From: Greg Kroah-Hartman Date: Sat, 12 Aug 2023 18:02:40 +0000 (+0200) Subject: 6.4-stable patches X-Git-Tag: v4.14.323~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5126eae583dc52a5e3974b2a6492e9eaea9b888;p=thirdparty%2Fkernel%2Fstable-queue.git 6.4-stable patches added patches: bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch dccp-fix-data-race-around-dp-dccps_mss_cache.patch drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch drm-amd-display-don-t-show-stack-trace-for-missing-edp.patch drm-bridge-it6505-check-power-state-with-it6505-powered-in-irq-handler.patch drm-nouveau-remove-unused-tu102_gr_load-function.patch drm-rockchip-don-t-spam-logs-in-atomic-check.patch iavf-fix-potential-races-for-fdir-filters.patch ib-hfi1-fix-possible-panic-during-hotplug-remove.patch igc-add-lock-to-safeguard-global-qbv-variables.patch ionic-add-missing-err-handling-for-queue-reconfig.patch mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch net-packet-annotate-data-races-around-tp-status.patch net-smc-fix-setsockopt-and-sysctl-to-specify-same-buffer-size-again.patch net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch pci-move-of-status-disabled-detection-to-dev-match_driver.patch tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch vlan-fix-vlan-0-memory-leak.patch wifi-brcm80211-handle-params_v1-allocation-failure.patch wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch xsk-fix-refcount-underflow-in-error-path.patch --- diff --git a/queue-6.4/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch b/queue-6.4/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch new file mode 100644 index 00000000000..9449f2d1fd4 --- /dev/null +++ b/queue-6.4/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch @@ -0,0 +1,82 @@ +From 01f4fd27087078c90a0e22860d1dfa2cd0510791 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 2 Aug 2023 19:43:20 +0800 +Subject: bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves + +From: Ziyang Xuan + +commit 01f4fd27087078c90a0e22860d1dfa2cd0510791 upstream. + +BUG_ON(!vlan_info) is triggered in unregister_vlan_dev() with +following testcase: + + # ip netns add ns1 + # ip netns exec ns1 ip link add bond0 type bond mode 0 + # ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2 + # ip netns exec ns1 ip link set bond_slave_1 master bond0 + # ip netns exec ns1 ip link add link bond_slave_1 name vlan10 type vlan id 10 protocol 802.1ad + # ip netns exec ns1 ip link add link bond0 name bond0_vlan10 type vlan id 10 protocol 802.1ad + # ip netns exec ns1 ip link set bond_slave_1 nomaster + # ip netns del ns1 + +The logical analysis of the problem is as follows: + +1. create ETH_P_8021AD protocol vlan10 for bond_slave_1: +register_vlan_dev() + vlan_vid_add() + vlan_info_alloc() + __vlan_vid_add() // add [ETH_P_8021AD, 10] vid to bond_slave_1 + +2. create ETH_P_8021AD protocol bond0_vlan10 for bond0: +register_vlan_dev() + vlan_vid_add() + __vlan_vid_add() + vlan_add_rx_filter_info() + if (!vlan_hw_filter_capable(dev, proto)) // condition established because bond0 without NETIF_F_HW_VLAN_STAG_FILTER + return 0; + + if (netif_device_present(dev)) + return dev->netdev_ops->ndo_vlan_rx_add_vid(dev, proto, vid); // will be never called + // The slaves of bond0 will not refer to the [ETH_P_8021AD, 10] vid. + +3. detach bond_slave_1 from bond0: +__bond_release_one() + vlan_vids_del_by_dev() + list_for_each_entry(vid_info, &vlan_info->vid_list, list) + vlan_vid_del(dev, vid_info->proto, vid_info->vid); + // bond_slave_1 [ETH_P_8021AD, 10] vid will be deleted. + // bond_slave_1->vlan_info will be assigned NULL. + +4. delete vlan10 during delete ns1: +default_device_exit_batch() + dev->rtnl_link_ops->dellink() // unregister_vlan_dev() for vlan10 + vlan_info = rtnl_dereference(real_dev->vlan_info); // real_dev of vlan10 is bond_slave_1 + BUG_ON(!vlan_info); // bond_slave_1->vlan_info is NULL now, bug is triggered!!! + +Add S-VLAN tag related features support to bond driver. So the bond driver +will always propagate the VLAN info to its slaves. + +Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support") +Suggested-by: Ido Schimmel +Signed-off-by: Ziyang Xuan +Reviewed-by: Ido Schimmel +Link: https://lore.kernel.org/r/20230802114320.4156068-1-william.xuanziyang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -5898,7 +5898,9 @@ void bond_setup(struct net_device *bond_ + + bond_dev->hw_features = BOND_VLAN_FEATURES | + NETIF_F_HW_VLAN_CTAG_RX | +- NETIF_F_HW_VLAN_CTAG_FILTER; ++ NETIF_F_HW_VLAN_CTAG_FILTER | ++ NETIF_F_HW_VLAN_STAG_RX | ++ NETIF_F_HW_VLAN_STAG_FILTER; + + bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL; + bond_dev->features |= bond_dev->hw_features; diff --git a/queue-6.4/dccp-fix-data-race-around-dp-dccps_mss_cache.patch b/queue-6.4/dccp-fix-data-race-around-dp-dccps_mss_cache.patch new file mode 100644 index 00000000000..fb14e8aa740 --- /dev/null +++ b/queue-6.4/dccp-fix-data-race-around-dp-dccps_mss_cache.patch @@ -0,0 +1,71 @@ +From a47e598fbd8617967e49d85c49c22f9fc642704c Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 3 Aug 2023 16:30:21 +0000 +Subject: dccp: fix data-race around dp->dccps_mss_cache + +From: Eric Dumazet + +commit a47e598fbd8617967e49d85c49c22f9fc642704c upstream. + +dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. +Same thing in do_dccp_getsockopt(). + +Add READ_ONCE()/WRITE_ONCE() annotations, +and change dccp_sendmsg() to check again dccps_mss_cache +after socket is locked. + +Fixes: 7c657876b63c ("[DCCP]: Initial implementation") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230803163021.2958262-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/output.c | 2 +- + net/dccp/proto.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 3 deletions(-) + +--- a/net/dccp/output.c ++++ b/net/dccp/output.c +@@ -187,7 +187,7 @@ unsigned int dccp_sync_mss(struct sock * + + /* And store cached results */ + icsk->icsk_pmtu_cookie = pmtu; +- dp->dccps_mss_cache = cur_mps; ++ WRITE_ONCE(dp->dccps_mss_cache, cur_mps); + + return cur_mps; + } +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -630,7 +630,7 @@ static int do_dccp_getsockopt(struct soc + return dccp_getsockopt_service(sk, len, + (__be32 __user *)optval, optlen); + case DCCP_SOCKOPT_GET_CUR_MPS: +- val = dp->dccps_mss_cache; ++ val = READ_ONCE(dp->dccps_mss_cache); + break; + case DCCP_SOCKOPT_AVAILABLE_CCIDS: + return ccid_getsockopt_builtin_ccids(sk, len, optval, optlen); +@@ -739,7 +739,7 @@ int dccp_sendmsg(struct sock *sk, struct + + trace_dccp_probe(sk, len); + +- if (len > dp->dccps_mss_cache) ++ if (len > READ_ONCE(dp->dccps_mss_cache)) + return -EMSGSIZE; + + lock_sock(sk); +@@ -772,6 +772,12 @@ int dccp_sendmsg(struct sock *sk, struct + goto out_discard; + } + ++ /* We need to check dccps_mss_cache after socket is locked. */ ++ if (len > dp->dccps_mss_cache) { ++ rc = -EMSGSIZE; ++ goto out_discard; ++ } ++ + skb_reserve(skb, sk->sk_prot->max_header); + rc = memcpy_from_msg(skb_put(skb, len), msg, len); + if (rc != 0) diff --git a/queue-6.4/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch b/queue-6.4/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch new file mode 100644 index 00000000000..117a079b239 --- /dev/null +++ b/queue-6.4/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch @@ -0,0 +1,40 @@ +From 59eeb232940515590de513b997539ef495faca9a Mon Sep 17 00:00:00 2001 +From: Andrew Kanner +Date: Thu, 3 Aug 2023 20:59:48 +0200 +Subject: drivers: net: prevent tun_build_skb() to exceed the packet size limit + +From: Andrew Kanner + +commit 59eeb232940515590de513b997539ef495faca9a upstream. + +Using the syzkaller repro with reduced packet size it was discovered +that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(), +although pad may be incremented in tun_build_skb(). This may end up +with exceeding the PAGE_SIZE limit in tun_build_skb(). + +Jason Wang proposed to count XDP_PACKET_HEADROOM +always (e.g. without rcu_access_pointer(tun->xdp_prog)) in +tun_can_build_skb() since there's a window during which XDP program +might be attached between tun_can_build_skb() and tun_build_skb(). + +Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set") +Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a +Signed-off-by: Andrew Kanner +Link: https://lore.kernel.org/r/20230803185947.2379988-1-andrew.kanner@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1594,7 +1594,7 @@ static bool tun_can_build_skb(struct tun + if (zerocopy) + return false; + +- if (SKB_DATA_ALIGN(len + TUN_RX_PAD) + ++ if (SKB_DATA_ALIGN(len + TUN_RX_PAD + XDP_PACKET_HEADROOM) + + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE) + return false; + diff --git a/queue-6.4/drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch b/queue-6.4/drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch new file mode 100644 index 00000000000..63bc1f48b02 --- /dev/null +++ b/queue-6.4/drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch @@ -0,0 +1,60 @@ +From b1c936e9af5dd08636d568736fc6075ed9d1d529 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Fri, 4 Aug 2023 18:53:36 +0300 +Subject: drivers: vxlan: vnifilter: free percpu vni stats on error path + +From: Fedor Pchelkin + +commit b1c936e9af5dd08636d568736fc6075ed9d1d529 upstream. + +In case rhashtable_lookup_insert_fast() fails inside vxlan_vni_add(), the +allocated percpu vni stats are not freed on the error path. + +Introduce vxlan_vni_free() which would work as a nice wrapper to free +vxlan_vni_node resources properly. