_dev->flags |= IFF_MASTER; +- bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING; ++ bond_ether_setup(bond_dev); + } + } + +-- +2.39.2 + diff --git a/queue-5.15/bonding-restore-iff_master-slave-flags-on-bond-ensla.patch b/queue-5.15/bonding-restore-iff_master-slave-flags-on-bond-ensla.patch new file mode 100644 index 00000000000..d5434bbd784 --- /dev/null +++ b/queue-5.15/bonding-restore-iff_master-slave-flags-on-bond-ensla.patch @@ -0,0 +1,80 @@ +From 2cc9a79e26cbe8eb4384ce7fa36a23e9dda31d1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 13:18:40 +0200 +Subject: bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type + change + +From: Nikolay Aleksandrov + +[ Upstream commit 9ec7eb60dcbcb6c41076defbc5df7bbd95ceaba5 ] + +Add bond_ether_setup helper which is used to fix ether_setup() calls in the +bonding driver. It takes care of both IFF_MASTER and IFF_SLAVE flags, the +former is always restored and the latter only if it was set. +If the bond enslaves non-ARPHRD_ETHER device (changes its type), then +releases it and enslaves ARPHRD_ETHER device (changes back) then we +use ether_setup() to restore the bond device type but it also resets its +flags and removes IFF_MASTER and IFF_SLAVE[1]. Use the bond_ether_setup +helper to restore both after such transition. + +[1] reproduce (nlmon is non-ARPHRD_ETHER): + $ ip l add nlmon0 type nlmon + $ ip l add bond2 type bond mode active-backup + $ ip l set nlmon0 master bond2 + $ ip l set nlmon0 nomaster + $ ip l add bond1 type bond + (we use bond1 as ARPHRD_ETHER device to restore bond2's mode) + $ ip l set bond1 master bond2 + $ ip l sh dev bond2 + 37: bond2: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 + link/ether be:d7:c5:40:5b:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 1500 + (notice bond2's IFF_MASTER is missing) + +Fixes: e36b9d16c6a6 ("bonding: clean muticast addresses when device changes type") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 456298919d541..b2db30d5f1f45 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1744,6 +1744,19 @@ void bond_lower_state_changed(struct slave *slave) + slave_err(bond_dev, slave_dev, "Error: %s\n", errmsg); \ + } while (0) + ++/* The bonding driver uses ether_setup() to convert a master bond device ++ * to ARPHRD_ETHER, that resets the target netdevice's flags so we always ++ * have to restore the IFF_MASTER flag, and only restore IFF_SLAVE if it was set ++ */ ++static void bond_ether_setup(struct net_device *bond_dev) ++{ ++ unsigned int slave_flag = bond_dev->flags & IFF_SLAVE; ++ ++ ether_setup(bond_dev); ++ bond_dev->flags |= IFF_MASTER | slave_flag; ++ bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING; ++} ++ + /* enslave device to bond device */ + int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + struct netlink_ext_ack *extack) +@@ -1835,10 +1848,8 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + + if (slave_dev->type != ARPHRD_ETHER) + bond_setup_by_slave(bond_dev, slave_dev); +- else { +- ether_setup(bond_dev); +- bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING; +- } ++ else ++ bond_ether_setup(bond_dev); + + call_netdevice_notifiers(NETDEV_POST_TYPE_CHANGE, + bond_dev); +-- +2.39.2 + diff --git a/queue-5.15/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch b/queue-5.15/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch new file mode 100644 index 00000000000..fa2c2d47d63 --- /dev/null +++ b/queue-5.15/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch @@ -0,0 +1,117 @@ +From b8eaee2477d8271d7e694a215936eee4871a0d7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 11:11:36 +0800 +Subject: cifs: Move the in_send statistic to __smb_send_rqst() + +From: Zhang Xiaoxu + +[ Upstream commit d0dc41119905f740e8d5594adce277f7c0de8c92 ] + +When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the +in_send statistic was lost. + +Let's move the in_send statistic to the send function to avoid +this scenario. + +Fixes: 7ee1af765dfa ("[CIFS]") +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/transport.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c +index 514056605fa7a..49b7edbe34975 100644 +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -299,7 +299,7 @@ static int + __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + struct smb_rqst *rqst) + { +- int rc = 0; ++ int rc; + struct kvec *iov; + int n_vec; + unsigned int send_length = 0; +@@ -310,6 +310,7 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + struct msghdr smb_msg = {}; + __be32 rfc1002_marker; + ++ cifs_in_send_inc(server); + if (cifs_rdma_enabled(server)) { + /* return -EAGAIN when connecting or reconnecting */ + rc = -EAGAIN; +@@ -318,14 +319,17 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + goto smbd_done; + } + ++ rc = -EAGAIN; + if (ssocket == NULL) +- return -EAGAIN; ++ goto out; + ++ rc = -ERESTARTSYS; + if (fatal_signal_pending(current)) { + cifs_dbg(FYI, "signal pending before send request\n"); +- return -ERESTARTSYS; ++ goto out; + } + ++ rc = 0; + /* cork the socket */ + tcp_sock_set_cork(ssocket->sk, true); + +@@ -438,7 +442,8 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + rc); + else if (rc > 0) + rc = 0; +- ++out: ++ cifs_in_send_dec(server); + return rc; + } + +@@ -855,9 +860,7 @@ cifs_call_async(struct TCP_Server_Info *server, struct smb_rqst *rqst, + * I/O response may come back and free the mid entry on another thread. + */ + cifs_save_when_sent(mid); +- cifs_in_send_inc(server); + rc = smb_send_rqst(server, 1, rqst, flags); +- cifs_in_send_dec(server); + + if (rc < 0) { + revert_current_mid(server, mid->credits); +@@ -1149,9 +1152,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses, + else + midQ[i]->callback = cifs_compound_last_callback; + } +- cifs_in_send_inc(server); + rc = smb_send_rqst(server, num_rqst, rqst, flags); +- cifs_in_send_dec(server); + + for (i = 0; i < num_rqst; i++) + cifs_save_when_sent(midQ[i]); +@@ -1388,9 +1389,7 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses, + + midQ->mid_state = MID_REQUEST_SUBMITTED; + +- cifs_in_send_inc(server); + rc = smb_send(server, in_buf, len); +- cifs_in_send_dec(server); + cifs_save_when_sent(midQ); + + if (rc < 0) +@@ -1527,9 +1526,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon, + } + + midQ->mid_state = MID_REQUEST_SUBMITTED; +- cifs_in_send_inc(server); + rc = smb_send(server, in_buf, len); +- cifs_in_send_dec(server); + cifs_save_when_sent(midQ); + + if (rc < 0) +-- +2.39.2 + diff --git a/queue-5.15/clk-hi655x-select-regmap-instead-of-depending-on-it.patch b/queue-5.15/clk-hi655x-select-regmap-instead-of-depending-on-it.patch new file mode 100644 index 00000000000..aee5d755d1a --- /dev/null +++ b/queue-5.15/clk-hi655x-select-regmap-instead-of-depending-on-it.patch @@ -0,0 +1,47 @@ +From b7a62ee57a7489a0fa83a38b7af6ed6175f7d176 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Feb 2023 21:39:47 -0800 +Subject: clk: HI655X: select REGMAP instead of depending on it + +From: Randy Dunlap + +[ Upstream commit 0ffad67784a097beccf34d297ddd1b0773b3b8a3 ] + +REGMAP is a hidden (not user visible) symbol. Users cannot set it +directly thru "make *config", so drivers should select it instead of +depending on it if they need it. + +Consistently using "select" or "depends on" can also help reduce +Kconfig circular dependency issues. + +Therefore, change the use of "depends on REGMAP" to "select REGMAP". + +Fixes: 3a49afb84ca0 ("clk: enable hi655x common clk automatically") +Signed-off-by: Randy Dunlap +Cc: Riku Voipio +Cc: Stephen Boyd +Cc: Michael Turquette +Cc: linux-clk@vger.kernel.org +Link: https://lore.kernel.org/r/20230226053953.4681-3-rdunlap@infradead.org +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/Kconfig b/drivers/clk/Kconfig +index c5b3dc97396a6..100e474ff3dc5 100644 +--- a/drivers/clk/Kconfig ++++ b/drivers/clk/Kconfig +@@ -83,7 +83,7 @@ config COMMON_CLK_RK808 + config COMMON_CLK_HI655X + tristate "Clock driver for Hi655x" if EXPERT + depends on (MFD_HI655X_PMIC || COMPILE_TEST) +- depends on REGMAP ++ select REGMAP + default MFD_HI655X_PMIC + help + This driver supports the hi655x PMIC clock. This +-- +2.39.2 + diff --git a/queue-5.15/docs-correct-missing-d_-prefix-for-dentry_operations.patch b/queue-5.15/docs-correct-missing-d_-prefix-for-dentry_operations.patch new file mode 100644 index 00000000000..a1758435a43 --- /dev/null +++ b/queue-5.15/docs-correct-missing-d_-prefix-for-dentry_operations.patch @@ -0,0 +1,39 @@ +From 85fc3fdc8511a1a83be1052f2cee59a9128e2414 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 12:40:42 -0600 +Subject: docs: Correct missing "d_" prefix for dentry_operations member + d_weak_revalidate + +From: Glenn Washburn + +[ Upstream commit 74596085796fae0cfce3e42ee46bf4f8acbdac55 ] + +The details for struct dentry_operations member d_weak_revalidate is +missing a "d_" prefix. + +Fixes: af96c1e304f7 ("docs: filesystems: vfs: Convert vfs.txt to RST") +Signed-off-by: Glenn Washburn +Reviewed-by: Matthew Wilcox (Oracle) +Link: https://lore.kernel.org/r/20230227184042.2375235-1-development@efficientek.com +Signed-off-by: Jonathan Corbet +Signed-off-by: Sasha Levin +--- + Documentation/filesystems/vfs.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/filesystems/vfs.rst b/Documentation/filesystems/vfs.rst +index a99c1c338e8f4..a15527940b461 100644 +--- a/Documentation/filesystems/vfs.rst ++++ b/Documentation/filesystems/vfs.rst +@@ -1210,7 +1210,7 @@ defined: + return + -ECHILD and it will be called again in ref-walk mode. + +-``_weak_revalidate`` ++``d_weak_revalidate`` + called when the VFS needs to revalidate a "jumped" dentry. This + is called when a path-walk ends at dentry that was not acquired + by doing a lookup in the parent directory. This includes "/", +-- +2.39.2 + diff --git a/queue-5.15/drm-bridge-fix-returned-array-size-name-for-atomic_g.patch b/queue-5.15/drm-bridge-fix-returned-array-size-name-for-atomic_g.patch new file mode 100644 index 00000000000..8a63c4182f8 --- /dev/null +++ b/queue-5.15/drm-bridge-fix-returned-array-size-name-for-atomic_g.patch @@ -0,0 +1,47 @@ +From 2ec24d01fefa76b8080a9723393c2a47251823d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 13:50:35 +0800 +Subject: drm/bridge: Fix returned array size name for + atomic_get_input_bus_fmts kdoc + +From: Liu Ying + +[ Upstream commit 0d3c9333d976af41d7dbc6bf4d9d2e95fbdf9c89 ] + +The returned array size for input formats is set through +atomic_get_input_bus_fmts()'s 'num_input_fmts' argument, so use +'num_input_fmts' to represent the array size in the function's kdoc, +not 'num_output_fmts'. + +Fixes: 91ea83306bfa ("drm/bridge: Fix the bridge kernel doc") +Fixes: f32df58acc68 ("drm/bridge: Add the necessary bits to support bus format negotiation") +Signed-off-by: Liu Ying +Reviewed-by: Robert Foss +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230314055035.3731179-1-victor.liu@nxp.com +Signed-off-by: Sasha Levin +--- + include/drm/drm_bridge.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h +index 1648ce265cba0..c84783cd5abd7 100644 +--- a/include/drm/drm_bridge.h ++++ b/include/drm/drm_bridge.h +@@ -447,11 +447,11 @@ struct drm_bridge_funcs { + * + * The returned array must be allocated with kmalloc() and will be + * freed by the caller. If the allocation fails, NULL should be +- * returned. num_output_fmts must be set to the returned array size. ++ * returned. num_input_fmts must be set to the returned array size. + * Formats listed in the returned array should be listed in decreasing + * preference order (the core will try all formats until it finds one + * that works). When the format is not supported NULL should be +- * returned and num_output_fmts should be set to 0. ++ * returned and num_input_fmts should be set to 0. + * + * This method is called on all elements of the bridge chain as part of + * the bus format negotiation process that happens in +-- +2.39.2 + diff --git a/queue-5.15/drm-i915-display-clean-up-comments.patch b/queue-5.15/drm-i915-display-clean-up-comments.patch new file mode 100644 index 00000000000..cac421ffbd7 --- /dev/null +++ b/queue-5.15/drm-i915-display-clean-up-comments.patch @@ -0,0 +1,68 @@ +From 97b6e403e95c739366197b7990e747b6b0cb53ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 16:32:36 -0400 +Subject: drm/i915/display: clean up comments + +From: Tom Rix + +[ Upstream commit 3461b040a90d723c93c9d1c7c11e3464f5cadc0e ] + +spelling changes +resoluition -> resolution +dont -> don't +commmit -> commit +Invalidade -> Invalidate + +Signed-off-by: Tom Rix +Reviewed-by: Matt Roper +Signed-off-by: Matt Roper +Link: https://patchwork.freedesktop.org/patch/msgid/20220701203236.1871668-1-trix@redhat.com +Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_psr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index 21d58d22c82ee..5f9894e3c7aa7 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -580,7 +580,7 @@ static void hsw_activate_psr2(struct intel_dp *intel_dp) + /* + * TODO: 7 lines of IO_BUFFER_WAKE and FAST_WAKE are default + * values from BSpec. In order to setting an optimal power +- * consumption, lower than 4k resoluition mode needs to decrese ++ * consumption, lower than 4k resolution mode needs to decrease + * IO_BUFFER_WAKE and FAST_WAKE. And higher than 4K resolution + * mode needs to increase IO_BUFFER_WAKE and FAST_WAKE. + */ +@@ -986,7 +986,7 @@ void intel_psr_compute_config(struct intel_dp *intel_dp, + int psr_setup_time; + + /* +- * Current PSR panels dont work reliably with VRR enabled ++ * Current PSR panels don't work reliably with VRR enabled + * So if VRR is enabled, do not enable PSR. + */ + if (crtc_state->vrr.enable) +@@ -1619,7 +1619,7 @@ static void cursor_area_workaround(const struct intel_plane_state *new_plane_sta + * + * Plane scaling and rotation is not supported by selective fetch and both + * properties can change without a modeset, so need to be check at every +- * atomic commmit. ++ * atomic commit. + */ + static bool psr2_sel_fetch_plane_state_supported(const struct intel_plane_state *plane_state) + { +@@ -2067,7 +2067,7 @@ static void intel_psr_work(struct work_struct *work) + } + + /** +- * intel_psr_invalidate - Invalidade PSR ++ * intel_psr_invalidate - Invalidate PSR + * @dev_priv: i915 device + * @frontbuffer_bits: frontbuffer plane tracking bits + * @origin: which operation caused the invalidate +-- +2.39.2 + diff --git a/queue-5.15/drm-i915-display-psr-handle-plane-and-pipe-restricti.patch b/queue-5.15/drm-i915-display-psr-handle-plane-and-pipe-restricti.patch new file mode 100644 index 00000000000..833ff1b9053 --- /dev/null +++ b/queue-5.15/drm-i915-display-psr-handle-plane-and-pipe-restricti.patch @@ -0,0 +1,162 @@ +From 974b629a68de59a80bd2e055be6df410d2c50ceb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 17:14:01 -0700 +Subject: drm/i915/display/psr: Handle plane and pipe restrictions at every + page flip +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Roberto de Souza + +[ Upstream commit ac220f5f754b1d2f4a69428f515c3f1b10d1fad0 ] + +PSR2 selective is not supported over rotated and scaled planes. +We had the rotation check in intel_psr2_sel_fetch_config_valid() +but that code path is only execute when a modeset is needed and +those plane parameters can change without a modeset. + +Pipe selective fetch restrictions are also needed, it could be added +in intel_psr_compute_config() but pippe scaling is computed after +it is executed, so leaving as is for now. +There is no much loss in this approach as it would cause selective +fetch to not enabled as for alderlake-P and newer will cause it to +switch to PSR1 that will have the same power-savings as do full pipe +fetch. + +Also need to check those restricions in the second +for_each_oldnew_intel_plane_in_state() loop because the state could +only have a plane that is not affected by those restricitons but +the damaged area intersect with planes that has those restrictions, +so a full pipe fetch is required. + +v2: +- also handling pipe restrictions + +BSpec: 55229 +Reviewed-by: Gwan-gyeong Mun # v1 +Cc: Ville Syrjälä +Cc: Gwan-gyeong Mun +Signed-off-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20210930001409.254817-1-jose.souza@intel.com +Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_psr.c | 65 +++++++++++++++++------- + 1 file changed, 46 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index 5e7827b076028..21d58d22c82ee 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -756,11 +756,7 @@ tgl_dc3co_exitline_compute_config(struct intel_dp *intel_dp, + static bool intel_psr2_sel_fetch_config_valid(struct intel_dp *intel_dp, + struct intel_crtc_state *crtc_state) + { +- struct intel_atomic_state *state = to_intel_atomic_state(crtc_state->uapi.state); + struct drm_i915_private *dev_priv = dp_to_i915(intel_dp); +- struct intel_plane_state *plane_state; +- struct intel_plane *plane; +- int i; + + if (!dev_priv->params.enable_psr2_sel_fetch && + intel_dp->psr.debug != I915_PSR_DEBUG_ENABLE_SEL_FETCH) { +@@ -775,14 +771,6 @@ static bool intel_psr2_sel_fetch_config_valid(struct intel_dp *intel_dp, + return