From: Sasha Levin Date: Wed, 3 Apr 2024 15:59:48 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.6.25~18^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fe504f7158bcd1018ab92a765ab0cdbf2e045363;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/acpica-debugger-check-status-of-acpi_evaluate_object.patch b/queue-6.1/acpica-debugger-check-status-of-acpi_evaluate_object.patch new file mode 100644 index 00000000000..4e2156094a9 --- /dev/null +++ b/queue-6.1/acpica-debugger-check-status-of-acpi_evaluate_object.patch @@ -0,0 +1,53 @@ +From baf889f8b6349ef8268478fa63ebea1a2d41410a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 21:07:53 +0300 +Subject: ACPICA: debugger: check status of acpi_evaluate_object() in + acpi_db_walk_for_fields() + +From: Nikita Kiryushin + +[ Upstream commit 40e2710860e57411ab57a1529c5a2748abbe8a19 ] + +ACPICA commit 9061cd9aa131205657c811a52a9f8325a040c6c9 + +Errors in acpi_evaluate_object() can lead to incorrect state of buffer. + +This can lead to access to data in previously ACPI_FREEd buffer and +secondary ACPI_FREE to the same buffer later. + +Handle errors in acpi_evaluate_object the same way it is done earlier +with acpi_ns_handle_to_pathname. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Link: https://github.com/acpica/acpica/commit/9061cd9a +Fixes: 5fd033288a86 ("ACPICA: debugger: add command to dump all fields of particular subtype") +Signed-off-by: Nikita Kiryushin +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dbnames.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c +index b91155ea9c343..c9131259f717b 100644 +--- a/drivers/acpi/acpica/dbnames.c ++++ b/drivers/acpi/acpica/dbnames.c +@@ -550,8 +550,12 @@ acpi_db_walk_for_fields(acpi_handle obj_handle, + ACPI_FREE(buffer.pointer); + + buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER; +- acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); +- ++ status = acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); ++ if (ACPI_FAILURE(status)) { ++ acpi_os_printf("Could Not evaluate object %p\n", ++ obj_handle); ++ return (AE_OK); ++ } + /* + * Since this is a field unit, surround the output in braces + */ +-- +2.43.0 + diff --git a/queue-6.1/bpf-protect-against-int-overflow-for-stack-access-si.patch b/queue-6.1/bpf-protect-against-int-overflow-for-stack-access-si.patch new file mode 100644 index 00000000000..f56d7ccea37 --- /dev/null +++ b/queue-6.1/bpf-protect-against-int-overflow-for-stack-access-si.patch @@ -0,0 +1,53 @@ +From 544247d439c2566d41ebf4ba2620a57b2802e37e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 22:42:45 -0400 +Subject: bpf: Protect against int overflow for stack access size + +From: Andrei Matei + +[ Upstream commit ecc6a2101840177e57c925c102d2d29f260d37c8 ] + +This patch re-introduces protection against the size of access to stack +memory being negative; the access size can appear negative as a result +of overflowing its signed int representation. This should not actually +happen, as there are other protections along the way, but we should +protect against it anyway. One code path was missing such protections +(fixed in the previous patch in the series), causing out-of-bounds array +accesses in check_stack_range_initialized(). This patch causes the +verification of a program with such a non-sensical access size to fail. + +This check used to exist in a more indirect way, but was inadvertendly +removed in a833a17aeac7. + +Fixes: a833a17aeac7 ("bpf: Fix verification of indirect var-off stack access") +Reported-by: syzbot+33f4297b5f927648741a@syzkaller.appspotmail.com +Reported-by: syzbot+aafd0513053a1cbf52ef@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/bpf/CAADnVQLORV5PT0iTAhRER+iLBTkByCYNBYyvBSgjN1T31K+gOw@mail.gmail.com/ +Acked-by: Andrii Nakryiko +Signed-off-by: Andrei Matei +Link: https://lore.kernel.org/r/20240327024245.318299-3-andreimatei1@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 1a29ac4db6eae..27cc6e3db5a86 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4965,6 +4965,11 @@ static int check_stack_access_within_bounds( + err = check_stack_slot_within_bounds(min_off, state, type); + if (!err && max_off > 0) + err = -EINVAL; /* out of stack access into non-negative offsets */ ++ if (!err && access_size < 0) ++ /* access_size should not be negative (or overflow an int); others checks ++ * along the way should have prevented such an access. ++ */ ++ err = -EFAULT; /* invalid negative access size; integer overflow? */ + + if (err) { + if (tnum_is_const(reg->var_off)) { +-- +2.43.0 + diff --git a/queue-6.1/cifs-fix-duplicate-fscache-cookie-warnings.patch b/queue-6.1/cifs-fix-duplicate-fscache-cookie-warnings.patch new file mode 100644 index 00000000000..9658e8c2bc6 --- /dev/null +++ b/queue-6.1/cifs-fix-duplicate-fscache-cookie-warnings.patch @@ -0,0 +1,93 @@ +From e6e043fea89745690850cc98f6f0cd8d49c1a180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 14:13:24 +0000 +Subject: cifs: Fix duplicate fscache cookie warnings + +From: David Howells + +[ Upstream commit 8876a37277cb832e1861c35f8c661825179f73f5 ] + +fscache emits a lot of duplicate cookie warnings with cifs because the +index key for the fscache cookies does not include everything that the +cifs_find_inode() function does. The latter is used with iget5_locked() to +distinguish between inodes in the local inode cache. + +Fix this by adding the creation time and file type to the fscache cookie +key. + +Additionally, add a couple of comments to note that if one is changed the +other must be also. + +Signed-off-by: David Howells +Fixes: 70431bfd825d ("cifs: Support fscache indexing rewrite") +cc: Shyam Prasad N +cc: Rohith Surabattula +cc: Jeff Layton +cc: linux-cifs@vger.kernel.org +cc: netfs@lists.linux.dev +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/fscache.c | 16 +++++++++++++++- + fs/smb/client/inode.c | 2 ++ + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/client/fscache.c b/fs/smb/client/fscache.c +index f64bad513ba6d..6df4ab2a6e5dc 100644 +--- a/fs/smb/client/fscache.c ++++ b/fs/smb/client/fscache.c +@@ -12,6 +12,16 @@ + #include "cifs_fs_sb.h" + #include "cifsproto.h" + ++/* ++ * Key for fscache inode. [!] Contents must match comparisons in cifs_find_inode(). ++ */ ++struct cifs_fscache_inode_key { ++ ++ __le64 uniqueid; /* server inode number */ ++ __le64 createtime; /* creation time on server */ ++ u8 type; /* S_IFMT file type */ ++} __packed; ++ + static void cifs_fscache_fill_volume_coherency( + struct cifs_tcon *tcon, + struct cifs_fscache_volume_coherency_data *cd) +@@ -97,15 +107,19 @@ void cifs_fscache_release_super_cookie(struct cifs_tcon *tcon) + void cifs_fscache_get_inode_cookie(struct inode *inode) + { + struct cifs_fscache_inode_coherency_data cd; ++ struct cifs_fscache_inode_key key; + struct cifsInodeInfo *cifsi = CIFS_I(inode); + struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb); + struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb); + ++ key.uniqueid = cpu_to_le64(cifsi->uniqueid); ++ key.createtime = cpu_to_le64(cifsi->createtime); ++ key.type = (inode->i_mode & S_IFMT) >> 12; + cifs_fscache_fill_coherency(&cifsi->netfs.inode, &cd); + + cifsi->netfs.cache = + fscache_acquire_cookie(tcon->fscache, 0, +- &cifsi->uniqueid, sizeof(cifsi->uniqueid), ++ &key, sizeof(key), + &cd, sizeof(cd), + i_size_read(&cifsi->netfs.inode)); + if (cifsi->netfs.cache) +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index 5343898bac8a6..634f28f0d331e 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -1274,6 +1274,8 @@ cifs_find_inode(struct inode *inode, void *opaque) + { + struct cifs_fattr *fattr = opaque; + ++ /* [!] The compared values must be the same in struct cifs_fscache_inode_key. */ ++ + /* don't match inode with different uniqueid */ + if (CIFS_I(inode)->uniqueid != fattr->cf_uniqueid) + return 0; +-- +2.43.0 + diff --git a/queue-6.1/dm-integrity-fix-out-of-range-warning.patch b/queue-6.1/dm-integrity-fix-out-of-range-warning.patch new file mode 100644 index 00000000000..edf5484d4e4 --- /dev/null +++ b/queue-6.1/dm-integrity-fix-out-of-range-warning.patch @@ -0,0 +1,47 @@ +From 42515ae22ea6080afbb234b9aaaa09c4f0dd4e21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 15:30:39 +0100 +Subject: dm integrity: fix out-of-range warning + +From: Arnd Bergmann + +[ Upstream commit 8e91c2342351e0f5ef6c0a704384a7f6fc70c3b2 ] + +Depending on the value of CONFIG_HZ, clang complains about a pointless +comparison: + +drivers/md/dm-integrity.c:4085:12: error: result of comparison of + constant 42949672950 with expression of type + 'unsigned int' is always false + [-Werror,-Wtautological-constant-out-of-range-compare] + if (val >= (uint64_t)UINT_MAX * 1000 / HZ) { + +As the check remains useful for other configurations, shut up the +warning by adding a second type cast to uint64_t. + +Fixes: 468dfca38b1a ("dm integrity: add a bitmap mode") +Signed-off-by: Arnd Bergmann +Reviewed-by: Mikulas Patocka +Reviewed-by: Justin Stitt +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-integrity.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c +index 9c9e2b50c63c3..696365f8f3b5f 100644 +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -4167,7 +4167,7 @@ static int dm_integrity_ctr(struct dm_target *ti, unsigned int argc, char **argv + } else if (sscanf(opt_string, "sectors_per_bit:%llu%c", &llval, &dummy) == 1) { + log2_sectors_per_bitmap_bit = !llval ? 0 : __ilog2_u64(llval); + } else if (sscanf(opt_string, "bitmap_flush_interval:%u%c", &val, &dummy) == 1) { +- if (val >= (uint64_t)UINT_MAX * 1000 / HZ) { ++ if ((uint64_t)val >= (uint64_t)UINT_MAX * 1000 / HZ) { + r = -EINVAL; + ti->error = "Invalid bitmap_flush_interval argument"; + goto bad; +-- +2.43.0 + diff --git a/queue-6.1/dma-buf-fix-null-pointer-dereference-in-sanitycheck.patch b/queue-6.1/dma-buf-fix-null-pointer-dereference-in-sanitycheck.patch new file mode 100644 index 00000000000..6be70a9f536 --- /dev/null +++ b/queue-6.1/dma-buf-fix-null-pointer-dereference-in-sanitycheck.patch @@ -0,0 +1,52 @@ +From 33d0109a07cef52373ec35ff88ce20173182ea6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 04:15:23 +0500 +Subject: dma-buf: Fix NULL pointer dereference in sanitycheck() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavel Sakharov + +[ Upstream commit 2295bd846765c766701e666ed2e4b35396be25e6 ] + +If due to a memory allocation failure mock_chain() returns NULL, it is +passed to dma_fence_enable_sw_signaling() resulting in NULL pointer +dereference there. + +Call dma_fence_enable_sw_signaling() only if mock_chain() succeeds. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d62c43a953ce ("dma-buf: Enable signaling on fence for selftests") +Signed-off-by: Pavel Sakharov +Reviewed-by: Christian König +Signed-off-by: Christian König +Link: https://patchwork.freedesktop.org/patch/msgid/20240319231527.1821372-1-p.sakharov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/dma-buf/st-dma-fence-chain.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma-buf/st-dma-fence-chain.c b/drivers/dma-buf/st-dma-fence-chain.c +index 0a9b099d05187..d90479d830fc3 100644 +--- a/drivers/dma-buf/st-dma-fence-chain.c ++++ b/drivers/dma-buf/st-dma-fence-chain.c +@@ -84,11 +84,11 @@ static int sanitycheck(void *arg) + return -ENOMEM; + + chain = mock_chain(NULL, f, 1); +- if (!chain) ++ if (chain) ++ dma_fence_enable_sw_signaling(chain); ++ else + err = -ENOMEM; + +- dma_fence_enable_sw_signaling(chain); +- + dma_fence_signal(f); + dma_fence_put(f); + +-- +2.43.0 + diff --git a/queue-6.1/inet-inet_defrag-prevent-sk-release-while-still-in-u.patch b/queue-6.1/inet-inet_defrag-prevent-sk-release-while-still-in-u.patch new file mode 100644 index 00000000000..4debd8beb92 --- /dev/null +++ b/queue-6.1/inet-inet_defrag-prevent-sk-release-while-still-in-u.patch @@ -0,0 +1,315 @@ +From 9a881df2bac91d1e961c4a9b919b4d517f3da7fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 11:18:41 +0100 +Subject: inet: inet_defrag: prevent sk release while still in use + +From: Florian Westphal + +[ Upstream commit 18685451fc4e546fc0e718580d32df3c0e5c8272 ] + +ip_local_out() and other functions can pass skb->sk as function argument. + +If the skb is a fragment and reassembly happens before such function call +returns, the sk must not be released. + +This affects skb fragments reassembled via netfilter or similar +modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. + +Eric Dumazet made an initial analysis of this bug. Quoting Eric: + Calling ip_defrag() in output path is also implying skb_orphan(), + which is buggy because output path relies on sk not disappearing. + + A relevant old patch about the issue was : + 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") + + [..] + + net/ipv4/ip_output.c depends on skb->sk being set, and probably to an + inet socket, not an arbitrary one. + + If we orphan the packet in ipvlan, then downstream things like FQ + packet scheduler will not work properly. + + We need to change ip_defrag() to only use skb_orphan() when really + needed, ie whenever frag_list is going to be used. + +Eric suggested to stash sk in fragment queue and made an initial patch. +However there is a problem with this: + +If skb is refragmented again right after, ip_do_fragment() will copy +head->sk to the new fragments, and sets up destructor to sock_wfree. +IOW, we have no choice but to fix up sk_wmem accouting to reflect the +fully reassembled skb, else wmem will underflow. + +This change moves the orphan down into the core, to last possible moment. +As ip_defrag_offset is aliased with sk_buff->sk member, we must move the +offset into the FRAG_CB, else skb->sk gets clobbered. + +This allows to delay the orphaning long enough to learn if the skb has +to be queued or if the skb is completing the reasm queue. + +In the former case, things work as before, skb is orphaned. This is +safe because skb gets queued/stolen and won't continue past reasm engine. + +In the latter case, we will steal the skb->sk reference, reattach it to +the head skb, and fix up wmem accouting when inet_frag inflates truesize. + +Fixes: 7026b1ddb6b8 ("netfilter: Pass socket pointer down through okfn().") +Diagnosed-by: Eric Dumazet +Reported-by: xingwei lee +Reported-by: yue sun +Reported-by: syzbot+e5167d7144a62715044c@syzkaller.appspotmail.com +Signed-off-by: Florian Westphal +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240326101845.30836-1-fw@strlen.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 7 +-- + net/ipv4/inet_fragment.c | 70 ++++++++++++++++++++----- + net/ipv4/ip_fragment.c | 2 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- + 4 files changed, 60 insertions(+), 21 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index c30d419ebf545..c4a8520dc748f 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -745,8 +745,6 @@ typedef unsigned char *sk_buff_data_t; + * @list: queue head + * @ll_node: anchor in an llist (eg socket defer_list) + * @sk: Socket we are owned by +- * @ip_defrag_offset: (aka @sk) alternate use of @sk, used in +- * fragmentation management + * @dev: Device we arrived on/are leaving by + * @dev_scratch: (aka @dev) alternate use of @dev when @dev would be %NULL + * @cb: Control buffer. Free for use by every layer. Put private vars here +@@ -870,10 +868,7 @@ struct sk_buff { + struct llist_node ll_node; + }; + +- union { +- struct sock *sk; +- int ip_defrag_offset; +- }; ++ struct sock *sk; + + union { + ktime_t tstamp; +diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c +index c9f9ac5013a71..834cdc57755f7 100644 +--- a/net/ipv4/inet_fragment.c ++++ b/net/ipv4/inet_fragment.c +@@ -24,6 +24,8 @@ + #include + #include + ++#include "../core/sock_destructor.h" ++ + /* Use skb->cb to track consecutive/adjacent fragments coming at + * the end of the queue. Nodes in the rb-tree queue will + * contain "runs" of one or more adjacent fragments. +@@ -39,6 +41,7 @@ struct ipfrag_skb_cb { + }; + struct sk_buff *next_frag; + int frag_run_len; ++ int ip_defrag_offset; + }; + + #define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb)) +@@ -390,12 +393,12 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, + */ + if (!last) + fragrun_create(q, skb); /* First fragment. */ +- else if (last->ip_defrag_offset + last->len < end) { ++ else if (FRAG_CB(last)->ip_defrag_offset + last->len < end) { + /* This is the common case: skb goes to the end. */ + /* Detect and discard overlaps. */ +- if (offset < last->ip_defrag_offset + last->len) ++ if (offset < FRAG_CB(last)->ip_defrag_offset + last->len) + return IPFRAG_OVERLAP; +- if (offset == last->ip_defrag_offset + last->len) ++ if (offset == FRAG_CB(last)->ip_defrag_offset + last->len) + fragrun_append_to_last(q, skb); + else + fragrun_create(q, skb); +@@ -412,13 +415,13 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, + + parent = *rbn; + curr = rb_to_skb(parent); +- curr_run_end = curr->ip_defrag_offset + ++ curr_run_end = FRAG_CB(curr)->ip_defrag_offset + + FRAG_CB(curr)->frag_run_len; +- if (end <= curr->ip_defrag_offset) ++ if (end <= FRAG_CB(curr)->ip_defrag_offset) + rbn = &parent->rb_left; + else if (offset >= curr_run_end) + rbn = &parent->rb_right; +- else if (offset >= curr->ip_defrag_offset && ++ else if (offset >= FRAG_CB(curr)->ip_defrag_offset && + end <= curr_run_end) + return IPFRAG_DUP; + else +@@ -432,7 +435,7 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, + rb_insert_color(&skb->rbnode, &q->rb_fragments); + } + +- skb->ip_defrag_offset = offset; ++ FRAG_CB(skb)->ip_defrag_offset = offset; + + return IPFRAG_OK; + } +@@ -442,13 +445,28 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, + struct sk_buff *parent) + { + struct sk_buff *fp, *head = skb_rb_first(&q->rb_fragments); +- struct sk_buff **nextp; ++ void (*destructor)(struct sk_buff *); ++ unsigned int orig_truesize = 0; ++ struct sk_buff **nextp = NULL; ++ struct sock *sk = skb->sk; + int delta; + ++ if (sk && is_skb_wmem(skb)) { ++ /* TX: skb->sk might have been passed as argument to ++ * dst->output and must remain valid until tx completes. ++ * ++ * Move sk to reassembled skb and fix up wmem accounting. ++ */ ++ orig_truesize = skb->truesize; ++ destructor = skb->destructor; ++ } ++ + if (head != skb) { + fp = skb_clone(skb, GFP_ATOMIC); +- if (!fp) +- return NULL; ++ if (!fp) { ++ head = skb; ++ goto out_restore_sk; ++ } + FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag; + if (RB_EMPTY_NODE(&skb->rbnode)) + FRAG_CB(parent)->next_frag = fp; +@@ -457,6 +475,12 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, + &q->rb_fragments); + if (q->fragments_tail == skb) + q->fragments_tail = fp; ++ ++ if (orig_truesize) { ++ /* prevent skb_morph from releasing sk */ ++ skb->sk = NULL; ++ skb->destructor = NULL; ++ } + skb_morph(skb, head); + FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag; + rb_replace_node(&head->rbnode, &skb->rbnode, +@@ -464,13 +488,13 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, + consume_skb(head); + head = skb; + } +- WARN_ON(head->ip_defrag_offset != 0); ++ WARN_ON(FRAG_CB(head)->ip_defrag_offset != 0); + + delta = -head->truesize; + + /* Head of list must not be cloned. */ + if (skb_unclone(head, GFP_ATOMIC)) +- return NULL; ++ goto out_restore_sk; + + delta += head->truesize; + if (delta) +@@ -486,7 +510,7 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, + + clone = alloc_skb(0, GFP_ATOMIC); + if (!clone) +- return NULL; ++ goto out_restore_sk; + skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; + skb_frag_list_init(head); + for (i = 0; i < skb_shinfo(head)->nr_frags; i++) +@@ -503,6 +527,21 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, + nextp = &skb_shinfo(head)->frag_list; + } + ++out_restore_sk: ++ if (orig_truesize) { ++ int ts_delta = head->truesize - orig_truesize; ++ ++ /* if this reassembled skb is fragmented later, ++ * fraglist skbs will get skb->sk assigned from head->sk, ++ * and each frag skb will be released via sock_wfree. ++ * ++ * Update sk_wmem_alloc. ++ */ ++ head->sk = sk; ++ head->destructor = destructor; ++ refcount_add(ts_delta, &sk->sk_wmem_alloc); ++ } ++ + return nextp; + } + EXPORT_SYMBOL(inet_frag_reasm_prepare); +@@ -510,6 +549,8 @@ EXPORT_SYMBOL(inet_frag_reasm_prepare); + void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, + void *reasm_data, bool try_coalesce) + { ++ struct sock *sk = is_skb_wmem(head) ? head->sk : NULL; ++ const unsigned int head_truesize = head->truesize; + struct sk_buff **nextp = reasm_data; + struct rb_node *rbn; + struct sk_buff *fp; +@@ -573,6 +614,9 @@ void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, + head->prev = NULL; + head->tstamp = q->stamp; + head->mono_delivery_time = q->mono_delivery_time; ++ ++ if (sk) ++ refcount_add(sum_truesize - head_truesize, &sk->sk_wmem_alloc); + } + EXPORT_SYMBOL(inet_frag_reasm_finish); + +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c +index fb153569889ec..6c309c1ec3b0f 100644 +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -378,6 +378,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) + } + + skb_dst_drop(skb); ++ skb_orphan(skb); + return -EINPROGRESS; + + insert_error: +@@ -480,7 +481,6 @@ int ip_defrag(struct net *net, struct sk_buff *skb, u32 user) + struct ipq *qp; + + __IP_INC_STATS(net, IPSTATS_MIB_REASMREQDS); +- skb_orphan(skb); + + /* Lookup (or create) queue header */ + qp = ip_find(net, ip_hdr(skb), user, vif); +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index 38db0064d6613..87a394179092c 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -293,6 +293,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, + } + + skb_dst_drop(skb); ++ skb_orphan(skb); + return -EINPROGRESS; + + insert_error: +@@ -468,7 +469,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) + hdr = ipv6_hdr(skb); + fhdr = (struct frag_hdr *)skb_transport_header(skb); + +- skb_orphan(skb); + fq = fq_find(net, fhdr->identification, user, hdr, + skb->dev ? skb->dev->ifindex : 0); + if (fq == NULL) { +-- +2.43.0 + diff --git a/queue-6.1/ixgbe-avoid-sleeping-allocation-in-ixgbe_ipsec_vf_ad.patch b/queue-6.1/ixgbe-avoid-sleeping-allocation-in-ixgbe_ipsec_vf_ad.patch new file mode 100644 index 00000000000..a739b9a0bb8 --- /dev/null +++ b/queue-6.1/ixgbe-avoid-sleeping-allocation-in-ixgbe_ipsec_vf_ad.patch @@ -0,0 +1,75 @@ +From 182f6cbe02d59431eb6cbb609c80c78cae23abd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 17:02:02 +0100 +Subject: ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa() + +From: Przemek Kitszel + +[ Upstream commit aec806fb4afba5fe80b09e29351379a4292baa43 ] + +Change kzalloc() flags used in ixgbe_ipsec_vf_add_sa() to GFP_ATOMIC, to +avoid sleeping in IRQ context. + +Dan Carpenter, with the help of Smatch, has found following issue: +The patch eda0333ac293: "ixgbe: add VF IPsec management" from Aug 13, +2018 (linux-next), leads to the following Smatch static checker +warning: drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c:917 ixgbe_ipsec_vf_add_sa() + warn: sleeping in IRQ context + +The call tree that Smatch is worried about is: +ixgbe_msix_other() <- IRQ handler +-> ixgbe_msg_task() + -> ixgbe_rcv_msg_from_vf() + -> ixgbe_ipsec_vf_add_sa() + +Fixes: eda0333ac293 ("ixgbe: add VF IPsec management") +Reported-by: Dan Carpenter +Link: https://lore.kernel.org/intel-wired-lan/db31a0b0-4d9f-4e6b-aed8-88266eb5665c@moroto.mountain +Reviewed-by: Michal Kubiak +Signed-off-by: Przemek Kitszel +Reviewed-by: Shannon Nelson +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +index 774de63dd93a6..15fc2acffb871 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +@@ -908,7 +908,13 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf) + goto err_out; + } + +- xs = kzalloc(sizeof(*xs), GFP_KERNEL); ++ algo = xfrm_aead_get_byname(aes_gcm_name, IXGBE_IPSEC_AUTH_BITS, 1); ++ if (unlikely(!algo)) { ++ err = -ENOENT; ++ goto err_out; ++ } ++ ++ xs = kzalloc(sizeof(*xs), GFP_ATOMIC); + if (unlikely(!xs)) { + err = -ENOMEM; + goto err_out; +@@ -924,14 +930,8 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf) + memcpy(&xs->id.daddr.a4, sam->addr, sizeof(xs->id.daddr.a4)); + xs->xso.dev = adapter->netdev; + +- algo = xfrm_aead_get_byname(aes_gcm_name, IXGBE_IPSEC_AUTH_BITS, 1); +- if (unlikely(!algo)) { +- err = -ENOENT; +- goto err_xs; +- } +- + aead_len = sizeof(*xs->aead) + IXGBE_IPSEC_KEY_BITS / 8; +- xs->aead = kzalloc(aead_len, GFP_KERNEL); ++ xs->aead = kzalloc(aead_len, GFP_ATOMIC); + if (unlikely(!xs->aead)) { + err = -ENOMEM; + goto err_xs; +-- +2.43.0 + diff --git a/queue-6.1/mlxbf_gige-call-request_irq-after-napi-initialized.patch b/queue-6.1/mlxbf_gige-call-request_irq-after-napi-initialized.patch new file mode 100644 index 00000000000..db55854c321 --- /dev/null +++ b/queue-6.1/mlxbf_gige-call-request_irq-after-napi-initialized.patch @@ -0,0 +1,168 @@ +From 08149171a54229a66823cabae2c6e65b67322841 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 14:36:27 -0400 +Subject: mlxbf_gige: call request_irq() after NAPI initialized + +From: David Thompson + +[ Upstream commit f7442a634ac06b953fc1f7418f307b25acd4cfbc ] + +The mlxbf_gige driver encounters a NULL pointer exception in +mlxbf_gige_open() when kdump is enabled. The sequence to reproduce +the exception is as follows: +a) enable kdump +b) trigger kdump via "echo c > /proc/sysrq-trigger" +c) kdump kernel executes +d) kdump kernel loads mlxbf_gige module +e) the mlxbf_gige module runs its open() as the + the "oob_net0" interface is brought up +f) mlxbf_gige module will experience an exception + during its open(), something like: + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + Mem abort info: + ESR = 0x0000000086000004 + EC = 0x21: IABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault + user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000 + [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 + Internal error: Oops: 0000000086000004 [#1] SMP + CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu + Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024 + pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : 0x0 + lr : __napi_poll+0x40/0x230 + sp : ffff800008003e00 + x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff + x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8 + x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000 + x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000 + x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0 + x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c + x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398 + x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2 + x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100 + x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238 + Call trace: + 0x0 + net_rx_action+0x178/0x360 + __do_softirq+0x15c/0x428 + __irq_exit_rcu+0xac/0xec + irq_exit+0x18/0x2c + handle_domain_irq+0x6c/0xa0 + gic_handle_irq+0xec/0x1b0 + call_on_irq_stack+0x20/0x2c + do_interrupt_handler+0x5c/0x70 + el1_interrupt+0x30/0x50 + el1h_64_irq_handler+0x18/0x2c + el1h_64_irq+0x7c/0x80 + __setup_irq+0x4c0/0x950 + request_threaded_irq+0xf4/0x1bc + mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige] + mlxbf_gige_open+0x5c/0x170 [mlxbf_gige] + __dev_open+0x100/0x220 + __dev_change_flags+0x16c/0x1f0 + dev_change_flags+0x2c/0x70 + do_setlink+0x220/0xa40 + __rtnl_newlink+0x56c/0x8a0 + rtnl_newlink+0x58/0x84 + rtnetlink_rcv_msg+0x138/0x3c4 + netlink_rcv_skb+0x64/0x130 + rtnetlink_rcv+0x20/0x30 + netlink_unicast+0x2ec/0x360 + netlink_sendmsg+0x278/0x490 + __sock_sendmsg+0x5c/0x6c + ____sys_sendmsg+0x290/0x2d4 + ___sys_sendmsg+0x84/0xd0 + __sys_sendmsg+0x70/0xd0 + __arm64_sys_sendmsg+0x2c/0x40 + invoke_syscall+0x78/0x100 + el0_svc_common.constprop.0+0x54/0x184 + do_el0_svc+0x30/0xac + el0_svc+0x48/0x160 + el0t_64_sync_handler+0xa4/0x12c + el0t_64_sync+0x1a4/0x1a8 + Code: bad PC value + ---[ end trace 7d1c3f3bf9d81885 ]--- + Kernel panic - not syncing: Oops: Fatal exception in interrupt + Kernel Offset: 0x2870a7a00000 from 0xffff800008000000 + PHYS_OFFSET: 0x80000000 + CPU features: 0x0,000005c1,a3332a5a + Memory Limit: none + ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- + +The exception happens because there is a pending RX interrupt before the +call to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires +immediately after this request_irq() completes. The RX IRQ handler runs +"napi_schedule()" before NAPI is fully initialized via "netif_napi_add()" +and "napi_enable()", both which happen later in the open() logic. + +The logic in mlxbf_gige_open() must fully initialize NAPI before any calls +to request_irq() execute. + +Fixes: f92e1869d74e ("Add Mellanox BlueField Gigabit Ethernet driver") +Signed-off-by: David Thompson +Reviewed-by: Asmaa Mnebhi +Link: https://lore.kernel.org/r/20240325183627.7641-1-davthompson@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mellanox/mlxbf_gige/mlxbf_gige_main.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c +index 113e3d9d33530..65e92541db6e5 100644 +--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c ++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c +@@ -139,13 +139,10 @@ static int mlxbf_gige_open(struct net_device *netdev) + control |= MLXBF_GIGE_CONTROL_PORT_EN; + writeq(control, priv->base + MLXBF_GIGE_CONTROL); + +- err = mlxbf_gige_request_irqs(priv); +- if (err) +- return err; + mlxbf_gige_cache_stats(priv); + err = mlxbf_gige_clean_port(priv); + if (err) +- goto free_irqs; ++ return err; + + /* Clear driver's valid_polarity to match hardware, + * since the above call to clean_port() resets the +@@ -166,6 +163,10 @@ static int mlxbf_gige_open(struct net_device *netdev) + napi_enable(&priv->napi); + netif_start_queue(netdev); + ++ err = mlxbf_gige_request_irqs(priv); ++ if (err) ++ goto napi_deinit; ++ + /* Set bits in INT_EN that we care about */ + int_en = MLXBF_GIGE_INT_EN_HW_ACCESS_ERROR | + MLXBF_GIGE_INT_EN_TX_CHECKSUM_INPUTS | +@@ -182,14 +183,17 @@ static int mlxbf_gige_open(struct net_device *netdev) + + return 0; + ++napi_deinit: ++ netif_stop_queue(netdev); ++ napi_disable(&priv->napi); ++ netif_napi_del(&priv->napi); ++ mlxbf_gige_rx_deinit(priv); ++ + tx_deinit: + mlxbf_gige_tx_deinit(priv); + + phy_deinit: + phy_stop(phydev); +- +-free_irqs: +- mlxbf_gige_free_irqs(priv); + return err; + } + +-- +2.43.0 + diff --git a/queue-6.1/mlxbf_gige-stop-phy-during-open-error-paths.patch b/queue-6.1/mlxbf_gige-stop-phy-during-open-error-paths.patch new file mode 100644 index 00000000000..8cba15725d4 --- /dev/null +++ b/queue-6.1/mlxbf_gige-stop-phy-during-open-error-paths.patch @@ -0,0 +1,50 @@ +From 7ef84b32f9117df759cab77aa0a5044bfca1c4a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 15:31:17 -0400 +Subject: mlxbf_gige: stop PHY during open() error paths + +From: David Thompson + +[ Upstream commit d6c30c5a168f8586b8bcc0d8e42e2456eb05209b ] + +The mlxbf_gige_open() routine starts the PHY as part of normal +initialization. The mlxbf_gige_open() routine must stop the +PHY during its error paths. + +Fixes: f92e1869d74e ("Add Mellanox BlueField Gigabit Ethernet driver") +Signed-off-by: David Thompson +Reviewed-by: Asmaa Mnebhi +Reviewed-by: Andrew Lunn +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c +index 83c4659390fd5..113e3d9d33530 100644 +--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c ++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c +@@ -157,7 +157,7 @@ static int mlxbf_gige_open(struct net_device *netdev) + + err = mlxbf_gige_tx_init(priv); + if (err) +- goto free_irqs; ++ goto phy_deinit; + err = mlxbf_gige_rx_init(priv); + if (err) + goto tx_deinit; +@@ -185,6 +185,9 @@ static int mlxbf_gige_open(struct net_device *netdev) + tx_deinit: + mlxbf_gige_tx_deinit(priv); + ++phy_deinit: ++ phy_stop(phydev); ++ + free_irqs: + mlxbf_gige_free_irqs(priv); + return err; +-- +2.43.0 + diff --git a/queue-6.1/net-hns3-fix-index-limit-to-support-all-queue-stats.patch b/queue-6.1/net-hns3-fix-index-limit-to-support-all-queue-stats.patch new file mode 100644 index 00000000000..b06eb5c4814 --- /dev/null +++ b/queue-6.1/net-hns3-fix-index-limit-to-support-all-queue-stats.patch @@ -0,0 +1,40 @@ +From 17407eccd87c24ccf593e440a4b395104817dc94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 20:43:09 +0800 +Subject: net: hns3: fix index limit to support all queue stats + +From: Jie Wang + +[ Upstream commit 47e39d213e09c6cae0d6b4d95e454ea404013312 ] + +Currently, hns hardware supports more than 512 queues and the index limit +in hclge_comm_tqps_update_stats is wrong. So this patch removes it. + +Fixes: 287db5c40d15 ("net: hns3: create new set of common tqp stats APIs for PF and VF reuse") +Signed-off-by: Jie Wang +Signed-off-by: Jijie Shao +Reviewed-by: Michal Kubiak +Reviewed-by: Kalesh AP +Reviewed-by: Simon Horman +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3_common/hclge_comm_tqp_stats.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_tqp_stats.c b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_tqp_stats.c +index f3c9395d8351c..618f66d9586b3 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_tqp_stats.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_tqp_stats.c +@@ -85,7 +85,7 @@ int hclge_comm_tqps_update_stats(struct hnae3_handle *handle, + hclge_comm_cmd_setup_basic_desc(&desc, HCLGE_OPC_QUERY_TX_STATS, + true); + +- desc.data[0] = cpu_to_le32(tqp->index & 0x1ff); ++ desc.data[0] = cpu_to_le32(tqp->index); + ret = hclge_comm_cmd_send(hw, &desc, 1); + if (ret) { + dev_err(&hw->cmq.csq.pdev->dev, +-- +2.43.0 + diff --git a/queue-6.1/net-hns3-fix-kernel-crash-when-devlink-reload-during.patch b/queue-6.1/net-hns3-fix-kernel-crash-when-devlink-reload-during.patch new file mode 100644 index 00000000000..6f125041b18 --- /dev/null +++ b/queue-6.1/net-hns3-fix-kernel-crash-when-devlink-reload-during.patch @@ -0,0 +1,57 @@ +From 099f98c3bc2e65698fcb52e20117b99e5f13bee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 20:43:10 +0800 +Subject: net: hns3: fix kernel crash when devlink reload during pf + initialization + +From: Yonglong Liu + +[ Upstream commit 93305b77ffcb042f1538ecc383505e87d95aa05a ] + +The devlink reload process will access the hardware resources, +but the register operation is done before the hardware is initialized. +So, processing the devlink reload during initialization may lead to kernel +crash. This patch fixes this by taking devl_lock during initialization. + +Fixes: b741269b2759 ("net: hns3: add support for registering devlink for PF") +Signed-off-by: Yonglong Liu +Signed-off-by: Jijie Shao +Reviewed-by: Simon Horman +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 27037ce795902..9db363fbc34fd 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -11604,6 +11604,8 @@ static int hclge_init_ae_dev(struct hnae3_ae_dev *ae_dev) + if (ret) + goto err_pci_uninit; + ++ devl_lock(hdev->devlink); ++ + /* Firmware command queue initialize */ + ret = hclge_comm_cmd_queue_init(hdev->pdev, &hdev->hw.hw); + if (ret) +@@ -11778,6 +11780,7 @@ static int hclge_init_ae_dev(struct hnae3_ae_dev *ae_dev) + + hclge_task_schedule(hdev, round_jiffies_relative(HZ)); + ++ devl_unlock(hdev->devlink); + return 0; + + err_mdiobus_unreg: +@@ -11790,6 +11793,7 @@ static int hclge_init_ae_dev(struct hnae3_ae_dev *ae_dev) + err_cmd_uninit: + hclge_comm_cmd_uninit(hdev->ae_dev, &hdev->hw.hw); + err_devlink_uninit: ++ devl_unlock(hdev->devlink); + hclge_devlink_uninit(hdev); + err_pci_uninit: + pcim_iounmap(pdev, hdev->hw.hw.io_base); +-- +2.43.0 + diff --git a/queue-6.1/net-hns3-mark-unexcuted-loopback-test-result-as-unex.patch b/queue-6.1/net-hns3-mark-unexcuted-loopback-test-result-as-unex.patch new file mode 100644 index 00000000000..a525293b653 --- /dev/null +++ b/queue-6.1/net-hns3-mark-unexcuted-loopback-test-result-as-unex.patch @@ -0,0 +1,82 @@ +From 6e7ba37554ba476afc899d04e8574405be32735d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 20:43:11 +0800 +Subject: net: hns3: mark unexcuted loopback test result as UNEXECUTED + +From: Jian Shen + +[ Upstream commit 5bd088d6c21a45ee70e6116879310e54174d75eb ] + +Currently, loopback test may be skipped when resetting, but the test +result will still show as 'PASS', because the driver doesn't set +ETH_TEST_FL_FAILED flag. Fix it by setting the flag and +initializating the value to UNEXECUTED. + +Fixes: 4c8dab1c709c ("net: hns3: reconstruct function hns3_self_test") +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Reviewed-by: Michal Kubiak +Reviewed-by: Simon Horman +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3_ethtool.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +index e22835ae8a941..9fce976a08f01 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -78,6 +78,9 @@ static const struct hns3_stats hns3_rxq_stats[] = { + #define HNS3_NIC_LB_TEST_NO_MEM_ERR 1 + #define HNS3_NIC_LB_TEST_TX_CNT_ERR 2 + #define HNS3_NIC_LB_TEST_RX_CNT_ERR 3 ++#define HNS3_NIC_LB_TEST_UNEXECUTED 4 ++ ++static int hns3_get_sset_count(struct net_device *netdev, int stringset); + + static int hns3_lp_setup(struct net_device *ndev, enum hnae3_loop loop, bool en) + { +@@ -419,18 +422,26 @@ static void hns3_do_external_lb(struct net_device *ndev, + static void hns3_self_test(struct net_device *ndev, + struct ethtool_test *eth_test, u64 *data) + { ++ int cnt = hns3_get_sset_count(ndev, ETH_SS_TEST); + struct hns3_nic_priv *priv = netdev_priv(ndev); + struct hnae3_handle *h = priv->ae_handle; + int st_param[HNAE3_LOOP_NONE][2]; + bool if_running = netif_running(ndev); ++ int i; ++ ++ /* initialize the loopback test result, avoid marking an unexcuted ++ * loopback test as PASS. ++ */ ++ for (i = 0; i < cnt; i++) ++ data[i] = HNS3_NIC_LB_TEST_UNEXECUTED; + + if (hns3_nic_resetting(ndev)) { + netdev_err(ndev, "dev resetting!"); +- return; ++ goto failure; + } + + if (!(eth_test->flags & ETH_TEST_FL_OFFLINE)) +- return; ++ goto failure; + + if (netif_msg_ifdown(h)) + netdev_info(ndev, "self test start\n"); +@@ -452,6 +463,10 @@ static void hns3_self_test(struct net_device *ndev, + + if (netif_msg_ifdown(h)) + netdev_info(ndev, "self test end\n"); ++ return; ++ ++failure: ++ eth_test->flags |= ETH_TEST_FL_FAILED; + } + + static void hns3_update_limit_promisc_mode(struct net_device *netdev, +-- +2.43.0 + diff --git a/queue-6.1/net-lan743x-add-set-rfe-read-fifo-threshold-for-pci1.patch b/queue-6.1/net-lan743x-add-set-rfe-read-fifo-threshold-for-pci1.patch new file mode 100644 index 00000000000..645aa0b5a2d --- /dev/null +++ b/queue-6.1/net-lan743x-add-set-rfe-read-fifo-threshold-for-pci1.patch @@ -0,0 +1,93 @@ +From 35de4ab556e329380347ed27d930bf8306da36bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 12:28:05 +0530 +Subject: net: lan743x: Add set RFE read fifo threshold for PCI1x1x chips + +From: Raju Lakkaraju + +[ Upstream commit e4a58989f5c839316ac63675e8800b9eed7dbe96 ] + +PCI11x1x Rev B0 devices might drop packets when receiving back to back frames +at 2.5G link speed. Change the B0 Rev device's Receive filtering Engine FIFO +threshold parameter from its hardware default of 4 to 3 dwords to prevent the +problem. Rev C0 and later hardware already defaults to 3 dwords. + +Fixes: bb4f6bffe33c ("net: lan743x: Add PCI11010 / PCI11414 device IDs") +Signed-off-by: Raju Lakkaraju +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240326065805.686128-1-Raju.Lakkaraju@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan743x_main.c | 18 ++++++++++++++++++ + drivers/net/ethernet/microchip/lan743x_main.h | 4 ++++ + 2 files changed, 22 insertions(+) + +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c +index e804613faa1fc..d5123e8c4a9f4 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -25,6 +25,8 @@ + #define PCS_POWER_STATE_DOWN 0x6 + #define PCS_POWER_STATE_UP 0x4 + ++#define RFE_RD_FIFO_TH_3_DWORDS 0x3 ++ + static void pci11x1x_strap_get_status(struct lan743x_adapter *adapter) + { + u32 chip_rev; +@@ -3217,6 +3219,21 @@ static void lan743x_full_cleanup(struct lan743x_adapter *adapter) + lan743x_pci_cleanup(adapter); + } + ++static void pci11x1x_set_rfe_rd_fifo_threshold(struct lan743x_adapter *adapter) ++{ ++ u16 rev = adapter->csr.id_rev & ID_REV_CHIP_REV_MASK_; ++ ++ if (rev == ID_REV_CHIP_REV_PCI11X1X_B0_) { ++ u32 misc_ctl; ++ ++ misc_ctl = lan743x_csr_read(adapter, MISC_CTL_0); ++ misc_ctl &= ~MISC_CTL_0_RFE_READ_FIFO_MASK_; ++ misc_ctl |= FIELD_PREP(MISC_CTL_0_RFE_READ_FIFO_MASK_, ++ RFE_RD_FIFO_TH_3_DWORDS); ++ lan743x_csr_write(adapter, MISC_CTL_0, misc_ctl); ++ } ++} ++ + static int lan743x_hardware_init(struct lan743x_adapter *adapter, + struct pci_dev *pdev) + { +@@ -3232,6 +3249,7 @@ static int lan743x_hardware_init(struct lan743x_adapter *adapter, + pci11x1x_strap_get_status(adapter); + spin_lock_init(&adapter->eth_syslock_spinlock); + mutex_init(&adapter->sgmii_rw_lock); ++ pci11x1x_set_rfe_rd_fifo_threshold(adapter); + } else { + adapter->max_tx_channels = LAN743X_MAX_TX_CHANNELS; + adapter->used_tx_channels = LAN743X_USED_TX_CHANNELS; +diff --git a/drivers/net/ethernet/microchip/lan743x_main.h b/drivers/net/ethernet/microchip/lan743x_main.h +index 67877d3b6dd98..d304be17b9d82 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.h ++++ b/drivers/net/ethernet/microchip/lan743x_main.h +@@ -26,6 +26,7 @@ + #define ID_REV_CHIP_REV_MASK_ (0x0000FFFF) + #define ID_REV_CHIP_REV_A0_ (0x00000000) + #define ID_REV_CHIP_REV_B0_ (0x00000010) ++#define ID_REV_CHIP_REV_PCI11X1X_B0_ (0x000000B0) + + #define FPGA_REV (0x04) + #define FPGA_REV_GET_MINOR_(fpga_rev) (((fpga_rev) >> 8) & 0x000000FF) +@@ -311,6 +312,9 @@ + #define SGMII_CTL_LINK_STATUS_SOURCE_ BIT(8) + #define SGMII_CTL_SGMII_POWER_DN_ BIT(1) + ++#define MISC_CTL_0 (0x920) ++#define MISC_CTL_0_RFE_READ_FIFO_MASK_ GENMASK(6, 4) ++ + /* Vendor Specific SGMII MMD details */ + #define SR_VSMMD_PCS_ID1 0x0004 + #define SR_VSMMD_PCS_ID2 0x0005 +-- +2.43.0 + diff --git a/queue-6.1/net-wwan-t7xx-split-64bit-accesses-to-fix-alignment-.patch b/queue-6.1/net-wwan-t7xx-split-64bit-accesses-to-fix-alignment-.patch new file mode 100644 index 00000000000..ce8120bf056 --- /dev/null +++ b/queue-6.1/net-wwan-t7xx-split-64bit-accesses-to-fix-alignment-.patch @@ -0,0 +1,162 @@ +From 9011dcc9c8aa83ddc93e1bc66f135a04530f66e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 15:40:00 +0100 +Subject: net: wwan: t7xx: Split 64bit accesses to fix alignment issues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjørn Mork + +[ Upstream commit 7d5a7dd5a35876f0ecc286f3602a88887a788217 ] + +Some of the registers are aligned on a 32bit boundary, causing +alignment faults on 64bit platforms. + + Unable to handle kernel paging request at virtual address ffffffc084a1d004 + Mem abort info: + ESR = 0x0000000096000061 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x21: alignment fault + Data abort info: + ISV = 0, ISS = 0x00000061, ISS2 = 0x00000000 + CM = 0, WnR = 1, TnD = 0, TagAccess = 0 + GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 + swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000046ad6000 + [ffffffc084a1d004] pgd=100000013ffff003, p4d=100000013ffff003, pud=100000013ffff003, pmd=0068000020a00711 + Internal error: Oops: 0000000096000061 [#1] SMP + Modules linked in: mtk_t7xx(+) qcserial pppoe ppp_async option nft_fib_inet nf_flow_table_inet mt7921u(O) mt7921s(O) mt7921e(O) mt7921_common(O) iwlmvm(O) iwldvm(O) usb_wwan rndis_host qmi_wwan pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack mt7996e(O) mt792x_usb(O) mt792x_lib(O) mt7915e(O) mt76_usb(O) mt76_sdio(O) mt76_connac_lib(O) mt76(O) mac80211(O) iwlwifi(O) huawei_cdc_ncm cfg80211(O) cdc_ncm cdc_ether wwan usbserial usbnet slhc sfp rtc_pcf8563 nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 mt6577_auxadc mdio_i2c libcrc32c compat(O) cdc_wdm cdc_acm at24 crypto_safexcel pwm_fan i2c_gpio i2c_smbus industrialio i2c_algo_bit i2c_mux_reg i2c_mux_pca954x i2c_mux_pca9541 i2c_mux_gpio i2c_mux dummy oid_registry tun sha512_arm64 sha1_ce sha1_generic seqiv + md5 geniv des_generic libdes cbc authencesn authenc leds_gpio xhci_plat_hcd xhci_pci xhci_mtk_hcd xhci_hcd nvme nvme_core gpio_button_hotplug(O) dm_mirror dm_region_hash dm_log dm_crypt dm_mod dax usbcore usb_common ptp aquantia pps_core mii tpm encrypted_keys trusted + CPU: 3 PID: 5266 Comm: kworker/u9:1 Tainted: G O 6.6.22 #0 + Hardware name: Bananapi BPI-R4 (DT) + Workqueue: md_hk_wq t7xx_fsm_uninit [mtk_t7xx] + pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : t7xx_cldma_hw_set_start_addr+0x1c/0x3c [mtk_t7xx] + lr : t7xx_cldma_start+0xac/0x13c [mtk_t7xx] + sp : ffffffc085d63d30 + x29: ffffffc085d63d30 x28: 0000000000000000 x27: 0000000000000000 + x26: 0000000000000000 x25: ffffff80c804f2c0 x24: ffffff80ca196c05 + x23: 0000000000000000 x22: ffffff80c814b9b8 x21: ffffff80c814b128 + x20: 0000000000000001 x19: ffffff80c814b080 x18: 0000000000000014 + x17: 0000000055c9806b x16: 000000007c5296d0 x15: 000000000f6bca68 + x14: 00000000dbdbdce4 x13: 000000001aeaf72a x12: 0000000000000001 + x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 + x8 : ffffff80ca1ef6b4 x7 : ffffff80c814b818 x6 : 0000000000000018 + x5 : 0000000000000870 x4 : 0000000000000000 x3 : 0000000000000000 + x2 : 000000010a947000 x1 : ffffffc084a1d004 x0 : ffffffc084a1d004 + Call trace: + t7xx_cldma_hw_set_start_addr+0x1c/0x3c [mtk_t7xx] + t7xx_fsm_uninit+0x578/0x5ec [mtk_t7xx] + process_one_work+0x154/0x2a0 + worker_thread+0x2ac/0x488 + kthread+0xe0/0xec + ret_from_fork+0x10/0x20 + Code: f9400800 91001000 8b214001 d50332bf (f9000022) + ---[ end trace 0000000000000000 ]--- + +The inclusion of io-64-nonatomic-lo-hi.h indicates that all 64bit +accesses can be replaced by pairs of nonatomic 32bit access. Fix +alignment by forcing all accesses to be 32bit on 64bit platforms. + +Link: https://forum.openwrt.org/t/fibocom-fm350-gl-support/142682/72 +Fixes: 39d439047f1d ("net: wwan: t7xx: Add control DMA interface") +Signed-off-by: Bjørn Mork +Reviewed-by: Sergey Ryazanov +Tested-by: Liviu Dudau +Link: https://lore.kernel.org/r/20240322144000.1683822-1-bjorn@mork.no +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/t7xx/t7xx_cldma.c | 4 ++-- + drivers/net/wwan/t7xx/t7xx_hif_cldma.c | 9 +++++---- + drivers/net/wwan/t7xx/t7xx_pcie_mac.c | 8 ++++---- + 3 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wwan/t7xx/t7xx_cldma.c b/drivers/net/wwan/t7xx/t7xx_cldma.c +index 9f43f256db1d0..f0a4783baf1f3 100644 +--- a/drivers/net/wwan/t7xx/t7xx_cldma.c ++++ b/drivers/net/wwan/t7xx/t7xx_cldma.c +@@ -106,7 +106,7 @@ bool t7xx_cldma_tx_addr_is_set(struct t7xx_cldma_hw *hw_info, unsigned int qno) + { + u32 offset = REG_CLDMA_UL_START_ADDRL_0 + qno * ADDR_SIZE; + +- return ioread64(hw_info->ap_pdn_base + offset); ++ return ioread64_lo_hi(hw_info->ap_pdn_base + offset); + } + + void t7xx_cldma_hw_set_start_addr(struct t7xx_cldma_hw *hw_info, unsigned int qno, u64 address, +@@ -117,7 +117,7 @@ void t7xx_cldma_hw_set_start_addr(struct t7xx_cldma_hw *hw_info, unsigned int qn + + reg = tx_rx == MTK_RX ? hw_info->ap_ao_base + REG_CLDMA_DL_START_ADDRL_0 : + hw_info->ap_pdn_base + REG_CLDMA_UL_START_ADDRL_0; +- iowrite64(address, reg + offset); ++ iowrite64_lo_hi(address, reg + offset); + } + + void t7xx_cldma_hw_resume_queue(struct t7xx_cldma_hw *hw_info, unsigned int qno, +diff --git a/drivers/net/wwan/t7xx/t7xx_hif_cldma.c b/drivers/net/wwan/t7xx/t7xx_hif_cldma.c +index 6ff30cb8eb16f..5d6032ceb9e51 100644 +--- a/drivers/net/wwan/t7xx/t7xx_hif_cldma.c ++++ b/drivers/net/wwan/t7xx/t7xx_hif_cldma.c +@@ -139,8 +139,9 @@ static int t7xx_cldma_gpd_rx_from_q(struct cldma_queue *queue, int budget, bool + return -ENODEV; + } + +- gpd_addr = ioread64(hw_info->ap_pdn_base + REG_CLDMA_DL_CURRENT_ADDRL_0 + +- queue->index * sizeof(u64)); ++ gpd_addr = ioread64_lo_hi(hw_info->ap_pdn_base + ++ REG_CLDMA_DL_CURRENT_ADDRL_0 + ++ queue->index * sizeof(u64)); + if (req->gpd_addr == gpd_addr || hwo_polling_count++ >= 100) + return 0; + +@@ -318,8 +319,8 @@ static void t7xx_cldma_txq_empty_hndl(struct cldma_queue *queue) + struct t7xx_cldma_hw *hw_info = &md_ctrl->hw_info; + + /* Check current processing TGPD, 64-bit address is in a table by Q index */ +- ul_curr_addr = ioread64(hw_info->ap_pdn_base + REG_CLDMA_UL_CURRENT_ADDRL_0 + +- queue->index * sizeof(u64)); ++ ul_curr_addr = ioread64_lo_hi(hw_info->ap_pdn_base + REG_CLDMA_UL_CURRENT_ADDRL_0 + ++ queue->index * sizeof(u64)); + if (req->gpd_addr != ul_curr_addr) { + spin_unlock_irqrestore(&md_ctrl->cldma_lock, flags); + dev_err(md_ctrl->dev, "CLDMA%d queue %d is not empty\n", +diff --git a/drivers/net/wwan/t7xx/t7xx_pcie_mac.c b/drivers/net/wwan/t7xx/t7xx_pcie_mac.c +index 76da4c15e3de1..f071ec7ff23d5 100644 +--- a/drivers/net/wwan/t7xx/t7xx_pcie_mac.c ++++ b/drivers/net/wwan/t7xx/t7xx_pcie_mac.c +@@ -75,7 +75,7 @@ static void t7xx_pcie_mac_atr_tables_dis(void __iomem *pbase, enum t7xx_atr_src_ + for (i = 0; i < ATR_TABLE_NUM_PER_ATR; i++) { + offset = ATR_PORT_OFFSET * port + ATR_TABLE_OFFSET * i; + reg = pbase + ATR_PCIE_WIN0_T0_ATR_PARAM_SRC_ADDR + offset; +- iowrite64(0, reg); ++ iowrite64_lo_hi(0, reg); + } + } + +@@ -112,17 +112,17 @@ static int t7xx_pcie_mac_atr_cfg(struct t7xx_pci_dev *t7xx_dev, struct t7xx_atr_ + + reg = pbase + ATR_PCIE_WIN0_T0_TRSL_ADDR + offset; + value = cfg->trsl_addr & ATR_PCIE_WIN0_ADDR_ALGMT; +- iowrite64(value, reg); ++ iowrite64_lo_hi(value, reg); + + reg = pbase + ATR_PCIE_WIN0_T0_TRSL_PARAM + offset; + iowrite32(cfg->trsl_id, reg); + + reg = pbase + ATR_PCIE_WIN0_T0_ATR_PARAM_SRC_ADDR + offset; + value = (cfg->src_addr & ATR_PCIE_WIN0_ADDR_ALGMT) | (atr_size << 1) | BIT(0); +- iowrite64(value, reg); ++ iowrite64_lo_hi(value, reg); + + /* Ensure ATR is set */ +- ioread64(reg); ++ ioread64_lo_hi(reg); + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.1/nfc-nci-fix-uninit-value-in-nci_dev_up-and-nci_ntf_p.patch b/queue-6.1/nfc-nci-fix-uninit-value-in-nci_dev_up-and-nci_ntf_p.patch new file mode 100644 index 00000000000..9e416d10308 --- /dev/null +++ b/queue-6.1/nfc-nci-fix-uninit-value-in-nci_dev_up-and-nci_ntf_p.patch @@ -0,0 +1,53 @@ +From 65c397316e6d07a1195c4de3d74407006ab99cbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 09:54:10 +0900 +Subject: nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet + +From: Ryosuke Yasuoka + +[ Upstream commit d24b03535e5eb82e025219c2f632b485409c898f ] + +syzbot reported the following uninit-value access issue [1][2]: + +nci_rx_work() parses and processes received packet. When the payload +length is zero, each message type handler reads uninitialized payload +and KMSAN detects this issue. The receipt of a packet with a zero-size +payload is considered unexpected, and therefore, such packets should be +silently discarded. + +This patch resolved this issue by checking payload size before calling +each message type handler codes. + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Reported-and-tested-by: syzbot+7ea9413ea6749baf5574@syzkaller.appspotmail.com +Reported-and-tested-by: syzbot+29b5ca705d2e0f4a44d2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7ea9413ea6749baf5574 [1] +Closes: https://syzkaller.appspot.com/bug?extid=29b5ca705d2e0f4a44d2 [2] +Signed-off-by: Ryosuke Yasuoka +Reviewed-by: Jeremy Cline +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index b5071a2f597d4..f76a2d8060340 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1512,6 +1512,11 @@ static void nci_rx_work(struct work_struct *work) + nfc_send_to_raw_sock(ndev->nfc_dev, skb, + RAW_PAYLOAD_NCI, NFC_DIRECTION_RX); + ++ if (!nci_plen(skb->data)) { ++ kfree_skb(skb); ++ break; ++ } ++ + /* Process frame */ + switch (nci_mt(skb->data)) { + case NCI_MT_RSP_PKT: +-- +2.43.0 + diff --git a/queue-6.1/octeontx2-af-fix-pause-frame-configuration-in-gmp-mo.patch b/queue-6.1/octeontx2-af-fix-pause-frame-configuration-in-gmp-mo.patch new file mode 100644 index 00000000000..7ec5532d9b4 --- /dev/null +++ b/queue-6.1/octeontx2-af-fix-pause-frame-configuration-in-gmp-mo.patch @@ -0,0 +1,46 @@ +From c8d9996666f264ade16c16a7293ee1e78b23ceaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 10:57:20 +0530 +Subject: Octeontx2-af: fix pause frame configuration in GMP mode + +From: Hariprasad Kelam + +[ Upstream commit 40d4b4807cadd83fb3f46cc8cd67a945b5b25461 ] + +The Octeontx2 MAC block (CGX) has separate data paths (SMU and GMP) for +different speeds, allowing for efficient data transfer. + +The previous patch which added pause frame configuration has a bug due +to which pause frame feature is not working in GMP mode. + +This patch fixes the issue by configurating appropriate registers. + +Fixes: f7e086e754fe ("octeontx2-af: Pause frame configuration at cgx") +Signed-off-by: Hariprasad Kelam +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240326052720.4441-1-hkelam@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c +index e6fe599f7bf3a..254cad45a555f 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c +@@ -814,6 +814,11 @@ static int cgx_lmac_enadis_pause_frm(void *cgxd, int lmac_id, + if (!is_lmac_valid(cgx, lmac_id)) + return -ENODEV; + ++ cfg = cgx_read(cgx, lmac_id, CGXX_GMP_GMI_RXX_FRM_CTL); ++ cfg &= ~CGX_GMP_GMI_RXX_FRM_CTL_CTL_BCK; ++ cfg |= rx_pause ? CGX_GMP_GMI_RXX_FRM_CTL_CTL_BCK : 0x0; ++ cgx_write(cgx, lmac_id, CGXX_GMP_GMI_RXX_FRM_CTL, cfg); ++ + cfg = cgx_read(cgx, lmac_id, CGXX_SMUX_RX_FRM_CTL); + cfg &= ~CGX_SMUX_RX_FRM_CTL_CTL_BCK; + cfg |= rx_pause ? CGX_SMUX_RX_FRM_CTL_CTL_BCK : 0x0; +-- +2.43.0 + diff --git a/queue-6.1/perf-x86-amd-lbr-use-freeze-based-on-availability.patch b/queue-6.1/perf-x86-amd-lbr-use-freeze-based-on-availability.patch new file mode 100644 index 00000000000..c27c06e61c7 --- /dev/null +++ b/queue-6.1/perf-x86-amd-lbr-use-freeze-based-on-availability.patch @@ -0,0 +1,130 @@ +From e6784e3c217d3500c23af4bf81d540b488178240 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 13:01:45 +0530 +Subject: perf/x86/amd/lbr: Use freeze based on availability + +From: Sandipan Das + +[ Upstream commit 598c2fafc06fe5c56a1a415fb7b544b31453d637 ] + +Currently, the LBR code assumes that LBR Freeze is supported on all processors +when X86_FEATURE_AMD_LBR_V2 is available i.e. CPUID leaf 0x80000022[EAX] +bit 1 is set. This is incorrect as the availability of the feature is +additionally dependent on CPUID leaf 0x80000022[EAX] bit 2 being set, +which may not be set for all Zen 4 processors. + +Define a new feature bit for LBR and PMC freeze and set the freeze enable bit +(FLBRI) in DebugCtl (MSR 0x1d9) conditionally. + +It should still be possible to use LBR without freeze for profile-guided +optimization of user programs by using an user-only branch filter during +profiling. When the user-only filter is enabled, branches are no longer +recorded after the transition to CPL 0 upon PMI arrival. When branch +entries are read in the PMI handler, the branch stack does not change. + +E.g. + + $ perf record -j any,u -e ex_ret_brn_tkn ./workload + +Since the feature bit is visible under flags in /proc/cpuinfo, it can be +used to determine the feasibility of use-cases which require LBR Freeze +to be supported by the hardware such as profile-guided optimization of +kernels. + +Fixes: ca5b7c0d9621 ("perf/x86/amd/lbr: Add LbrExtV2 branch record support") +Signed-off-by: Sandipan Das +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/69a453c97cfd11c6f2584b19f937fe6df741510f.1711091584.git.sandipan.das@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/core.c | 4 ++-- + arch/x86/events/amd/lbr.c | 16 ++++++++++------ + arch/x86/include/asm/cpufeatures.h | 8 ++++++++ + arch/x86/kernel/cpu/scattered.c | 1 + + 4 files changed, 21 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c +index fd091b9dd7067..3ac069a4559b0 100644 +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -904,8 +904,8 @@ static int amd_pmu_v2_handle_irq(struct pt_regs *regs) + if (!status) + goto done; + +- /* Read branch records before unfreezing */ +- if (status & GLOBAL_STATUS_LBRS_FROZEN) { ++ /* Read branch records */ ++ if (x86_pmu.lbr_nr) { + amd_pmu_lbr_read(); + status &= ~GLOBAL_STATUS_LBRS_FROZEN; + } +diff --git a/arch/x86/events/amd/lbr.c b/arch/x86/events/amd/lbr.c +index 38a75216c12cf..b8fe74e8e0a60 100644 +--- a/arch/x86/events/amd/lbr.c ++++ b/arch/x86/events/amd/lbr.c +@@ -400,10 +400,12 @@ void amd_pmu_lbr_enable_all(void) + wrmsrl(MSR_AMD64_LBR_SELECT, lbr_select); + } + +- rdmsrl(MSR_IA32_DEBUGCTLMSR, dbg_ctl); +- rdmsrl(MSR_AMD_DBG_EXTN_CFG, dbg_extn_cfg); ++ if (cpu_feature_enabled(X86_FEATURE_AMD_LBR_PMC_FREEZE)) { ++ rdmsrl(MSR_IA32_DEBUGCTLMSR, dbg_ctl); ++ wrmsrl(MSR_IA32_DEBUGCTLMSR, dbg_ctl | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI); ++ } + +- wrmsrl(MSR_IA32_DEBUGCTLMSR, dbg_ctl | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI); ++ rdmsrl(MSR_AMD_DBG_EXTN_CFG, dbg_extn_cfg); + wrmsrl(MSR_AMD_DBG_EXTN_CFG, dbg_extn_cfg | DBG_EXTN_CFG_LBRV2EN); + } + +@@ -416,10 +418,12 @@ void amd_pmu_lbr_disable_all(void) + return; + + rdmsrl(MSR_AMD_DBG_EXTN_CFG, dbg_extn_cfg); +- rdmsrl(MSR_IA32_DEBUGCTLMSR, dbg_ctl); +- + wrmsrl(MSR_AMD_DBG_EXTN_CFG, dbg_extn_cfg & ~DBG_EXTN_CFG_LBRV2EN); +- wrmsrl(MSR_IA32_DEBUGCTLMSR, dbg_ctl & ~DEBUGCTLMSR_FREEZE_LBRS_ON_PMI); ++ ++ if (cpu_feature_enabled(X86_FEATURE_AMD_LBR_PMC_FREEZE)) { ++ rdmsrl(MSR_IA32_DEBUGCTLMSR, dbg_ctl); ++ wrmsrl(MSR_IA32_DEBUGCTLMSR, dbg_ctl & ~DEBUGCTLMSR_FREEZE_LBRS_ON_PMI); ++ } + } + + __init int amd_pmu_lbr_init(void) +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index 09cca23f020eb..1280daa729757 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -432,6 +432,14 @@ + #define X86_FEATURE_IBPB_BRTYPE (20*32+28) /* "" MSR_PRED_CMD[IBPB] flushes all branch type predictions */ + #define X86_FEATURE_SRSO_NO (20*32+29) /* "" CPU is not affected by SRSO */ + ++/* ++ * Extended auxiliary flags: Linux defined - for features scattered in various ++ * CPUID levels like 0x80000022, etc. ++ * ++ * Reuse free bits when adding new feature flags! ++ */ ++#define X86_FEATURE_AMD_LBR_PMC_FREEZE (21*32+ 0) /* AMD LBR and PMC Freeze */ ++ + /* + * BUG word(s) + */ +diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c +index fc01f81f6e2a3..94e0a42528dcb 100644 +--- a/arch/x86/kernel/cpu/scattered.c ++++ b/arch/x86/kernel/cpu/scattered.c +@@ -46,6 +46,7 @@ static const struct cpuid_bit cpuid_bits[] = { + { X86_FEATURE_MBA, CPUID_EBX, 6, 0x80000008, 0 }, + { X86_FEATURE_PERFMON_V2, CPUID_EAX, 0, 0x80000022, 0 }, + { X86_FEATURE_AMD_LBR_V2, CPUID_EAX, 1, 0x80000022, 0 }, ++ { X86_FEATURE_AMD_LBR_PMC_FREEZE, CPUID_EAX, 2, 0x80000022, 0 }, + { 0, 0, 0, 0, 0 } + }; + +-- +2.43.0 + diff --git a/queue-6.1/s390-qeth-handle-deferred-cc1.patch b/queue-6.1/s390-qeth-handle-deferred-cc1.patch new file mode 100644 index 00000000000..74c68ed24e7 --- /dev/null +++ b/queue-6.1/s390-qeth-handle-deferred-cc1.patch @@ -0,0 +1,116 @@ +From 086012c5b460df3686a2487b5fb6d68f93fc6dc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Mar 2024 12:53:37 +0100 +Subject: s390/qeth: handle deferred cc1 + +From: Alexandra Winter + +[ Upstream commit afb373ff3f54c9d909efc7f810dc80a9742807b2 ] + +The IO subsystem expects a driver to retry a ccw_device_start, when the +subsequent interrupt response block (irb) contains a deferred +condition code 1. + +Symptoms before this commit: +On the read channel we always trigger the next read anyhow, so no +different behaviour here. +On the write channel we may experience timeout errors, because the +expected reply will never be received without the retry. +Other callers of qeth_send_control_data() may wrongly assume that the ccw +was successful, which may cause problems later. + +Note that since +commit 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers") +and +commit 5ef1dc40ffa6 ("s390/cio: fix invalid -EBUSY on ccw_device_start") +deferred CC1s are much more likely to occur. See the commit message of the +latter for more background information. + +Fixes: 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers") +Signed-off-by: Alexandra Winter +Co-developed-by: Thorsten Winkler +Signed-off-by: Thorsten Winkler +Reviewed-by: Peter Oberparleiter +Link: https://lore.kernel.org/r/20240321115337.3564694-1-wintera@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_core_main.c | 38 +++++++++++++++++++++++++++++-- + 1 file changed, 36 insertions(+), 2 deletions(-) + +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index ae4b6d24bc902..1e6340e2c2588 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -1179,6 +1179,20 @@ static int qeth_check_irb_error(struct qeth_card *card, struct ccw_device *cdev, + } + } + ++/** ++ * qeth_irq() - qeth interrupt handler ++ * @cdev: ccw device ++ * @intparm: expect pointer to iob ++ * @irb: Interruption Response Block ++ * ++ * In the good path: ++ * corresponding qeth channel is locked with last used iob as active_cmd. ++ * But this function is also called for error interrupts. ++ * ++ * Caller ensures that: ++ * Interrupts are disabled; ccw device lock is held; ++ * ++ */ + static void qeth_irq(struct ccw_device *cdev, unsigned long intparm, + struct irb *irb) + { +@@ -1220,11 +1234,10 @@ static void qeth_irq(struct ccw_device *cdev, unsigned long intparm, + iob = (struct qeth_cmd_buffer *) (addr_t)intparm; + } + +- qeth_unlock_channel(card, channel); +- + rc = qeth_check_irb_error(card, cdev, irb); + if (rc) { + /* IO was terminated, free its resources. */ ++ qeth_unlock_channel(card, channel); + if (iob) + qeth_cancel_cmd(iob, rc); + return; +@@ -1268,6 +1281,7 @@ static void qeth_irq(struct ccw_device *cdev, unsigned long intparm, + rc = qeth_get_problem(card, cdev, irb); + if (rc) { + card->read_or_write_problem = 1; ++ qeth_unlock_channel(card, channel); + if (iob) + qeth_cancel_cmd(iob, rc); + qeth_clear_ipacmd_list(card); +@@ -1276,6 +1290,26 @@ static void qeth_irq(struct ccw_device *cdev, unsigned long intparm, + } + } + ++ if (scsw_cmd_is_valid_cc(&irb->scsw) && irb->scsw.cmd.cc == 1 && iob) { ++ /* channel command hasn't started: retry. ++ * active_cmd is still set to last iob ++ */ ++ QETH_CARD_TEXT(card, 2, "irqcc1"); ++ rc = ccw_device_start_timeout(cdev, __ccw_from_cmd(iob), ++ (addr_t)iob, 0, 0, iob->timeout); ++ if (rc) { ++ QETH_DBF_MESSAGE(2, ++ "ccw retry on %x failed, rc = %i\n", ++ CARD_DEVID(card), rc); ++ QETH_CARD_TEXT_(card, 2, " err%d", rc); ++ qeth_unlock_channel(card, channel); ++ qeth_cancel_cmd(iob, rc); ++ } ++ return; ++ } ++ ++ qeth_unlock_channel(card, channel); ++ + if (iob) { + /* sanity check: */ + if (irb->scsw.cmd.count > iob->length) { +-- +2.43.0 + diff --git a/queue-6.1/scripts-bpf_doc-use-silent-mode-when-exec-make-cmd.patch b/queue-6.1/scripts-bpf_doc-use-silent-mode-when-exec-make-cmd.patch new file mode 100644 index 00000000000..b80f4b8fc67 --- /dev/null +++ b/queue-6.1/scripts-bpf_doc-use-silent-mode-when-exec-make-cmd.patch @@ -0,0 +1,60 @@ +From 1be8b32a349c56d2ddd7f042eca6a79d5e1c0ccf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 10:34:43 +0800 +Subject: scripts/bpf_doc: Use silent mode when exec make cmd + +From: Hangbin Liu + +[ Upstream commit 5384cc0d1a88c27448a6a4e65b8abe6486de8012 ] + +When getting kernel version via make, the result may be polluted by other +output, like directory change info. e.g. + + $ export MAKEFLAGS="-w" + $ make kernelversion + make: Entering directory '/home/net' + 6.8.0 + make: Leaving directory '/home/net' + +This will distort the reStructuredText output and make latter rst2man +failed like: + + [...] + bpf-helpers.rst:20: (WARNING/2) Field list ends without a blank line; unexpected unindent. + [...] + +Using silent mode would help. e.g. + + $ make -s --no-print-directory kernelversion + 6.8.0 + +Fixes: fd0a38f9c37d ("scripts/bpf: Set version attribute for bpf-helpers(7) man page") +Signed-off-by: Michael Hofmann +Signed-off-by: Hangbin Liu +Signed-off-by: Daniel Borkmann +Reviewed-by: Quentin Monnet +Acked-by: Alejandro Colomar +Link: https://lore.kernel.org/bpf/20240315023443.2364442-1-liuhangbin@gmail.com +Signed-off-by: Sasha Levin +--- + scripts/bpf_doc.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/bpf_doc.py b/scripts/bpf_doc.py +index 4de98b7bbea95..c2da6ed32104f 100755 +--- a/scripts/bpf_doc.py ++++ b/scripts/bpf_doc.py +@@ -396,8 +396,8 @@ class PrinterRST(Printer): + version = version.stdout.decode().rstrip() + except: + try: +- version = subprocess.run(['make', 'kernelversion'], cwd=linuxRoot, +- capture_output=True, check=True) ++ version = subprocess.run(['make', '-s', '--no-print-directory', 'kernelversion'], ++ cwd=linuxRoot, capture_output=True, check=True) + version = version.stdout.decode().rstrip() + except: + return 'Linux' +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 00000000000..05f1a0e8f46 --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,25 @@ +scripts-bpf_doc-use-silent-mode-when-exec-make-cmd.patch +dma-buf-fix-null-pointer-dereference-in-sanitycheck.patch +nfc-nci-fix-uninit-value-in-nci_dev_up-and-nci_ntf_p.patch +mlxbf_gige-stop-phy-during-open-error-paths.patch +wifi-iwlwifi-mvm-rfi-fix-potential-response-leaks.patch +ixgbe-avoid-sleeping-allocation-in-ixgbe_ipsec_vf_ad.patch +s390-qeth-handle-deferred-cc1.patch +tcp-properly-terminate-timers-for-kernel-sockets.patch +net-wwan-t7xx-split-64bit-accesses-to-fix-alignment-.patch +acpica-debugger-check-status-of-acpi_evaluate_object.patch +net-hns3-fix-index-limit-to-support-all-queue-stats.patch +net-hns3-fix-kernel-crash-when-devlink-reload-during.patch +net-hns3-mark-unexcuted-loopback-test-result-as-unex.patch +tls-recv-process_rx_list-shouldn-t-use-an-offset-wit.patch +tls-adjust-recv-return-with-async-crypto-and-failed-.patch +tls-get-psock-ref-after-taking-rxlock-to-avoid-leak.patch +mlxbf_gige-call-request_irq-after-napi-initialized.patch +bpf-protect-against-int-overflow-for-stack-access-si.patch +cifs-fix-duplicate-fscache-cookie-warnings.patch +net-lan743x-add-set-rfe-read-fifo-threshold-for-pci1.patch +octeontx2-af-fix-pause-frame-configuration-in-gmp-mo.patch +inet-inet_defrag-prevent-sk-release-while-still-in-u.patch +dm-integrity-fix-out-of-range-warning.patch +x86-cpufeatures-add-new-word-for-scattered-features.patch +perf-x86-amd-lbr-use-freeze-based-on-availability.patch diff --git a/queue-6.1/tcp-properly-terminate-timers-for-kernel-sockets.patch b/queue-6.1/tcp-properly-terminate-timers-for-kernel-sockets.patch new file mode 100644 index 00000000000..dc60be46735 --- /dev/null +++ b/queue-6.1/tcp-properly-terminate-timers-for-kernel-sockets.patch @@ -0,0 +1,138 @@ +From ae3b075c262f0db1f8e6cc954990be83f7f6a2d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 13:57:32 +0000 +Subject: tcp: properly terminate timers for kernel sockets + +From: Eric Dumazet + +[ Upstream commit 151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada ] + +We had various syzbot reports about tcp timers firing after +the corresponding netns has been dismantled. + +Fortunately Josef Bacik could trigger the issue more often, +and could test a patch I wrote two years ago. + +When TCP sockets are closed, we call inet_csk_clear_xmit_timers() +to 'stop' the timers. + +inet_csk_clear_xmit_timers() can be called from any context, +including when socket lock is held. +This is the reason it uses sk_stop_timer(), aka del_timer(). +This means that ongoing timers might finish much later. + +For user sockets, this is fine because each running timer +holds a reference on the socket, and the user socket holds +a reference on the netns. + +For kernel sockets, we risk that the netns is freed before +timer can complete, because kernel sockets do not hold +reference on the netns. + +This patch adds inet_csk_clear_xmit_timers_sync() function +that using sk_stop_timer_sync() to make sure all timers +are terminated before the kernel socket is released. +Modules using kernel sockets close them in their netns exit() +handler. + +Also add sock_not_owned_by_me() helper to get LOCKDEP +support : inet_csk_clear_xmit_timers_sync() must not be called +while socket lock is held. + +It is very possible we can revert in the future commit +3a58f13a881e ("net: rds: acquire refcount on TCP sockets") +which attempted to solve the issue in rds only. +(net/smc/af_smc.c and net/mptcp/subflow.c have similar code) + +We probably can remove the check_net() tests from +tcp_out_of_resources() and __tcp_close() in the future. + +Reported-by: Josef Bacik +Closes: https://lore.kernel.org/netdev/20240314210740.GA2823176@perftesting/ +Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.") +Fixes: 8a68173691f0 ("net: sk_clone_lock() should only do get_net() if the parent is not a kernel socket") +Link: https://lore.kernel.org/bpf/CANn89i+484ffqb93aQm1N-tjxxvb3WDKX0EbD7318RwRgsatjw@mail.gmail.com/ +Signed-off-by: Eric Dumazet +Tested-by: Josef Bacik +Cc: Tetsuo Handa +Link: https://lore.kernel.org/r/20240322135732.1535772-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 1 + + include/net/sock.h | 7 +++++++ + net/ipv4/inet_connection_sock.c | 14 ++++++++++++++ + net/ipv4/tcp.c | 2 ++ + 4 files changed, 24 insertions(+) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 080968d6e6c53..8132f330306db 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -172,6 +172,7 @@ void inet_csk_init_xmit_timers(struct sock *sk, + void (*delack_handler)(struct timer_list *), + void (*keepalive_handler)(struct timer_list *)); + void inet_csk_clear_xmit_timers(struct sock *sk); ++void inet_csk_clear_xmit_timers_sync(struct sock *sk); + + static inline void inet_csk_schedule_ack(struct sock *sk) + { +diff --git a/include/net/sock.h b/include/net/sock.h +index 579732d47dfc4..60577751ea9e8 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1833,6 +1833,13 @@ static inline void sock_owned_by_me(const struct sock *sk) + #endif + } + ++static inline void sock_not_owned_by_me(const struct sock *sk) ++{ ++#ifdef CONFIG_LOCKDEP ++ WARN_ON_ONCE(lockdep_sock_is_held(sk) && debug_locks); ++#endif ++} ++ + static inline bool sock_owned_by_user(const struct sock *sk) + { + sock_owned_by_me(sk); +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 79fa19a36bbd1..f7832d4253820 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -771,6 +771,20 @@ void inet_csk_clear_xmit_timers(struct sock *sk) + } + EXPORT_SYMBOL(inet_csk_clear_xmit_timers); + ++void inet_csk_clear_xmit_timers_sync(struct sock *sk) ++{ ++ struct inet_connection_sock *icsk = inet_csk(sk); ++ ++ /* ongoing timer handlers need to acquire socket lock. */ ++ sock_not_owned_by_me(sk); ++ ++ icsk->icsk_pending = icsk->icsk_ack.pending = 0; ++ ++ sk_stop_timer_sync(sk, &icsk->icsk_retransmit_timer); ++ sk_stop_timer_sync(sk, &icsk->icsk_delack_timer); ++ sk_stop_timer_sync(sk, &sk->sk_timer); ++} ++ + void inet_csk_delete_keepalive_timer(struct sock *sk) + { + sk_stop_timer(sk, &sk->sk_timer); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 5a165e29f7be4..f01c0a5d2c37b 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3052,6 +3052,8 @@ void tcp_close(struct sock *sk, long timeout) + lock_sock(sk); + __tcp_close(sk, timeout); + release_sock(sk); ++ if (!sk->sk_net_refcnt) ++ inet_csk_clear_xmit_timers_sync(sk); + sock_put(sk); + } + EXPORT_SYMBOL(tcp_close); +-- +2.43.0 + diff --git a/queue-6.1/tls-adjust-recv-return-with-async-crypto-and-failed-.patch b/queue-6.1/tls-adjust-recv-return-with-async-crypto-and-failed-.patch new file mode 100644 index 00000000000..607921d9187 --- /dev/null +++ b/queue-6.1/tls-adjust-recv-return-with-async-crypto-and-failed-.patch @@ -0,0 +1,50 @@ +From 1c17092e2498b6810feda46be03e34704b174920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 16:56:46 +0100 +Subject: tls: adjust recv return with async crypto and failed copy to + userspace + +From: Sabrina Dubroca + +[ Upstream commit 85eef9a41d019b59be7bc91793f26251909c0710 ] + +process_rx_list may not copy as many bytes as we want to the userspace +buffer, for example in case we hit an EFAULT during the copy. If this +happens, we should only count the bytes that were actually copied, +which may be 0. + +Subtracting async_copy_bytes is correct in both peek and !peek cases, +because decrypted == async_copy_bytes + peeked for the peek case: peek +is always !ZC, and we can go through either the sync or async path. In +the async case, we add chunk to both decrypted and +async_copy_bytes. In the sync case, we add chunk to both decrypted and +peeked. I missed that in commit 6caaf104423d ("tls: fix peeking with +sync+async decryption"). + +Fixes: 4d42cd6bc2ac ("tls: rx: fix return value for async crypto") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/1b5a1eaab3c088a9dd5d9f1059ceecd7afe888d1.1711120964.