From 26d0d02944dcbccdf82cd3d63e3a946cbf2845c9 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 22 Oct 2024 13:39:28 -0400 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...cs8409-fix-possible-null-dereference.patch | 45 ++ ...37-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch | 42 ++ ...s-fix-uprobes-for-big-endian-kernels.patch | 176 ++++++ ...x-the-uprobe-swbp_insn-in-big-endian.patch | 96 +++ ...ix-wild-memory-access-in-proto_unreg.patch | 50 ++ ...pf-devmap-provide-rxq-after-redirect.patch | 156 +++++ ...ternal-and-uapi-bpf_redirect-flags-d.patch | 103 +++ ...-memory-for-disp-snapshot-with-kvzal.patch | 57 ++ ...ll-dereference-in-msm_disp_state_pri.patch | 79 +++ ...32-bit-signed-integer-extension-in-p.patch | 47 ++ .../genetlink-hold-rcu-in-genlmsg_mcast.patch | 242 +++++++ ...give-an-ipv4-dev-to-blackhole_netdev.patch | 112 ++++ ...-check-if-guest-address-is-in-memslo.patch | 125 ++++ ...access-cleanup-access-to-guest-pages.patch | 75 +++ ...-refactor-access-address-range-check.patch | 233 +++++++ ...-refactor-gpa-and-length-calculation.patch | 93 +++ ...crement-counters-for-an-unrelated-sa.patch | 83 +++ ...oflex-fix-potential-memory-leak-in-g.patch | 47 ++ ...ching-in-list-of-known-pnetids-in-sm.patch | 41 ++ ...ix-potential-memory-leak-in-bcm_sysp.patch | 36 ++ ...usb-usbnet-fix-race-in-probe-failure.patch | 37 ++ ...et-fix-potential-memory-leak-in-axie.patch | 46 ++ ...-potential-integer-overflows-on-inte.patch | 49 ++ ...re-add-a-check-for-memory-allocation.patch | 40 ++ ...-a-bug-while-setting-up-level-2-pbl-.patch | 59 ++ ...-incorrect-avid-type-in-wqe-structur.patch | 47 ++ ...bnxt_re-return-more-meaningful-error.patch | 41 ++ ...dma_cm_event_unreachable-error-for-i.patch | 65 ++ ...rdma-irdma-fix-misspelling-of-accept.patch | 37 ++ ...psw-mask-in-perf_arch_fetch_caller_r.patch | 38 ++ ...-fix-null-ptr-deref-in-target_alloc_.patch | 54 ++ queue-5.15/series | 38 ++ ...obs-when-building-smb2_ioctl-request.patch | 107 ++++ ...se-timer_pending-in-reqsk_queue_unli.patch | 180 ++++++ ...x-system-suspend-on-ti-am62-platform.patch | 111 ++++ ...b-gadget-add-function-wakeup-support.patch | 126 ++++ ...mode-should-keep-reference-to-parent.patch | 130 ++++ ...d-overflow-in-mb-settings-in-bw_vali.patch | 102 +++ ...rt-and-caps-macros-into-dedicated-fi.patch | 589 ++++++++++++++++++ 39 files changed, 3834 insertions(+) create mode 100644 queue-5.15/alsa-hda-cs8409-fix-possible-null-dereference.patch create mode 100644 queue-5.15/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch create mode 100644 queue-5.15/arm64-probes-fix-uprobes-for-big-endian-kernels.patch create mode 100644 queue-5.15/arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch create mode 100644 queue-5.15/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch create mode 100644 queue-5.15/bpf-devmap-provide-rxq-after-redirect.patch create mode 100644 queue-5.15/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch create mode 100644 queue-5.15/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch create mode 100644 queue-5.15/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch create mode 100644 queue-5.15/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch create mode 100644 queue-5.15/genetlink-hold-rcu-in-genlmsg_mcast.patch create mode 100644 queue-5.15/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch create mode 100644 queue-5.15/kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch create mode 100644 queue-5.15/kvm-s390-gaccess-cleanup-access-to-guest-pages.patch create mode 100644 queue-5.15/kvm-s390-gaccess-refactor-access-address-range-check.patch create mode 100644 queue-5.15/kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch create mode 100644 queue-5.15/macsec-don-t-increment-counters-for-an-unrelated-sa.patch create mode 100644 queue-5.15/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch create mode 100644 queue-5.15/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch create mode 100644 queue-5.15/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch create mode 100644 queue-5.15/net-usb-usbnet-fix-race-in-probe-failure.patch create mode 100644 queue-5.15/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch create mode 100644 queue-5.15/octeontx2-af-fix-potential-integer-overflows-on-inte.patch create mode 100644 queue-5.15/rdma-bnxt_re-add-a-check-for-memory-allocation.patch create mode 100644 queue-5.15/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch create mode 100644 queue-5.15/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch create mode 100644 queue-5.15/rdma-bnxt_re-return-more-meaningful-error.patch create mode 100644 queue-5.15/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch create mode 100644 queue-5.15/rdma-irdma-fix-misspelling-of-accept.patch create mode 100644 queue-5.15/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch create mode 100644 queue-5.15/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch create mode 100644 queue-5.15/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch create mode 100644 queue-5.15/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch create mode 100644 queue-5.15/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch create mode 100644 queue-5.15/usb-gadget-add-function-wakeup-support.patch create mode 100644 queue-5.15/usb-typec-altmode-should-keep-reference-to-parent.patch create mode 100644 queue-5.15/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch create mode 100644 queue-5.15/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch diff --git a/queue-5.15/alsa-hda-cs8409-fix-possible-null-dereference.patch b/queue-5.15/alsa-hda-cs8409-fix-possible-null-dereference.patch new file mode 100644 index 00000000000..e9d240fc7dc --- /dev/null +++ b/queue-5.15/alsa-hda-cs8409-fix-possible-null-dereference.patch @@ -0,0 +1,45 @@ +From 1c738cd095058e6140fd2096eb5be54e62e417a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 01:16:45 +0300 +Subject: ALSA: hda/cs8409: Fix possible NULL dereference + +From: Murad Masimov + +[ Upstream commit c9bd4a82b4ed32c6d1c90500a52063e6e341517f ] + +If snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then +NULL pointer dereference will occur in the next line. + +Since dolphin_fixups function is a hda_fixup function which is not supposed +to return any errors, add simple check before dereference, ignore the fail. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 20e507724113 ("ALSA: hda/cs8409: Add support for dolphin") +Signed-off-by: Murad Masimov +Link: https://patch.msgid.link/20241010221649.1305-1-m.masimov@maxima.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_cs8409.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_cs8409.c b/sound/pci/hda/patch_cs8409.c +index abf4eef9afa08..7285220c36f01 100644 +--- a/sound/pci/hda/patch_cs8409.c ++++ b/sound/pci/hda/patch_cs8409.c +@@ -1237,8 +1237,9 @@ void dolphin_fixups(struct hda_codec *codec, const struct hda_fixup *fix, int ac + kctrl = snd_hda_gen_add_kctl(&spec->gen, "Line Out Playback Volume", + &cs42l42_dac_volume_mixer); + /* Update Line Out kcontrol template */ +- kctrl->private_value = HDA_COMPOSE_AMP_VAL_OFS(DOLPHIN_HP_PIN_NID, 3, CS8409_CODEC1, +- HDA_OUTPUT, CS42L42_VOL_DAC) | HDA_AMP_VAL_MIN_MUTE; ++ if (kctrl) ++ kctrl->private_value = HDA_COMPOSE_AMP_VAL_OFS(DOLPHIN_HP_PIN_NID, 3, CS8409_CODEC1, ++ HDA_OUTPUT, CS42L42_VOL_DAC) | HDA_AMP_VAL_MIN_MUTE; + cs8409_enable_ur(codec, 0); + snd_hda_codec_set_name(codec, "CS8409/CS42L42"); + break; +-- +2.43.0 + diff --git a/queue-5.15/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch b/queue-5.15/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch new file mode 100644 index 00000000000..f3ffd123bdf --- /dev/null +++ b/queue-5.15/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch @@ -0,0 +1,42 @@ +From f83d026e40eebb8c78bd9c41ddf7e1f1d891ebfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jul 2024 02:03:11 +0300 +Subject: ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin + +From: Florian Klink + +[ Upstream commit dc7785e4723510616d776862ddb4c08857a1bdb2 ] + +HDMI_HPD_N_1V8 is connected to GPIO pin 0, not 1. + +This fixes HDMI hotplug/output detection. + +See https://datasheets.raspberrypi.com/cm/cm3-schematics.pdf + +Signed-off-by: Florian Klink +Reviewed-by: Stefan Wahren +Link: https://lore.kernel.org/r/20240715230311.685641-1-flokli@flokli.de +Reviewed-by: Stefan Wahren +Fixes: a54fe8a6cf66 ("ARM: dts: add Raspberry Pi Compute Module 3 and IO board") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts b/arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts +index 3dfce4312dfc4..a2ef43c2105aa 100644 +--- a/arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts ++++ b/arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts +@@ -77,7 +77,7 @@ + }; + + &hdmi { +- hpd-gpios = <&expgpio 1 GPIO_ACTIVE_LOW>; ++ hpd-gpios = <&expgpio 0 GPIO_ACTIVE_LOW>; + power-domains = <&power RPI_POWER_DOMAIN_HDMI>; + status = "okay"; + }; +-- +2.43.0 + diff --git a/queue-5.15/arm64-probes-fix-uprobes-for-big-endian-kernels.patch b/queue-5.15/arm64-probes-fix-uprobes-for-big-endian-kernels.patch new file mode 100644 index 00000000000..2b67962c787 --- /dev/null +++ b/queue-5.15/arm64-probes-fix-uprobes-for-big-endian-kernels.patch @@ -0,0 +1,176 @@ +From fb48f1ca482f9243cfb09dced55626fbc9ed11f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 16:58:48 +0100 +Subject: arm64: probes: Fix uprobes for big-endian kernels + +From: Mark Rutland + +[ Upstream commit 13f8f1e05f1dc36dbba6cba0ae03354c0dafcde7 ] + +The arm64 uprobes code is broken for big-endian kernels as it doesn't +convert the in-memory instruction encoding (which is always +little-endian) into the kernel's native endianness before analyzing and +simulating instructions. This may result in a few distinct problems: + +* The kernel may may erroneously reject probing an instruction which can + safely be probed. + +* The kernel may erroneously erroneously permit stepping an + instruction out-of-line when that instruction cannot be stepped + out-of-line safely. + +* The kernel may erroneously simulate instruction incorrectly dur to + interpretting the byte-swapped encoding. + +The endianness mismatch isn't caught by the compiler or sparse because: + +* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so + the compiler and sparse have no idea these contain a little-endian + 32-bit value. The core uprobes code populates these with a memcpy() + which similarly does not handle endianness. + +* While the uprobe_opcode_t type is an alias for __le32, both + arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[] + to the similarly-named probe_opcode_t, which is an alias for u32. + Hence there is no endianness conversion warning. + +Fix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and +adding the appropriate __le32_to_cpu() conversions prior to consuming +the instruction encoding. The core uprobes copies these fields as opaque +ranges of bytes, and so is unaffected by this change. + +At the same time, remove MAX_UINSN_BYTES and consistently use +AARCH64_INSN_SIZE for clarity. + +Tested with the following: + +| #include +| #include +| +| #define noinline __attribute__((noinline)) +| +| static noinline void *adrp_self(void) +| { +| void *addr; +| +| asm volatile( +| " adrp %x0, adrp_self\n" +| " add %x0, %x0, :lo12:adrp_self\n" +| : "=r" (addr)); +| } +| +| +| int main(int argc, char *argv) +| { +| void *ptr = adrp_self(); +| bool equal = (ptr == adrp_self); +| +| printf("adrp_self => %p\n" +| "adrp_self() => %p\n" +| "%s\n", +| adrp_self, ptr, equal ? "EQUAL" : "NOT