false; + } + +- for_each_new_intel_plane_in_state(state, plane, plane_state, i) { +- if (plane_state->uapi.rotation != DRM_MODE_ROTATE_0) { +- drm_dbg_kms(&dev_priv->drm, +- "PSR2 sel fetch not enabled, plane rotated\n"); +- return false; +- } +- } +- + /* Wa_14010254185 Wa_14010103792 */ + if (IS_TGL_DISPLAY_STEP(dev_priv, STEP_A0, STEP_C0)) { + drm_dbg_kms(&dev_priv->drm, +@@ -1624,6 +1612,41 @@ static void cursor_area_workaround(const struct intel_plane_state *new_plane_sta + clip_area_update(pipe_clip, damaged_area); + } + ++/* ++ * TODO: Not clear how to handle planes with negative position, ++ * also planes are not updated if they have a negative X ++ * position so for now doing a full update in this cases ++ * ++ * Plane scaling and rotation is not supported by selective fetch and both ++ * properties can change without a modeset, so need to be check at every ++ * atomic commmit. ++ */ ++static bool psr2_sel_fetch_plane_state_supported(const struct intel_plane_state *plane_state) ++{ ++ if (plane_state->uapi.dst.y1 < 0 || ++ plane_state->uapi.dst.x1 < 0 || ++ plane_state->scaler_id >= 0 || ++ plane_state->uapi.rotation != DRM_MODE_ROTATE_0) ++ return false; ++ ++ return true; ++} ++ ++/* ++ * Check for pipe properties that is not supported by selective fetch. ++ * ++ * TODO: pipe scaling causes a modeset but skl_update_scaler_crtc() is executed ++ * after intel_psr_compute_config(), so for now keeping PSR2 selective fetch ++ * enabled and going to the full update path. ++ */ ++static bool psr2_sel_fetch_pipe_state_supported(const struct intel_crtc_state *crtc_state) ++{ ++ if (crtc_state->scaler_state.scaler_id >= 0) ++ return false; ++ ++ return true; ++} ++ + int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + struct intel_crtc *crtc) + { +@@ -1637,6 +1660,11 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + if (!crtc_state->enable_psr2_sel_fetch) + return 0; + ++ if (!psr2_sel_fetch_pipe_state_supported(crtc_state)) { ++ full_update = true; ++ goto skip_sel_fetch_set_loop; ++ } ++ + /* + * Calculate minimal selective fetch area of each plane and calculate + * the pipe damaged area. +@@ -1656,13 +1684,7 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + !old_plane_state->uapi.visible) + continue; + +- /* +- * TODO: Not clear how to handle planes with negative position, +- * also planes are not updated if they have a negative X +- * position so for now doing a full update in this cases +- */ +- if (new_plane_state->uapi.dst.y1 < 0 || +- new_plane_state->uapi.dst.x1 < 0) { ++ if (!psr2_sel_fetch_plane_state_supported(new_plane_state)) { + full_update = true; + break; + } +@@ -1741,6 +1763,11 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + if (!drm_rect_intersect(&inter, &new_plane_state->uapi.dst)) + continue; + ++ if (!psr2_sel_fetch_plane_state_supported(new_plane_state)) { ++ full_update = true; ++ break; ++ } ++ + sel_fetch_area = &new_plane_state->psr2_sel_fetch_area; + sel_fetch_area->y1 = inter.y1 - new_plane_state->uapi.dst.y1; + sel_fetch_area->y2 = inter.y2 - new_plane_state->uapi.dst.y1; +-- +2.39.2 + diff --git a/queue-5.15/drm-i915-display-psr-use-drm-damage-helpers-to-calcu.patch b/queue-5.15/drm-i915-display-psr-use-drm-damage-helpers-to-calcu.patch new file mode 100644 index 00000000000..8a54423a5fb --- /dev/null +++ b/queue-5.15/drm-i915-display-psr-use-drm-damage-helpers-to-calcu.patch @@ -0,0 +1,134 @@ +From 26b5e1c756413921e72ec159dd2c436489013791 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 14:25:06 -0700 +Subject: drm/i915/display/psr: Use drm damage helpers to calculate plane + damaged area +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Roberto de Souza + +[ Upstream commit af7ea1e22afc7ce7773b2e4562df4370c8c711ea ] + +drm_atomic_helper_damage_iter_init() + drm_atomic_for_each_plane_damage() +returns the full plane area in case no damaged area was set by +userspace or it was discarted by driver. + +This is important to fix the rendering of userspace applications that +does frontbuffer rendering and notify driver about dirty areas but do +not set any dirty clips. + +With this we don't need to worry about to check and mark the whole +area as damaged in page flips. + +Another important change here is the move of +drm_atomic_add_affected_planes() call, it needs to called late +otherwise the area of all the planes would be added to pipe_clip and +not saving power. + +Cc: Daniel Vetter +Cc: Gwan-gyeong Mun +Reviewed-by: Gwan-gyeong Mun +Signed-off-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20210914212507.177511-4-jose.souza@intel.com +Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_psr.c | 37 +++++++++--------------- + 1 file changed, 13 insertions(+), 24 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index b4b193c2bc32e..5e7827b076028 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -22,6 +22,7 @@ + */ + + #include ++#include + + #include "display/intel_dp.h" + +@@ -1636,10 +1637,6 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + if (!crtc_state->enable_psr2_sel_fetch) + return 0; + +- ret = drm_atomic_add_affected_planes(&state->base, &crtc->base); +- if (ret) +- return ret; +- + /* + * Calculate minimal selective fetch area of each plane and calculate + * the pipe damaged area. +@@ -1649,8 +1646,8 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + for_each_oldnew_intel_plane_in_state(state, plane, old_plane_state, + new_plane_state, i) { + struct drm_rect src, damaged_area = { .y1 = -1 }; +- struct drm_mode_rect *damaged_clips; +- u32 num_clips, j; ++ struct drm_atomic_helper_damage_iter iter; ++ struct drm_rect clip; + + if (new_plane_state->uapi.crtc != crtc_state->uapi.crtc) + continue; +@@ -1670,8 +1667,6 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + break; + } + +- num_clips = drm_plane_get_damage_clips_count(&new_plane_state->uapi); +- + /* + * If visibility or plane moved, mark the whole plane area as + * damaged as it needs to be complete redraw in the new and old +@@ -1695,14 +1690,8 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + cursor_area_workaround(new_plane_state, &damaged_area, + &pipe_clip); + continue; +- } else if (new_plane_state->uapi.alpha != old_plane_state->uapi.alpha || +- (!num_clips && +- new_plane_state->uapi.fb != old_plane_state->uapi.fb)) { +- /* +- * If the plane don't have damaged areas but the +- * framebuffer changed or alpha changed, mark the whole +- * plane area as damaged. +- */ ++ } else if (new_plane_state->uapi.alpha != old_plane_state->uapi.alpha) { ++ /* If alpha changed mark the whole plane area as damaged */ + damaged_area.y1 = new_plane_state->uapi.dst.y1; + damaged_area.y2 = new_plane_state->uapi.dst.y2; + clip_area_update(&pipe_clip, &damaged_area); +@@ -1710,15 +1699,11 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + } + + drm_rect_fp_to_int(&src, &new_plane_state->uapi.src); +- damaged_clips = drm_plane_get_damage_clips(&new_plane_state->uapi); +- +- for (j = 0; j < num_clips; j++) { +- struct drm_rect clip; + +- clip.x1 = damaged_clips[j].x1; +- clip.y1 = damaged_clips[j].y1; +- clip.x2 = damaged_clips[j].x2; +- clip.y2 = damaged_clips[j].y2; ++ drm_atomic_helper_damage_iter_init(&iter, ++ &old_plane_state->uapi, ++ &new_plane_state->uapi); ++ drm_atomic_for_each_plane_damage(&iter, &clip) { + if (drm_rect_intersect(&clip, &src)) + clip_area_update(&damaged_area, &clip); + } +@@ -1734,6 +1719,10 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + if (full_update) + goto skip_sel_fetch_set_loop; + ++ ret = drm_atomic_add_affected_planes(&state->base, &crtc->base); ++ if (ret) ++ return ret; ++ + intel_psr2_sel_fetch_pipe_alignment(crtc_state, &pipe_clip); + + /* +-- +2.39.2 + diff --git a/queue-5.15/drm-i915-display-workaround-cursor-left-overs-with-p.patch b/queue-5.15/drm-i915-display-workaround-cursor-left-overs-with-p.patch new file mode 100644 index 00000000000..3e4ad3645c9 --- /dev/null +++ b/queue-5.15/drm-i915-display-workaround-cursor-left-overs-with-p.patch @@ -0,0 +1,76 @@ +From 7a200aea2dbe8ef0d3517dc31bf25d4b72631075 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 14:25:05 -0700 +Subject: drm/i915/display: Workaround cursor left overs with PSR2 selective + fetch enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Roberto de Souza + +[ Upstream commit 1f3a11c341ab211d6ba55ef3d58026b7b5319945 ] + +Not sure why but when moving the cursor fast it causes some artifacts +of the cursor to be left in the cursor path, adding some pixels above +the cursor to the damaged area fixes the issue, so leaving this as a +workaround until proper fix is found. + +This is reproducile on TGL and ADL-P. + +Cc: Gwan-gyeong Mun +Reviewed-by: Gwan-gyeong Mun +Signed-off-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20210914212507.177511-3-jose.souza@intel.com +Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_psr.c | 25 ++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index a3d0c57ec0f0b..b4b193c2bc32e 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -1601,6 +1601,28 @@ static void intel_psr2_sel_fetch_pipe_alignment(const struct intel_crtc_state *c + drm_warn(&dev_priv->drm, "Missing PSR2 sel fetch alignment with DSC\n"); + } + ++/* ++ * FIXME: Not sure why but when moving the cursor fast it causes some artifacts ++ * of the cursor to be left in the cursor path, adding some pixels above the ++ * cursor to the damaged area fixes the issue. ++ */ ++static void cursor_area_workaround(const struct intel_plane_state *new_plane_state, ++ struct drm_rect *damaged_area, ++ struct drm_rect *pipe_clip) ++{ ++ const struct intel_plane *plane = to_intel_plane(new_plane_state->uapi.plane); ++ int height; ++ ++ if (plane->id != PLANE_CURSOR) ++ return; ++ ++ height = drm_rect_height(&new_plane_state->uapi.dst) / 2; ++ damaged_area->y1 -= height; ++ damaged_area->y1 = max(damaged_area->y1, 0); ++ ++ clip_area_update(pipe_clip, damaged_area); ++} ++ + int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + struct intel_crtc *crtc) + { +@@ -1669,6 +1691,9 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state, + damaged_area.y2 = new_plane_state->uapi.dst.y2; + clip_area_update(&pipe_clip, &damaged_area); + } ++ ++ cursor_area_workaround(new_plane_state, &damaged_area, ++ &pipe_clip); + continue; + } else if (new_plane_state->uapi.alpha != old_plane_state->uapi.alpha || + (!num_clips && +-- +2.39.2 + diff --git a/queue-5.15/drm-i915-psr-use-calculated-io-and-fast-wake-lines.patch b/queue-5.15/drm-i915-psr-use-calculated-io-and-fast-wake-lines.patch new file mode 100644 index 00000000000..7193e8db8b9 --- /dev/null +++ b/queue-5.15/drm-i915-psr-use-calculated-io-and-fast-wake-lines.patch @@ -0,0 +1,174 @@ +From 26e915179963c5cc6271e89e536367c960b5f875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Feb 2023 10:53:04 +0200 +Subject: drm/i915/psr: Use calculated io and fast wake lines +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +[ Upstream commit 71c602103c74b277bef3d20a308874a33ec8326d ] + +Currently we are using hardcoded 7 for io and fast wake lines. + +According to Bspec io and fast wake times are both 42us for +DISPLAY_VER >= 12 and 50us and 32us for older platforms. + +Calculate line counts for these and configure them into PSR2_CTL +accordingly + +Use 45 us for the fast wake calculation as 42 seems to be too +tight based on testing. + +Bspec: 49274, 4289 + +Cc: Mika Kahola +Cc: José Roberto de Souza +Fixes: 64cf40a125ff ("drm/i915/psr: Program default IO buffer Wake and Fast Wake") +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7725 +Signed-off-by: Jouni Högander +Reviewed-by: Stanislav Lisovskiy +Link: https://patchwork.freedesktop.org/patch/msgid/20230221085304.3382297-1-jouni.hogander@intel.com +(cherry picked from commit cb42e8ede5b475c096e473b86c356b1158b4bc3b) +Signed-off-by: Jani Nikula +Signed-off-by: Sasha Levin +--- + .../drm/i915/display/intel_display_types.h | 2 + + drivers/gpu/drm/i915/display/intel_psr.c | 78 +++++++++++++++---- + 2 files changed, 63 insertions(+), 17 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_display_types.h b/drivers/gpu/drm/i915/display/intel_display_types.h +index b56850d964919..90e055f056994 100644 +--- a/drivers/gpu/drm/i915/display/intel_display_types.h ++++ b/drivers/gpu/drm/i915/display/intel_display_types.h +@@ -1520,6 +1520,8 @@ struct intel_psr { + bool psr2_sel_fetch_enabled; + bool req_psr2_sdp_prior_scanline; + u8 sink_sync_latency; ++ u8 io_wake_lines; ++ u8 fast_wake_lines; + ktime_t last_entry_attempt; + ktime_t last_exit; + bool sink_not_reliable; +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index 5f9894e3c7aa7..cf1e92486cbc9 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -549,6 +549,14 @@ static void hsw_activate_psr2(struct intel_dp *intel_dp) + val |= EDP_PSR2_FRAME_BEFORE_SU(intel_dp->psr.sink_sync_latency + 1); + val |= intel_psr2_get_tp_time(intel_dp); + ++ if (DISPLAY_VER(dev_priv) >= 12) { ++ if (intel_dp->psr.io_wake_lines < 9 && ++ intel_dp->psr.fast_wake_lines < 9) ++ val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_2; ++ else ++ val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_3; ++ } ++ + /* Wa_22012278275:adl-p */ + if (IS_ADLP_DISPLAY_STEP(dev_priv, STEP_A0, STEP_E0)) { + static const u8 map[] = { +@@ -565,31 +573,21 @@ static void hsw_activate_psr2(struct intel_dp *intel_dp) + * Still using the default IO_BUFFER_WAKE and FAST_WAKE, see + * comments bellow for more information + */ +- u32 tmp, lines = 7; ++ u32 tmp; + +- val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_2; +- +- tmp = map[lines - TGL_EDP_PSR2_IO_BUFFER_WAKE_MIN_LINES]; ++ tmp = map[intel_dp->psr.io_wake_lines - TGL_EDP_PSR2_IO_BUFFER_WAKE_MIN_LINES]; + tmp = tmp << TGL_EDP_PSR2_IO_BUFFER_WAKE_SHIFT; + val |= tmp; + +- tmp = map[lines - TGL_EDP_PSR2_FAST_WAKE_MIN_LINES]; ++ tmp = map[intel_dp->psr.fast_wake_lines - TGL_EDP_PSR2_FAST_WAKE_MIN_LINES]; + tmp = tmp << TGL_EDP_PSR2_FAST_WAKE_MIN_SHIFT; + val |= tmp; + } else if (DISPLAY_VER(dev_priv) >= 12) { +- /* +- * TODO: 7 lines of IO_BUFFER_WAKE and FAST_WAKE are default +- * values from BSpec. In order to setting an optimal power +- * consumption, lower than 4k resolution mode needs to decrease +- * IO_BUFFER_WAKE and FAST_WAKE. And higher than 4K resolution +- * mode needs to increase IO_BUFFER_WAKE and FAST_WAKE. +- */ +- val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_2; +- val |= TGL_EDP_PSR2_IO_BUFFER_WAKE(7); +- val |= TGL_EDP_PSR2_FAST_WAKE(7); ++ val |= TGL_EDP_PSR2_IO_BUFFER_WAKE(intel_dp->psr.io_wake_lines); ++ val |= TGL_EDP_PSR2_FAST_WAKE(intel_dp->psr.fast_wake_lines); + } else if (DISPLAY_VER(dev_priv) >= 9) { +- val |= EDP_PSR2_IO_BUFFER_WAKE(7); +- val |= EDP_PSR2_FAST_WAKE(7); ++ val |= EDP_PSR2_IO_BUFFER_WAKE(intel_dp->psr.io_wake_lines); ++ val |= EDP_PSR2_FAST_WAKE(intel_dp->psr.fast_wake_lines); + } + + if (intel_dp->psr.req_psr2_sdp_prior_scanline) +@@ -842,6 +840,46 @@ static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_d + return true; + } + ++static bool _compute_psr2_wake_times(struct intel_dp *intel_dp, ++ struct intel_crtc_state *crtc_state) ++{ ++ struct drm_i915_private *i915 = dp_to_i915(intel_dp); ++ int io_wake_lines, io_wake_time, fast_wake_lines, fast_wake_time; ++ u8 max_wake_lines; ++ ++ if (DISPLAY_VER(i915) >= 12) { ++ io_wake_time = 42; ++ /* ++ * According to Bspec it's 42us, but based on testing ++ * it is not enough -> use 45 us. ++ */ ++ fast_wake_time = 45; ++ max_wake_lines = 12; ++ } else { ++ io_wake_time = 50; ++ fast_wake_time = 32; ++ max_wake_lines = 8; ++ } ++ ++ io_wake_lines = intel_usecs_to_scanlines( ++ &crtc_state->uapi.adjusted_mode, io_wake_time); ++ fast_wake_lines = intel_usecs_to_scanlines( ++ &crtc_state->uapi.adjusted_mode, fast_wake_time); ++ ++ if (io_wake_lines > max_wake_lines || ++ fast_wake_lines > max_wake_lines) ++ return false; ++ ++ if (i915->params.psr_safest_params) ++ io_wake_lines = fast_wake_lines = max_wake_lines; ++ ++ /* According to Bspec lower limit should be set as 7 lines. */ ++ intel_dp->psr.io_wake_lines = max(io_wake_lines, 7); ++ intel_dp->psr.fast_wake_lines = max(fast_wake_lines, 7); ++ ++ return true; ++} ++ + static bool intel_psr2_config_valid(struct intel_dp *intel_dp, + struct intel_crtc_state *crtc_state) + { +@@ -939,6 +977,12 @@ static bool intel_psr2_config_valid(struct intel_dp *intel_dp, + return false; + } + ++ if (!