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: 4095e0e1328a ("drivers: vxlan: vnifilter: per vni stats") +Suggested-by: Ido Schimmel +Signed-off-by: Fedor Pchelkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan/vxlan_vnifilter.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/vxlan/vxlan_vnifilter.c ++++ b/drivers/net/vxlan/vxlan_vnifilter.c +@@ -713,6 +713,12 @@ static struct vxlan_vni_node *vxlan_vni_ + return vninode; + } + ++static void vxlan_vni_free(struct vxlan_vni_node *vninode) ++{ ++ free_percpu(vninode->stats); ++ kfree(vninode); ++} ++ + static int vxlan_vni_add(struct vxlan_dev *vxlan, + struct vxlan_vni_group *vg, + u32 vni, union vxlan_addr *group, +@@ -740,7 +746,7 @@ static int vxlan_vni_add(struct vxlan_de + &vninode->vnode, + vxlan_vni_rht_params); + if (err) { +- kfree(vninode); ++ vxlan_vni_free(vninode); + return err; + } + +@@ -763,8 +769,7 @@ static void vxlan_vni_node_rcu_free(stru + struct vxlan_vni_node *v; + + v = container_of(rcu, struct vxlan_vni_node, rcu); +- free_percpu(v->stats); +- kfree(v); ++ vxlan_vni_free(v); + } + + static int vxlan_vni_del(struct vxlan_dev *vxlan, diff --git a/queue-6.4/drm-amd-display-don-t-show-stack-trace-for-missing-edp.patch b/queue-6.4/drm-amd-display-don-t-show-stack-trace-for-missing-edp.patch new file mode 100644 index 00000000000..ae6374ed6b7 --- /dev/null +++ b/queue-6.4/drm-amd-display-don-t-show-stack-trace-for-missing-edp.patch @@ -0,0 +1,35 @@ +From 7ad1dfc144cbf62702fd07838da8fd8a77921083 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 31 Jul 2023 09:22:05 -0500 +Subject: drm/amd/display: Don't show stack trace for missing eDP + +From: Mario Limonciello + +commit 7ad1dfc144cbf62702fd07838da8fd8a77921083 upstream. + +Some systems are only connected by HDMI or DP, so warning related to +missing eDP is unnecessary. Downgrade to debug instead. + +Cc: Hamza Mahfooz +Fixes: 6d9b6dceaa51 ("drm/amd/display: only warn once in dce110_edp_wait_for_hpd_ready()") +Reported-by: Mastan.Katragadda@amd.com +Signed-off-by: Mario Limonciello +Reviewed-by: Hamza Mahfooz +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c +@@ -780,7 +780,8 @@ void dce110_edp_wait_for_hpd_ready( + dal_gpio_destroy_irq(&hpd); + + /* ensure that the panel is detected */ +- ASSERT(edp_hpd_high); ++ if (!edp_hpd_high) ++ DC_LOG_DC("%s: wait timed out!\n", __func__); + } + + void dce110_edp_power_control( diff --git a/queue-6.4/drm-bridge-it6505-check-power-state-with-it6505-powered-in-irq-handler.patch b/queue-6.4/drm-bridge-it6505-check-power-state-with-it6505-powered-in-irq-handler.patch new file mode 100644 index 00000000000..a2b3f35d3da --- /dev/null +++ b/queue-6.4/drm-bridge-it6505-check-power-state-with-it6505-powered-in-irq-handler.patch @@ -0,0 +1,47 @@ +From e9d699af3f65d62cf195f0e7a039400093ab2af2 Mon Sep 17 00:00:00 2001 +From: Pin-yen Lin +Date: Thu, 27 Jul 2023 18:01:10 +0800 +Subject: drm/bridge: it6505: Check power state with it6505->powered in IRQ handler + +From: Pin-yen Lin + +commit e9d699af3f65d62cf195f0e7a039400093ab2af2 upstream. + +On system resume, the driver might call it6505_poweron directly if the +runtime PM hasn't been enabled. In such case, pm_runtime_get_if_in_use +will always return 0 because dev->power.runtime_status stays at +RPM_SUSPENDED, and the IRQ will never be handled. + +Use it6505->powered from the driver struct fixes this because it always +gets updated when it6505_poweron is called. + +Fixes: 5eb9a4314053 ("drm/bridge: it6505: Guard bridge power in IRQ handler") +Signed-off-by: Pin-yen Lin +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230727100131.2338127-1-treapking@chromium.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/ite-it6505.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c +index 504d51c42f79..aadb396508c5 100644 +--- a/drivers/gpu/drm/bridge/ite-it6505.c ++++ b/drivers/gpu/drm/bridge/ite-it6505.c +@@ -2517,9 +2517,11 @@ static irqreturn_t it6505_int_threaded_handler(int unused, void *data) + }; + int int_status[3], i; + +- if (it6505->enable_drv_hold || pm_runtime_get_if_in_use(dev) <= 0) ++ if (it6505->enable_drv_hold || !it6505->powered) + return IRQ_HANDLED; + ++ pm_runtime_get_sync(dev); ++ + int_status[0] = it6505_read(it6505, INT_STATUS_01); + int_status[1] = it6505_read(it6505, INT_STATUS_02); + int_status[2] = it6505_read(it6505, INT_STATUS_03); +-- +2.41.0 + diff --git a/queue-6.4/drm-nouveau-remove-unused-tu102_gr_load-function.patch b/queue-6.4/drm-nouveau-remove-unused-tu102_gr_load-function.patch new file mode 100644 index 00000000000..677af36325c --- /dev/null +++ b/queue-6.4/drm-nouveau-remove-unused-tu102_gr_load-function.patch @@ -0,0 +1,56 @@ +From 421dabcad1c69e02a41c0d601aefbc29ee3f5368 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 3 Aug 2023 16:33:48 +0200 +Subject: drm/nouveau: remove unused tu102_gr_load() function + +From: Arnd Bergmann + +commit 421dabcad1c69e02a41c0d601aefbc29ee3f5368 upstream. + +tu102_gr_load() is completely unused and can be removed to address +this warning: + +drivers/gpu/drm/nouveau/dispnv50/disp.c:2517:1: error: no previous prototype for 'nv50_display_create' + +Another patch was sent in the meantime to mark the function static but +that would just cause a different warning about an unused function. + +Fixes: 1cd97b5490c8 ("drm/nouveau/gr/tu102-: use sw_veid_bundle_init from firmware") +Link: https://lore.kernel.org/all/CACO55tuaNOYphHyB9+ygi9AnXVuF49etsW7x2X5K5iEtFNAAyw@mail.gmail.com/ +Link: https://lore.kernel.org/all/20230417210310.2443152-1-arnd@kernel.org/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20230803143358.13563-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/gr/tu102.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/gr/tu102.c b/drivers/gpu/drm/nouveau/nvkm/engine/gr/tu102.c +index 3b6c8100a242..a7775aa18541 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/tu102.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/tu102.c +@@ -206,19 +206,6 @@ tu102_gr_av_to_init_veid(struct nvkm_blob *blob, struct gf100_gr_pack **ppack) + return gk20a_gr_av_to_init_(blob, 64, 0x00100000, ppack); + } + +-int +-tu102_gr_load(struct gf100_gr *gr, int ver, const struct gf100_gr_fwif *fwif) +-{ +- int ret; +- +- ret = gm200_gr_load(gr, ver, fwif); +- if (ret) +- return ret; +- +- return gk20a_gr_load_net(gr, "gr/", "sw_veid_bundle_init", ver, tu102_gr_av_to_init_veid, +- &gr->bundle_veid); +-} +- + static const struct gf100_gr_fwif + tu102_gr_fwif[] = { + { 0, gm200_gr_load, &tu102_gr, &gp108_gr_fecs_acr, &gp108_gr_gpccs_acr }, +-- +2.41.0 + diff --git a/queue-6.4/drm-rockchip-don-t-spam-logs-in-atomic-check.patch b/queue-6.4/drm-rockchip-don-t-spam-logs-in-atomic-check.patch new file mode 100644 index 00000000000..4fde6043c8c --- /dev/null +++ b/queue-6.4/drm-rockchip-don-t-spam-logs-in-atomic-check.patch @@ -0,0 +1,70 @@ +From 43dae319b50fac075ad864f84501c703ef20eb2b Mon Sep 17 00:00:00 2001 +From: Daniel Stone +Date: Tue, 8 Aug 2023 11:44:05 +0100 +Subject: drm/rockchip: Don't spam logs in atomic check + +From: Daniel Stone + +commit 43dae319b50fac075ad864f84501c703ef20eb2b upstream. + +Userspace should not be able to trigger DRM_ERROR messages to spam the +logs; especially not through atomic commit parameters which are +completely legitimate for userspace to attempt. + +Signed-off-by: Daniel Stone +Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc") +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20230808104405.522493-1-daniels@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -833,12 +833,12 @@ static int vop_plane_atomic_check(struct + * need align with 2 pixel. + */ + if (fb->format->is_yuv && ((new_plane_state->src.x1 >> 16) % 2)) { +- DRM_ERROR("Invalid Source: Yuv format not support odd xpos\n"); ++ DRM_DEBUG_KMS("Invalid Source: Yuv format not support odd xpos\n"); + return -EINVAL; + } + + if (fb->format->is_yuv && new_plane_state->rotation & DRM_MODE_REFLECT_Y) { +- DRM_ERROR("Invalid Source: Yuv format does not support this rotation\n"); ++ DRM_DEBUG_KMS("Invalid Source: Yuv format does not support this rotation\n"); + return -EINVAL; + } + +@@ -846,7 +846,7 @@ static int vop_plane_atomic_check(struct + struct vop *vop = to_vop(crtc); + + if (!vop->data->afbc) { +- DRM_ERROR("vop does not support AFBC\n"); ++ DRM_DEBUG_KMS("vop does not support AFBC\n"); + return -EINVAL; + } + +@@ -855,15 +855,16 @@ static int vop_plane_atomic_check(struct + return ret; + + if (new_plane_state->src.x1 || new_plane_state->src.y1) { +- DRM_ERROR("AFBC does not support offset display, xpos=%d, ypos=%d, offset=%d\n", +- new_plane_state->src.x1, +- new_plane_state->src.y1, fb->offsets[0]); ++ DRM_DEBUG_KMS("AFBC does not support offset display, " \ ++ "xpos=%d, ypos=%d, offset=%d\n", ++ new_plane_state->src.x1, new_plane_state->src.y1, ++ fb->offsets[0]); + return -EINVAL; + } + + if (new_plane_state->rotation && new_plane_state->rotation != DRM_MODE_ROTATE_0) { +- DRM_ERROR("No rotation support in AFBC, rotation=%d\n", +- new_plane_state->rotation); ++ DRM_DEBUG_KMS("No rotation support in AFBC, rotation=%d\n", ++ new_plane_state->rotation); + return -EINVAL; + } + } diff --git a/queue-6.4/iavf-fix-potential-races-for-fdir-filters.patch b/queue-6.4/iavf-fix-potential-races-for-fdir-filters.patch new file mode 100644 index 00000000000..db1d0d78a07 --- /dev/null +++ b/queue-6.4/iavf-fix-potential-races-for-fdir-filters.patch @@ -0,0 +1,92 @@ +From 0fb1d8eb234b6979d4981d2d385780dd7d8d9771 Mon Sep 17 00:00:00 2001 +From: Piotr Gardocki +Date: Mon, 7 Aug 2023 13:50:11 -0700 +Subject: iavf: fix potential races for FDIR filters + +From: Piotr Gardocki + +commit 0fb1d8eb234b6979d4981d2d385780dd7d8d9771 upstream. + +Add fdir_fltr_lock locking in unprotected places. + +The change in iavf_fdir_is_dup_fltr adds a spinlock around a loop which +iterates over all filters and looks for a duplicate. The filter can be +removed from list and freed from memory at the same time it's being +compared. All other places where filters are deleted are already +protected with spinlock. + +The remaining changes protect adapter->fdir_active_fltr variable so now +all its uses are under a spinlock. + +Fixes: 527691bf0682 ("iavf: Support IPv4 Flow Director filters") +Signed-off-by: Piotr Gardocki +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230807205011.3129224-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 5 ++++- + drivers/net/ethernet/intel/iavf/iavf_fdir.c | 11 ++++++++--- + 2 files changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -1401,14 +1401,15 @@ static int iavf_add_fdir_ethtool(struct + if (fsp->flow_type & FLOW_MAC_EXT) + return -EINVAL; + ++ spin_lock_bh(&adapter->fdir_fltr_lock); + if (adapter->fdir_active_fltr >= IAVF_MAX_FDIR_FILTERS) { ++ spin_unlock_bh(&adapter->fdir_fltr_lock); + dev_err(&adapter->pdev->dev, + "Unable to add Flow Director filter because VF reached the limit of max allowed filters (%u)\n", + IAVF_MAX_FDIR_FILTERS); + return -ENOSPC; + } + +- spin_lock_bh(&adapter->fdir_fltr_lock); + if (iavf_find_fdir_fltr_by_loc(adapter, fsp->location)) { + dev_err(&adapter->pdev->dev, "Failed to add Flow Director filter, it already exists\n"); + spin_unlock_bh(&adapter->fdir_fltr_lock); +@@ -1781,7 +1782,9 @@ static int iavf_get_rxnfc(struct net_dev + case ETHTOOL_GRXCLSRLCNT: + if (!FDIR_FLTR_SUPPORT(adapter)) + break; ++ spin_lock_bh(&adapter->fdir_fltr_lock); + cmd->rule_cnt = adapter->fdir_active_fltr; ++ spin_unlock_bh(&adapter->fdir_fltr_lock); + cmd->data = IAVF_MAX_FDIR_FILTERS; + ret = 0; + break; +--- a/drivers/net/ethernet/intel/iavf/iavf_fdir.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_fdir.c +@@ -722,7 +722,9 @@ void iavf_print_fdir_fltr(struct iavf_ad + bool iavf_fdir_is_dup_fltr(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr) + { + struct iavf_fdir_fltr *tmp; ++ bool ret = false; + ++ spin_lock_bh(&adapter->fdir_fltr_lock); + list_for_each_entry(tmp, &adapter->fdir_list_head, list) { + if (tmp->flow_type != fltr->flow_type) + continue; +@@ -732,11 +734,14 @@ bool iavf_fdir_is_dup_fltr(struct iavf_a + !memcmp(&tmp->ip_data, &fltr->ip_data, + sizeof(fltr->ip_data)) && + !memcmp(&tmp->ext_data, &fltr->ext_data, +- sizeof(fltr->ext_data))) +- return true; ++ sizeof(fltr->ext_data))) { ++ ret = true; ++ break; ++ } + } ++ spin_unlock_bh(&adapter->fdir_fltr_lock); + +- return false; ++ return ret; + } + + /** diff --git a/queue-6.4/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch b/queue-6.4/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch new file mode 100644 index 00000000000..8e904654a76 --- /dev/null +++ b/queue-6.4/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch @@ -0,0 +1,33 @@ +From 4fdfaef71fced490835145631a795497646f4555 Mon Sep 17 00:00:00 2001 +From: Douglas Miller +Date: Wed, 2 Aug 2023 13:32:41 -0400 +Subject: IB/hfi1: Fix possible panic during hotplug remove + +From: Douglas Miller + +commit 4fdfaef71fced490835145631a795497646f4555 upstream. + +During hotplug remove it is possible that the update counters work +might be pending, and may run after memory has been freed. +Cancel the update counters work before freeing memory. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Signed-off-by: Douglas Miller +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/169099756100.3927190.15284930454106475280.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/chip.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -12307,6 +12307,7 @@ static void free_cntrs(struct hfi1_devda + + if (dd->synth_stats_timer.function) + del_timer_sync(&dd->synth_stats_timer); ++ cancel_work_sync(&dd->update_cntr_work); + ppd = (struct hfi1_pportdata *)(dd + 1); + for (i = 0; i < dd->num_pports; i++, ppd++) { + kfree(ppd->cntrs); diff --git a/queue-6.4/igc-add-lock-to-safeguard-global-qbv-variables.patch b/queue-6.4/igc-add-lock-to-safeguard-global-qbv-variables.patch new file mode 100644 index 00000000000..48d4cabbc52 --- /dev/null +++ b/queue-6.4/igc-add-lock-to-safeguard-global-qbv-variables.patch @@ -0,0 +1,146 @@ +From 06b412589eef780b792e73df131d35dc43cc4a49 Mon Sep 17 00:00:00 2001 +From: Muhammad Husaini Zulkifli +Date: Mon, 7 Aug 2023 13:51:29 -0700 +Subject: igc: Add lock to safeguard global Qbv variables + +From: Muhammad Husaini Zulkifli + +commit 06b412589eef780b792e73df131d35dc43cc4a49 upstream. + +Access to shared variables through hrtimer requires locking in order +to protect the variables because actions to write into these variables +(oper_gate_closed, admin_gate_closed, and qbv_transition) might potentially +occur simultaneously. This patch provides a locking mechanisms to avoid +such scenarios. + +Fixes: 175c241288c0 ("igc: Fix TX Hang issue when QBV Gate is closed") +Suggested-by: Leon Romanovsky +Signed-off-by: Muhammad Husaini Zulkifli +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230807205129.3129346-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igc/igc.h | 4 +++ + drivers/net/ethernet/intel/igc/igc_main.c | 34 ++++++++++++++++++++++++++++-- + 2 files changed, 36 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -195,6 +195,10 @@ struct igc_adapter { + u32 qbv_config_change_errors; + bool qbv_transition; + unsigned int qbv_count; ++ /* Access to oper_gate_closed, admin_gate_closed and qbv_transition ++ * are protected by the qbv_tx_lock. ++ */ ++ spinlock_t qbv_tx_lock; + + /* OS defined structs */ + struct pci_dev *pdev; +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -4799,6 +4799,7 @@ static int igc_sw_init(struct igc_adapte + adapter->nfc_rule_count = 0; + + spin_lock_init(&adapter->stats64_lock); ++ spin_lock_init(&adapter->qbv_tx_lock); + /* Assume MSI-X interrupts, will be checked during IRQ allocation */ + adapter->flags |= IGC_FLAG_HAS_MSIX; + +@@ -6117,15 +6118,15 @@ static int igc_tsn_enable_launchtime(str + return igc_tsn_offload_apply(adapter); + } + +-static int igc_tsn_clear_schedule(struct igc_adapter *adapter) ++static int igc_qbv_clear_schedule(struct igc_adapter *adapter) + { ++ unsigned long flags; + int i; + + adapter->base_time = 0; + adapter->cycle_time = NSEC_PER_SEC; + adapter->taprio_offload_enable = false; + adapter->qbv_config_change_errors = 0; +- adapter->qbv_transition = false; + adapter->qbv_count = 0; + + for (i = 0; i < adapter->num_tx_queues; i++) { +@@ -6134,10 +6135,28 @@ static int igc_tsn_clear_schedule(struct + ring->start_time = 0; + ring->end_time = NSEC_PER_SEC; + ring->max_sdu = 0; ++ } ++ ++ spin_lock_irqsave(&adapter->qbv_tx_lock, flags); ++ ++ adapter->qbv_transition = false; ++ ++ for (i = 0; i < adapter->num_tx_queues; i++) { ++ struct igc_ring *ring = adapter->tx_ring[i]; ++ + ring->oper_gate_closed = false; + ring->admin_gate_closed = false; + } + ++ spin_unlock_irqrestore(&adapter->qbv_tx_lock, flags); ++ ++ return 0; ++} ++ ++static int igc_tsn_clear_schedule(struct igc_adapter *adapter) ++{ ++ igc_qbv_clear_schedule(adapter); ++ + return 0; + } + +@@ -6148,6 +6167,7 @@ static int igc_save_qbv_schedule(struct + struct igc_hw *hw = &adapter->hw; + u32 start_time = 0, end_time = 0; + struct timespec64 now; ++ unsigned long flags; + size_t n; + int i; + +@@ -6215,6 +6235,8 @@ static int igc_save_qbv_schedule(struct + start_time += e->interval; + } + ++ spin_lock_irqsave(&adapter->qbv_tx_lock, flags); ++ + /* Check whether a queue gets configured. + * If not, set the start and end time to be end time. + */ +@@ -6239,6 +6261,8 @@ static int igc_save_qbv_schedule(struct + } + } + ++ spin_unlock_irqrestore(&adapter->qbv_tx_lock, flags); ++ + for (i = 0; i < adapter->num_tx_queues; i++) { + struct igc_ring *ring = adapter->tx_ring[i]; + struct net_device *dev = adapter->netdev; +@@ -6603,8 +6627,11 @@ static enum hrtimer_restart igc_qbv_sche + { + struct igc_adapter *adapter = container_of(timer, struct igc_adapter, + hrtimer); ++ unsigned long flags; + unsigned int i; + ++ spin_lock_irqsave(&adapter->qbv_tx_lock, flags); ++ + adapter->qbv_transition = true; + for (i = 0; i < adapter->num_tx_queues; i++) { + struct igc_ring *tx_ring = adapter->tx_ring[i]; +@@ -6617,6 +6644,9 @@ static enum hrtimer_restart igc_qbv_sche + } + } + adapter->qbv_transition = false; ++ ++ spin_unlock_irqrestore(&adapter->qbv_tx_lock, flags); ++ + return HRTIMER_NORESTART; + } + diff --git a/queue-6.4/ionic-add-missing-err-handling-for-queue-reconfig.patch b/queue-6.4/ionic-add-missing-err-handling-for-queue-reconfig.patch new file mode 100644 index 00000000000..bb5c9695c96 --- /dev/null +++ b/queue-6.4/ionic-add-missing-err-handling-for-queue-reconfig.patch @@ -0,0 +1,82 @@ +From 52417a95ff2d810dc31a68ae71102e741efea772 Mon Sep 17 00:00:00 2001 +From: Nitya Sunkad +Date: Fri, 4 Aug 2023 13:56:22 -0700 +Subject: ionic: Add missing err handling for queue reconfig + +From: Nitya Sunkad + +commit 52417a95ff2d810dc31a68ae71102e741efea772 upstream. + +ionic_start_queues_reconfig returns an error code if txrx_init fails. +Handle this error code in the relevant places. + +This fixes a corner case where the device could get left in a detached +state if the CMB reconfig fails and the attempt to clean up the mess +also fails. Note that calling netif_device_attach when the netdev is +already attached does not lead to unexpected behavior. + +Change goto name "errout" to "err_out" to maintain consistency across +goto statements. + +Fixes: 40bc471dc714 ("ionic: add tx/rx-push support with device Component Memory Buffers") +Fixes: 6f7d6f0fd7a3 ("ionic: pull reset_queues into tx_timeout handler") +Signed-off-by: Nitya Sunkad +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -1816,6 +1816,7 @@ static int ionic_change_mtu(struct net_d + static void ionic_tx_timeout_work(struct work_struct *ws) + { + struct ionic_lif *lif = container_of(ws, struct ionic_lif, tx_timeout_work); ++ int err; + + if (test_bit(IONIC_LIF_F_FW_RESET, lif->state)) + return; +@@ -1828,8 +1829,11 @@ static void ionic_tx_timeout_work(struct + + mutex_lock(&lif->queue_lock); + ionic_stop_queues_reconfig(lif); +- ionic_start_queues_reconfig(lif); ++ err = ionic_start_queues_reconfig(lif); + mutex_unlock(&lif->queue_lock); ++ ++ if (err) ++ dev_err(lif->ionic->dev, "%s: Restarting queues failed\n", __func__); + } + + static void ionic_tx_timeout(struct net_device *netdev, unsigned int txqueue) +@@ -2799,17 +2803,22 @@ static int ionic_cmb_reconfig(struct ion + if (err) { + dev_err(lif->ionic->dev, + "CMB restore failed: %d\n", err); +- goto errout; ++ goto err_out; + } + } + +- ionic_start_queues_reconfig(lif); +- } else { +- /* This was detached in ionic_stop_queues_reconfig() */ +- netif_device_attach(lif->netdev); ++ err = ionic_start_queues_reconfig(lif); ++ if (err) { ++ dev_err(lif->ionic->dev, ++ "CMB reconfig failed: %d\n", err); ++ goto err_out; ++ } + } + +-errout: ++err_out: ++ /* This was detached in ionic_stop_queues_reconfig() */ ++ netif_device_attach(lif->netdev); ++ + return err; + } + diff --git a/queue-6.4/mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch b/queue-6.4/mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch new file mode 100644 index 00000000000..1ab7dda70cf --- /dev/null +++ b/queue-6.4/mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch @@ -0,0 +1,37 @@ +From 17ebf8a4c38b5481c29623f5e003fdf7583947f9 Mon Sep 17 00:00:00 2001 +From: Xiang Yang +Date: Thu, 3 Aug 2023 07:24:38 +0000 +Subject: mptcp: fix the incorrect judgment for msk->cb_flags + +From: Xiang Yang + +commit 17ebf8a4c38b5481c29623f5e003fdf7583947f9 upstream. + +Coccicheck reports the error below: +net/mptcp/protocol.c:3330:15-28: ERROR: test of a variable/field address + +Since the address of msk->cb_flags is used in __test_and_clear_bit, the +address should not be NULL. The judgment for if (unlikely(msk->cb_flags)) +will always be true, we should check the real value of msk->cb_flags here. + +Fixes: 65a569b03ca8 ("mptcp: optimize release_cb for the common case") +Signed-off-by: Xiang Yang +Reviewed-by: Matthieu Baerts +Link: https://lore.kernel.org/r/20230803072438.1847500-1-xiangyang3@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -3321,7 +3321,7 @@ static void mptcp_release_cb(struct sock + + if (__test_and_clear_bit(MPTCP_CLEAN_UNA, &msk->cb_flags)) + __mptcp_clean_una_wakeup(sk); +- if (unlikely(&msk->cb_flags)) { ++ if (unlikely(msk->cb_flags)) { + /* be sure to set the current sk state before tacking actions + * depending on sk_state, that is processing MPTCP_ERROR_REPORT + */ diff --git a/queue-6.4/net-packet-annotate-data-races-around-tp-status.patch b/queue-6.4/net-packet-annotate-data-races-around-tp-status.patch new file mode 100644 index 00000000000..f9e83744c81 --- /dev/null +++ b/queue-6.4/net-packet-annotate-data-races-around-tp-status.patch @@ -0,0 +1,125 @@ +From 8a9896177784063d01068293caea3f74f6830ff6 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 3 Aug 2023 14:56:00 +0000 +Subject: net/packet: annotate data-races around tp->status + +From: Eric Dumazet + +commit 8a9896177784063d01068293caea3f74f6830ff6 upstream. + +Another syzbot report [1] is about tp->status lockless reads +from __packet_get_status() + +[1] +BUG: KCSAN: data-race in __packet_rcv_has_room / __packet_set_status + +write to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 0: +__packet_set_status+0x78/0xa0 net/packet/af_packet.c:407 +tpacket_rcv+0x18bb/0x1a60 net/packet/af_packet.c:2483 +deliver_skb net/core/dev.c:2173 [inline] +__netif_receive_skb_core+0x408/0x1e80 net/core/dev.c:5337 +__netif_receive_skb_one_core net/core/dev.c:5491 [inline] +__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +invoke_softirq kernel/softirq.c:445 [inline] +__irq_exit_rcu+0x57/0xa0 kernel/softirq.c:650 +sysvec_apic_timer_interrupt+0x6d/0x80 arch/x86/kernel/apic/apic.c:1106 +asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645 +smpboot_thread_fn+0x33c/0x4a0 kernel/smpboot.c:112 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +read to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 1: +__packet_get_status net/packet/af_packet.c:436 [inline] +packet_lookup_frame net/packet/af_packet.c:524 [inline] +__tpacket_has_room net/packet/af_packet.c:1255 [inline] +__packet_rcv_has_room+0x3f9/0x450 net/packet/af_packet.c:1298 +tpacket_rcv+0x275/0x1a60 net/packet/af_packet.c:2285 +deliver_skb net/core/dev.c:2173 [inline] +dev_queue_xmit_nit+0x38a/0x5e0 net/core/dev.c:2243 +xmit_one net/core/dev.c:3574 [inline] +dev_hard_start_xmit+0xcf/0x3f0 net/core/dev.c:3594 +__dev_queue_xmit+0xefb/0x1d10 net/core/dev.c:4244 +dev_queue_xmit include/linux/netdevice.h:3088 [inline] +can_send+0x4eb/0x5d0 net/can/af_can.c:276 +bcm_can_tx+0x314/0x410 net/can/bcm.c:302 +bcm_tx_timeout_handler+0xdb/0x260 +__run_hrtimer kernel/time/hrtimer.c:1685 [inline] +__hrtimer_run_queues+0x217/0x700 kernel/time/hrtimer.c:1749 +hrtimer_run_softirq+0xd6/0x120 kernel/time/hrtimer.c:1766 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:939 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x0000000000000000 -> 0x0000000020000081 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 6.4.