EQUAL"); +| +| return 0; +| } + +.... where the adrp_self() function was compiled to: + +| 00000000004007e0 : +| 4007e0: 90000000 adrp x0, 400000 <__ehdr_start> +| 4007e4: 911f8000 add x0, x0, #0x7e0 +| 4007e8: d65f03c0 ret + +Before this patch, the ADRP is not recognized, and is assumed to be +steppable, resulting in corruption of the result: + +| # ./adrp-self +| adrp_self => 0x4007e0 +| adrp_self() => 0x4007e0 +| EQUAL +| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events +| # echo 1 > /sys/kernel/tracing/events/uprobes/enable +| # ./adrp-self +| adrp_self => 0x4007e0 +| adrp_self() => 0xffffffffff7e0 +| NOT EQUAL + +After this patch, the ADRP is correctly recognized and simulated: + +| # ./adrp-self +| adrp_self => 0x4007e0 +| adrp_self() => 0x4007e0 +| EQUAL +| # +| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events +| # echo 1 > /sys/kernel/tracing/events/uprobes/enable +| # ./adrp-self +| adrp_self => 0x4007e0 +| adrp_self() => 0x4007e0 +| EQUAL + +Fixes: 9842ceae9fa8 ("arm64: Add uprobe support") +Cc: stable@vger.kernel.org +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Link: https://lore.kernel.org/r/20241008155851.801546-4-mark.rutland@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/uprobes.h | 8 +++----- + arch/arm64/kernel/probes/uprobes.c | 4 ++-- + 2 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/arch/arm64/include/asm/uprobes.h b/arch/arm64/include/asm/uprobes.h +index ba4bff5ca6749..98f29a43bfe89 100644 +--- a/arch/arm64/include/asm/uprobes.h ++++ b/arch/arm64/include/asm/uprobes.h +@@ -10,11 +10,9 @@ + #include + #include + +-#define MAX_UINSN_BYTES AARCH64_INSN_SIZE +- + #define UPROBE_SWBP_INSN cpu_to_le32(BRK64_OPCODE_UPROBES) + #define UPROBE_SWBP_INSN_SIZE AARCH64_INSN_SIZE +-#define UPROBE_XOL_SLOT_BYTES MAX_UINSN_BYTES ++#define UPROBE_XOL_SLOT_BYTES AARCH64_INSN_SIZE + + typedef u32 uprobe_opcode_t; + +@@ -23,8 +21,8 @@ struct arch_uprobe_task { + + struct arch_uprobe { + union { +- u8 insn[MAX_UINSN_BYTES]; +- u8 ixol[MAX_UINSN_BYTES]; ++ __le32 insn; ++ __le32 ixol; + }; + struct arch_probe_insn api; + bool simulate; +diff --git a/arch/arm64/kernel/probes/uprobes.c b/arch/arm64/kernel/probes/uprobes.c +index d49aef2657cdf..a2f137a595fc1 100644 +--- a/arch/arm64/kernel/probes/uprobes.c ++++ b/arch/arm64/kernel/probes/uprobes.c +@@ -42,7 +42,7 @@ int arch_uprobe_analyze_insn(struct arch_uprobe *auprobe, struct mm_struct *mm, + else if (!IS_ALIGNED(addr, AARCH64_INSN_SIZE)) + return -EINVAL; + +- insn = *(probe_opcode_t *)(&auprobe->insn[0]); ++ insn = le32_to_cpu(auprobe->insn); + + switch (arm_probe_decode_insn(insn, &auprobe->api)) { + case INSN_REJECTED: +@@ -108,7 +108,7 @@ bool arch_uprobe_skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs) + if (!auprobe->simulate) + return false; + +- insn = *(probe_opcode_t *)(&auprobe->insn[0]); ++ insn = le32_to_cpu(auprobe->insn); + addr = instruction_pointer(regs); + + if (auprobe->api.handler) +-- +2.43.0 + diff --git a/queue-5.15/arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch b/queue-5.15/arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch new file mode 100644 index 00000000000..ed1bb76e9ee --- /dev/null +++ b/queue-5.15/arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch @@ -0,0 +1,96 @@ +From ab141de638297f05763cf026de740125ee54cb08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 15:11:10 +0800 +Subject: arm64:uprobe fix the uprobe SWBP_INSN in big-endian +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: junhua huang + +[ Upstream commit 60f07e22a73d318cddaafa5ef41a10476807cc07 ] + +We use uprobe in aarch64_be, which we found the tracee task would exit +due to SIGILL when we enable the uprobe trace. +We can see the replace inst from uprobe is not correct in aarch big-endian. +As in Armv8-A, instruction fetches are always treated as little-endian, +we should treat the UPROBE_SWBP_INSN as little-endian。 + +The test case is as following。 +bash-4.4# ./mqueue_test_aarchbe 1 1 2 1 10 > /dev/null & +bash-4.4# cd /sys/kernel/debug/tracing/ +bash-4.4# echo 'p:test /mqueue_test_aarchbe:0xc30 %x0 %x1' > uprobe_events +bash-4.4# echo 1 > events/uprobes/enable +bash-4.4# +bash-4.4# ps + PID TTY TIME CMD + 140 ? 00:00:01 bash + 237 ? 00:00:00 ps +[1]+ Illegal instruction ./mqueue_test_aarchbe 1 1 2 1 100 > /dev/null + +which we debug use gdb as following: + +bash-4.4# gdb attach 155 +(gdb) disassemble send +Dump of assembler code for function send: + 0x0000000000400c30 <+0>: .inst 0xa00020d4 ; undefined + 0x0000000000400c34 <+4>: mov x29, sp + 0x0000000000400c38 <+8>: str w0, [sp, #28] + 0x0000000000400c3c <+12>: strb w1, [sp, #27] + 0x0000000000400c40 <+16>: str xzr, [sp, #40] + 0x0000000000400c44 <+20>: str xzr, [sp, #48] + 0x0000000000400c48 <+24>: add x0, sp, #0x1b + 0x0000000000400c4c <+28>: mov w3, #0x0 // #0 + 0x0000000000400c50 <+32>: mov x2, #0x1 // #1 + 0x0000000000400c54 <+36>: mov x1, x0 + 0x0000000000400c58 <+40>: ldr w0, [sp, #28] + 0x0000000000400c5c <+44>: bl 0x405e10 + 0x0000000000400c60 <+48>: str w0, [sp, #60] + 0x0000000000400c64 <+52>: ldr w0, [sp, #60] + 0x0000000000400c68 <+56>: ldp x29, x30, [sp], #64 + 0x0000000000400c6c <+60>: ret +End of assembler dump. +(gdb) info b +No breakpoints or watchpoints. +(gdb) c +Continuing. + +Program received signal SIGILL, Illegal instruction. +0x0000000000400c30 in send () +(gdb) x/10x 0x400c30 +0x400c30 : 0xd42000a0 0xfd030091 0xe01f00b9 0xe16f0039 +0x400c40 : 0xff1700f9 0xff1b00f9 0xe06f0091 0x03008052 +0x400c50 : 0x220080d2 0xe10300aa +(gdb) disassemble 0x400c30 +Dump of assembler code for function send: +=> 0x0000000000400c30 <+0>: .inst 0xa00020d4 ; undefined + 0x0000000000400c34 <+4>: mov x29, sp + 0x0000000000400c38 <+8>: str w0, [sp, #28] + 0x0000000000400c3c <+12>: strb w1, [sp, #27] + 0x0000000000400c40 <+16>: str xzr, [sp, #40] + +Signed-off-by: junhua huang +Link: https://lore.kernel.org/r/202212021511106844809@zte.com.cn +Signed-off-by: Will Deacon +Stable-dep-of: 13f8f1e05f1d ("arm64: probes: Fix uprobes for big-endian kernels") +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/uprobes.