_compute_psr2_wake_times(intel_dp, crtc_state)) { ++ drm_dbg_kms(&dev_priv->drm, ++ "PSR2 not enabled, Unable to use long enough wake times\n"); ++ return false; ++ } ++ + if (HAS_PSR2_SEL_FETCH(dev_priv)) { + if (!intel_psr2_sel_fetch_config_valid(intel_dp, crtc_state) && + !HAS_PSR_HW_TRACKING(dev_priv)) { +-- +2.39.2 + diff --git a/queue-5.15/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch b/queue-5.15/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch new file mode 100644 index 00000000000..9d62db7bab7 --- /dev/null +++ b/queue-5.15/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch @@ -0,0 +1,45 @@ +From 2664ebfbe23e8584288aa134c17d30fac7182b8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 12:33:12 +0000 +Subject: drm/meson: fix 1px pink line on GXM when scaling video overlay + +From: Christian Hewitt + +[ Upstream commit 5c8cf1664f288098a971a1d1e65716a2b6a279e1 ] + +Playing media with a resolution smaller than the crtc size requires the +video overlay to be scaled for output and GXM boards display a 1px pink +line on the bottom of the scaled overlay. Comparing with the downstream +vendor driver revealed VPP_DUMMY_DATA not being set [0]. + +Setting VPP_DUMMY_DATA prevents the 1px pink line from being seen. + +[0] https://github.com/endlessm/linux-s905x/blob/master/drivers/amlogic/amports/video.c#L7869 + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Suggested-by: Martin Blumenstingl +Signed-off-by: Christian Hewitt +Acked-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230303123312.155164-1-christianshewitt@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_vpp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/meson/meson_vpp.c b/drivers/gpu/drm/meson/meson_vpp.c +index 154837688ab0d..5df1957c8e41f 100644 +--- a/drivers/gpu/drm/meson/meson_vpp.c ++++ b/drivers/gpu/drm/meson/meson_vpp.c +@@ -100,6 +100,8 @@ void meson_vpp_init(struct meson_drm *priv) + priv->io_base + _REG(VPP_DOLBY_CTRL)); + writel_relaxed(0x1020080, + priv->io_base + _REG(VPP_DUMMY_DATA1)); ++ writel_relaxed(0x42020, ++ priv->io_base + _REG(VPP_DUMMY_DATA)); + } else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) + writel_relaxed(0xf, priv->io_base + _REG(DOLBY_PATH_CTRL)); + +-- +2.39.2 + diff --git a/queue-5.15/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch b/queue-5.15/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch new file mode 100644 index 00000000000..eb79199eba4 --- /dev/null +++ b/queue-5.15/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch @@ -0,0 +1,38 @@ +From 05ffa1f61c56dc52a285ba349e6d32c26b501564 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 04:40:38 +0300 +Subject: drm/panfrost: Don't sync rpm suspension after mmu flushing + +From: Dmitry Osipenko + +[ Upstream commit ba3be66f11c3c49afaa9f49b99e21d88756229ef ] + +Lockdep warns about potential circular locking dependency of devfreq +with the fs_reclaim caused by immediate device suspension when mapping is +released by shrinker. Fix it by doing the suspension asynchronously. + +Reviewed-by: Steven Price +Fixes: ec7eba47da86 ("drm/panfrost: Rework page table flushing and runtime PM interaction") +Signed-off-by: Dmitry Osipenko +Link: https://lore.kernel.org/all/20230108210445.3948344-3-dmitry.osipenko@collabora.com/ +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.c b/drivers/gpu/drm/panfrost/panfrost_mmu.c +index c3292a6bd1ae8..d6dda97e2591d 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c +@@ -253,7 +253,7 @@ static void panfrost_mmu_flush_range(struct panfrost_device *pfdev, + if (pm_runtime_active(pfdev->dev)) + mmu_hw_do_operation(pfdev, mmu, iova, size, AS_COMMAND_FLUSH_PT); + +- pm_runtime_put_sync_autosuspend(pfdev->dev); ++ pm_runtime_put_autosuspend(pfdev->dev); + } + + static int mmu_map_sg(struct panfrost_device *pfdev, struct panfrost_mmu *mmu, +-- +2.39.2 + diff --git a/queue-5.15/ethernet-sun-add-check-for-the-mdesc_grab.patch b/queue-5.15/ethernet-sun-add-check-for-the-mdesc_grab.patch new file mode 100644 index 00000000000..ce9cae73027 --- /dev/null +++ b/queue-5.15/ethernet-sun-add-check-for-the-mdesc_grab.patch @@ -0,0 +1,55 @@ +From ba0a2193a411e1160fcf7aca39f5e76bbfe5ec7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:00:21 +0800 +Subject: ethernet: sun: add check for the mdesc_grab() + +From: Liang He + +[ Upstream commit 90de546d9a0b3c771667af18bb3f80567eabb89b ] + +In vnet_port_probe() and vsw_port_probe(), we should +check the return value of mdesc_grab() as it may +return NULL which can caused NPD bugs. + +Fixes: 5d01fa0c6bd8 ("ldmvsw: Add ldmvsw.c driver code") +Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.") +Signed-off-by: Liang He +Reviewed-by: Piotr Raczynski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/ldmvsw.c | 3 +++ + drivers/net/ethernet/sun/sunvnet.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/sun/ldmvsw.c b/drivers/net/ethernet/sun/ldmvsw.c +index 50bd4e3b0af9d..cde65f76e5cef 100644 +--- a/drivers/net/ethernet/sun/ldmvsw.c ++++ b/drivers/net/ethernet/sun/ldmvsw.c +@@ -290,6 +290,9 @@ static int vsw_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) + + hp = mdesc_grab(); + ++ if (!hp) ++ return -ENODEV; ++ + rmac = mdesc_get_property(hp, vdev->mp, remote_macaddr_prop, &len); + err = -ENODEV; + if (!rmac) { +diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c +index 58ee89223951e..dcdfc1fd3d2ca 100644 +--- a/drivers/net/ethernet/sun/sunvnet.c ++++ b/drivers/net/ethernet/sun/sunvnet.c +@@ -431,6 +431,9 @@ static int vnet_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) + + hp = mdesc_grab(); + ++ if (!hp) ++ return -ENODEV; ++ + vp = vnet_find_parent(hp, vdev->mp, vdev); + if (IS_ERR(vp)) { + pr_err("Cannot find port parent vnet\n"); +-- +2.39.2 + diff --git a/queue-5.15/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch b/queue-5.15/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch new file mode 100644 index 00000000000..4c6ddc31e95 --- /dev/null +++ b/queue-5.15/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch @@ -0,0 +1,91 @@ +From 3ffc0514a93780183239801c62f8c6424a3f3c71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 10:45:09 -0800 +Subject: i40e: Fix kernel crash during reboot when adapter is in recovery mode + +From: Ivan Vecera + +[ Upstream commit 7e4f8a0c495413a50413e8c9f1032ce1bc633bae ] + +If the driver detects during probe that firmware is in recovery +mode then i40e_init_recovery_mode() is called and the rest of +probe function is skipped including pci_set_drvdata(). Subsequent +i40e_shutdown() called during shutdown/reboot dereferences NULL +pointer as pci_get_drvdata() returns NULL. + +To fix call pci_set_drvdata() also during entering to recovery mode. + +Reproducer: +1) Lets have i40e NIC with firmware in recovery mode +2) Run reboot + +Result: +[ 139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver +[ 139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation. +[ 139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality. +[ 139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode. +[ 139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a] +[ 139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0 +[ 139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. Limiting functionality. +[ 139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode. +[ 139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a] +[ 139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0 +... +[ 156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2 +[ 156.318330] #PF: supervisor write access in kernel mode +[ 156.323546] #PF: error_code(0x0002) - not-present page +[ 156.328679] PGD 0 P4D 0 +[ 156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI +[ 156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G E 6.2.0+ #1 +[ 156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022 +[ 156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e] +[ 156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00 +[ 156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282 +[ 156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001 +[ 156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000 +[ 156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40 +[ 156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000 +[ 156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000 +[ 156.418007] FS: 00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000 +[ 156.426083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0 +[ 156.438944] PKRU: 55555554 +[ 156.441647] Call Trace: +[ 156.444096] +[ 156.446199] pci_device_shutdown+0x38/0x60 +[ 156.450297] device_shutdown+0x163/0x210 +[ 156.454215] kernel_restart+0x12/0x70 +[ 156.457872] __do_sys_reboot+0x1ab/0x230 +[ 156.461789] ? vfs_writev+0xa6/0x1a0 +[ 156.465362] ? __pfx_file_free_rcu+0x10/0x10 +[ 156.469635] ? __call_rcu_common.constprop.85+0x109/0x5a0 +[ 156.475034] do_syscall_64+0x3e/0x90 +[ 156.478611] entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 156.483658] RIP: 0033:0x7fe7bff37ab7 + +Fixes: 4ff0ee1af016 ("i40e: Introduce recovery mode support") +Signed-off-by: Ivan Vecera +Tested-by: Arpana Arland (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230309184509.984639-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 5ffcd3cc989f7..85d48efce1d00 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -15338,6 +15338,7 @@ static int i40e_init_recovery_mode(struct i40e_pf *pf, struct i40e_hw *hw) + int err; + int v_idx; + ++ pci_set_drvdata(pf->pdev, pf); + pci_save_state(pf->pdev); + + /* set up periodic task facility */ +-- +2.39.2 + diff --git a/queue-5.15/ice-xsk-disable-txq-irq-before-flushing-hw.patch b/queue-5.15/ice-xsk-disable-txq-irq-before-flushing-hw.patch new file mode 100644 index 00000000000..494a5d8db32 --- /dev/null +++ b/queue-5.15/ice-xsk-disable-txq-irq-before-flushing-hw.patch @@ -0,0 +1,111 @@ +From 5642c9184dd48db3f110c542963624979ddf0310 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 10:45:43 -0700 +Subject: ice: xsk: disable txq irq before flushing hw + +From: Maciej Fijalkowski + +[ Upstream commit b830c9642386867863ac64295185f896ff2928ac ] + +ice_qp_dis() intends to stop a given queue pair that is a target of xsk +pool attach/detach. One of the steps is to disable interrupts on these +queues. It currently is broken in a way that txq irq is turned off +*after* HW flush which in turn takes no effect. + +ice_qp_dis(): +-> ice_qvec_dis_irq() +--> disable rxq irq +--> flush hw +-> ice_vsi_stop_tx_ring() +-->disable txq irq + +Below splat can be triggered by following steps: +- start xdpsock WITHOUT loading xdp prog +- run xdp_rxq_info with XDP_TX action on this interface +- start traffic +- terminate xdpsock + +[ 256.312485] BUG: kernel NULL pointer dereference, address: 0000000000000018 +[ 256.319560] #PF: supervisor read access in kernel mode +[ 256.324775] #PF: error_code(0x0000) - not-present page +[ 256.329994] PGD 0 P4D 0 +[ 256.332574] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 256.337006] CPU: 3 PID: 32 Comm: ksoftirqd/3 Tainted: G OE 6.2.0-rc5+ #51 +[ 256.345218] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 +[ 256.355807] RIP: 0010:ice_clean_rx_irq_zc+0x9c/0x7d0 [ice] +[ 256.361423] Code: b7 8f 8a 00 00 00 66 39 ca 0f 84 f1 04 00 00 49 8b 47 40 4c 8b 24 d0 41 0f b7 45 04 66 25 ff 3f 66 89 04 24 0f 84 85 02 00 00 <49> 8b 44 24 18 0f b7 14 24 48 05 00 01 00 00 49 89 04 24 49 89 44 +[ 256.380463] RSP: 0018:ffffc900088bfd20 EFLAGS: 00010206 +[ 256.385765] RAX: 000000000000003c RBX: 0000000000000035 RCX: 000000000000067f +[ 256.393012] RDX: 0000000000000775 RSI: 0000000000000000 RDI: ffff8881deb3ac80 +[ 256.400256] RBP: 000000000000003c R08: ffff889847982710 R09: 0000000000010000 +[ 256.407500] R10: ffffffff82c060c0 R11: 0000000000000004 R12: 0000000000000000 +[ 256.414746] R13: ffff88811165eea0 R14: ffffc9000d255000 R15: ffff888119b37600 +[ 256.421990] FS: 0000000000000000(0000) GS:ffff8897e0cc0000(0000) knlGS:0000000000000000 +[ 256.430207] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 256.436036] CR2: 0000000000000018 CR3: 0000000005c0a006 CR4: 00000000007706e0 +[ 256.443283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 256.450527] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 256.457770] PKRU: 55555554 +[ 256.460529] Call Trace: +[ 256.463015] +[ 256.465157] ? ice_xmit_zc+0x6e/0x150 [ice] +[ 256.469437] ice_napi_poll+0x46d/0x680 [ice] +[ 256.473815] ? _raw_spin_unlock_irqrestore+0x1b/0x40 +[ 256.478863] __napi_poll+0x29/0x160 +[ 256.482409] net_rx_action+0x136/0x260 +[ 256.486222] __do_softirq+0xe8/0x2e5 +[ 256.489853] ? smpboot_thread_fn+0x2c/0x270 +[ 256.494108] run_ksoftirqd+0x2a/0x50 +[ 256.497747] smpboot_thread_fn+0x1c1/0x270 +[ 256.501907] ? __pfx_smpboot_thread_fn+0x10/0x10 +[ 256.506594] kthread+0xea/0x120 +[ 256.509785] ? __pfx_kthread+0x10/0x10 +[ 256.513597] ret_from_fork+0x29/0x50 +[ 256.517238] + +In fact, irqs were not disabled and napi managed to be scheduled and run +while xsk_pool pointer was still valid, but SW ring of xdp_buff pointers +was already freed. + +To fix this, call ice_qvec_dis_irq() after ice_vsi_stop_tx_ring(). Also +while at it, remove redundant ice_clean_rx_ring() call - this is handled +in ice_qp_clean_rings(). + +Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") +Signed-off-by: Maciej Fijalkowski +Reviewed-by: Larysa Zaremba +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Acked-by: John Fastabend +Signed-off-by: Tony Nguyen +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_xsk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index 60d8ef0c88595..070be30cbaa91 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -166,8 +166,6 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx) + } + netif_tx_stop_queue(netdev_get_tx_queue(vsi->netdev, q_idx)); + +- ice_qvec_dis_irq(vsi, rx_ring, q_vector); +- + ice_fill_txq_meta(vsi, tx_ring, &txq_meta); + err = ice_vsi_stop_tx_ring(vsi, ICE_NO_RESET, 0, tx_ring, &txq_meta); + if (err) +@@ -182,6 +180,8 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx) + if (err) + return err; + } ++ ice_qvec_dis_irq(vsi, rx_ring, q_vector); ++ + err = ice_vsi_ctrl_one_rx_ring(vsi, false, q_idx, true); + if (err) + return err; +-- +2.39.2 + diff --git a/queue-5.15/ipv4-fix-incorrect-table-id-in-ioctl-path.patch b/queue-5.15/ipv4-fix-incorrect-table-id-in-ioctl-path.patch new file mode 100644 index 00000000000..519d0bdef8a --- /dev/null +++ b/queue-5.15/ipv4-fix-incorrect-table-id-in-ioctl-path.patch @@ -0,0 +1,74 @@ +From 0efda240afcb902b8ad61688b9b0878e0c5f0573 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:40:09 +0200 +Subject: ipv4: Fix incorrect table ID in IOCTL path + +From: Ido Schimmel + +[ Upstream commit 8a2618e14f81604a9b6ad305d57e0c8da939cd65 ] + +Commit f96a3d74554d ("ipv4: Fix incorrect route flushing when source +address is deleted") started to take the table ID field in the FIB info +structure into account when determining if two structures are identical +or not. This field is initialized using the 'fc_table' field in the +route configuration structure, which is not set when adding a route via +IOCTL. + +The above can result in user space being able to install two identical +routes that only differ in the table ID field of their associated FIB +info. + +Fix by initializing the table ID field in the route configuration +structure in the IOCTL path. + +Before the fix: + + # ip route add default via 192.0.2.2 + # route add default gw 192.0.2.2 + # ip -4 r show default + # default via 192.0.2.2 dev dummy10 + # default via 192.0.2.2 dev dummy10 + +After the fix: + + # ip route add default via 192.0.2.2 + # route add default gw 192.0.2.2 + SIOCADDRT: File exists + # ip -4 r show default + default via 192.0.2.2 dev dummy10 + +Audited the code paths to ensure there are no other paths that do not +properly initialize the route configuration structure when installing a +route. + +Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs") +Fixes: f96a3d74554d ("ipv4: Fix incorrect route flushing when source address is deleted") +Reported-by: gaoxingwang +Link: https://lore.kernel.org/netdev/20230314144159.2354729-1-gaoxingwang1@huawei.com/ +Tested-by: gaoxingwang +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20230315124009.4015212-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_frontend.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 75c88d4863276..c21d57f02c651 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -573,6 +573,9 @@ static int rtentry_to_fib_config(struct net *net, int cmd, struct rtentry *rt, + cfg->fc_scope = RT_SCOPE_UNIVERSE; + } + ++ if (!cfg->fc_table) ++ cfg->fc_table = RT_TABLE_MAIN; ++ + if (cmd == SIOCDELRT) + return 0; + +-- +2.39.2 + diff --git a/queue-5.15/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch b/queue-5.15/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch new file mode 100644 index 00000000000..7df0a9496a1 --- /dev/null +++ b/queue-5.15/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch @@ -0,0 +1,49 @@ +From f4767a66e606f8fd87fc953b3f1e372bb0d563e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 10:03:36 +0800 +Subject: ipvlan: Make skb->skb_iif track skb->dev for l3s mode + +From: Jianguo Wu + +[ Upstream commit 59a0b022aa249e3f5735d93de0849341722c4754 ] + +For l3s mode, skb->dev is set to ipvlan interface in ipvlan_nf_input(): + skb->dev = addr->master->dev +but, skb->skb_iif remain unchanged, this will cause socket lookup failed +if a target socket is bound to a interface, like the following example: + + ip link add ipvlan0 link eth0 type ipvlan mode l3s + ip addr add dev ipvlan0 192.168.124.111/24 + ip link set ipvlan0 up + + ping -c 1 -I ipvlan0 8.8.8.8 + 100% packet loss + +This is because there is no match sk in __raw_v4_lookup() as sk->sk_bound_dev_if != dif(skb->skb_iif). +Fix this by make skb->skb_iif track skb->dev in ipvlan_nf_input(). + +Fixes: c675e06a98a4 ("ipvlan: decouple l3s mode dependencies from other modes") +Signed-off-by: Jianguo Wu +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/29865b1f-6db7-c07a-de89-949d3721ea30@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_l3s.