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 + +Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230803145600.2937518-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -401,18 +401,20 @@ static void __packet_set_status(struct p + { + union tpacket_uhdr h; + ++ /* WRITE_ONCE() are paired with READ_ONCE() in __packet_get_status */ ++ + h.raw = frame; + switch (po->tp_version) { + case TPACKET_V1: +- h.h1->tp_status = status; ++ WRITE_ONCE(h.h1->tp_status, status); + flush_dcache_page(pgv_to_page(&h.h1->tp_status)); + break; + case TPACKET_V2: +- h.h2->tp_status = status; ++ WRITE_ONCE(h.h2->tp_status, status); + flush_dcache_page(pgv_to_page(&h.h2->tp_status)); + break; + case TPACKET_V3: +- h.h3->tp_status = status; ++ WRITE_ONCE(h.h3->tp_status, status); + flush_dcache_page(pgv_to_page(&h.h3->tp_status)); + break; + default: +@@ -429,17 +431,19 @@ static int __packet_get_status(const str + + smp_rmb(); + ++ /* READ_ONCE() are paired with WRITE_ONCE() in __packet_set_status */ ++ + h.raw = frame; + switch (po->tp_version) { + case TPACKET_V1: + flush_dcache_page(pgv_to_page(&h.h1->tp_status)); +- return h.h1->tp_status; ++ return READ_ONCE(h.h1->tp_status); + case TPACKET_V2: + flush_dcache_page(pgv_to_page(&h.h2->tp_status)); +- return h.h2->tp_status; ++ return READ_ONCE(h.h2->tp_status); + case TPACKET_V3: + flush_dcache_page(pgv_to_page(&h.h3->tp_status)); +- return h.h3->tp_status; ++ return READ_ONCE(h.h3->tp_status); + default: + WARN(1, "TPACKET version not supported.\n"); + BUG(); diff --git a/queue-6.4/net-smc-fix-setsockopt-and-sysctl-to-specify-same-buffer-size-again.patch b/queue-6.4/net-smc-fix-setsockopt-and-sysctl-to-specify-same-buffer-size-again.patch new file mode 100644 index 00000000000..4141c07e769 --- /dev/null +++ b/queue-6.4/net-smc-fix-setsockopt-and-sysctl-to-specify-same-buffer-size-again.patch @@ -0,0 +1,226 @@ +From 833bac7ec392bf75053c8a4fa4c36d4148dac77d Mon Sep 17 00:00:00 2001 +From: Gerd Bayer +Date: Fri, 4 Aug 2023 19:06:23 +0200 +Subject: net/smc: Fix setsockopt and sysctl to specify same buffer size again +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gerd Bayer + +commit 833bac7ec392bf75053c8a4fa4c36d4148dac77d upstream. + +Commit 0227f058aa29 ("net/smc: Unbind r/w buffer size from clcsock +and make them tunable") introduced the net.smc.rmem and net.smc.wmem +sysctls to specify the size of buffers to be used for SMC type +connections. This created a regression for users that specified the +buffer size via setsockopt() as the effective buffer size was now +doubled. + +Re-introduce the division by 2 in the SMC buffer create code and level +this out by duplicating the net.smc.[rw]mem values used for initializing +sk_rcvbuf/sk_sndbuf at socket creation time. This gives users of both +methods (setsockopt or sysctl) the effective buffer size that they +expect. + +Initialize net.smc.[rw]mem from its own constant of 64kB, respectively. +Internal performance tests show that this value is a good compromise +between throughput/latency and memory consumption. Also, this decouples +it from any tuning that was done to net.ipv4.tcp_[rw]mem[1] before the +module for SMC protocol was loaded. Check that no more than INT_MAX / 2 +is assigned to net.smc.[rw]mem, in order to avoid any overflow condition +when that is doubled for use in sk_sndbuf or sk_rcvbuf. + +While at it, drop the confusing sk_buf_size variable from +__smc_buf_create and name "compressed" buffer size variables more +consistently. + +Background: + +Before the commit mentioned above, SMC's buffer allocator in +__smc_buf_create() always used half of the sockets' sk_rcvbuf/sk_sndbuf +value as initial value to search for appropriate buffers. If the search +resorted to using a bigger buffer when all buffers of the specified +size were busy, the duplicate of the used effective buffer size is +stored back to sk_rcvbuf/sk_sndbuf. + +When available, buffers of exactly the size that a user had specified as +input to setsockopt() were used, despite setsockopt()'s documentation in +"man 7 socket" talking of a mandatory duplication: + +[...] + SO_SNDBUF + Sets or gets the maximum socket send buffer in bytes. + The kernel doubles this value (to allow space for book‐ + keeping overhead) when it is set using setsockopt(2), + and this doubled value is returned by getsockopt(2). + The default value is set by the + /proc/sys/net/core/wmem_default file and the maximum + allowed value is set by the /proc/sys/net/core/wmem_max + file. The minimum (doubled) value for this option is + 2048. +[...] + +Fixes: 0227f058aa29 ("net/smc: Unbind r/w buffer size from clcsock and make them tunable") +Co-developed-by: Jan Karcher +Signed-off-by: Jan Karcher +Reviewed-by: Wenjia Zhang +Reviewed-by: Tony Lu +Signed-off-by: Gerd Bayer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 4 ++-- + net/smc/smc.h | 2 +- + net/smc/smc_clc.c | 4 ++-- + net/smc/smc_core.c | 25 ++++++++++++------------- + net/smc/smc_sysctl.c | 10 ++++++++-- + 5 files changed, 25 insertions(+), 20 deletions(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -378,8 +378,8 @@ static struct sock *smc_sock_alloc(struc + sk->sk_state = SMC_INIT; + sk->sk_destruct = smc_destruct; + sk->sk_protocol = protocol; +- WRITE_ONCE(sk->sk_sndbuf, READ_ONCE(net->smc.sysctl_wmem)); +- WRITE_ONCE(sk->sk_rcvbuf, READ_ONCE(net->smc.sysctl_rmem)); ++ WRITE_ONCE(sk->sk_sndbuf, 2 * READ_ONCE(net->smc.sysctl_wmem)); ++ WRITE_ONCE(sk->sk_rcvbuf, 2 * READ_ONCE(net->smc.sysctl_rmem)); + smc = smc_sk(sk); + INIT_WORK(&smc->tcp_listen_work, smc_tcp_listen_work); + INIT_WORK(&smc->connect_work, smc_connect_work); +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -161,7 +161,7 @@ struct smc_connection { + + struct smc_buf_desc *sndbuf_desc; /* send buffer descriptor */ + struct smc_buf_desc *rmb_desc; /* RMBE descriptor */ +- int rmbe_size_short;/* compressed notation */ ++ int rmbe_size_comp; /* compressed notation */ + int rmbe_update_limit; + /* lower limit for consumer + * cursor update +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -1007,7 +1007,7 @@ static int smc_clc_send_confirm_accept(s + clc->d0.gid = + conn->lgr->smcd->ops->get_local_gid(conn->lgr->smcd); + clc->d0.token = conn->rmb_desc->token; +- clc->d0.dmbe_size = conn->rmbe_size_short; ++ clc->d0.dmbe_size = conn->rmbe_size_comp; + clc->d0.dmbe_idx = 0; + memcpy(&clc->d0.linkid, conn->lgr->id, SMC_LGR_ID_SIZE); + if (version == SMC_V1) { +@@ -1050,7 +1050,7 @@ static int smc_clc_send_confirm_accept(s + clc->r0.qp_mtu = min(link->path_mtu, link->peer_mtu); + break; + } +- clc->r0.rmbe_size = conn->rmbe_size_short; ++ clc->r0.rmbe_size = conn->rmbe_size_comp; + clc->r0.rmb_dma_addr = conn->rmb_desc->is_vm ? + cpu_to_be64((uintptr_t)conn->rmb_desc->cpu_addr) : + cpu_to_be64((u64)sg_dma_address +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -2309,31 +2309,30 @@ static int __smc_buf_create(struct smc_s + struct smc_connection *conn = &smc->conn; + struct smc_link_group *lgr = conn->lgr; + struct list_head *buf_list; +- int bufsize, bufsize_short; ++ int bufsize, bufsize_comp; + struct rw_semaphore *lock; /* lock buffer list */ + bool is_dgraded = false; +- int sk_buf_size; + + if (is_rmb) + /* use socket recv buffer size (w/o overhead) as start value */ +- sk_buf_size = smc->sk.sk_rcvbuf; ++ bufsize = smc->sk.sk_rcvbuf / 2; + else + /* use socket send buffer size (w/o overhead) as start value */ +- sk_buf_size = smc->sk.sk_sndbuf; ++ bufsize = smc->sk.sk_sndbuf / 2; + +- for (bufsize_short = smc_compress_bufsize(sk_buf_size, is_smcd, is_rmb); +- bufsize_short >= 0; bufsize_short--) { ++ for (bufsize_comp = smc_compress_bufsize(bufsize, is_smcd, is_rmb); ++ bufsize_comp >= 0; bufsize_comp--) { + if (is_rmb) { + lock = &lgr->rmbs_lock; +- buf_list = &lgr->rmbs[bufsize_short]; ++ buf_list = &lgr->rmbs[bufsize_comp]; + } else { + lock = &lgr->sndbufs_lock; +- buf_list = &lgr->sndbufs[bufsize_short]; ++ buf_list = &lgr->sndbufs[bufsize_comp]; + } +- bufsize = smc_uncompress_bufsize(bufsize_short); ++ bufsize = smc_uncompress_bufsize(bufsize_comp); + + /* check for reusable slot in the link group */ +- buf_desc = smc_buf_get_slot(bufsize_short, lock, buf_list); ++ buf_desc = smc_buf_get_slot(bufsize_comp, lock, buf_list); + if (buf_desc) { + buf_desc->is_dma_need_sync = 0; + SMC_STAT_RMB_SIZE(smc, is_smcd, is_rmb, bufsize); +@@ -2377,8 +2376,8 @@ static int __smc_buf_create(struct smc_s + + if (is_rmb) { + conn->rmb_desc = buf_desc; +- conn->rmbe_size_short = bufsize_short; +- smc->sk.sk_rcvbuf = bufsize; ++ conn->rmbe_size_comp = bufsize_comp; ++ smc->sk.sk_rcvbuf = bufsize * 2; + atomic_set(&conn->bytes_to_rcv, 0); + conn->rmbe_update_limit = + smc_rmb_wnd_update_limit(buf_desc->len); +@@ -2386,7 +2385,7 @@ static int __smc_buf_create(struct smc_s + smc_ism_set_conn(conn); /* map RMB/smcd_dev to conn */ + } else { + conn->sndbuf_desc = buf_desc; +- smc->sk.sk_sndbuf = bufsize; ++ smc->sk.sk_sndbuf = bufsize * 2; + atomic_set(&conn->sndbuf_space, bufsize); + } + return 0; +--- a/net/smc/smc_sysctl.c ++++ b/net/smc/smc_sysctl.c +@@ -21,6 +21,10 @@ + + static int min_sndbuf = SMC_BUF_MIN_SIZE; + static int min_rcvbuf = SMC_BUF_MIN_SIZE; ++static int max_sndbuf = INT_MAX / 2; ++static int max_rcvbuf = INT_MAX / 2; ++static const int net_smc_wmem_init = (64 * 1024); ++static const int net_smc_rmem_init = (64 * 1024); + + static struct ctl_table smc_table[] = { + { +@@ -53,6 +57,7 @@ static struct ctl_table smc_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = &min_sndbuf, ++ .extra2 = &max_sndbuf, + }, + { + .procname = "rmem", +@@ -61,6 +66,7 @@ static struct ctl_table smc_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = &min_rcvbuf, ++ .extra2 = &max_rcvbuf, + }, + { } + }; +@@ -88,8 +94,8 @@ int __net_init smc_sysctl_net_init(struc + net->smc.sysctl_autocorking_size = SMC_AUTOCORKING_DEFAULT_SIZE; + net->smc.sysctl_smcr_buf_type = SMCR_PHYS_CONT_BUFS; + net->smc.sysctl_smcr_testlink_time = SMC_LLC_TESTLINK_DEFAULT_TIME; +- WRITE_ONCE(net->smc.sysctl_wmem, READ_ONCE(net->ipv4.sysctl_tcp_wmem[1])); +- WRITE_ONCE(net->smc.sysctl_rmem, READ_ONCE(net->ipv4.sysctl_tcp_rmem[1])); ++ WRITE_ONCE(net->smc.sysctl_wmem, net_smc_wmem_init); ++ WRITE_ONCE(net->smc.sysctl_rmem, net_smc_rmem_init); + + return 0; + diff --git a/queue-6.4/net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch b/queue-6.4/net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch new file mode 100644 index 00000000000..077c9d453b4 --- /dev/null +++ b/queue-6.4/net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch @@ -0,0 +1,141 @@ +From 30c3c4a4497c3765bf6b298f5072c8165aeaf7cc Mon Sep 17 00:00:00 2001 +From: Gerd Bayer +Date: Fri, 4 Aug 2023 19:06:24 +0200 +Subject: net/smc: Use correct buffer sizes when switching between TCP and SMC + +From: Gerd Bayer + +commit 30c3c4a4497c3765bf6b298f5072c8165aeaf7cc upstream. + +Tuning of the effective buffer size through setsockopts was working for +SMC traffic only but not for TCP fall-back connections even before +commit 0227f058aa29 ("net/smc: Unbind r/w buffer size from clcsock and +make them tunable"). That change made it apparent that TCP fall-back +connections would use net.smc.[rw]mem as buffer size instead of +net.ipv4_tcp_[rw]mem. + +Amend the code that copies attributes between the (TCP) clcsock and the +SMC socket and adjust buffer sizes appropriately: +- Copy over sk_userlocks so that both sockets agree on whether tuning + via setsockopt is active. +- When falling back to TCP use sk_sndbuf or sk_rcvbuf as specified with + setsockopt. Otherwise, use the sysctl value for TCP/IPv4. +- Likewise, use either values from setsockopt or from sysctl for SMC + (duplicated) on successful SMC connect. + +In smc_tcp_listen_work() drop the explicit copy of buffer sizes as that +is taken care of by the attribute copy. + +Fixes: 0227f058aa29 ("net/smc: Unbind r/w buffer size from clcsock and make them tunable") +Reviewed-by: Wenjia Zhang +Reviewed-by: Tony Lu +Signed-off-by: Gerd Bayer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 73 ++++++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 51 insertions(+), 22 deletions(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -436,13 +436,60 @@ out: + return rc; + } + ++/* copy only relevant settings and flags of SOL_SOCKET level from smc to ++ * clc socket (since smc is not called for these options from net/core) ++ */ ++ ++#define SK_FLAGS_SMC_TO_CLC ((1UL << SOCK_URGINLINE) | \ ++ (1UL << SOCK_KEEPOPEN) | \ ++ (1UL << SOCK_LINGER) | \ ++ (1UL << SOCK_BROADCAST) | \ ++ (1UL << SOCK_TIMESTAMP) | \ ++ (1UL << SOCK_DBG) | \ ++ (1UL << SOCK_RCVTSTAMP) | \ ++ (1UL << SOCK_RCVTSTAMPNS) | \ ++ (1UL << SOCK_LOCALROUTE) | \ ++ (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE) | \ ++ (1UL << SOCK_RXQ_OVFL) | \ ++ (1UL << SOCK_WIFI_STATUS) | \ ++ (1UL << SOCK_NOFCS) | \ ++ (1UL << SOCK_FILTER_LOCKED) | \ ++ (1UL << SOCK_TSTAMP_NEW)) ++ ++/* if set, use value set by setsockopt() - else use IPv4 or SMC sysctl value */ ++static void smc_adjust_sock_bufsizes(struct sock *nsk, struct sock *osk, ++ unsigned long mask) ++{ ++ struct net *nnet = sock_net(nsk); ++ ++ nsk->sk_userlocks = osk->sk_userlocks; ++ if (osk->sk_userlocks & SOCK_SNDBUF_LOCK) { ++ nsk->sk_sndbuf = osk->sk_sndbuf; ++ } else { ++ if (mask == SK_FLAGS_SMC_TO_CLC) ++ WRITE_ONCE(nsk->sk_sndbuf, ++ READ_ONCE(nnet->ipv4.sysctl_tcp_wmem[1])); ++ else ++ WRITE_ONCE(nsk->sk_sndbuf, ++ 2 * READ_ONCE(nnet->smc.sysctl_wmem)); ++ } ++ if (osk->sk_userlocks & SOCK_RCVBUF_LOCK) { ++ nsk->sk_rcvbuf = osk->sk_rcvbuf; ++ } else { ++ if (mask == SK_FLAGS_SMC_TO_CLC) ++ WRITE_ONCE(nsk->sk_rcvbuf, ++ READ_ONCE(nnet->ipv4.sysctl_tcp_rmem[1])); ++ else ++ WRITE_ONCE(nsk->sk_rcvbuf, ++ 2 * READ_ONCE(nnet->smc.sysctl_rmem)); ++ } ++} ++ + static void smc_copy_sock_settings(struct sock *nsk, struct sock *osk, + unsigned long mask) + { + /* options we don't get control via setsockopt for */ + nsk->sk_type = osk->sk_type; +- nsk->sk_sndbuf = osk->sk_sndbuf; +- nsk->sk_rcvbuf = osk->sk_rcvbuf; + nsk->sk_sndtimeo = osk->sk_sndtimeo; + nsk->sk_rcvtimeo = osk->sk_rcvtimeo; + nsk->sk_mark = READ_ONCE(osk->sk_mark); +@@ -453,26 +500,10 @@ static void smc_copy_sock_settings(struc + + nsk->sk_flags &= ~mask; + nsk->sk_flags |= osk->sk_flags & mask; ++ ++ smc_adjust_sock_bufsizes(nsk, osk, mask); + } + +-#define SK_FLAGS_SMC_TO_CLC ((1UL << SOCK_URGINLINE) | \ +- (1UL << SOCK_KEEPOPEN) | \ +- (1UL << SOCK_LINGER) | \ +- (1UL << SOCK_BROADCAST) | \ +- (1UL << SOCK_TIMESTAMP) | \ +- (1UL << SOCK_DBG) | \ +- (1UL << SOCK_RCVTSTAMP) | \ +- (1UL << SOCK_RCVTSTAMPNS) | \ +- (1UL << SOCK_LOCALROUTE) | \ +- (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE) | \ +- (1UL << SOCK_RXQ_OVFL) | \ +- (1UL << SOCK_WIFI_STATUS) | \ +- (1UL << SOCK_NOFCS) | \ +- (1UL << SOCK_FILTER_LOCKED) | \ +- (1UL << SOCK_TSTAMP_NEW)) +-/* copy only relevant settings and flags of SOL_SOCKET level from smc to +- * clc socket (since smc is not called for these options from net/core) +- */ + static void smc_copy_sock_settings_to_clc(struct smc_sock *smc) + { + smc_copy_sock_settings(smc->clcsock->sk, &smc->sk, SK_FLAGS_SMC_TO_CLC); +@@ -2479,8 +2510,6 @@ static void smc_tcp_listen_work(struct w + sock_hold(lsk); /* sock_put in smc_listen_work */ + INIT_WORK(&new_smc->smc_listen_work, smc_listen_work); + smc_copy_sock_settings_to_smc(new_smc); +- new_smc->sk.sk_sndbuf = lsmc->sk.sk_sndbuf; +- new_smc->sk.sk_rcvbuf = lsmc->sk.sk_rcvbuf; + sock_hold(&new_smc->sk); /* sock_put in passive closing */ + if (!queue_work(smc_hs_wq, &new_smc->smc_listen_work)) + sock_put(&new_smc->sk); diff --git a/queue-6.4/pci-move-of-status-disabled-detection-to-dev-match_driver.patch b/queue-6.4/pci-move-of-status-disabled-detection-to-dev-match_driver.patch new file mode 100644 index 00000000000..815e0e664eb --- /dev/null +++ b/queue-6.4/pci-move-of-status-disabled-detection-to-dev-match_driver.patch @@ -0,0 +1,93 @@ +From 1a8c251cff2052b60009a070173308322e9600d3 Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Thu, 3 Aug 2023 16:58:56 +0300 +Subject: PCI: move OF status = "disabled" detection to dev->match_driver + +From: Vladimir Oltean + +commit 1a8c251cff2052b60009a070173308322e9600d3 upstream. + +The blamed commit has broken probing on +arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi when &enetc_port0 +(PCI function 0) has status = "disabled". + +Background: pci_scan_slot() has logic to say that if the function 0 of a +device is absent, the entire device is absent and we can skip the other +functions entirely. Traditionally, this has meant that +pci_bus_read_dev_vendor_id() returns an error code for that function. + +However, since