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/uprobes.h b/arch/arm64/include/asm/uprobes.h +index 315eef654e39a..ba4bff5ca6749 100644 +--- a/arch/arm64/include/asm/uprobes.h ++++ b/arch/arm64/include/asm/uprobes.h +@@ -12,7 +12,7 @@ + + #define MAX_UINSN_BYTES AARCH64_INSN_SIZE + +-#define UPROBE_SWBP_INSN BRK64_OPCODE_UPROBES ++#define UPROBE_SWBP_INSN cpu_to_le32(BRK64_OPCODE_UPROBES) + #define UPROBE_SWBP_INSN_SIZE AARCH64_INSN_SIZE + #define UPROBE_XOL_SLOT_BYTES MAX_UINSN_BYTES + +-- +2.43.0 + diff --git a/queue-5.15/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch b/queue-5.15/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch new file mode 100644 index 00000000000..72e57d60daa --- /dev/null +++ b/queue-5.15/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch @@ -0,0 +1,50 @@ +From 12b1c3f50b4af104f31795cf17945ef26f34e80c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 17:07:08 +0800 +Subject: Bluetooth: bnep: fix wild-memory-access in proto_unregister + +From: Ye Bin + +[ Upstream commit 64a90991ba8d4e32e3173ddd83d0b24167a5668c ] + +There's issue as follows: + KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f] + CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W + RIP: 0010:proto_unregister+0xee/0x400 + Call Trace: + + __do_sys_delete_module+0x318/0x580 + do_syscall_64+0xc1/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init() +will cleanup all resource. Then when remove bnep module will call +bnep_sock_cleanup() to cleanup sock's resource. +To solve above issue just return bnep_sock_init()'s return value in +bnep_exit(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Ye Bin +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/bnep/core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c +index 8bb6c8ad11313..ca46441d0657b 100644 +--- a/net/bluetooth/bnep/core.c ++++ b/net/bluetooth/bnep/core.c +@@ -745,8 +745,7 @@ static int __init bnep_init(void) + if (flt[0]) + BT_INFO("BNEP filters: %s", flt); + +- bnep_sock_init(); +- return 0; ++ return bnep_sock_init(); + } + + static void __exit bnep_exit(void) +-- +2.43.0 + diff --git a/queue-5.15/bpf-devmap-provide-rxq-after-redirect.patch b/queue-5.15/bpf-devmap-provide-rxq-after-redirect.patch new file mode 100644 index 00000000000..7b3bb3d0dc1 --- /dev/null +++ b/queue-5.15/bpf-devmap-provide-rxq-after-redirect.patch @@ -0,0 +1,156 @@ +From 9a5ddeb0a6d44d536becbc85b5b9e77351e51035 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 10:41:18 +0200 +Subject: bpf: devmap: provide rxq after redirect +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Kauer + +[ Upstream commit ca9984c5f0ab3690d98b13937b2485a978c8dd73 ] + +rxq contains a pointer to the device from where +the redirect happened. Currently, the BPF program +that was executed after a redirect via BPF_MAP_TYPE_DEVMAP* +does not have it set. + +This is particularly bad since accessing ingress_ifindex, e.g. + +SEC("xdp") +int prog(struct xdp_md *pkt) +{ + return bpf_redirect_map(&dev_redirect_map, 0, 0); +} + +SEC("xdp/devmap") +int prog_after_redirect(struct xdp_md *pkt) +{ + bpf_printk("ifindex %i", pkt->ingress_ifindex); + return XDP_PASS; +} + +depends on access to rxq, so a NULL pointer gets dereferenced: + +<1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000 +<1>[ 574.475188] #PF: supervisor read access in kernel mode +<1>[ 574.475194] #PF: error_code(0x0000) - not-present page +<6>[ 574.475199] PGD 0 P4D 0 +<4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +<4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23 +<4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023 +<4>[ 574.475231] Workqueue: mld mld_ifc_work +<4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c +<4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b +<4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206 +<4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000 +<4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0 +<4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001 +<4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000 +<4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000 +<4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000 +<4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +<4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0 +<4>[ 574.475303] PKRU: 55555554 +<4>[ 574.475306] Call Trace: +<4>[ 574.475313] +<4>[ 574.475318] ? __die+0x23/0x70 +<4>[ 574.475329] ? page_fault_oops+0x180/0x4c0 +<4>[ 574.475339] ? skb_pp_cow_data+0x34c/0x490 +<4>[ 574.475346] ? kmem_cache_free+0x257/0x280 +<4>[ 574.475357] ? exc_page_fault+0x67/0x150 +<4>[ 574.475368] ? asm_exc_page_fault+0x26/0x30 +<4>[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c +<4>[ 574.475386] bq_xmit_all+0x158/0x420 +<4>[ 574.475397] __dev_flush+0x30/0x90 +<4>[ 574.475407] veth_poll+0x216/0x250 [veth] +<4>[ 574.475421] __napi_poll+0x28/0x1c0 +<4>[ 574.475430] net_rx_action+0x32d/0x3a0 +<4>[ 574.475441] handle_softirqs+0xcb/0x2c0 +<4>[ 574.475451] do_softirq+0x40/0x60 +<4>[ 574.475458] +<4>[ 574.475461] +<4>[ 574.475464] __local_bh_enable_ip+0x66/0x70 +<4>[ 574.475471] __dev_queue_xmit+0x268/0xe40 +<4>[ 574.475480] ? selinux_ip_postroute+0x213/0x420 +<4>[ 574.475491] ? alloc_skb_with_frags+0x4a/0x1d0 +<4>[ 574.475502] ip6_finish_output2+0x2be/0x640 +<4>[ 574.475512] ? nf_hook_slow+0x42/0xf0 +<4>[ 574.475521] ip6_finish_output+0x194/0x300 +<4>[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10 +<4>[ 574.475538] mld_sendpack+0x17c/0x240 +<4>[ 