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ipvlan/ipvlan_l3s.c b/drivers/net/ipvlan/ipvlan_l3s.c +index 943d26cbf39f5..71712ea25403d 100644 +--- a/drivers/net/ipvlan/ipvlan_l3s.c ++++ b/drivers/net/ipvlan/ipvlan_l3s.c +@@ -101,6 +101,7 @@ static unsigned int ipvlan_nf_input(void *priv, struct sk_buff *skb, + goto out; + + skb->dev = addr->master->dev; ++ skb->skb_iif = skb->dev->ifindex; + len = skb->len + ETH_HLEN; + ipvlan_count_rx(addr->master, len, true, false); + out: +-- +2.39.2 + diff --git a/queue-5.15/loop-fix-use-after-free-issues.patch b/queue-5.15/loop-fix-use-after-free-issues.patch new file mode 100644 index 00000000000..9c530d71784 --- /dev/null +++ b/queue-5.15/loop-fix-use-after-free-issues.patch @@ -0,0 +1,101 @@ +From a605e60e4aa62d5bcec4a4437feb790d8952d774 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 11:21:54 -0700 +Subject: loop: Fix use-after-free issues + +From: Bart Van Assche + +[ Upstream commit 9b0cb770f5d7b1ff40bea7ca385438ee94570eec ] + +do_req_filebacked() calls blk_mq_complete_request() synchronously or +asynchronously when using asynchronous I/O unless memory allocation fails. +Hence, modify loop_handle_cmd() such that it does not dereference 'cmd' nor +'rq' after do_req_filebacked() finished unless we are sure that the request +has not yet been completed. This patch fixes the following kernel crash: + +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000054 +Call trace: + css_put.42938+0x1c/0x1ac + loop_process_work+0xc8c/0xfd4 + loop_rootcg_workfn+0x24/0x34 + process_one_work+0x244/0x558 + worker_thread+0x400/0x8fc + kthread+0x16c/0x1e0 + ret_from_fork+0x10/0x20 + +Cc: Christoph Hellwig +Cc: Ming Lei +Cc: Jan Kara +Cc: Johannes Weiner +Cc: Dan Schatzberg +Fixes: c74d40e8b5e2 ("loop: charge i/o to mem and blk cg") +Fixes: bc07c10a3603 ("block: loop: support DIO & AIO") +Signed-off-by: Bart Van Assche +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20230314182155.80625-1-bvanassche@acm.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/loop.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 58a38e61de535..07cf7a35ae502 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -2188,35 +2188,44 @@ static blk_status_t loop_queue_rq(struct blk_mq_hw_ctx *hctx, + + static void loop_handle_cmd(struct loop_cmd *cmd) + { ++ struct cgroup_subsys_state *cmd_blkcg_css = cmd->blkcg_css; ++ struct cgroup_subsys_state *cmd_memcg_css = cmd->memcg_css; + struct request *rq = blk_mq_rq_from_pdu(cmd); + const bool write = op_is_write(req_op(rq)); + struct loop_device *lo = rq->q->queuedata; + int ret = 0; + struct mem_cgroup *old_memcg = NULL; ++ const bool use_aio = cmd->use_aio; + + if (write && (lo->lo_flags & LO_FLAGS_READ_ONLY)) { + ret = -EIO; + goto failed; + } + +- if (cmd->blkcg_css) +- kthread_associate_blkcg(cmd->blkcg_css); +- if (cmd->memcg_css) ++ if (cmd_blkcg_css) ++ kthread_associate_blkcg(cmd_blkcg_css); ++ if (cmd_memcg_css) + old_memcg = set_active_memcg( +- mem_cgroup_from_css(cmd->memcg_css)); ++ mem_cgroup_from_css(cmd_memcg_css)); + ++ /* ++ * do_req_filebacked() may call blk_mq_complete_request() synchronously ++ * or asynchronously if using aio. Hence, do not touch 'cmd' after ++ * do_req_filebacked() has returned unless we are sure that 'cmd' has ++ * not yet been completed. ++ */ + ret = do_req_filebacked(lo, rq); + +- if (cmd->blkcg_css) ++ if (cmd_blkcg_css) + kthread_associate_blkcg(NULL); + +- if (cmd->memcg_css) { ++ if (cmd_memcg_css) { + set_active_memcg(old_memcg); +- css_put(cmd->memcg_css); ++ css_put(cmd_memcg_css); + } + failed: + /* complete non-aio request */ +- if (!cmd->use_aio || ret) { ++ if (!use_aio || ret) { + if (ret == -EOPNOTSUPP) + cmd->ret = ret; + else +-- +2.39.2 + diff --git a/queue-5.15/net-dsa-mt7530-remove-now-incorrect-comment-regardin.patch b/queue-5.15/net-dsa-mt7530-remove-now-incorrect-comment-regardin.patch new file mode 100644 index 00000000000..ed39aa28bb5 --- /dev/null +++ b/queue-5.15/net-dsa-mt7530-remove-now-incorrect-comment-regardin.patch @@ -0,0 +1,41 @@ +From 696045c9575a5adc13a672c716ab966471868f27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 10:33:37 +0300 +Subject: net: dsa: mt7530: remove now incorrect comment regarding port 5 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arınç ÜNAL + +[ Upstream commit feb03fd11c5616f3a47e4714d2f9917d0f1a2edd ] + +Remove now incorrect comment regarding port 5 as GMAC5. This is supposed to +be supported since commit 38f790a80560 ("net: dsa: mt7530: Add support for +port 5") under mt7530_setup_port5(). + +Fixes: 38f790a80560 ("net: dsa: mt7530: Add support for port 5") +Signed-off-by: Arınç ÜNAL +Link: https://lore.kernel.org/r/20230310073338.5836-1-arinc.unal@arinc9.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mt7530.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index 7bcfa3be95e29..22a09a11d8749 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -2168,7 +2168,7 @@ mt7530_setup(struct dsa_switch *ds) + + mt7530_pll_setup(priv); + +- /* Enable Port 6 only; P5 as GMAC5 which currently is not supported */ ++ /* Enable port 6 */ + val = mt7530_read(priv, MT7530_MHWTRAP); + val &= ~MHWTRAP_P6_DIS & ~MHWTRAP_PHY_ACCESS; + val |= MHWTRAP_MANUAL; +-- +2.39.2 + diff --git a/queue-5.15/net-dsa-mt7530-set-pll-frequency-and-trgmii-only-whe.patch b/queue-5.15/net-dsa-mt7530-set-pll-frequency-and-trgmii-only-whe.patch new file mode 100644 index 00000000000..b1c802f86ed --- /dev/null +++ b/queue-5.15/net-dsa-mt7530-set-pll-frequency-and-trgmii-only-whe.patch @@ -0,0 +1,120 @@ +From 560642604e3e4fdfbc6109ce32ec30188384e96f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 10:33:38 +0300 +Subject: net: dsa: mt7530: set PLL frequency and trgmii only when trgmii is + used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arınç ÜNAL + +[ Upstream commit 0b086d76e7b011772b0ac214c6e5fd5816eff2df ] + +As my testing on the MCM MT7530 switch on MT7621 SoC shows, setting the PLL +frequency does not affect MII modes other than trgmii on port 5 and port 6. +So the assumption is that the operation here called "setting the PLL +frequency" actually sets the frequency of the TRGMII TX clock. + +Make it so that it and the rest of the trgmii setup run only when the +trgmii mode is used. + +Tested rgmii and trgmii modes of port 6 on MCM MT7530 on MT7621AT Unielec +U7621-06 and standalone MT7530 on MT7623NI Bananapi BPI-R2. + +Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch") +Tested-by: Arınç ÜNAL +Signed-off-by: Arınç ÜNAL +Link: https://lore.kernel.org/r/20230310073338.5836-2-arinc.unal@arinc9.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mt7530.c | 62 ++++++++++++++++++++-------------------- + 1 file changed, 31 insertions(+), 31 deletions(-) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index 22a09a11d8749..793992c378559 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -425,8 +425,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface) + switch (interface) { + case PHY_INTERFACE_MODE_RGMII: + trgint = 0; +- /* PLL frequency: 125MHz */ +- ncpo1 = 0x0c80; + break; + case PHY_INTERFACE_MODE_TRGMII: + trgint = 1; +@@ -457,38 +455,40 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface) + mt7530_rmw(priv, MT7530_P6ECR, P6_INTF_MODE_MASK, + P6_INTF_MODE(trgint)); + +- /* Lower Tx Driving for TRGMII path */ +- for (i = 0 ; i < NUM_TRGMII_CTRL ; i++) +- mt7530_write(priv, MT7530_TRGMII_TD_ODT(i), +- TD_DM_DRVP(8) | TD_DM_DRVN(8)); +- +- /* Disable MT7530 core and TRGMII Tx clocks */ +- core_clear(priv, CORE_TRGMII_GSW_CLK_CG, +- REG_GSWCK_EN | REG_TRGMIICK_EN); +- +- /* Setup the MT7530 TRGMII Tx Clock */ +- core_write(priv, CORE_PLL_GROUP5, RG_LCDDS_PCW_NCPO1(ncpo1)); +- core_write(priv, CORE_PLL_GROUP6, RG_LCDDS_PCW_NCPO0(0)); +- core_write(priv, CORE_PLL_GROUP10, RG_LCDDS_SSC_DELTA(ssc_delta)); +- core_write(priv, CORE_PLL_GROUP11, RG_LCDDS_SSC_DELTA1(ssc_delta)); +- core_write(priv, CORE_PLL_GROUP4, +- RG_SYSPLL_DDSFBK_EN | RG_SYSPLL_BIAS_EN | +- RG_SYSPLL_BIAS_LPF_EN); +- core_write(priv, CORE_PLL_GROUP2, +- RG_SYSPLL_EN_NORMAL | RG_SYSPLL_VODEN | +- RG_SYSPLL_POSDIV(1)); +- core_write(priv, CORE_PLL_GROUP7, +- RG_LCDDS_PCW_NCPO_CHG | RG_LCCDS_C(3) | +- RG_LCDDS_PWDB | RG_LCDDS_ISO_EN); +- +- /* Enable MT7530 core and TRGMII Tx clocks */ +- core_set(priv, CORE_TRGMII_GSW_CLK_CG, +- REG_GSWCK_EN | REG_TRGMIICK_EN); +- +- if (!trgint) ++ if (trgint) { ++ /* Lower Tx Driving for TRGMII path */ ++ for (i = 0 ; i < NUM_TRGMII_CTRL ; i++) ++ mt7530_write(priv, MT7530_TRGMII_TD_ODT(i), ++ TD_DM_DRVP(8) | TD_DM_DRVN(8)); ++ ++ /* Disable MT7530 core and TRGMII Tx clocks */ ++ core_clear(priv, CORE_TRGMII_GSW_CLK_CG, ++ REG_GSWCK_EN | REG_TRGMIICK_EN); ++ ++ /* Setup the MT7530 TRGMII Tx Clock */ ++ core_write(priv, CORE_PLL_GROUP5, RG_LCDDS_PCW_NCPO1(ncpo1)); ++ core_write(priv, CORE_PLL_GROUP6, RG_LCDDS_PCW_NCPO0(0)); ++ core_write(priv, CORE_PLL_GROUP10, RG_LCDDS_SSC_DELTA(ssc_delta)); ++ core_write(priv, CORE_PLL_GROUP11, RG_LCDDS_SSC_DELTA1(ssc_delta)); ++ core_write(priv, CORE_PLL_GROUP4, ++ RG_SYSPLL_DDSFBK_EN | RG_SYSPLL_BIAS_EN | ++ RG_SYSPLL_BIAS_LPF_EN); ++ core_write(priv, CORE_PLL_GROUP2, ++ RG_SYSPLL_EN_NORMAL | RG_SYSPLL_VODEN | ++ RG_SYSPLL_POSDIV(1)); ++ core_write(priv, CORE_PLL_GROUP7, ++ RG_LCDDS_PCW_NCPO_CHG | RG_LCCDS_C(3) | ++ RG_LCDDS_PWDB | RG_LCDDS_ISO_EN); ++ ++ /* Enable MT7530 core and TRGMII Tx clocks */ ++ core_set(priv, CORE_TRGMII_GSW_CLK_CG, ++ REG_GSWCK_EN | REG_TRGMIICK_EN); ++ } else { + for (i = 0 ; i < NUM_TRGMII_CTRL; i++) + mt7530_rmw(priv, MT7530_TRGMII_RD(i), + RD_TAP_MASK, RD_TAP(16)); ++ } ++ + return 0; + } + +-- +2.39.2 + diff --git a/queue-5.15/net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch b/queue-5.15/net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch new file mode 100644 index 00000000000..3244414e0bd --- /dev/null +++ b/queue-5.15/net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch @@ -0,0 +1,110 @@ +From 8519a56f3475ddf9cf1f0cfe8223701105b59ed7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 20:24:05 +0200 +Subject: net: dsa: mv88e6xxx: fix max_mtu of 1492 on 6165, 6191, 6220, 6250, + 6290 + +From: Vladimir Oltean + +[ Upstream commit 7e9517375a14f44ee830ca1c3278076dd65fcc8f ] + +There are 3 classes of switch families that the driver is aware of, as +far as mv88e6xxx_change_mtu() is concerned: + +- MTU configuration is available per port. Here, the + chip->info->ops->port_set_jumbo_size() method will be present. + +- MTU configuration is global to the switch. Here, the + chip->info->ops->set_max_frame_size() method will be present. + +- We don't know how to change the MTU. Here, none of the above methods + will be present. + +Switch families MV88E6165, MV88E6191, MV88E6220, MV88E6250 and MV88E6290 +fall in category 3. + +The blamed commit has adjusted the MTU for all 3 categories by EDSA_HLEN +(8 bytes), resulting in a new maximum MTU of 1492 being reported by the +driver for these switches. + +I don't have the hardware to test, but I do have a MV88E6390 switch on +which I can simulate this by commenting out its .port_set_jumbo_size +definition from mv88e6390_ops. The result is this set of messages at +probe time: + +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 1 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 2 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 3 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 4 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 5 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 6 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 7 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 8 + +It is highly implausible that there exist Ethernet switches which don't +support the standard MTU of 1500 octets, and this is what the DSA +framework says as well - the error comes from dsa_slave_create() -> +dsa_slave_change_mtu(slave_dev, ETH_DATA_LEN). + +But the error messages are alarming, and it would be good to suppress +them. + +As a consequence of this unlikeliness, we reimplement mv88e6xxx_get_max_mtu() +and mv88e6xxx_change_mtu() on switches from the 3rd category as follows: +the maximum supported MTU is 1500, and any request to set the MTU to a +value larger than that fails in dev_validate_mtu(). + +Fixes: b9c587fed61c ("dsa: mv88e6xxx: Include tagger overhead when setting MTU for DSA and CPU ports") +Signed-off-by: Vladimir Oltean +Reviewed-by: Simon Horman +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index f9efd0c8bab8d..99c4e45c62e33 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3054,7 +3054,7 @@ static int mv88e6xxx_get_max_mtu(struct dsa_switch *ds, int port) + return 10240 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN; + else if (chip->info->ops->set_max_frame_size) + return 1632 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN; +- return 1522 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN; ++ return ETH_DATA_LEN; + } + + static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu) +@@ -3062,6 +3062,17 @@ static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu) + struct mv88e6xxx_chip *chip = ds->priv; + int ret = 0; + ++ /* For families where we don't know how to alter the MTU, ++ * just accept any value up to ETH_DATA_LEN ++ */ ++ if (!chip->info->ops->port_set_jumbo_size && ++ !chip->info->ops->set_max_frame_size) { ++ if (new_mtu > ETH_DATA_LEN) ++ return -EINVAL; ++ ++ return 0; ++ } ++ + if (dsa_is_dsa_port(ds, port) || dsa_is_cpu_port(ds, port)) + new_mtu += EDSA_HLEN; + +@@ -3070,9 +3081,6 @@ static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu) + ret = chip->info->ops->port_set_jumbo_size(chip, port, new_mtu); + else if (chip->info->ops->set_max_frame_size) + ret = chip->info->ops->set_max_frame_size(chip, new_mtu); +- else +- if (new_mtu > 1522) +- ret = -EINVAL; + mv88e6xxx_reg_unlock(chip); + + return ret; +-- +2.39.2 + diff --git a/queue-5.15/net-iucv-fix-size-of-interrupt-data.patch b/queue-5.15/net-iucv-fix-size-of-interrupt-data.patch new file mode 100644 index 00000000000..22391fefae3 --- /dev/null +++ b/queue-5.15/net-iucv-fix-size-of-interrupt-data.patch @@ -0,0 +1,105 @@ +From 92dea5ece8b3ee5f1b03af9a229721e0f43d3cf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:14:35 +0100 +Subject: net/iucv: Fix size of interrupt data + +From: Alexandra Winter + +[ Upstream commit 3d87debb8ed2649608ff432699e7c961c0c6f03b ] + +iucv_irq_data needs to be 4 bytes larger. +These bytes are not used by the iucv module, but written by +the z/VM hypervisor in case a CPU is deconfigured. + +Reported as: +BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten +----------------------------------------------------------------------------- +0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc +Allocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1 +__kmem_cache_alloc_node+0x166/0x450 +kmalloc_node_trace+0x3a/0x70 +iucv_cpu_prepare+0x44/0xd0 +cpuhp_invoke_callback+0x156/0x2f0 +cpuhp_issue_call+0xf0/0x298 +__cpuhp_setup_state_cpuslocked+0x136/0x338 +__cpuhp_setup_state+0xf4/0x288 +iucv_init+0xf4/0x280 +do_one_initcall+0x78/0x390 +do_initcalls+0x11a/0x140 +kernel_init_freeable+0x25e/0x2a0 +kernel_init+0x2e/0x170 +__ret_from_fork+0x3c/0x58 +ret_from_fork+0xa/0x40 +Freed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1 +__kmem_cache_free+0x308/0x358 +iucv_init+0x92/0x280 +do_one_initcall+0x78/0x390 +do_initcalls+0x11a/0x140 +kernel_init_freeable+0x25e/0x2a0 +kernel_init+0x2e/0x170 +__ret_from_fork+0x3c/0x58 +ret_from_fork+0xa/0x40 +Slab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab|head|node=0|zone=0| +Object 0x0000000000400540 @offset=1344 fp=0x0000000000000000 +Redzone 0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Object 0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object 0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 f0 f0 f2 ................ +Object 0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc ................ +Object 0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400580: cc cc cc cc cc cc cc cc ........ +Padding 00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ +Padding 00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ +Padding 00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ +CPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1 +Hardware name: IBM 3931 A01 704 (z/VM 7.3.0) +Call Trace: +[<000000032aa034ec>] dump_stack_lvl+0xac/0x100 +[<0000000329f5a6cc>] check_bytes_and_report+0x104/0x140 +[<0000000329f5aa78>] check_object+0x370/0x3c0 +[<0000000329f5ede6>] free_debug_processing+0x15e/0x348 +[<0000000329f5f06a>] free_to_partial_list+0x9a/0x2f0 +[<0000000329f5f4a4>] __slab_free+0x1e4/0x3a8 +[<0000000329f61768>] __kmem_cache_free+0x308/0x358 +[<000000032a91465c>] iucv_cpu_dead+0x6c/0x88 +[<0000000329c2fc66>] cpuhp_invoke_callback+0x156/0x2f0 +[<000000032aa062da>] _cpu_down.constprop.0+0x22a/0x5e0 +[<0000000329c3243e>] cpu_device_down+0x4e/0x78 +[<000000032a61dee0>] device_offline+0xc8/0x118 +[<000000032a61e048>] online_store+0x60/0xe0 +[<000000032a08b6b0>] kernfs_fop_write_iter+0x150/0x1e8 +[<0000000329fab65c>] vfs_write+0x174/0x360 +[<0000000329fab9fc>] ksys_write+0x74/0x100 +[<000000032aa03a5a>] __do_syscall+0x1da/0x208 +[<000000032aa177b2>] system_call+0x82/0xb0 +INFO: lockdep is turned off. +FIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc +FIX dma-kmalloc-64: Object at 0x0000000000400540 not freed + +Fixes: 2356f4cb1911 ("[S390]: Rewrite of the IUCV base code, part 2") +Signed-off-by: Alexandra Winter +Link: https://lore.kernel.org/r/20230315131435.4113889-1-wintera@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/iucv/iucv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c +index f3343a8541a57..8efc369934fc7 100644 +--- a/net/iucv/iucv.c ++++ b/net/iucv/iucv.c +@@ -83,7 +83,7 @@ struct iucv_irq_data { + u16 ippathid; + u8 ipflags1; + u8 iptype; +- u32 res2[8]; ++ u32 res2[9]; + }; + + struct iucv_irq_list { +-- +2.39.2 + diff --git a/queue-5.15/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch b/queue-5.15/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch new file mode 100644 index 00000000000..be4f706aca5 --- /dev/null +++ b/queue-5.15/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch @@ -0,0 +1,44 @@ +From b2d9bee0367c8157ce73c72ac5288e5e8bbe839e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Mar 2023 19:34:45 +0100 +Subject: net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status + fails + +From: Heiner Kallweit + +[ Upstream commit c22c3bbf351e4ce905f082649cffa1ff893ea8c1 ] + +If genphy_read_status fails then further access to the PHY may result +in unpredictable behavior. To prevent this bail out immediately if +genphy_read_status fails. + +Fixes: 4223dbffed9f ("net: phy: smsc: Re-enable EDPD mode for LAN87xx") +Signed-off-by: Heiner Kallweit +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/026aa4f2-36f5-1c10-ab9f-cdb17dda6ac4@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/smsc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index 04e628788f1b5..36dcf6c7f445d 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -206,8 +206,11 @@ static int lan95xx_config_aneg_ext(struct phy_device *phydev) + static int lan87xx_read_status(struct phy_device *phydev) + { + struct smsc_phy_priv *priv = phydev->priv; ++ int err; + +- int err = genphy_read_status(phydev); ++ err = genphy_read_status(phydev); ++ if (err) ++ return err; + + if (!phydev->link && priv->energy_enable && phydev->irq == PHY_POLL) { + /* Disable EDPD to wake up PHY */ +-- +2.39.2 + diff --git a/queue-5.15/net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch b/queue-5.15/net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch new file mode 100644 index 00000000000..5b424596d32 --- /dev/null +++ b/queue-5.15/net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch @@ -0,0 +1,164 @@ +From 302552c7cceb5c40da15c2b73237e947ae5d061b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 11:08:28 +0100 +Subject: net/smc: fix deadlock triggered by cancel_delayed_work_syn() + +From: Wenjia Zhang + +[ Upstream commit 13085e1b5cab8ad802904d72e6a6dae85ae0cd20 ] + +The following LOCKDEP was detected: + Workqueue: events smc_lgr_free_work [smc] + WARNING: possible circular locking dependency detected + 6.1.0-20221027.rc2.git8.56bc5b569087.300.fc36.s390x+debug #1 Not tainted + ------------------------------------------------------ + kworker/3:0/176251 is trying to acquire lock: + 00000000f1467148 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0}, + at: __flush_workqueue+0x7a/0x4f0 + but task is already holding lock: + 0000037fffe97dc8 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0}, + at: process_one_work+0x232/0x730 + which lock already depends on the new lock. + the existing dependency chain (in reverse order) is: + -> #4 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0}: + __lock_acquire+0x58e/0xbd8 + lock_acquire.part.0+0xe2/0x248 + lock_acquire+0xac/0x1c8 + __flush_work+0x76/0xf0 + __cancel_work_timer+0x170/0x220 + __smc_lgr_terminate.part.0+0x34/0x1c0 [smc] + smc_connect_rdma+0x15e/0x418 [smc] + __smc_connect+0x234/0x480 [smc] + smc_connect+0x1d6/0x230 [smc] + __sys_connect+0x90/0xc0 + __do_sys_socketcall+0x186/0x370 + __do_syscall+0x1da/0x208 + system_call+0x82/0xb0 + -> #3 (smc_client_lgr_pending){+.+.}-{3:3}: + __lock_acquire+0x58e/0xbd8 + lock_acquire.part.0+0xe2/0x248 + lock_acquire+0xac/0x1c8 + __mutex_lock+0x96/0x8e8 + mutex_lock_nested+0x32/0x40 + smc_connect_rdma+0xa4/0x418 [smc] + __smc_connect+0x234/0x480 [smc] + smc_connect+0x1d6/0x230 [smc] + __sys_connect+0x90/0xc0 + __do_sys_socketcall+0x186/0x370 + __do_syscall+0x1da/0x208 + system_call+0x82/0xb0 + -> #2 (sk_lock-AF_SMC){+.+.}-{0:0}: + __lock_acquire+0x58e/0xbd8 + lock_acquire.part.0+0xe2/0x248 + lock_acquire+0xac/0x1c8 + lock_sock_nested+0x46/0xa8 + smc_tx_work+0x34/0x50 [smc] + process_one_work+0x30c/0x730 + worker_thread+0x62/0x420 + kthread+0x138/0x150 + __ret_from_fork+0x3c/0x58 + ret_from_fork+0xa/0x40 + -> #1 ((work_completion)(&(&smc->conn.tx_work)->work)){+.+.}-{0:0}: + __lock_acquire+0x58e/0xbd8 + lock_acquire.part.0+0xe2/0x248 + lock_acquire+0xac/0x1c8 + process_one_work+0x2bc/0x730 + worker_thread+0x62/0x420 + kthread+0x138/0x150 + __ret_from_fork+0x3c/0x58 + ret_from_fork+0xa/0x40 + -> #0 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0}: + check_prev_add+0xd8/0xe88 + validate_chain+0x70c/0xb20 + __lock_acquire+0x58e/0xbd8 + lock_acquire.part.0+0xe2/0x248 + lock_acquire+0xac/0x1c8 + __flush_workqueue+0xaa/0x4f0 + drain_workqueue+0xaa/0x158 + destroy_workqueue+0x44/0x2d8 + smc_lgr_free+0x9e/0xf8 [smc] + process_one_work+0x30c/0x730 + worker_thread+0x62/0x420 + kthread+0x138/0x150 + __ret_from_fork+0x3c/0x58 + ret_from_fork+0xa/0x40 + other info that might help us debug this: + Chain exists of: + (wq_completion)smc_tx_wq-00000000#2 + --> smc_client_lgr_pending + --> (work_completion)(&(&lgr->free_work)->work) + Possible unsafe locking scenario: + CPU0 CPU1 + ---- ---- + lock((work_completion)(&(&lgr->free_work)->work)); + lock(smc_client_lgr_pending); + lock((work_completion) + (&(&lgr->free_work)->work)); + lock((wq_completion)smc_tx_wq-00000000#2); + *** DEADLOCK *** + 2 locks held by kworker/3:0/176251: + #0: 0000000080183548 + ((wq_completion)events){+.+.}-{0:0}, + at: process_one_work+0x232/0x730 + #1: 0000037fffe97dc8 + ((work_completion) + (&(&lgr->free_work)->work)){+.+.}-{0:0}, + at: process_one_work+0x232/0x730 + stack backtrace: + CPU: 3 PID: 176251 Comm: kworker/3:0 Not tainted + Hardware name: IBM 8561 T01 701 (z/VM 7.2.0) + Call Trace: + [<000000002983c3e4>] dump_stack_lvl+0xac/0x100 + [<0000000028b477ae>] check_noncircular+0x13e/0x160 + [<0000000028b48808>] check_prev_add+0xd8/0xe88 + [<0000000028b49cc4>] validate_chain+0x70c/0xb20 + [<0000000028b4bd26>] __lock_acquire+0x58e/0xbd8 + [<0000000028b4cf6a>] lock_acquire.part.0+0xe2/0x248 + [<0000000028b4d17c>] lock_acquire+0xac/0x1c8 + [<0000000028addaaa>] __flush_workqueue+0xaa/0x4f0 + [<0000000028addf9a>] drain_workqueue+0xaa/0x158 + [<0000000028ae303c>] destroy_workqueue+0x44/0x2d8 + [<000003ff8029af26>] smc_lgr_free+0x9e/0xf8 [smc] + [<0000000028adf3d4>] process_one_work+0x30c/0x730 + [<0000000028adf85a>] worker_thread+0x62/0x420 + [<0000000028aeac50>] kthread+0x138/0x150 + [<0000000028a63914>] __ret_from_fork+0x3c/0x58 + [<00000000298503da>] ret_from_fork+0xa/0x40 + INFO: lockdep is turned off. +=================================================================== + +This deadlock occurs because cancel_delayed_work_sync() waits for +the work(&lgr->free_work) to finish, while the &lgr->free_work +waits for the work(lgr->tx_wq), which needs the sk_lock-AF_SMC, that +is already used under the mutex_lock. + +The solution is to use cancel_delayed_work() instead, which kills +off a pending work. + +Fixes: a52bcc919b14 ("net/smc: improve termination processing") +Signed-off-by: Wenjia Zhang +Reviewed-by: Jan Karcher +Reviewed-by: Karsten Graul +Reviewed-by: Tony Lu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c +index 2eafefa15a1ae..f08fcc50fad3c 100644 +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -1297,7 +1297,7 @@ static void __smc_lgr_terminate(struct smc_link_group *lgr, bool soft) + if (lgr->terminating) + return; /* lgr already terminating */ + /* cancel free_work sync, will terminate when lgr->freeing is set */ +- cancel_delayed_work_sync(&lgr->free_work); ++ cancel_delayed_work(&lgr->free_work); + lgr->terminating = 1; + + /* kill remaining link group connections */ +-- +2.39.2 + diff --git a/queue-5.15/net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch b/queue-5.15/net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch new file mode 100644 index 00000000000..3e2f4174b84 --- /dev/null +++ b/queue-5.15/net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch @@ -0,0 +1,68 @@ +From c9107c3b0c19fe346f954558b96818295a64f466 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 16:17:12 +0800 +Subject: net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler() + +From: D. Wythe + +[ Upstream commit 22a825c541d775c1dbe7b2402786025acad6727b ] + +When performing a stress test on SMC-R by rmmod mlx5_ib driver +during the wrk/nginx test, we found that there is a probability +of triggering a panic while terminating all link groups. + +This issue dues to the race between smc_smcr_terminate_all() +and smc_buf_create(). + + smc_smcr_terminate_all + +smc_buf_create +/* init */ +conn->sndbuf_desc = NULL; +... + + __smc_lgr_terminate + smc_conn_kill + smc_close_abort + smc_cdc_get_slot_and_msg_send + + __softirqentry_text_start + smc_wr_tx_process_cqe + smc_cdc_tx_handler + READ(conn->sndbuf_desc->len); + /* panic dues to NULL sndbuf_desc */ + +conn->sndbuf_desc = xxx; + +This patch tries to fix the issue by always to check the sndbuf_desc +before send any cdc msg, to make sure that no null pointer is +seen during cqe processing. + +Fixes: 0b29ec643613 ("net/smc: immediate termination for SMCR link groups") +Signed-off-by: D. Wythe +Reviewed-by: Tony Lu +Reviewed-by: Wenjia Zhang +Link: https://lore.kernel.org/r/1678263432-17329-1-git-send-email-alibuda@linux.alibaba.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_cdc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c +index 5d180d24cbf1c..41b23f71c29a2 100644 +--- a/net/smc/smc_cdc.c ++++ b/net/smc/smc_cdc.c +@@ -104,6 +104,9 @@ int smc_cdc_msg_send(struct smc_connection *conn, + union smc_host_cursor cfed; + int rc; + ++ if (unlikely(!READ_ONCE(conn->sndbuf_desc))) ++ return -ENOBUFS; ++ + smc_cdc_add_pending_send(conn, pend); + + conn->tx_cdc_seq++; +-- +2.39.2 + diff --git a/queue-5.15/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch b/queue-5.15/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch new file mode 100644 index 00000000000..78485678714 --- /dev/null +++ b/queue-5.15/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch @@ -0,0 +1,252 @@ +From 49f1a26862cac23505f10d699a7561f170fa56da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 19:11:09 +0000 +Subject: net: tunnels: annotate lockless accesses to dev->needed_headroom + +From: Eric Dumazet + +[ Upstream commit 4b397c06cb987935b1b097336532aa6b4210e091 ] + +IP tunnels can apparently update dev->needed_headroom +in their xmit path. + +This patch takes care of three tunnels xmit, and also the +core LL_RESERVED_SPACE() and LL_RESERVED_SPACE_EXTRA() +helpers. + +More changes might be needed for completeness. + +BUG: KCSAN: data-race in ip_tunnel_xmit / ip_tunnel_xmit + +read to 0xffff88815b9da0ec of 2 bytes by task 888 on cpu 1: +ip_tunnel_xmit+0x1270/0x1730 net/ipv4/ip_tunnel.c:803 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 + +write to 0xffff88815b9da0ec of 2 bytes by task 2379 on cpu 0: +ip_tunnel_xmit+0x1294/0x1730 net/ipv4/ip_tunnel.c:804 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip6_finish_output2+0x9bc/0xc50 net/ipv6/ip6_output.c:134 +__ip6_finish_output net/ipv6/ip6_output.c:195 [inline] +ip6_finish_output+0x39a/0x4e0 net/ipv6/ip6_output.c:206 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip6_output+0xeb/0x220 net/ipv6/ip6_output.c:227 +dst_output include/net/dst.h:444 [inline] +NF_HOOK include/linux/netfilter.h:302 [inline] +mld_sendpack+0x438/0x6a0 net/ipv6/mcast.c:1820 +mld_send_cr net/ipv6/mcast.c:2121 [inline] +mld_ifc_work+0x519/0x7b0 net/ipv6/mcast.c:2653 +process_one_work+0x3e6/0x750 kernel/workqueue.c:2390 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2537 +kthread+0x1ac/0x1e0 kernel/kthread.c:376 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x0dd4 -> 0x0e14 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 2379 Comm: kworker/0:0 Not tainted 6.3.0-rc1-syzkaller-00002-g8ca09d5fa354-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 +Workqueue: mld mld_ifc_work + +Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230310191109.2384387-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 6 ++++-- + net/ipv4/ip_tunnel.c | 12 ++++++------ + net/ipv6/ip6_tunnel.c | 4 ++-- + 3 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 3a75d644a1204..5b6c38f748076 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -275,9 +275,11 @@ struct hh_cache { + * relationship HH alignment <= LL alignment. + */ + #define LL_RESERVED_SPACE(dev) \ +- ((((dev)->hard_header_len+(dev)->needed_headroom)&~(HH_DATA_MOD - 1)) + HH_DATA_MOD) ++ ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom)) \ ++ & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD) + #define LL_RESERVED_SPACE_EXTRA(dev,extra) \ +- ((((dev)->hard_header_len+(dev)->needed_headroom+(extra))&~(HH_DATA_MOD - 1)) + HH_DATA_MOD) ++ ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom) + (extra)) \ ++ & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD) + + struct header_ops { + int (*create) (struct sk_buff *skb, struct net_device *dev, +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index fe9101d3d69e0..426dc910aaf87 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -613,10 +613,10 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + } + + headroom += LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len; +- if (headroom > dev->needed_headroom) +- dev->needed_headroom = headroom; ++ if (headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, headroom); + +- if (skb_cow_head(skb, dev->needed_headroom)) { ++ if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) { + ip_rt_put(rt); + goto tx_dropped; + } +@@ -797,10 +797,10 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + + max_headroom = LL_RESERVED_SPACE(rt->dst.dev) + sizeof(struct iphdr) + + rt->dst.header_len + ip_encap_hlen(&tunnel->encap); +- if (max_headroom > dev->needed_headroom) +- dev->needed_headroom = max_headroom; ++ if (max_headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, max_headroom); + +- if (skb_cow_head(skb, dev->needed_headroom)) { ++ if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) { + ip_rt_put(rt); + dev->stats.tx_dropped++; + kfree_skb(skb); +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index ea50779428711..bc5d3188454d0 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1237,8 +1237,8 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield, + */ + max_headroom = LL_RESERVED_SPACE(dst->dev) + sizeof(struct ipv6hdr) + + dst->header_len + t->hlen; +- if (max_headroom > dev->needed_headroom) +- dev->needed_headroom = max_headroom; ++ if (max_headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, max_headroom); + + err = ip6_tnl_encap(skb, t, &proto, fl6); + if (err) +-- +2.39.2 + diff --git a/queue-5.15/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch b/queue-5.15/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch new file mode 100644 index 00000000000..b4326007871 --- /dev/null +++ b/queue-5.15/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch @@ -0,0 +1,39 @@ +From 89246e4edc25d7362b4bb5389e75d3dfd416f695 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 23:00:45 +0100 +Subject: net: usb: smsc75xx: Limit packet length to skb->len + +From: Szymon Heidrich + +[ Upstream commit d8b228318935044dafe3a5bc07ee71a1f1424b8d ] + +Packet length retrieved from skb data may be larger than +the actual socket buffer length (up to 9026 bytes). In such +case the cloned skb passed up the network stack will leak +kernel memory contents. + +Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") +Signed-off-by: Szymon Heidrich +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index 76f7af1613139..705bd31b18787 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -2211,7 +2211,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + dev->net->stats.rx_frame_errors++; + } else { + /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */ +- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) { ++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) || ++ size > skb->len)) { + netif_dbg(dev, rx_err, dev->net, + "size err rx_cmd_a=0x%08x\n", + rx_cmd_a); +-- +2.39.2 + diff --git a/queue-5.15/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch b/queue-5.15/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch new file mode 100644 index 00000000000..e8bb7993e18 --- /dev/null +++ b/queue-5.15/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch @@ -0,0 +1,54 @@ +From ed894f4fb0eb6bb4bc8b48ad0e199cccc36a1779 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 12:05:40 +0100 +Subject: net: usb: smsc75xx: Move packet length check to prevent kernel panic + in skb_pull + +From: Szymon Heidrich + +[ Upstream commit 43ffe6caccc7a1bb9d7442fbab521efbf6c1378c ] + +Packet length check needs to be located after size and align_count +calculation to prevent kernel panic in skb_pull() in case +rx_cmd_a & RX_CMD_A_RED evaluates to true. + +Fixes: d8b228318935 ("net: usb: smsc75xx: Limit packet length to skb->len") +Signed-off-by: Szymon Heidrich +Link: https://lore.kernel.org/r/20230316110540.77531-1-szymon.heidrich@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index 705bd31b18787..7c3e866514199 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -2199,6 +2199,13 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + size = (rx_cmd_a & RX_CMD_A_LEN) - RXW_PADDING; + align_count = (4 - ((size + RXW_PADDING) % 4)) % 4; + ++ if (unlikely(size > skb->len)) { ++ netif_dbg(dev, rx_err, dev->net, ++ "size err rx_cmd_a=0x%08x\n", ++ rx_cmd_a); ++ return 0; ++ } ++ + if (unlikely(rx_cmd_a & RX_CMD_A_RED)) { + netif_dbg(dev, rx_err, dev->net, + "Error rx_cmd_a=0x%08x\n", rx_cmd_a); +@@ -2211,8 +2218,7 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + dev->net->stats.rx_frame_errors++; + } else { + /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */ +- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) || +- size > skb->len)) { ++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) { + netif_dbg(dev, rx_err, dev->net, + "size err rx_cmd_a=0x%08x\n", + rx_cmd_a); +-- +2.39.2 + diff --git a/queue-5.15/netfilter-nft_masq-correct-length-for-loading-protoc.patch b/queue-5.15/netfilter-nft_masq-correct-length-for-loading-protoc.patch new file mode 100644 index 00000000000..b00386f79ac --- /dev/null +++ b/queue-5.15/netfilter-nft_masq-correct-length-for-loading-protoc.patch @@ -0,0 +1,39 @@ +From 3ffb3eb0186ac6d2b3e70f1198a0e94eeaecb12d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 23:22:57 +0000 +Subject: netfilter: nft_masq: correct length for loading protocol registers + +From: Jeremy Sowden + +[ Upstream commit ec2c5917eb858428b2083d1c74f445aabbe8316b ] + +The values in the protocol registers are two bytes wide. However, when +parsing the register loads, the code currently uses the larger 16-byte +size of a `union nf_inet_addr`. Change it to use the (correct) size of +a `union nf_conntrack_man_proto` instead. + +Fixes: 8a6bf5da1aef ("netfilter: nft_masq: support port range") +Signed-off-by: Jeremy Sowden +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_masq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c +index 9953e80537536..1818dbf089cad 100644 +--- a/net/netfilter/nft_masq.c ++++ b/net/netfilter/nft_masq.c +@@ -43,7 +43,7 @@ static int nft_masq_init(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nlattr * const tb[]) + { +- u32 plen = sizeof_field(struct nf_nat_range, min_addr.all); ++ u32 plen = sizeof_field(struct nf_nat_range, min_proto.all); + struct nft_masq *priv = nft_expr_priv(expr); + int err; + +-- +2.39.2 + diff --git a/queue-5.15/netfilter-nft_nat-correct-length-for-loading-protoco.patch b/queue-5.15/netfilter-nft_nat-correct-length-for-loading-protoco.patch new file mode 100644 index 00000000000..aa04d64273e --- /dev/null +++ b/queue-5.15/netfilter-nft_nat-correct-length-for-loading-protoco.patch @@ -0,0 +1,39 @@ +From de0e0ace38b1709e899158563216e071d7458cef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 23:22:56 +0000 +Subject: netfilter: nft_nat: correct length for loading protocol registers + +From: Jeremy Sowden + +[ Upstream commit 068d82e75d537b444303b8c449a11e51ea659565 ] + +The values in the protocol registers are two bytes wide. However, when +parsing the register loads, the code currently uses the larger 16-byte +size of a `union nf_inet_addr`. Change it to use the (correct) size of +a `union nf_conntrack_man_proto` instead. + +Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()") +Signed-off-by: Jeremy Sowden +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_nat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c +index db8f9116eeb43..cd4eb4996aff3 100644 +--- a/net/netfilter/nft_nat.c ++++ b/net/netfilter/nft_nat.c +@@ -226,7 +226,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + priv->flags |= NF_NAT_RANGE_MAP_IPS; + } + +- plen = sizeof_field(struct nf_nat_range, min_addr.all); ++ plen = sizeof_field(struct nf_nat_range, min_proto.all); + if (tb[NFTA_NAT_REG_PROTO_MIN]) { + err = nft_parse_register_load(tb[NFTA_NAT_REG_PROTO_MIN], + &priv->sreg_proto_min, plen); +-- +2.39.2 + diff --git a/queue-5.15/netfilter-nft_redir-correct-length-for-loading-proto.patch b/queue-5.15/netfilter-nft_redir-correct-length-for-loading-proto.patch new file mode 100644 index 00000000000..f463161886f --- /dev/null +++ b/queue-5.15/netfilter-nft_redir-correct-length-for-loading-proto.patch @@ -0,0 +1,39 @@ +From a1d2c5520cea55d492003d519a0e52c9208be35d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 23:22:58 +0000 +Subject: netfilter: nft_redir: correct length for loading protocol registers + +From: Jeremy Sowden + +[ Upstream commit 1f617b6b4c7a3d5ea7a56abb83a4c27733b60c2f ] + +The values in the protocol registers are two bytes wide. However, when +parsing the register loads, the code currently uses the larger 16-byte +size of a `union nf_inet_addr`. Change it to use the (correct) size of +a `union nf_conntrack_man_proto` instead. + +Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()") +Signed-off-by: Jeremy Sowden +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_redir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c +index ba09890dddb50..deb7e65c8d82b 100644 +--- a/net/netfilter/nft_redir.c ++++ b/net/netfilter/nft_redir.c +@@ -48,7 +48,7 @@ static int nft_redir_init(const struct nft_ctx *ctx, + unsigned int plen; + int err; + +- plen = sizeof_field(struct nf_nat_range, min_addr.all); ++ plen = sizeof_field(struct nf_nat_range, min_proto.all); + if (tb[NFTA_REDIR_REG_PROTO_MIN]) { + err = nft_parse_register_load(tb[NFTA_REDIR_REG_PROTO_MIN], + &priv->sreg_proto_min, plen); +-- +2.39.2 + diff --git a/queue-5.15/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch b/queue-5.15/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch new file mode 100644 index 00000000000..9c3694cbf4d --- /dev/null +++ b/queue-5.15/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch @@ -0,0 +1,37 @@ +From c1aabe988cde5d881f400fd21f8180535151d966 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 23:22:59 +0000 +Subject: netfilter: nft_redir: correct value of inet type `.maxattrs` + +From: Jeremy Sowden + +[ Upstream commit 493924519b1fe3faab13ee621a43b0d0939abab1 ] + +`nft_redir_inet_type.maxattrs` was being set, presumably because of a +cut-and-paste error, to `NFTA_MASQ_MAX`, instead of `NFTA_REDIR_MAX`. + +Fixes: 63ce3940f3ab ("netfilter: nft_redir: add inet support") +Signed-off-by: Jeremy Sowden +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_redir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c +index deb7e65c8d82b..e64f531d66cfc 100644 +--- a/net/netfilter/nft_redir.c ++++ b/net/netfilter/nft_redir.c +@@ -232,7 +232,7 @@ static struct nft_expr_type nft_redir_inet_type __read_mostly = { + .name = "redir", + .ops = &nft_redir_inet_ops, + .policy = nft_redir_policy, +- .maxattr = NFTA_MASQ_MAX, ++ .maxattr = NFTA_REDIR_MAX, + .owner = THIS_MODULE, + }; + +-- +2.39.2 + diff --git a/queue-5.15/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch b/queue-5.15/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch new file mode 100644 index 00000000000..c7b723ee097 --- /dev/null +++ b/queue-5.15/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch @@ -0,0 +1,65 @@ +From 6177fa47ae5a51122b43d4a1776f68fa7eba7f7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 19:50:50 +0300 +Subject: nfc: pn533: initialize struct pn533_out_arg properly + +From: Fedor Pchelkin + +[ Upstream commit 484b7059796e3bc1cb527caa61dfc60da649b4f6 ] + +struct pn533_out_arg used as a temporary context for out_urb is not +initialized properly. Its uninitialized 'phy' field can be dereferenced in +error cases inside pn533_out_complete() callback function. It causes the +following failure: + +general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc3-next-20230110-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +RIP: 0010:pn533_out_complete.cold+0x15/0x44 drivers/nfc/pn533/usb.c:441 +Call Trace: + + __usb_hcd_giveback_urb+0x2b6/0x5c0 drivers/usb/core/hcd.c:1671 + usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754 + dummy_timer+0x1203/0x32d0 drivers/usb/gadget/udc/dummy_hcd.c:1988 + call_timer_fn+0x1da/0x800 kernel/time/timer.c:1700 + expire_timers+0x234/0x330 kernel/time/timer.c:1751 + __run_timers kernel/time/timer.c:2022 [inline] + __run_timers kernel/time/timer.c:1995 [inline] + run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035 + __do_softirq+0x1fb/0xaf6 kernel/softirq.c:571 + invoke_softirq kernel/softirq.c:445 [inline] + __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 + irq_exit_rcu+0x9/0x20 kernel/softirq.c:662 + sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107 + +Initialize the field with the pn533_usb_phy currently used. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 9dab880d675b ("nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()") +Reported-by: syzbot+1e608ba4217c96d1952f@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230309165050.207390-1-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/pn533/usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c +index 62ad26e4299d1..47d423cc26081 100644 +--- a/drivers/nfc/pn533/usb.c ++++ b/drivers/nfc/pn533/usb.c +@@ -175,6 +175,7 @@ static int pn533_usb_send_frame(struct pn533 *dev, + print_hex_dump_debug("PN533 TX: ", DUMP_PREFIX_NONE, 16, 1, + out->data, out->len, false); + ++ arg.phy = phy; + init_completion(&arg.done); + cntx = phy->out_urb->context; + phy->out_urb->context = &arg; +-- +2.39.2 + diff --git a/queue-5.15/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch b/queue-5.15/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch new file mode 100644 index 00000000000..48a18ded84b --- /dev/null +++ b/queue-5.15/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch @@ -0,0 +1,72 @@ +From e8bc14d29826d4436853cf9782035202887e68bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 00:08:37 +0800 +Subject: nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition + +From: Zheng Wang + +[ Upstream commit 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 ] + +This bug influences both st_nci_i2c_remove and st_nci_spi_remove. +Take st_nci_i2c_remove as an example. + +In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work +with llt_ndlc_sm_work. + +When it calls ndlc_recv or timeout handler, it will finally call +schedule_work to start the work. + +When we call st_nci_i2c_remove to remove the driver, there +may be a sequence as follows: + +Fix it by finishing the work before cleanup in ndlc_remove + +CPU0 CPU1 + + |llt_ndlc_sm_work +st_nci_i2c_remove | + ndlc_remove | + st_nci_remove | + nci_free_device| + kfree(ndev) | +//free ndlc->ndev | + |llt_ndlc_rcv_queue + |nci_recv_frame + |//use ndlc->ndev + +Fixes: 35630df68d60 ("NFC: st21nfcb: Add driver for STMicroelectronics ST21NFCB NFC chip") +Signed-off-by: Zheng Wang +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230312160837.2040857-1-zyytlz.wz@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/ndlc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nfc/st-nci/ndlc.c b/drivers/nfc/st-nci/ndlc.c +index e9dc313b333e2..3564e3335a988 100644 +--- a/drivers/nfc/st-nci/ndlc.c ++++ b/drivers/nfc/st-nci/ndlc.c +@@ -286,13 +286,15 @@ EXPORT_SYMBOL(ndlc_probe); + + void ndlc_remove(struct llt_ndlc *ndlc) + { +- st_nci_remove(ndlc->ndev); +- + /* cancel timers */ + del_timer_sync(&ndlc->t1_timer); + del_timer_sync(&ndlc->t2_timer); + ndlc->t2_active = false; + ndlc->t1_active = false; ++ /* cancel work */ ++ cancel_work_sync(&ndlc->sm_work); ++ ++ st_nci_remove(ndlc->ndev); + + skb_queue_purge(&ndlc->rcv_q); + skb_queue_purge(&ndlc->send_q); +-- +2.39.2 + diff --git a/queue-5.15/nvme-fix-handling-single-range-discard-request.patch b/queue-5.15/nvme-fix-handling-single-range-discard-request.patch new file mode 100644 index 00000000000..ac70c9bbde4 --- /dev/null +++ b/queue-5.15/nvme-fix-handling-single-range-discard-request.patch @@ -0,0 +1,70 @@ +From fa961558b66be9d64fa53df3d52e06e8de04fce8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Mar 2023 07:13:45 +0800 +Subject: nvme: fix handling single range discard request + +From: Ming Lei + +[ Upstream commit 37f0dc2ec78af0c3f35dd05578763de059f6fe77 ] + +When investigating one customer report on warning in nvme_setup_discard, +we observed the controller(nvme/tcp) actually exposes +queue_max_discard_segments(req->q) == 1. + +Obviously the current code can't handle this situation, since contiguity +merge like normal RW request is taken. + +Fix the issue by building range from request sector/nr_sectors directly. + +Fixes: b35ba01ea697 ("nvme: support ranged discard requests") +Signed-off-by: Ming Lei +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 06750f3d52745..ef9d7a795b007 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -853,16 +853,26 @@ static blk_status_t nvme_setup_discard(struct nvme_ns *ns, struct request *req, + range = page_address(ns->ctrl->discard_page); + } + +- __rq_for_each_bio(bio, req) { +- u64 slba = nvme_sect_to_lba(ns, bio->bi_iter.bi_sector); +- u32 nlb = bio->bi_iter.bi_size >> ns->lba_shift; +- +- if (n < segments) { +- range[n].cattr = cpu_to_le32(0); +- range[n].nlb = cpu_to_le32(nlb); +- range[n].slba = cpu_to_le64(slba); ++ if (queue_max_discard_segments(req->q) == 1) { ++ u64 slba = nvme_sect_to_lba(ns, blk_rq_pos(req)); ++ u32 nlb = blk_rq_sectors(req) >> (ns->lba_shift - 9); ++ ++ range[0].cattr = cpu_to_le32(0); ++ range[0].nlb = cpu_to_le32(nlb); ++ range[0].slba = cpu_to_le64(slba); ++ n = 1; ++ } else { ++ __rq_for_each_bio(bio, req) { ++ u64 slba = nvme_sect_to_lba(ns, bio->bi_iter.bi_sector); ++ u32 nlb = bio->bi_iter.bi_size >> ns->lba_shift; ++ ++ if (n < segments) { ++ range[n].cattr = cpu_to_le32(0); ++ range[n].nlb = cpu_to_le32(nlb); ++ range[n].slba = cpu_to_le64(slba); ++ } ++ n++; + } +- n++; + } + + if (WARN_ON_ONCE(n != segments)) { +-- +2.39.2 + diff --git a/queue-5.15/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch b/queue-5.15/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch new file mode 100644 index 00000000000..2ac19b54c89 --- /dev/null +++ b/queue-5.15/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch @@ -0,0 +1,46 @@ +From e5a7c801771882d6bf407cfe732688b9299f3099 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 10:13:13 +0900 +Subject: nvmet: avoid potential UAF in nvmet_req_complete() + +From: Damien Le Moal + +[ Upstream commit 6173a77b7e9d3e202bdb9897b23f2a8afe7bf286 ] + +An nvme target ->queue_response() operation implementation may free the +request passed as argument. Such implementation potentially could result +in a use after free of the request pointer when percpu_ref_put() is +called in nvmet_req_complete(). + +Avoid such problem by using a local variable to save the sq pointer +before calling __nvmet_req_complete(), thus avoiding dereferencing the +req pointer after that function call. + +Fixes: a07b4970f464 ("nvmet: add a generic NVMe target") +Signed-off-by: Damien Le Moal +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index cfd0385511564..4c6d56dd29adc 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -756,8 +756,10 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status) + + void nvmet_req_complete(struct nvmet_req *req, u16 status) + { ++ struct nvmet_sq *sq = req->sq; ++ + __nvmet_req_complete(req, status); +- percpu_ref_put(&req->sq->ref); ++ percpu_ref_put(&sq->ref); + } + EXPORT_SYMBOL_GPL(nvmet_req_complete); + +-- +2.39.2 + diff --git a/queue-5.15/pci-s390-fix-use-after-free-of-pci-resources-with-pe.patch b/queue-5.15/pci-s390-fix-use-after-free-of-pci-resources-with-pe.patch new file mode 100644 index 00000000000..871f8155074 --- /dev/null +++ b/queue-5.15/pci-s390-fix-use-after-free-of-pci-resources-with-pe.patch @@ -0,0 +1,197 @@ +From bfddf28ab03d2c30943f2e6acf3f45f9bc83e677 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 16:10:11 +0100 +Subject: PCI: s390: Fix use-after-free of PCI resources with per-function + hotplug + +From: Niklas Schnelle + +[ Upstream commit ab909509850b27fd39b8ba99e44cda39dbc3858c ] + +On s390 PCI functions may be hotplugged individually even when they +belong to a multi-function device. In particular on an SR-IOV device VFs +may be removed and later re-added. + +In commit a50297cf8235 ("s390/pci: separate zbus creation from +scanning") it was missed however that struct pci_bus and struct +zpci_bus's resource list retained a reference to the PCI functions MMIO +resources even though those resources are released and freed on +hot-unplug. These stale resources may subsequently be claimed when the +PCI function re-appears resulting in use-after-free. + +One idea of fixing this use-after-free in s390 specific code that was +investigated was to simply keep resources around from the moment a PCI +function first appeared until the whole virtual PCI bus created for +a multi-function device disappears. The problem with this however is +that due to the requirement of artificial MMIO addreesses (address +cookies) extra logic is then needed to keep the address cookies +compatible on re-plug. At the same time the MMIO resources semantically +belong to the PCI function so tying their lifecycle to the function +seems more logical. + +Instead a simpler approach is to remove the resources of an individually +hot-unplugged PCI function from the PCI bus's resource list while +keeping the resources of other PCI functions on the PCI bus untouched. + +This is done by introducing pci_bus_remove_resource() to remove an +individual resource. Similarly the resource also needs to be removed +from the struct zpci_bus's resource list. It turns out however, that +there is really no need to add the MMIO resources to the struct +zpci_bus's resource list at all and instead we can simply use the +zpci_bar_struct's resource pointer directly. + +Fixes: a50297cf8235 ("s390/pci: separate zbus creation from scanning") +Signed-off-by: Niklas Schnelle +Reviewed-by: Matthew Rosato +Acked-by: Bjorn Helgaas +Link: https://lore.kernel.org/r/20230306151014.60913-2-schnelle@linux.ibm.