the blamed commit, there is an extra confounding +condition: function 0 of the device exists and has a valid vendor id, +but it is disabled in the device tree. In that case, pci_scan_slot() +would incorrectly skip the entire device instead of just that function. + +In the case of NXP LS1028A, status = "disabled" does not mean that the +PCI function's config space is not available for reading. It is, but the +Ethernet port is just not functionally useful with a particular SerDes +protocol configuration (0x9999) due to pinmuxing constraints of the Soc. +So, pci_scan_slot() skips all other functions on the ENETC ECAM +(enetc_port1, enetc_port2, enetc_mdio_pf3 etc) when just enetc_port0 had +to not be probed. + +There is an additional regression introduced by the change, caused by +its fundamental premise. The enetc driver needs to run code for all PCI +functions, regardless of whether they're enabled or not in the device +tree. That is no longer possible if the driver's probe function is no +longer called. But Rob recommends that we move the of_device_is_available() +detection to dev->match_driver, and this makes the PCI fixups still run +on all functions, while just probing drivers for those functions that +are enabled. So, a separate change in the enetc driver will have to move +the workarounds to a PCI fixup. + +Fixes: 6fffbc7ae137 ("PCI: Honor firmware's device disabled status") +Link: https://lore.kernel.org/netdev/CAL_JsqLsVYiPLx2kcHkDQ4t=hQVCR7NHziDwi9cCFUFhx48Qow@mail.gmail.com/ +Suggested-by: Rob Herring +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/bus.c | 4 +++- + drivers/pci/of.c | 5 ----- + 2 files changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/pci/bus.c ++++ b/drivers/pci/bus.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -332,6 +333,7 @@ void __weak pcibios_bus_add_device(struc + */ + void pci_bus_add_device(struct pci_dev *dev) + { ++ struct device_node *dn = dev->dev.of_node; + int retval; + + /* +@@ -344,7 +346,7 @@ void pci_bus_add_device(struct pci_dev * + pci_proc_attach_device(dev); + pci_bridge_d3_update(dev); + +- dev->match_driver = true; ++ dev->match_driver = !dn || of_device_is_available(dn); + retval = device_attach(&dev->dev); + if (retval < 0 && retval != -EPROBE_DEFER) + pci_warn(dev, "device attach failed (%d)\n", retval); +--- a/drivers/pci/of.c ++++ b/drivers/pci/of.c +@@ -34,11 +34,6 @@ int pci_set_of_node(struct pci_dev *dev) + if (!node) + return 0; + +- if (!of_device_is_available(node)) { +- of_node_put(node); +- return -ENODEV; +- } +- + dev->dev.of_node = node; + dev->dev.fwnode = &node->fwnode; + return 0; diff --git a/queue-6.4/series b/queue-6.4/series index 8b4e2eedae6..861a3c29b1c 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -124,3 +124,26 @@ bpf-sockmap-fix-bug-that-strp_done-cannot-be-called.patch hwmon-aquacomputer_d5next-add-selective-200ms-delay-after-sending-ctrl-report.patch misdn-update-parameter-type-of-dsp_cmx_send.patch macsec-use-dev_stats_inc.patch +mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch +igc-add-lock-to-safeguard-global-qbv-variables.patch +ionic-add-missing-err-handling-for-queue-reconfig.patch +net-packet-annotate-data-races-around-tp-status.patch +net-smc-fix-setsockopt-and-sysctl-to-specify-same-buffer-size-again.patch +net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch +pci-move-of-status-disabled-detection-to-dev-match_driver.patch +tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch +tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch +vlan-fix-vlan-0-memory-leak.patch +xsk-fix-refcount-underflow-in-error-path.patch +bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch +dccp-fix-data-race-around-dp-dccps_mss_cache.patch +drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch +drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch +iavf-fix-potential-races-for-fdir-filters.patch +ib-hfi1-fix-possible-panic-during-hotplug-remove.patch +drm-amd-display-don-t-show-stack-trace-for-missing-edp.patch +drm-bridge-it6505-check-power-state-with-it6505-powered-in-irq-handler.patch +drm-nouveau-remove-unused-tu102_gr_load-function.patch +drm-rockchip-don-t-spam-logs-in-atomic-check.patch +wifi-brcm80211-handle-params_v1-allocation-failure.patch +wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch diff --git a/queue-6.4/tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch b/queue-6.4/tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch new file mode 100644 index 00000000000..5dbe67370dc --- /dev/null +++ b/queue-6.4/tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch @@ -0,0 +1,52 @@ +From 8a70ed9520c5fafaac91053cacdd44625c39e188 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 8 Aug 2023 08:49:23 +0000 +Subject: tcp: add missing family to tcp_set_ca_state() tracepoint + +From: Eric Dumazet + +commit 8a70ed9520c5fafaac91053cacdd44625c39e188 upstream. + +Before this code is copied, add the missing family, as we did in +commit 3dd344ea84e1 ("net: tracepoint: exposing sk_family in all tcp:tracepoints") + +Fixes: 15fcdf6ae116 ("tcp: Add tracepoint for tcp_set_ca_state") +Signed-off-by: Eric Dumazet +Cc: Ping Gan +Cc: Manjusaka +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230808084923.2239142-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/tcp.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/include/trace/events/tcp.h ++++ b/include/trace/events/tcp.h +@@ -381,6 +381,7 @@ TRACE_EVENT(tcp_cong_state_set, + __field(const void *, skaddr) + __field(__u16, sport) + __field(__u16, dport) ++ __field(__u16, family) + __array(__u8, saddr, 4) + __array(__u8, daddr, 4) + __array(__u8, saddr_v6, 16) +@@ -396,6 +397,7 @@ TRACE_EVENT(tcp_cong_state_set, + + __entry->sport = ntohs(inet->inet_sport); + __entry->dport = ntohs(inet->inet_dport); ++ __entry->family = sk->sk_family; + + p32 = (__be32 *) __entry->saddr; + *p32 = inet->inet_saddr; +@@ -409,7 +411,8 @@ TRACE_EVENT(tcp_cong_state_set, + __entry->cong_state = ca_state; + ), + +- TP_printk("sport=%hu dport=%hu saddr=%pI4 daddr=%pI4 saddrv6=%pI6c daddrv6=%pI6c cong_state=%u", ++ TP_printk("family=%s sport=%hu dport=%hu saddr=%pI4 daddr=%pI4 saddrv6=%pI6c daddrv6=%pI6c cong_state=%u", ++ show_family_name(__entry->family), + __entry->sport, __entry->dport, + __entry->saddr, __entry->daddr, + __entry->saddr_v6, __entry->daddr_v6, diff --git a/queue-6.4/tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch b/queue-6.4/tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch new file mode 100644 index 00000000000..e291f698531 --- /dev/null +++ b/queue-6.4/tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch @@ -0,0 +1,48 @@ +From 6a7ac3d20593865209dceb554d8b3f094c6bd940 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 3 Aug 2023 17:26:49 +0200 +Subject: tunnels: fix kasan splat when generating ipv4 pmtu error + +From: Florian Westphal + +commit 6a7ac3d20593865209dceb554d8b3f094c6bd940 upstream. + +If we try to emit an icmp error in response to a nonliner skb, we get + +BUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220 +Read of size 4 at addr ffff88811c50db00 by task iperf3/1691 +CPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309 +[..] + kasan_report+0x105/0x140 + ip_compute_csum+0x134/0x220 + iptunnel_pmtud_build_icmp+0x554/0x1020 + skb_tunnel_check_pmtu+0x513/0xb80 + vxlan_xmit_one+0x139e/0x2ef0 + vxlan_xmit+0x1867/0x2760 + dev_hard_start_xmit+0x1ee/0x4f0 + br_dev_queue_push_xmit+0x4d1/0x660 + [..] + +ip_compute_csum() cannot deal with nonlinear skbs, so avoid it. +After this change, splat is gone and iperf3 is no longer stuck. + +Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets") +Signed-off-by: Florian Westphal +Link: https://lore.kernel.org/r/20230803152653.29535-2-fw@strlen.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -224,7 +224,7 @@ static int iptunnel_pmtud_build_icmp(str + .un.frag.