574.475548] mld_ifc_work+0x192/0x410 +<4>[ 574.475557] process_one_work+0x15d/0x380 +<4>[ 574.475566] worker_thread+0x29d/0x3a0 +<4>[ 574.475573] ? __pfx_worker_thread+0x10/0x10 +<4>[ 574.475580] ? __pfx_worker_thread+0x10/0x10 +<4>[ 574.475587] kthread+0xcd/0x100 +<4>[ 574.475597] ? __pfx_kthread+0x10/0x10 +<4>[ 574.475606] ret_from_fork+0x31/0x50 +<4>[ 574.475615] ? __pfx_kthread+0x10/0x10 +<4>[ 574.475623] ret_from_fork_asm+0x1a/0x30 +<4>[ 574.475635] +<4>[ 574.475637] Modules linked in: veth br_netfilter bridge stp llc iwlmvm x86_pkg_temp_thermal iwlwifi efivarfs nvme nvme_core +<4>[ 574.475662] CR2: 0000000000000000 +<4>[ 574.475668] ---[ end trace 0000000000000000 ]--- + +Therefore, provide it to the program by setting rxq properly. + +Fixes: cb261b594b41 ("bpf: Run devmap xdp_prog on flush instead of bulk enqueue") +Reviewed-by: Toke Høiland-Jørgensen +Signed-off-by: Florian Kauer +Acked-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20240911-devel-koalo-fix-ingress-ifindex-v4-1-5c643ae10258@linutronix.de +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/devmap.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c +index bbf3ec03aa591..4118978951bb4 100644 +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -325,9 +325,11 @@ static int dev_map_hash_get_next_key(struct bpf_map *map, void *key, + + static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog, + struct xdp_frame **frames, int n, +- struct net_device *dev) ++ struct net_device *tx_dev, ++ struct net_device *rx_dev) + { +- struct xdp_txq_info txq = { .dev = dev }; ++ struct xdp_txq_info txq = { .dev = tx_dev }; ++ struct xdp_rxq_info rxq = { .dev = rx_dev }; + struct xdp_buff xdp; + int i, nframes = 0; + +@@ -338,6 +340,7 @@ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog, + + xdp_convert_frame_to_buff(xdpf, &xdp); + xdp.txq = &txq; ++ xdp.rxq = &rxq; + + act = bpf_prog_run_xdp(xdp_prog, &xdp); + switch (act) { +@@ -352,7 +355,7 @@ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog, + bpf_warn_invalid_xdp_action(act); + fallthrough; + case XDP_ABORTED: +- trace_xdp_exception(dev, xdp_prog, act); ++ trace_xdp_exception(tx_dev, xdp_prog, act); + fallthrough; + case XDP_DROP: + xdp_return_frame_rx_napi(xdpf); +@@ -380,7 +383,7 @@ static void bq_xmit_all(struct xdp_dev_bulk_queue *bq, u32 flags) + } + + if (bq->xdp_prog) { +- to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q, cnt, dev); ++ to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q, cnt, dev, bq->dev_rx); + if (!to_send) + goto out; + } +-- +2.43.0 + diff --git a/queue-5.15/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch b/queue-5.15/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch new file mode 100644 index 00000000000..54568995e26 --- /dev/null +++ b/queue-5.15/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch @@ -0,0 +1,103 @@ +From 1cd277650c4b2d8c724adf780af943ae83da48fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Sep 2024 14:56:24 +0200 +Subject: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 09d88791c7cd888d5195c84733caf9183dcfbd16 ] + +The bpf_redirect_info is shared between the SKB and XDP redirect paths, +and the two paths use the same numeric flag values in the ri->flags +field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that +if skb bpf_redirect_neigh() is used with a non-NULL params argument and, +subsequently, an XDP redirect is performed using the same +bpf_redirect_info struct, the XDP path will get confused and end up +crashing, which syzbot managed to trigger. + +With the stack-allocated bpf_redirect_info, the structure is no longer +shared between the SKB and XDP paths, so the crash doesn't happen +anymore. However, different code paths using identically-numbered flag +values in the same struct field still seems like a bit of a mess, so +this patch cleans that up by moving the flag definitions together and +redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap +with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make +sure the overlap is not re-introduced by mistake. + +Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support") +Reported-by: syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Closes: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6 +Link: https://lore.kernel.org/bpf/20240920125625.59465-1-toke@redhat.com +Signed-off-by: Sasha Levin +--- + include/uapi/linux/bpf.h | 13 +++++-------- + net/core/filter.c | 8 +++++--- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index 6bfb510656abe..0bdeeabbc5a84 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -5108,11 +5108,6 @@ enum { + BPF_F_MARK_ENFORCE = (1ULL << 6), + }; + +-/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */ +-enum { +- BPF_F_INGRESS = (1ULL << 0), +-}; +- + /* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */ + enum { + BPF_F_TUNINFO_IPV6 = (1ULL << 0), +@@ -5251,10 +5246,12 @@ enum { + BPF_F_BPRM_SECUREEXEC = (1ULL << 0), + }; + +-/* Flags for bpf_redirect_map helper */ ++/* Flags for bpf_redirect and bpf_redirect_map helpers */ + enum { +- BPF_F_BROADCAST = (1ULL << 3), +- BPF_F_EXCLUDE_INGRESS = (1ULL << 4), ++ BPF_F_INGRESS = (1ULL << 0), /* used for skb path */ ++ BPF_F_BROADCAST = (1ULL << 3), /* used for XDP path */ ++ BPF_F_EXCLUDE_INGRESS = (1ULL << 4), /* used for XDP path */ ++#define BPF_F_REDIRECT_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS) + }; + + #define __bpf_md_ptr(type, name) \ +diff --git a/net/core/filter.c b/net/core/filter.c +index a92a35c0f1e72..b5e1e087a2b92 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2405,9 +2405,9 @@ static int __bpf_redirect_neigh(struct sk_buff *skb, struct net_device *dev, + + /* Internal, non-exposed redirect flags. */ + enum { +- BPF_F_NEIGH = (1ULL << 1), +- BPF_F_PEER = (1ULL << 2), +- BPF_F_NEXTHOP = (1ULL << 3), ++ BPF_F_NEIGH = (1ULL << 16), ++ BPF_F_PEER = (1ULL << 17), ++ BPF_F_NEXTHOP = (1ULL << 18), + #define BPF_F_REDIRECT_INTERNAL (BPF_F_NEIGH | BPF_F_PEER | BPF_F_NEXTHOP) + }; + +@@ -2417,6 +2417,8 @@ BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags) + struct sk_buff *clone; + int ret; + ++ BUILD_BUG_ON(BPF_F_REDIRECT_INTERNAL & BPF_F_REDIRECT_FLAGS); ++ + if (unlikely(flags & (~(BPF_F_INGRESS) | BPF_F_REDIRECT_INTERNAL))) + return -EINVAL; + +-- +2.43.0 + diff --git a/queue-5.15/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch b/queue-5.15/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch new file mode 100644 index 00000000000..1388e4dc86f --- /dev/null +++ b/queue-5.15/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch @@ -0,0 +1,57 @@ +From 595231f7646be5b2abd834492d9a83af0a3899a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 09:36:09 -0700 +Subject: drm/msm: Allocate memory for disp snapshot with kvzalloc() + +From: Douglas Anderson + +[ Upstream commit e4a45582db1b792c57bdb52c45958264f7fcfbdc ] + +With the "drm/msm: add a display mmu fault handler" series [1] we saw +issues in the field where memory allocation was failing when +allocating space for registers in msm_disp_state_dump_regs(). +Specifically we were seeing an order 5 allocation fail. It's not +surprising that order 5 allocations will sometimes fail after the +system has been up and running for a while. + +There's no need here for contiguous memory. Change the allocation to +kvzalloc() which should make it much less likely to fail. + +[1] https://lore.kernel.org/r/20240628214848.4075651-1-quic_abhinavk@quicinc.com/ + +Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot") +Signed-off-by: Douglas Anderson +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/619658/ +Link: https://lore.kernel.org/r/20241014093605.2.I72441365ffe91f3dceb17db0a8ec976af8139590@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +index 06f2f5a5e267e..badafcd61998f 100644 +--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c ++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +@@ -24,7 +24,7 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b + end_addr = base_addr + aligned_len; + + if (!(*reg)) +- *reg = kzalloc(len_padded, GFP_KERNEL); ++ *reg = kvzalloc(len_padded, GFP_KERNEL); + + if (*reg) + dump_addr = *reg; +@@ -155,7 +155,7 @@ void msm_disp_state_free(void *data) + + list_for_each_entry_safe(block, tmp, &disp_state->blocks, node) { + list_del(&block->node); +- kfree(block->state); ++ kvfree(block->state); + kfree(block); + } + +-- +2.43.0 + diff --git a/queue-5.15/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch b/queue-5.15/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch new file mode 100644 index 00000000000..176aa9d7161 --- /dev/null +++ b/queue-5.15/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch @@ -0,0 +1,79 @@ +From 4faf93136ee4c636ce67fbf2954c16feb0ffa1fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 09:36:08 -0700 +Subject: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() + +From: Douglas Anderson + +[ Upstream commit 293f53263266bc4340d777268ab4328a97f041fa ] + +If the allocation in msm_disp_state_dump_regs() failed then +`block->state` can be NULL. The msm_disp_state_print_regs() function +_does_ have code to try to handle it with: + + if (*reg) + dump_addr = *reg; + +...but since "dump_addr" is initialized to NULL the above is actually +a noop. The code then goes on to dereference `dump_addr`. + +Make the function print "Registers not stored" when it sees a NULL to +solve this. Since we're touching the code, fix +msm_disp_state_print_regs() not to pointlessly take a double-pointer +and properly mark the pointer as `const`. + +Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot") +Signed-off-by: Douglas Anderson +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/619657/ +Link: https://lore.kernel.org/r/20241014093605.1.Ia1217cecec9ef09eb3c6d125360cc6c8574b0e73@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +index 8746ceae8fca9..06f2f5a5e267e 100644 +--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c ++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +@@ -46,20 +46,21 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b + } + } + +-static void msm_disp_state_print_regs(u32 **reg, u32 len, void __iomem *base_addr, +- struct drm_printer *p) ++static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len, ++ void __iomem *base_addr, struct drm_printer *p) + { + int i; +- u32 *dump_addr = NULL; + void __iomem *addr; + u32 num_rows; + ++ if (!dump_addr) { ++ drm_printf(p, "Registers not stored\n"); ++ return; ++ } ++ + addr = base_addr; + num_rows = len / REG_DUMP_ALIGN; + +- if (*reg) +- dump_addr = *reg; +- + for (i = 0; i < num_rows; i++) { + drm_printf(p, "0x%lx : %08x %08x %08x %08x\n", + (unsigned long)(addr - base_addr), +@@ -86,7 +87,7 @@ void msm_disp_state_print(struct msm_disp_state *state, struct drm_printer *p) + + list_for_each_entry_safe(block, tmp, &state->blocks, node) { + drm_printf(p, "====================%s================\n", block->name); +- msm_disp_state_print_regs(&block->state, block->size, block->base_addr, p); ++ msm_disp_state_print_regs(block->state, block->size, block->base_addr, p); + } + + drm_printf(p, "===================dpu drm state================\n"); +-- +2.43.0 + diff --git a/queue-5.15/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch b/queue-5.15/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch new file mode 100644 index 00000000000..4201738f693 --- /dev/null +++ b/queue-5.15/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch @@ -0,0 +1,47 @@ +From d06384cf89edda7eafd3b22065e78361bbed0f80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 01:01:49 -0400 +Subject: drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate + calculation + +From: Jonathan Marek + +[ Upstream commit 358b762400bd94db2a14a72dfcef74c7da6bd845 ] + +When (mode->clock * 1000) is larger than (1<<31), int to unsigned long +conversion will sign extend the int to 64 bits and the pclk_rate value +will be incorrect. + +Fix this by making the result of the multiplication unsigned. + +Note that above (1<<32) would still be broken and require more changes, but +its unlikely anyone will need that anytime soon. + +Fixes: c4d8cfe516dc ("drm/msm/dsi: add implementation for helper functions") +Signed-off-by: Jonathan Marek +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/618434/ +Link: https://lore.kernel.org/r/20241007050157.26855-2-jonathan@marek.ca +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index c563ecf6e7b94..eb7cd96d9ece1 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -678,7 +678,7 @@ static unsigned long dsi_get_pclk_rate(struct msm_dsi_host *msm_host, bool is_bo + struct drm_display_mode *mode = msm_host->mode; + unsigned long pclk_rate; + +- pclk_rate = mode->clock * 1000; ++ pclk_rate = mode->clock * 1000u; + + /* + * For bonded DSI mode, the current DRM mode has the complete width of the +-- +2.43.0 + diff --git a/queue-5.15/genetlink-hold-rcu-in-genlmsg_mcast.patch b/queue-5.15/genetlink-hold-rcu-in-genlmsg_mcast.patch new file mode 100644 index 00000000000..759d5471cad --- /dev/null +++ b/queue-5.15/genetlink-hold-rcu-in-genlmsg_mcast.patch @@ -0,0 +1,242 @@ +From 05f5a160aaa2496d102edf279a6a5787408b11e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 17:12:17 +0000 +Subject: genetlink: hold RCU in genlmsg_mcast() + +From: Eric Dumazet + +[ Upstream commit 56440d7ec28d60f8da3bfa09062b3368ff9b16db ] + +While running net selftests with CONFIG_PROVE_RCU_LIST=y I saw +one lockdep splat [1]. + +genlmsg_mcast() uses for_each_net_rcu(), and must therefore hold RCU. + +Instead of letting all callers guard genlmsg_multicast_allns() +with a rcu_read_lock()/rcu_read_unlock() pair, do it in genlmsg_mcast(). + +This also means the @flags parameter is useless, we need to always use +GFP_ATOMIC. + +[1] +[10882.424136] ============================= +[10882.424166] WARNING: suspicious RCU usage +[10882.424309] 6.12.0-rc2-virtme #1156 Not tainted +[10882.424400] ----------------------------- +[10882.424423] net/netlink/genetlink.c:1940 RCU-list traversed in non-reader section!! +[10882.424469] +other info that might help us debug this: + +[10882.424500] +rcu_scheduler_active = 2, debug_locks = 1 +[10882.424744] 2 locks held by ip/15677: +[10882.424791] #0: ffffffffb6b491b0 (cb_lock){++++}-{3:3}, at: genl_rcv (net/netlink/genetlink.c:1219) +[10882.426334] #1: ffffffffb6b49248 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg (net/netlink/genetlink.c:61 net/netlink/genetlink.c:57 net/netlink/genetlink.c:1209) +[10882.426465] +stack backtrace: +[10882.426805] CPU: 14 UID: 0 PID: 15677 Comm: ip Not tainted 6.12.0-rc2-virtme #1156 +[10882.426919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[10882.427046] Call Trace: +[10882.427131] +[10882.427244] dump_stack_lvl (lib/dump_stack.c:123) +[10882.427335] lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822) +[10882.427387] genlmsg_multicast_allns (net/netlink/genetlink.c:1940 (discriminator 7) net/netlink/genetlink.c:1977 (discriminator 7)) +[10882.427436] l2tp_tunnel_notify.constprop.0 (net/l2tp/l2tp_netlink.c:119) l2tp_netlink +[10882.427683] l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:253) l2tp_netlink +[10882.427748] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115) +[10882.427834] genl_rcv_msg (net/netlink/genetlink.c:1195 net/netlink/genetlink.c:1210) +[10882.427877] ? __pfx_l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:186) l2tp_netlink +[10882.427927] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201) +[10882.427959] netlink_rcv_skb (net/netlink/af_netlink.c:2551) +[10882.428069] genl_rcv (net/netlink/genetlink.c:1220) +[10882.428095] netlink_unicast (net/netlink/af_netlink.c:1332 net/netlink/af_netlink.c:1357) +[10882.428140] netlink_sendmsg (net/netlink/af_netlink.c:1901) +[10882.428210] ____sys_sendmsg (net/socket.c:729 (discriminator 1) net/socket.c:744 (discriminator 1) net/socket.c:2607 (discriminator 1)) + +Fixes: 33f72e6f0c67 ("l2tp : multicast notification to the registered listeners") +Signed-off-by: Eric Dumazet +Cc: James Chapman +Cc: Tom Parkin +Cc: Johannes Berg +Link: https://patch.msgid.link/20241011171217.3166614-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_user.c | 2 +- + include/net/genetlink.h | 3 +-- + net/l2tp/l2tp_netlink.c | 4 ++-- + net/netlink/genetlink.c | 28 ++++++++++++++-------------- + net/wireless/nl80211.c | 8 ++------ + 5 files changed, 20 insertions(+), 25 deletions(-) + +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index 1e8e9dd3f482c..7a467b1f9099b 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -2129,7 +2129,7 @@ static int tcmu_netlink_event_send(struct tcmu_dev *udev, + } + + ret = genlmsg_multicast_allns(&tcmu_genl_family, skb, 0, +- TCMU_MCGRP_CONFIG, GFP_KERNEL); ++ TCMU_MCGRP_CONFIG); + + /* Wait during an add as the listener may not be up yet */ + if (ret == 0 || +diff --git a/include/net/genetlink.h b/include/net/genetlink.h +index 8043594a7f84a..3cfa33a0aa169 100644 +--- a/include/net/genetlink.h ++++ b/include/net/genetlink.h +@@ -336,13 +336,12 @@ static inline int genlmsg_multicast(const struct genl_family *family, + * @skb: netlink message as socket buffer + * @portid: own netlink portid to avoid sending to yourself + * @group: offset of multicast group in groups array +- * @flags: allocation flags + * + * This function must hold the RTNL or rcu_read_lock(). + */ + int genlmsg_multicast_allns(const struct genl_family *family, + struct sk_buff *skb, u32 portid, +- unsigned