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci.c | 16 ++++++++++------ + arch/s390/pci/pci_bus.c | 12 +++++------- + arch/s390/pci/pci_bus.h | 3 +-- + drivers/pci/bus.c | 21 +++++++++++++++++++++ + include/linux/pci.h | 1 + + 5 files changed, 38 insertions(+), 15 deletions(-) + +diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c +index 639924d983315..56c4cecdbbf9e 100644 +--- a/arch/s390/pci/pci.c ++++ b/arch/s390/pci/pci.c +@@ -503,8 +503,7 @@ static struct resource *__alloc_res(struct zpci_dev *zdev, unsigned long start, + return r; + } + +-int zpci_setup_bus_resources(struct zpci_dev *zdev, +- struct list_head *resources) ++int zpci_setup_bus_resources(struct zpci_dev *zdev) + { + unsigned long addr, size, flags; + struct resource *res; +@@ -540,7 +539,6 @@ int zpci_setup_bus_resources(struct zpci_dev *zdev, + return -ENOMEM; + } + zdev->bars[i].res = res; +- pci_add_resource(resources, res); + } + zdev->has_resources = 1; + +@@ -549,17 +547,23 @@ int zpci_setup_bus_resources(struct zpci_dev *zdev, + + static void zpci_cleanup_bus_resources(struct zpci_dev *zdev) + { ++ struct resource *res; + int i; + ++ pci_lock_rescan_remove(); + for (i = 0; i < PCI_STD_NUM_BARS; i++) { +- if (!zdev->bars[i].size || !zdev->bars[i].res) ++ res = zdev->bars[i].res; ++ if (!res) + continue; + ++ release_resource(res); ++ pci_bus_remove_resource(zdev->zbus->bus, res); + zpci_free_iomap(zdev, zdev->bars[i].map_idx); +- release_resource(zdev->bars[i].res); +- kfree(zdev->bars[i].res); ++ zdev->bars[i].res = NULL; ++ kfree(res); + } + zdev->has_resources = 0; ++ pci_unlock_rescan_remove(); + } + + int pcibios_add_device(struct pci_dev *pdev) +diff --git a/arch/s390/pci/pci_bus.c b/arch/s390/pci/pci_bus.c +index 5d77acbd1c872..cc7e5b22ccfb3 100644 +--- a/arch/s390/pci/pci_bus.c ++++ b/arch/s390/pci/pci_bus.c +@@ -41,9 +41,7 @@ static int zpci_nb_devices; + */ + static int zpci_bus_prepare_device(struct zpci_dev *zdev) + { +- struct resource_entry *window, *n; +- struct resource *res; +- int rc; ++ int rc, i; + + if (!zdev_enabled(zdev)) { + rc = zpci_enable_device(zdev); +@@ -57,10 +55,10 @@ static int zpci_bus_prepare_device(struct zpci_dev *zdev) + } + + if (!zdev->has_resources) { +- zpci_setup_bus_resources(zdev, &zdev->zbus->resources); +- resource_list_for_each_entry_safe(window, n, &zdev->zbus->resources) { +- res = window->res; +- pci_bus_add_resource(zdev->zbus->bus, res, 0); ++ zpci_setup_bus_resources(zdev); ++ for (i = 0; i < PCI_STD_NUM_BARS; i++) { ++ if (zdev->bars[i].res) ++ pci_bus_add_resource(zdev->zbus->bus, zdev->bars[i].res, 0); + } + } + +diff --git a/arch/s390/pci/pci_bus.h b/arch/s390/pci/pci_bus.h +index ecef3a9e16c00..c5aa9a2e5e3e5 100644 +--- a/arch/s390/pci/pci_bus.h ++++ b/arch/s390/pci/pci_bus.h +@@ -30,8 +30,7 @@ static inline void zpci_zdev_get(struct zpci_dev *zdev) + + int zpci_alloc_domain(int domain); + void zpci_free_domain(int domain); +-int zpci_setup_bus_resources(struct zpci_dev *zdev, +- struct list_head *resources); ++int zpci_setup_bus_resources(struct zpci_dev *zdev); + + static inline struct zpci_dev *get_zdev_by_bus(struct pci_bus *bus, + unsigned int devfn) +diff --git a/drivers/pci/bus.c b/drivers/pci/bus.c +index 3cef835b375fd..feafa378bf8ea 100644 +--- a/drivers/pci/bus.c ++++ b/drivers/pci/bus.c +@@ -76,6 +76,27 @@ struct resource *pci_bus_resource_n(const struct pci_bus *bus, int n) + } + EXPORT_SYMBOL_GPL(pci_bus_resource_n); + ++void pci_bus_remove_resource(struct pci_bus *bus, struct resource *res) ++{ ++ struct pci_bus_resource *bus_res, *tmp; ++ int i; ++ ++ for (i = 0; i < PCI_BRIDGE_RESOURCE_NUM; i++) { ++ if (bus->resource[i] == res) { ++ bus->resource[i] = NULL; ++ return; ++ } ++ } ++ ++ list_for_each_entry_safe(bus_res, tmp, &bus->resources, list) { ++ if (bus_res->res == res) { ++ list_del(&bus_res->list); ++ kfree(bus_res); ++ return; ++ } ++ } ++} ++ + void pci_bus_remove_resources(struct pci_bus *bus) + { + int i; +diff --git a/include/linux/pci.h b/include/linux/pci.h +index 34dd24c991804..7e471432a998c 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -1390,6 +1390,7 @@ void pci_bus_add_resource(struct pci_bus *bus, struct resource *res, + unsigned int flags); + struct resource *pci_bus_resource_n(const struct pci_bus *bus, int n); + void pci_bus_remove_resources(struct pci_bus *bus); ++void pci_bus_remove_resource(struct pci_bus *bus, struct resource *res); + int devm_request_pci_bus_resources(struct device *dev, + struct list_head *resources); + +-- +2.39.2 + diff --git a/queue-5.15/qed-qed_dev-guard-against-a-possible-division-by-zer.patch b/queue-5.15/qed-qed_dev-guard-against-a-possible-division-by-zer.patch new file mode 100644 index 00000000000..23d05bd507a --- /dev/null +++ b/queue-5.15/qed-qed_dev-guard-against-a-possible-division-by-zer.patch @@ -0,0 +1,46 @@ +From 995ef4c5f49b3f9d8aaf1b698abfdc5881b81ec7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 23:15:56 +0300 +Subject: qed/qed_dev: guard against a possible division by zero + +From: Daniil Tatianin + +[ Upstream commit 1a9dc5610ef89d807acdcfbff93a558f341a44da ] + +Previously we would divide total_left_rate by zero if num_vports +happened to be 1 because non_requested_count is calculated as +num_vports - req_count. Guard against this by validating num_vports at +the beginning and returning an error otherwise. + +Found by Linux Verification Center (linuxtesting.org) with the SVACE +static analysis tool. + +Fixes: bcd197c81f63 ("qed: Add vport WFQ configuration APIs") +Signed-off-by: Daniil Tatianin +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230309201556.191392-1-d-tatianin@yandex-team.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_dev.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c +index 0410c3604abdb..ba445724ee65e 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -5022,6 +5022,11 @@ static int qed_init_wfq_param(struct qed_hwfn *p_hwfn, + + num_vports = p_hwfn->qm_info.num_vports; + ++ if (num_vports < 2) { ++ DP_NOTICE(p_hwfn, "Unexpected num_vports: %d\n", num_vports); ++ return -EINVAL; ++ } ++ + /* Accounting for the vports which are configured for WFQ explicitly */ + for (i = 0; i < num_vports; i++) { + u32 tmp_speed; +-- +2.39.2 + diff --git a/queue-5.15/qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch b/queue-5.15/qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch new file mode 100644 index 00000000000..d33625b8f2c --- /dev/null +++ b/queue-5.15/qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch @@ -0,0 +1,40 @@ +From cd123de902fcc2c5f4d4b15ccaba8761f521090c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 22:46:18 +0300 +Subject: qed/qed_mng_tlv: correctly zero out ->min instead of ->hour + +From: Daniil Tatianin + +[ Upstream commit 470efd68a4653d9819d391489886432cd31bcd0b ] + +This fixes an issue where ->hour would erroneously get zeroed out +instead of ->min because of a bad copy paste. + +Found by Linux Verification Center (linuxtesting.org) with the SVACE +static analysis tool. + +Fixes: f240b6882211 ("qed: Add support for processing fcoe tlv request.") +Signed-off-by: Daniil Tatianin +Link: https://lore.kernel.org/r/20230315194618.579286-1-d-tatianin@yandex-team.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c b/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c +index 6190adf965bca..f55eed092f25d 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c +@@ -422,7 +422,7 @@ qed_mfw_get_tlv_time_value(struct qed_mfw_tlv_time *p_time, + if (p_time->hour > 23) + p_time->hour = 0; + if (p_time->min > 59) +- p_time->hour = 0; ++ p_time->min = 0; + if (p_time->msec > 999) + p_time->msec = 0; + if (p_time->usec > 999) +-- +2.39.2 + diff --git a/queue-5.15/ravb-avoid-phy-being-resumed-when-interface-is-not-u.patch b/queue-5.15/ravb-avoid-phy-being-resumed-when-interface-is-not-u.patch new file mode 100644 index 00000000000..9811123dd2f --- /dev/null +++ b/queue-5.15/ravb-avoid-phy-being-resumed-when-interface-is-not-u.patch @@ -0,0 +1,66 @@ +From af357035893cf088f95e0560d80123802ad58b58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 08:41:14 +0100 +Subject: ravb: avoid PHY being resumed when interface is not up + +From: Wolfram Sang + +[ Upstream commit 7f5ebf5dae42e710162f1c481ebcf28ab7b741c7 ] + +RAVB doesn't need mdiobus suspend/resume, that's why it sets +'mac_managed_pm'. However, setting it needs to be moved from init to +probe, so mdiobus PM functions will really never be called (e.g. when +the interface is not up yet during suspend/resume). + +Fixes: 4924c0cdce75 ("net: ravb: Fix PHY state warning splat during system resume") +Suggested-by: Heiner Kallweit +Signed-off-by: Wolfram Sang +Reviewed-by: Michal Kubiak +Reviewed-by: Sergey Shtylyov +Reviewed-by: Florian Fainelli +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index c6fe1cda7b889..12548eeef4f8a 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1115,8 +1115,6 @@ static int ravb_phy_init(struct net_device *ndev) + phy_remove_link_mode(phydev, ETHTOOL_LINK_MODE_1000baseT_Half_BIT); + phy_remove_link_mode(phydev, ETHTOOL_LINK_MODE_100baseT_Half_BIT); + +- /* Indicate that the MAC is responsible for managing PHY PM */ +- phydev->mac_managed_pm = true; + phy_attached_info(phydev); + + return 0; +@@ -1961,6 +1959,8 @@ static int ravb_mdio_init(struct ravb_private *priv) + { + struct platform_device *pdev = priv->pdev; + struct device *dev = &pdev->dev; ++ struct phy_device *phydev; ++ struct device_node *pn; + int error; + + /* Bitbang init */ +@@ -1982,6 +1982,14 @@ static int ravb_mdio_init(struct ravb_private *priv) + if (error) + goto out_free_bus; + ++ pn = of_parse_phandle(dev->of_node, "phy-handle", 0); ++ phydev = of_phy_find_device(pn); ++ if (phydev) { ++ phydev->mac_managed_pm = true; ++ put_device(&phydev->mdio.dev); ++ } ++ of_node_put(pn); ++ + return 0; + + out_free_bus: +-- +2.39.2 + diff --git a/queue-5.15/scsi-core-fix-a-procfs-host-directory-removal-regres.patch b/queue-5.15/scsi-core-fix-a-procfs-host-directory-removal-regres.patch new file mode 100644 index 00000000000..f0c30e856bf --- /dev/null +++ b/queue-5.15/scsi-core-fix-a-procfs-host-directory-removal-regres.patch @@ -0,0 +1,47 @@ +From 707fe20fe0ab2d5f3e5a0e003aaad4fb6b092cb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 13:44:28 -0800 +Subject: scsi: core: Fix a procfs host directory removal regression + +From: Bart Van Assche + +[ Upstream commit be03df3d4bfe7e8866d4aa43d62e648ffe884f5f ] + +scsi_proc_hostdir_rm() decreases a reference counter and hence must only be +called once per host that is removed. This change does not require a +scsi_add_host_with_dma() change since scsi_add_host_with_dma() will return +0 (success) if scsi_proc_host_add() is called. + +Fixes: fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier") +Cc: John Garry +Reported-by: John Garry +Link: https://lore.kernel.org/all/ed6b8027-a9d9-1b45-be8e-df4e8c6c4605@oracle.com/ +Reported-by: syzbot+645a4616b87a2f10e398@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-scsi/000000000000890fab05f65342b6@google.com/ +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20230307214428.3703498-1-bvanassche@acm.org +Tested-by: John Garry +Tested-by: Shin'ichiro Kawasaki +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hosts.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index 28b201c443267..7dc42d0e2a0dd 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -322,9 +322,6 @@ static void scsi_host_dev_release(struct device *dev) + struct Scsi_Host *shost = dev_to_shost(dev); + struct device *parent = dev->parent; + +- /* In case scsi_remove_host() has not been called. */ +- scsi_proc_hostdir_rm(shost->hostt); +- + /* Wait for functions invoked through call_rcu(&scmd->rcu, ...) */ + rcu_barrier(); + +-- +2.39.2 + diff --git a/queue-5.15/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch b/queue-5.15/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch new file mode 100644 index 00000000000..0a1b1f6d085 --- /dev/null +++ b/queue-5.15/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch @@ -0,0 +1,77 @@ +From e6ccb893834cce9a2eb583a54a08e2c59535fb2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Feb 2023 18:01:36 +0800 +Subject: scsi: mpt3sas: Fix NULL pointer access in + mpt3sas_transport_port_add() + +From: Wenchao Hao + +[ Upstream commit d3c57724f1569311e4b81e98fad0931028b9bdcd ] + +Port is allocated by sas_port_alloc_num() and rphy is allocated by either +sas_end_device_alloc() or sas_expander_alloc(), all of which may return +NULL. So we need to check the rphy to avoid possible NULL pointer access. + +If sas_rphy_add() returned with failure, rphy is set to NULL. We would +access the rphy in the following lines which would also result NULL pointer +access. + +Fixes: 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()") +Signed-off-by: Wenchao Hao +Link: https://lore.kernel.org/r/20230225100135.2109330-1-haowenchao2@huawei.com +Acked-by: Sathya Prakash Veerichetty +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c +index e5ecd6ada6cdd..e8a4750f6ec47 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c +@@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, + goto out_fail; + } + port = sas_port_alloc_num(sas_node->parent_dev); +- if ((sas_port_add(port))) { ++ if (!port || (sas_port_add(port))) { + ioc_err(ioc, "failure at %s:%d/%s()!\n", + __FILE__, __LINE__, __func__); + goto out_fail; +@@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, + mpt3sas_port->remote_identify.sas_address; + } + ++ if (!rphy) { ++ ioc_err(ioc, "failure at %s:%d/%s()!