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index e40f6ed65e6a2..7166c0606527f 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2244,6 +2244,9 @@ int tls_sw_recvmsg(struct sock *sk, + else + err = process_rx_list(ctx, msg, &control, 0, + async_copy_bytes, is_peek, NULL); ++ ++ /* we could have copied less than we wanted, and possibly nothing */ ++ decrypted += max(err, 0) - async_copy_bytes; + } + + copied += decrypted; +-- +2.43.0 + diff --git a/queue-6.1/tls-get-psock-ref-after-taking-rxlock-to-avoid-leak.patch b/queue-6.1/tls-get-psock-ref-after-taking-rxlock-to-avoid-leak.patch new file mode 100644 index 00000000000..1614506c035 --- /dev/null +++ b/queue-6.1/tls-get-psock-ref-after-taking-rxlock-to-avoid-leak.patch @@ -0,0 +1,45 @@ +From 6d17d60a6b7dad13646a0391cfc83e866d68d072 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 16:56:48 +0100 +Subject: tls: get psock ref after taking rxlock to avoid leak + +From: Sabrina Dubroca + +[ Upstream commit 417e91e856099e9b8a42a2520e2255e6afe024be ] + +At the start of tls_sw_recvmsg, we take a reference on the psock, and +then call tls_rx_reader_lock. If that fails, we return directly +without releasing the reference. + +Instead of adding a new label, just take the reference after locking +has succeeded, since we don't need it before. + +Fixes: 4cbc325ed6b4 ("tls: rx: allow only one reader at a time") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/fe2ade22d030051ce4c3638704ed58b67d0df643.1711120964.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 7166c0606527f..348abadbc2d82 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2062,10 +2062,10 @@ int tls_sw_recvmsg(struct sock *sk, + if (unlikely(flags & MSG_ERRQUEUE)) + return sock_recv_errqueue(sk, msg, len, SOL_IP, IP_RECVERR); + +- psock = sk_psock_get(sk); + err = tls_rx_reader_lock(sk, ctx, flags & MSG_DONTWAIT); + if (err < 0) + return err; ++ psock = sk_psock_get(sk); + bpf_strp_enabled = sk_psock_strp_enabled(psock); + + /* If crypto failed the connection is broken */ +-- +2.43.0 + diff --git a/queue-6.1/tls-recv-process_rx_list-shouldn-t-use-an-offset-wit.patch b/queue-6.1/tls-recv-process_rx_list-shouldn-t-use-an-offset-wit.patch new file mode 100644 index 00000000000..47b17599c54 --- /dev/null +++ b/queue-6.1/tls-recv-process_rx_list-shouldn-t-use-an-offset-wit.patch @@ -0,0 +1,41 @@ +From 24d361b6691c1b6492e589613dfac6292975d0c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 16:56:45 +0100 +Subject: tls: recv: process_rx_list shouldn't use an offset with kvec + +From: Sabrina Dubroca + +[ Upstream commit 7608a971fdeb4c3eefa522d1bfe8d4bc6b2481cc ] + +Only MSG_PEEK needs to copy from an offset during the final +process_rx_list call, because the bytes we copied at the beginning of +tls_sw_recvmsg were left on the rx_list. In the KVEC case, we removed +data from the rx_list as we were copying it, so there's no need to use +an offset, just like in the normal case. + +Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/e5487514f828e0347d2b92ca40002c62b58af73d.1711120964.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index bdb5153f3788a..e40f6ed65e6a2 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2238,7 +2238,7 @@ int tls_sw_recvmsg(struct sock *sk, + } + + /* Drain records from the rx_list & copy if required */ +- if (is_peek || is_kvec) ++ if (is_peek) + err = process_rx_list(ctx, msg, &control, copied + peeked, + decrypted - peeked, is_peek, NULL); + else +-- +2.43.0 + diff --git a/queue-6.1/wifi-iwlwifi-mvm-rfi-fix-potential-response-leaks.patch b/queue-6.1/wifi-iwlwifi-mvm-rfi-fix-potential-response-leaks.patch new file mode 100644 index 00000000000..4c948bfd2b0 --- /dev/null +++ b/queue-6.1/wifi-iwlwifi-mvm-rfi-fix-potential-response-leaks.patch @@ -0,0 +1,51 @@ +From 23eba8d9f669af5a5c4d648e6062949d919d41b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 10:10:17 +0200 +Subject: wifi: iwlwifi: mvm: rfi: fix potential response leaks + +From: Johannes Berg + +[ Upstream commit 06a093807eb7b5c5b29b6cff49f8174a4e702341 ] + +If the rx payload length check fails, or if kmemdup() fails, +we still need to free the command response. Fix that. + +Fixes: 21254908cbe9 ("iwlwifi: mvm: add RFI-M support") +Co-authored-by: Anjaneyulu +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240319100755.db2fa0196aa7.I116293b132502ac68a65527330fa37799694b79c@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rfi.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rfi.c b/drivers/net/wireless/intel/iwlwifi/mvm/rfi.c +index bb77bc9aa8218..fb2408c0551d2 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rfi.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rfi.c +@@ -122,14 +122,18 @@ struct iwl_rfi_freq_table_resp_cmd *iwl_rfi_get_freq_table(struct iwl_mvm *mvm) + if (ret) + return ERR_PTR(ret); + +- if (WARN_ON_ONCE(iwl_rx_packet_payload_len(cmd.resp_pkt) != resp_size)) ++ if (WARN_ON_ONCE(iwl_rx_packet_payload_len(cmd.resp_pkt) != ++ resp_size)) { ++ iwl_free_resp(&cmd); + return ERR_PTR(-EIO); ++ } + + resp = kmemdup(cmd.resp_pkt->data, resp_size, GFP_KERNEL); ++ iwl_free_resp(&cmd); ++ + if (!resp) + return ERR_PTR(-ENOMEM); + +- iwl_free_resp(&cmd); + return resp; + } + +-- +2.43.0 + diff --git a/queue-6.1/x86-cpufeatures-add-new-word-for-scattered-features.patch b/queue-6.1/x86-cpufeatures-add-new-word-for-scattered-features.patch new file mode 100644 index 00000000000..594936dbeb8 --- /dev/null +++ b/queue-6.1/x86-cpufeatures-add-new-word-for-scattered-features.patch @@ -0,0 +1,92 @@ +From 4c15aa29593db1b0b7258766a58e520319a55aee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 13:01:44 +0530 +Subject: x86/cpufeatures: Add new word for scattered features + +From: Sandipan Das + +[ Upstream commit 7f274e609f3d5f45c22b1dd59053f6764458b492 ] + +Add a new word for scattered features because all free bits among the +existing Linux-defined auxiliary flags have been exhausted. + +Signed-off-by: Sandipan Das +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/8380d2a0da469a1f0ad75b8954a79fb689599ff6.1711091584.git.sandipan.das@amd.com +Stable-dep-of: 598c2fafc06f ("perf/x86/amd/lbr: Use freeze based on availability") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/cpufeature.h | 6 ++++-- + arch/x86/include/asm/cpufeatures.h | 2 +- + arch/x86/include/asm/disabled-features.h | 3 ++- + arch/x86/include/asm/required-features.h | 3 ++- + 4 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h +index f835b328ba24f..578c3020be7b4 100644 +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -96,8 +96,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; + CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 18, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 19, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 20, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 21, feature_bit) || \ + REQUIRED_MASK_CHECK || \ +- BUILD_BUG_ON_ZERO(NCAPINTS != 21)) ++ BUILD_BUG_ON_ZERO(NCAPINTS != 22)) + + #define DISABLED_MASK_BIT_SET(feature_bit) \ + ( CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 0, feature_bit) || \ +@@ -121,8 +122,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; + CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 18, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 19, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 20, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 21, feature_bit) || \ + DISABLED_MASK_CHECK || \ +- BUILD_BUG_ON_ZERO(NCAPINTS != 21)) ++ BUILD_BUG_ON_ZERO(NCAPINTS != 22)) + + #define cpu_has(c, bit) \ + (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : \ +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index 9a157942ae3dd..09cca23f020eb 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -13,7 +13,7 @@ + /* + * Defines x86 CPU feature bits + */ +-#define NCAPINTS 21 /* N 32-bit words worth of info */ ++#define NCAPINTS 22 /* N 32-bit words worth of info */ + #define NBUGINTS 2 /* N 32-bit bug flags */ + + /* +diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h +index 000037078db43..380e963149cc7 100644 +--- a/arch/x86/include/asm/disabled-features.h ++++ b/arch/x86/include/asm/disabled-features.h +@@ -112,6 +112,7 @@ + #define DISABLED_MASK18 0 + #define DISABLED_MASK19 0 + #define DISABLED_MASK20 0 +-#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 21) ++#define DISABLED_MASK21 0 ++#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 22) + + #endif /* _ASM_X86_DISABLED_FEATURES_H */ +diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h +index 7ba1726b71c7b..e9187ddd3d1fd 100644 +--- a/arch/x86/include/asm/required-features.h ++++ b/arch/x86/include/asm/required-features.h +@@ -99,6 +99,7 @@ + #define REQUIRED_MASK18 0 + #define REQUIRED_MASK19 0 + #define REQUIRED_MASK20 0 +-#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 21) ++#define REQUIRED_MASK21 0 ++#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 22) + + #endif /* _ASM_X86_REQUIRED_FEATURES_H */ +-- +2.43.0 +