__unused = 0, + .un.frag.mtu = htons(mtu), + }; +- icmph->checksum = ip_compute_csum(icmph, len); ++ icmph->checksum = csum_fold(skb_checksum(skb, 0, len, 0)); + skb_reset_transport_header(skb); + + niph = skb_push(skb, sizeof(*niph)); diff --git a/queue-6.4/vlan-fix-vlan-0-memory-leak.patch b/queue-6.4/vlan-fix-vlan-0-memory-leak.patch new file mode 100644 index 00000000000..9df62c6d138 --- /dev/null +++ b/queue-6.4/vlan-fix-vlan-0-memory-leak.patch @@ -0,0 +1,90 @@ +From 718cb09aaa6fa78cc8124e9517efbc6c92665384 Mon Sep 17 00:00:00 2001 +From: Vlad Buslov +Date: Tue, 8 Aug 2023 11:35:21 +0200 +Subject: vlan: Fix VLAN 0 memory leak + +From: Vlad Buslov + +commit 718cb09aaa6fa78cc8124e9517efbc6c92665384 upstream. + +The referenced commit intended to fix memleak of VLAN 0 that is implicitly +created on devices with NETIF_F_HW_VLAN_CTAG_FILTER feature. However, it +doesn't take into account that the feature can be re-set during the +netdevice lifetime which will cause memory leak if feature is disabled +during the device deletion as illustrated by [0]. Fix the leak by +unconditionally deleting VLAN 0 on NETDEV_DOWN event. + +[0]: +> modprobe 8021q +> ip l set dev eth2 up +> ethtool -K eth2 rx-vlan-filter off +> modprobe -r mlx5_ib +> modprobe -r mlx5_core +> cat /sys/kernel/debug/kmemleak +unreferenced object 0xffff888103dcd900 (size 256): + comm "ip", pid 1490, jiffies 4294907305 (age 325.364s) + hex dump (first 32 bytes): + 00 80 5d 03 81 88 ff ff 00 00 00 00 00 00 00 00 ..]............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000899f3bb9>] kmalloc_trace+0x25/0x80 + [<000000002889a7a2>] vlan_vid_add+0xa0/0x210 + [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q] + [<000000009a0716b1>] notifier_call_chain+0x35/0xb0 + [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0 + [<0000000053d2b05d>] dev_change_flags+0x4d/0x60 + [<00000000982807e9>] do_setlink+0x28d/0x10a0 + [<0000000058c1be00>] __rtnl_newlink+0x545/0x980 + [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70 + [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390 + [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100 + [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0 + [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0 + [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60 + [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200 + [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0 +unreferenced object 0xffff88813354fde0 (size 32): + comm "ip", pid 1490, jiffies 4294907305 (age 325.364s) + hex dump (first 32 bytes): + a0 d9 dc 03 81 88 ff ff a0 d9 dc 03 81 88 ff ff ................ + 81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000899f3bb9>] kmalloc_trace+0x25/0x80 + [<000000002da64724>] vlan_vid_add+0xdf/0x210 + [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q] + [<000000009a0716b1>] notifier_call_chain+0x35/0xb0 + [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0 + [<0000000053d2b05d>] dev_change_flags+0x4d/0x60 + [<00000000982807e9>] do_setlink+0x28d/0x10a0 + [<0000000058c1be00>] __rtnl_newlink+0x545/0x980 + [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70 + [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390 + [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100 + [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0 + [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0 + [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60 + [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200 + [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0 + +Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct") +Reviewed-by: Ido Schimmel +Signed-off-by: Vlad Buslov +Link: https://lore.kernel.org/r/20230808093521.1468929-1-vladbu@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -384,8 +384,7 @@ static int vlan_device_event(struct noti + dev->name); + vlan_vid_add(dev, htons(ETH_P_8021Q), 0); + } +- if (event == NETDEV_DOWN && +- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) ++ if (event == NETDEV_DOWN) + vlan_vid_del(dev, htons(ETH_P_8021Q), 0); + + vlan_info = rtnl_dereference(dev->vlan_info); diff --git a/queue-6.4/wifi-brcm80211-handle-params_v1-allocation-failure.patch b/queue-6.4/wifi-brcm80211-handle-params_v1-allocation-failure.patch new file mode 100644 index 00000000000..17ad83cbc9e --- /dev/null +++ b/queue-6.4/wifi-brcm80211-handle-params_v1-allocation-failure.patch @@ -0,0 +1,46 @@ +From 07d698324110339b420deebab7a7805815340b4f Mon Sep 17 00:00:00 2001 +From: Petr Tesarik +Date: Wed, 2 Aug 2023 18:34:30 +0200 +Subject: wifi: brcm80211: handle params_v1 allocation failure + +From: Petr Tesarik + +commit 07d698324110339b420deebab7a7805815340b4f upstream. + +Return -ENOMEM from brcmf_run_escan() if kzalloc() fails for v1 params. + +Fixes: 398ce273d6b1 ("wifi: brcmfmac: cfg80211: Add support for scan params v2") +Signed-off-by: Petr Tesarik +Link: https://lore.kernel.org/r/20230802163430.1656-1-petrtesarik@huaweicloud.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index de8a2e27f49c..2a90bb24ba77 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -1456,6 +1456,10 @@ brcmf_run_escan(struct brcmf_cfg80211_info *cfg, struct brcmf_if *ifp, + params_size -= BRCMF_SCAN_PARAMS_V2_FIXED_SIZE; + params_size += BRCMF_SCAN_PARAMS_FIXED_SIZE; + params_v1 = kzalloc(params_size, GFP_KERNEL); ++ if (!params_v1) { ++ err = -ENOMEM; ++ goto exit_params; ++ } + params_v1->version = cpu_to_le32(BRCMF_ESCAN_REQ_VERSION); + brcmf_scan_params_v2_to_v1(¶ms->params_v2_le, ¶ms_v1->params_le); + kfree(params); +@@ -1473,6 +1477,7 @@ brcmf_run_escan(struct brcmf_cfg80211_info *cfg, struct brcmf_if *ifp, + bphy_err(drvr, "error (%d)\n", err); + } + ++exit_params: + kfree(params); + exit: + return err; +-- +2.41.0 + diff --git a/queue-6.4/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch b/queue-6.4/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch new file mode 100644 index 00000000000..3e105c311ef --- /dev/null +++ b/queue-6.4/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch @@ -0,0 +1,33 @@ +From 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Thu, 22 Jun 2023 18:59:19 +0200 +Subject: wifi: cfg80211: fix sband iftype data lookup for AP_VLAN + +From: Felix Fietkau + +commit 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 upstream. + +AP_VLAN interfaces are virtual, so doesn't really exist as a type for +capabilities. When passed in as a type, AP is the one that's really intended. + +Fixes: c4cbaf7973a7 ("cfg80211: Add support for HE") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230622165919.46841-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + include/net/cfg80211.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -562,6 +562,9 @@ ieee80211_get_sband_iftype_data(const st + if (WARN_ON(iftype >= NL80211_IFTYPE_MAX)) + return NULL; + ++ if (iftype == NL80211_IFTYPE_AP_VLAN) ++ iftype = NL80211_IFTYPE_AP; ++ + for (i = 0; i < sband->n_iftype_data; i++) { + const struct ieee80211_sband_iftype_data *data = + &sband->iftype_data[i]; diff --git a/queue-6.4/xsk-fix-refcount-underflow-in-error-path.patch b/queue-6.4/xsk-fix-refcount-underflow-in-error-path.patch new file mode 100644 index 00000000000..1cd9458b8b8 --- /dev/null +++ b/queue-6.4/xsk-fix-refcount-underflow-in-error-path.patch @@ -0,0 +1,46 @@ +From 85c2c79a07302fe68a1ad5cc449458cc559e314d Mon Sep 17 00:00:00 2001 +From: Magnus Karlsson +Date: Wed, 9 Aug 2023 16:28:43 +0200 +Subject: xsk: fix refcount underflow in error path + +From: Magnus Karlsson + +commit 85c2c79a07302fe68a1ad5cc449458cc559e314d upstream. + +Fix a refcount underflow problem reported by syzbot that can happen +when a system is running out of memory. If xp_alloc_tx_descs() fails, +and it can only fail due to not having enough memory, then the error +path is triggered. In this error path, the refcount of the pool is +decremented as it has incremented before. However, the reference to +the pool in the socket was not nulled. This means that when the socket +is closed later, the socket teardown logic will think that there is a +pool attached to the socket and try to decrease the refcount again, +leading to a refcount underflow. + +I chose this fix as it involved adding just a single line. Another +option would have been to move xp_get_pool() and the assignment of +xs->pool to after the if-statement and using xs_umem->pool instead of +xs->pool in the whole if-statement resulting in somewhat simpler code, +but this would have led to much more churn in the code base perhaps +making it harder to backport. + +Fixes: ba3beec2ec1d ("xsk: Fix possible crash when multiple sockets are created") +Reported-by: syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com +Signed-off-by: Magnus Karlsson +Link: https://lore.kernel.org/r/20230809142843.13944-1-magnus.karlsson@gmail.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Greg Kroah-Hartman +--- + net/xdp/xsk.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -994,6 +994,7 @@ static int xsk_bind(struct socket *sock, + err = xp_alloc_tx_descs(xs->pool, xs); + if (err) { + xp_put_pool(xs->pool); ++ xs->pool = NULL; + sockfd_put(sock); + goto out_unlock; + }