\n", ++ __FILE__, __LINE__, __func__); ++ goto out_delete_port; ++ } ++ + rphy->identify = mpt3sas_port->remote_identify; + + if ((sas_rphy_add(rphy))) { +@@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, + __FILE__, __LINE__, __func__); + sas_rphy_free(rphy); + rphy = NULL; ++ goto out_delete_port; + } + + if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) { +@@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, + rphy_to_expander_device(rphy), hba_port->port_id); + return mpt3sas_port; + +- out_fail: ++out_delete_port: ++ sas_port_delete(port); ++ ++out_fail: + list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list, + port_siblings) + list_del(&mpt3sas_phy->port_siblings); +-- +2.39.2 + diff --git a/queue-5.15/selftests-net-devlink_port_split.py-skip-test-if-no-.patch b/queue-5.15/selftests-net-devlink_port_split.py-skip-test-if-no-.patch new file mode 100644 index 00000000000..a90b63f09ca --- /dev/null +++ b/queue-5.15/selftests-net-devlink_port_split.py-skip-test-if-no-.patch @@ -0,0 +1,120 @@ +From 03e8d4d6d377ce04db6c79b0127dddcc46df737c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 00:53:53 +0800 +Subject: selftests: net: devlink_port_split.py: skip test if no suitable + device available + +From: Po-Hsu Lin + +[ Upstream commit 24994513ad13ff2c47ba91d2b5df82c3d496c370 ] + +The `devlink -j port show` command output may not contain the "flavour" +key, an example from Ubuntu 22.10 s390x LPAR(5.19.0-37-generic), with +mlx4 driver and iproute2-5.15.0: + {"port":{"pci/0001:00:00.0/1":{"type":"eth","netdev":"ens301"}, + "pci/0001:00:00.0/2":{"type":"eth","netdev":"ens301d1"}, + "pci/0002:00:00.0/1":{"type":"eth","netdev":"ens317"}, + "pci/0002:00:00.0/2":{"type":"eth","netdev":"ens317d1"}}} + +This will cause a KeyError exception. + +Create a validate_devlink_output() to check for this "flavour" from +devlink command output to avoid this KeyError exception. Also let +it handle the check for `devlink -j dev show` output in main(). + +Apart from this, if the test was not started because the max lanes of +the designated device is 0. The script will still return 0 and thus +causing a false-negative test result. + +Use a found_max_lanes flag to determine if these tests were skipped +due to this reason and return KSFT_SKIP to make it more clear. + +Link: https://bugs.launchpad.net/bugs/1937133 +Fixes: f3348a82e727 ("selftests: net: Add port split test") +Signed-off-by: Po-Hsu Lin +Link: https://lore.kernel.org/r/20230315165353.229590-1-po-hsu.lin@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../selftests/net/devlink_port_split.py | 36 ++++++++++++++++--- + 1 file changed, 31 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/net/devlink_port_split.py b/tools/testing/selftests/net/devlink_port_split.py +index 2b5d6ff873738..2d84c7a0be6b2 100755 +--- a/tools/testing/selftests/net/devlink_port_split.py ++++ b/tools/testing/selftests/net/devlink_port_split.py +@@ -59,6 +59,8 @@ class devlink_ports(object): + assert stderr == "" + ports = json.loads(stdout)['port'] + ++ validate_devlink_output(ports, 'flavour') ++ + for port in ports: + if dev in port: + if ports[port]['flavour'] == 'physical': +@@ -220,6 +222,27 @@ def split_splittable_port(port, k, lanes, dev): + unsplit(port.bus_info) + + ++def validate_devlink_output(devlink_data, target_property=None): ++ """ ++ Determine if test should be skipped by checking: ++ 1. devlink_data contains values ++ 2. The target_property exist in devlink_data ++ """ ++ skip_reason = None ++ if any(devlink_data.values()): ++ if target_property: ++ skip_reason = "{} not found in devlink output, test skipped".format(target_property) ++ for key in devlink_data: ++ if target_property in devlink_data[key]: ++ skip_reason = None ++ else: ++ skip_reason = 'devlink output is empty, test skipped' ++ ++ if skip_reason: ++ print(skip_reason) ++ sys.exit(KSFT_SKIP) ++ ++ + def make_parser(): + parser = argparse.ArgumentParser(description='A test for port splitting.') + parser.add_argument('--dev', +@@ -240,12 +263,9 @@ def main(cmdline=None): + stdout, stderr = run_command(cmd) + assert stderr == "" + ++ validate_devlink_output(json.loads(stdout)) + devs = json.loads(stdout)['dev'] +- if devs: +- dev = list(devs.keys())[0] +- else: +- print("no devlink device was found, test skipped") +- sys.exit(KSFT_SKIP) ++ dev = list(devs.keys())[0] + + cmd = "devlink dev show %s" % dev + stdout, stderr = run_command(cmd) +@@ -255,6 +275,7 @@ def main(cmdline=None): + + ports = devlink_ports(dev) + ++ found_max_lanes = False + for port in ports.if_names: + max_lanes = get_max_lanes(port.name) + +@@ -277,6 +298,11 @@ def main(cmdline=None): + split_splittable_port(port, lane, max_lanes, dev) + + lane //= 2 ++ found_max_lanes = True ++ ++ if not found_max_lanes: ++ print(f"Test not started, no port of device {dev} reports max_lanes") ++ sys.exit(KSFT_SKIP) + + + if __name__ == "__main__": +-- +2.39.2 + diff --git a/queue-5.15/series b/queue-5.15/series new file mode 100644 index 00000000000..968bda28ad2 --- /dev/null +++ b/queue-5.15/series @@ -0,0 +1,52 @@ +xfrm-allow-transport-mode-states-with-af_unspec-sele.patch +drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch +cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch +drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch +clk-hi655x-select-regmap-instead-of-depending-on-it.patch +docs-correct-missing-d_-prefix-for-dentry_operations.patch +scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch +alsa-hda-match-only-intel-devices-with-controller_in.patch +netfilter-nft_nat-correct-length-for-loading-protoco.patch +netfilter-nft_masq-correct-length-for-loading-protoc.patch +netfilter-nft_redir-correct-length-for-loading-proto.patch +netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch +scsi-core-fix-a-procfs-host-directory-removal-regres.patch +tcp-tcp_make_synack-can-be-called-from-process-conte.patch +nfc-pn533-initialize-struct-pn533_out_arg-properly.patch +ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch +i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch +vdpa_sim-not-reset-state-in-vdpasim_queue_ready.patch +vdpa_sim-set-last_used_idx-as-last_avail_idx-in-vdpa.patch +pci-s390-fix-use-after-free-of-pci-resources-with-pe.patch +drm-i915-display-workaround-cursor-left-overs-with-p.patch +drm-i915-display-psr-use-drm-damage-helpers-to-calcu.patch +drm-i915-display-psr-handle-plane-and-pipe-restricti.patch +drm-i915-display-clean-up-comments.patch +drm-i915-psr-use-calculated-io-and-fast-wake-lines.patch +net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch +qed-qed_dev-guard-against-a-possible-division-by-zer.patch +net-dsa-mt7530-remove-now-incorrect-comment-regardin.patch +net-dsa-mt7530-set-pll-frequency-and-trgmii-only-whe.patch +loop-fix-use-after-free-issues.patch +net-tunnels-annotate-lockless-accesses-to-dev-needed.patch +net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch +nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch +net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch +net-usb-smsc75xx-limit-packet-length-to-skb-len.patch +drm-bridge-fix-returned-array-size-name-for-atomic_g.patch +block-null_blk-fix-handling-of-fake-timeout-request.patch +nvme-fix-handling-single-range-discard-request.patch +nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch +block-sunvdc-add-check-for-mdesc_grab-returning-null.patch +ice-xsk-disable-txq-irq-before-flushing-hw.patch +net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch +ravb-avoid-phy-being-resumed-when-interface-is-not-u.patch +sh_eth-avoid-phy-being-resumed-when-interface-is-not.patch +ipv4-fix-incorrect-table-id-in-ioctl-path.patch +net-usb-smsc75xx-move-packet-length-check-to-prevent.patch +net-iucv-fix-size-of-interrupt-data.patch +selftests-net-devlink_port_split.py-skip-test-if-no-.patch +qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch +ethernet-sun-add-check-for-the-mdesc_grab.patch +bonding-restore-iff_master-slave-flags-on-bond-ensla.patch +bonding-restore-bond-s-iff_slave-flag-if-a-non-eth-d.patch diff --git a/queue-5.15/sh_eth-avoid-phy-being-resumed-when-interface-is-not.patch b/queue-5.15/sh_eth-avoid-phy-being-resumed-when-interface-is-not.patch new file mode 100644 index 00000000000..6cd41f21d5a --- /dev/null +++ b/queue-5.15/sh_eth-avoid-phy-being-resumed-when-interface-is-not.patch @@ -0,0 +1,65 @@ +From 63d065306188ac77af896fc84973ac107714046d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 08:41:15 +0100 +Subject: sh_eth: avoid PHY being resumed when interface is not up + +From: Wolfram Sang + +[ Upstream commit c6be7136afb224a01d4cde2983ddebac8da98693 ] + +SH_ETH doesn't need mdiobus suspend/resume, that's why it sets +'mac_managed_pm'. However, setting it needs to be moved from init to +probe, so mdiobus PM functions will really never be called (e.g. when +the interface is not up yet during suspend/resume). + +Fixes: 6a1dbfefdae4 ("net: sh_eth: Fix PHY state warning splat during system resume") +Suggested-by: Heiner Kallweit +Signed-off-by: Wolfram Sang +Reviewed-by: Michal Kubiak +Reviewed-by: Sergey Shtylyov +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/sh_eth.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index 4e190f5e32c3d..b6e426d8014d1 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2033,8 +2033,6 @@ static int sh_eth_phy_init(struct net_device *ndev) + } + } + +- /* Indicate that the MAC is responsible for managing PHY PM */ +- phydev->mac_managed_pm = true; + phy_attached_info(phydev); + + return 0; +@@ -3074,6 +3072,8 @@ static int sh_mdio_init(struct sh_eth_private *mdp, + struct bb_info *bitbang; + struct platform_device *pdev = mdp->pdev; + struct device *dev = &mdp->pdev->dev; ++ struct phy_device *phydev; ++ struct device_node *pn; + + /* create bit control struct for PHY */ + bitbang = devm_kzalloc(dev, sizeof(struct bb_info), GFP_KERNEL); +@@ -3108,6 +3108,14 @@ static int sh_mdio_init(struct sh_eth_private *mdp, + if (ret) + goto out_free_bus; + ++ pn = of_parse_phandle(dev->of_node, "phy-handle", 0); ++ phydev = of_phy_find_device(pn); ++ if (phydev) { ++ phydev->mac_managed_pm = true; ++ put_device(&phydev->mdio.dev); ++ } ++ of_node_put(pn); ++ + return 0; + + out_free_bus: +-- +2.39.2 + diff --git a/queue-5.15/tcp-tcp_make_synack-can-be-called-from-process-conte.patch b/queue-5.15/tcp-tcp_make_synack-can-be-called-from-process-conte.patch new file mode 100644 index 00000000000..f24dcaa6c28 --- /dev/null +++ b/queue-5.15/tcp-tcp_make_synack-can-be-called-from-process-conte.patch @@ -0,0 +1,64 @@ +From 261a323db33a7860b21c974ca0c05a15a0561bf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 11:07:45 -0800 +Subject: tcp: tcp_make_synack() can be called from process context + +From: Breno Leitao + +[ Upstream commit bced3f7db95ff2e6ca29dc4d1c9751ab5e736a09 ] + +tcp_rtx_synack() now could be called in process context as explained in +0a375c822497 ("tcp: tcp_rtx_synack() can be called from process +context"). + +tcp_rtx_synack() might call tcp_make_synack(), which will touch per-CPU +variables with preemption enabled. This causes the following BUG: + + BUG: using __this_cpu_add() in preemptible [00000000] code: ThriftIO1/5464 + caller is tcp_make_synack+0x841/0xac0 + Call Trace: + + dump_stack_lvl+0x10d/0x1a0 + check_preemption_disabled+0x104/0x110 + tcp_make_synack+0x841/0xac0 + tcp_v6_send_synack+0x5c/0x450 + tcp_rtx_synack+0xeb/0x1f0 + inet_rtx_syn_ack+0x34/0x60 + tcp_check_req+0x3af/0x9e0 + tcp_rcv_state_process+0x59b/0x2030 + tcp_v6_do_rcv+0x5f5/0x700 + release_sock+0x3a/0xf0 + tcp_sendmsg+0x33/0x40 + ____sys_sendmsg+0x2f2/0x490 + __sys_sendmsg+0x184/0x230 + do_syscall_64+0x3d/0x90 + +Avoid calling __TCP_INC_STATS() with will touch per-cpu variables. Use +TCP_INC_STATS() which is safe to be called from context switch. + +Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners") +Signed-off-by: Breno Leitao +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230308190745.780221-1-leitao@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 33ba1268a111f..1f39b56bbab32 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3610,7 +3610,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst, + th->window = htons(min(req->rsk_rcv_wnd, 65535U)); + tcp_options_write((__be32 *)(th + 1), NULL, &opts); + th->doff = (tcp_header_size >> 2); +- __TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS); ++ TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS); + + #ifdef CONFIG_TCP_MD5SIG + /* Okay, we have all we need - do the md5 hash if needed */ +-- +2.39.2 + diff --git a/queue-5.15/vdpa_sim-not-reset-state-in-vdpasim_queue_ready.patch b/queue-5.15/vdpa_sim-not-reset-state-in-vdpasim_queue_ready.patch new file mode 100644 index 00000000000..12854326a67 --- /dev/null +++ b/queue-5.15/vdpa_sim-not-reset-state-in-vdpasim_queue_ready.patch @@ -0,0 +1,54 @@ +From 08759aa26e261c88e56bdedd0da58c17c4b1e055 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 17:43:58 +0100 +Subject: vdpa_sim: not reset state in vdpasim_queue_ready +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eugenio Pérez + +[ Upstream commit 0e84f918fac8ae61dcb790534fad5e3555ca2930 ] + +vdpasim_queue_ready calls vringh_init_iotlb, which resets split indexes. +But it can be called after setting a ring base with +vdpasim_set_vq_state. + +Fix it by stashing them. They're still resetted in vdpasim_vq_reset. + +This was discovered and tested live migrating the vdpa_sim_net device. + +Fixes: 2c53d0f64c06 ("vdpasim: vDPA device simulator") +Signed-off-by: Eugenio Pérez +Message-Id: <20230118164359.1523760-2-eperezma@redhat.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Tested-by: Lei Yang +Signed-off-by: Sasha Levin +--- + drivers/vdpa/vdpa_sim/vdpa_sim.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c +index 4d9e3fdae5f6c..eeda45fbba258 100644 +--- a/drivers/vdpa/vdpa_sim/vdpa_sim.c ++++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c +@@ -65,6 +65,7 @@ static void vdpasim_vq_notify(struct vringh *vring) + static void vdpasim_queue_ready(struct vdpasim *vdpasim, unsigned int idx) + { + struct vdpasim_virtqueue *vq = &vdpasim->vqs[idx]; ++ uint16_t last_avail_idx = vq->vring.last_avail_idx; + + vringh_init_iotlb(&vq->vring, vdpasim->features, vq->num, false, + (struct vring_desc *)(uintptr_t)vq->desc_addr, +@@ -73,6 +74,7 @@ static void vdpasim_queue_ready(struct vdpasim *vdpasim, unsigned int idx) + (struct vring_used *) + (uintptr_t)vq->device_addr); + ++ vq->vring.last_avail_idx = last_avail_idx; + vq->vring.notify = vdpasim_vq_notify; + } + +-- +2.39.2 + diff --git a/queue-5.15/vdpa_sim-set-last_used_idx-as-last_avail_idx-in-vdpa.patch b/queue-5.15/vdpa_sim-set-last_used_idx-as-last_avail_idx-in-vdpa.patch new file mode 100644 index 00000000000..c470baaa18a --- /dev/null +++ b/queue-5.15/vdpa_sim-set-last_used_idx-as-last_avail_idx-in-vdpa.patch @@ -0,0 +1,66 @@ +From c188aff218d15f8a3f9d24ab6f3b7dc7e08199a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 19:18:57 +0100 +Subject: vdpa_sim: set last_used_idx as last_avail_idx in vdpasim_queue_ready +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eugenio Pérez + +[ Upstream commit b4cca6d48eb3fa6f0d9caba4329b1a2b0ff67a77 ] + +Starting from an used_idx different than 0 is needed in use cases like +virtual machine migration. Not doing so and letting the caller set an +avail idx different than 0 causes destination device to try to use old +buffers that source driver already recover and are not available +anymore. + +Since vdpa_sim does not support receive inflight descriptors as a +destination of a migration, let's set both avail_idx and used_idx the +same at vq start. This is how vhost-user works in a +VHOST_SET_VRING_BASE call. + +Although the simple fix is to set last_used_idx at vdpasim_set_vq_state, +it would be reset at vdpasim_queue_ready. The last_avail_idx case is +fixed with commit 0e84f918fac8 ("vdpa_sim: not reset state in +vdpasim_queue_ready"). Since the only option is to make it equal to +last_avail_idx, adding the only change needed here. + +This was discovered and tested live migrating the vdpa_sim_net device. + +Fixes: 2c53d0f64c06 ("vdpasim: vDPA device simulator") +Reviewed-by: Stefano Garzarella +Signed-off-by: Eugenio Pérez +Message-Id: <20230302181857.925374-1-eperezma@redhat.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vdpa/vdpa_sim/vdpa_sim.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c +index eeda45fbba258..3ccefa58e405c 100644 +--- a/drivers/vdpa/vdpa_sim/vdpa_sim.c ++++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c +@@ -75,6 +75,17 @@ static void vdpasim_queue_ready(struct vdpasim *vdpasim, unsigned int idx) + (uintptr_t)vq->device_addr); + + vq->vring.last_avail_idx = last_avail_idx; ++ ++ /* ++ * Since vdpa_sim does not support receive inflight descriptors as a ++ * destination of a migration, let's set both avail_idx and used_idx ++ * the same at vq start. This is how vhost-user works in a ++ * VHOST_SET_VRING_BASE call. ++ * ++ * Although the simple fix is to set last_used_idx at ++ * vdpasim_set_vq_state, it would be reset at vdpasim_queue_ready. ++ */ ++ vq->vring.last_used_idx = last_avail_idx; + vq->vring.notify = vdpasim_vq_notify; + } + +-- +2.39.2 + diff --git a/queue-5.15/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch b/queue-5.15/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch new file mode 100644 index 00000000000..a2273536621 --- /dev/null +++ b/queue-5.15/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch @@ -0,0 +1,44 @@ +From 159137983a8cd371cf2da5c16d485401e0dd9153 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Feb 2023 13:54:00 +0800 +Subject: xfrm: Allow transport-mode states with AF_UNSPEC selector + +From: Herbert Xu + +[ Upstream commit c276a706ea1f51cf9723ed8484feceaf961b8f89 ] + +xfrm state selectors are matched against the inner-most flow +which can be of any address family. Therefore middle states +in nested configurations need to carry a wildcard selector in +order to work at all. + +However, this is currently forbidden for transport-mode states. + +Fix this by removing the unnecessary check. + +Fixes: 13996378e658 ("[IPSEC]: Rename mode to outer_mode and add inner_mode") +Reported-by: David George +Signed-off-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 15132b080614c..60f3ea5561ddf 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -2643,9 +2643,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload) + if (inner_mode == NULL) + goto error; + +- if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) +- goto error; +- + x->inner_mode = *inner_mode; + + if (x->props.family == AF_INET) +-- +2.39.2 +