int group, gfp_t flags); ++ unsigned int group); + + /** + * genlmsg_unicast - unicast a netlink message +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c +index 96eb91be9238b..f34ca225c2199 100644 +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -115,7 +115,7 @@ static int l2tp_tunnel_notify(struct genl_family *family, + NLM_F_ACK, tunnel, cmd); + + if (ret >= 0) { +- ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC); ++ ret = genlmsg_multicast_allns(family, msg, 0, 0); + /* We don't care if no one is listening */ + if (ret == -ESRCH) + ret = 0; +@@ -143,7 +143,7 @@ static int l2tp_session_notify(struct genl_family *family, + NLM_F_ACK, session, cmd); + + if (ret >= 0) { +- ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC); ++ ret = genlmsg_multicast_allns(family, msg, 0, 0); + /* We don't care if no one is listening */ + if (ret == -ESRCH) + ret = 0; +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index 69b3a6b82f680..789cdc1dbcdf6 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -1089,15 +1089,11 @@ static int genl_ctrl_event(int event, const struct genl_family *family, + if (IS_ERR(msg)) + return PTR_ERR(msg); + +- if (!family->netnsok) { ++ if (!family->netnsok) + genlmsg_multicast_netns(&genl_ctrl, &init_net, msg, 0, + 0, GFP_KERNEL); +- } else { +- rcu_read_lock(); +- genlmsg_multicast_allns(&genl_ctrl, msg, 0, +- 0, GFP_ATOMIC); +- rcu_read_unlock(); +- } ++ else ++ genlmsg_multicast_allns(&genl_ctrl, msg, 0, 0); + + return 0; + } +@@ -1441,23 +1437,23 @@ static int __init genl_init(void) + + core_initcall(genl_init); + +-static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, +- gfp_t flags) ++static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group) + { + struct sk_buff *tmp; + struct net *net, *prev = NULL; + bool delivered = false; + int err; + ++ rcu_read_lock(); + for_each_net_rcu(net) { + if (prev) { +- tmp = skb_clone(skb, flags); ++ tmp = skb_clone(skb, GFP_ATOMIC); + if (!tmp) { + err = -ENOMEM; + goto error; + } + err = nlmsg_multicast(prev->genl_sock, tmp, +- portid, group, flags); ++ portid, group, GFP_ATOMIC); + if (!err) + delivered = true; + else if (err != -ESRCH) +@@ -1466,27 +1462,31 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, + + prev = net; + } ++ err = nlmsg_multicast(prev->genl_sock, skb, portid, group, GFP_ATOMIC); ++ ++ rcu_read_unlock(); + +- err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags); + if (!err) + delivered = true; + else if (err != -ESRCH) + return err; + return delivered ? 0 : -ESRCH; + error: ++ rcu_read_unlock(); ++ + kfree_skb(skb); + return err; + } + + int genlmsg_multicast_allns(const struct genl_family *family, + struct sk_buff *skb, u32 portid, +- unsigned int group, gfp_t flags) ++ unsigned int group) + { + if (WARN_ON_ONCE(group >= family->n_mcgrps)) + return -EINVAL; + + group = family->mcgrp_offset + group; +- return genlmsg_mcast(skb, portid, group, flags); ++ return genlmsg_mcast(skb, portid, group); + } + EXPORT_SYMBOL(genlmsg_multicast_allns); + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index d286a10f35522..457b197e31722 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -16262,10 +16262,8 @@ void nl80211_common_reg_change_event(enum nl80211_commands cmd_id, + + genlmsg_end(msg, hdr); + +- rcu_read_lock(); + genlmsg_multicast_allns(&nl80211_fam, msg, 0, +- NL80211_MCGRP_REGULATORY, GFP_ATOMIC); +- rcu_read_unlock(); ++ NL80211_MCGRP_REGULATORY); + + return; + +@@ -16779,10 +16777,8 @@ void nl80211_send_beacon_hint_event(struct wiphy *wiphy, + + genlmsg_end(msg, hdr); + +- rcu_read_lock(); + genlmsg_multicast_allns(&nl80211_fam, msg, 0, +- NL80211_MCGRP_REGULATORY, GFP_ATOMIC); +- rcu_read_unlock(); ++ NL80211_MCGRP_REGULATORY); + + return; + +-- +2.43.0 + diff --git a/queue-5.15/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch b/queue-5.15/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch new file mode 100644 index 00000000000..1cce7a96120 --- /dev/null +++ b/queue-5.15/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch @@ -0,0 +1,112 @@ +From 62e8cfa84f4b222c8978053fb3f961456a885b06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 14:47:13 -0400 +Subject: ipv4: give an IPv4 dev to blackhole_netdev + +From: Xin Long + +[ Upstream commit 22600596b6756b166fd052d5facb66287e6f0bad ] + +After commit 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to +invalidate dst entries"), blackhole_netdev was introduced to invalidate +dst cache entries on the TX path whenever the cache times out or is +flushed. + +When two UDP sockets (sk1 and sk2) send messages to the same destination +simultaneously, they are using the same dst cache. If the dst cache is +invalidated on one path (sk2) while the other (sk1) is still transmitting, +sk1 may try to use the invalid dst entry. + + CPU1 CPU2 + + udp_sendmsg(sk1) udp_sendmsg(sk2) + udp_send_skb() + ip_output() + <--- dst timeout or flushed + dst_dev_put() + ip_finish_output2() + ip_neigh_for_gw() + +This results in a scenario where ip_neigh_for_gw() returns -EINVAL because +blackhole_dev lacks an in_dev, which is needed to initialize the neigh in +arp_constructor(). This error is then propagated back to userspace, +breaking the UDP application. + +The patch fixes this issue by assigning an in_dev to blackhole_dev for +IPv4, similar to what was done for IPv6 in commit e5f80fcf869a ("ipv6: +give an IPv6 dev to blackhole_netdev"). This ensures that even when the +dst entry is invalidated with blackhole_dev, it will not fail to create +the neigh entry. + +As devinet_init() is called ealier than blackhole_netdev_init() in system +booting, it can not assign the in_dev to blackhole_dev in devinet_init(). +As Paolo suggested, add a separate late_initcall() in devinet.c to ensure +inet_blackhole_dev_init() is called after blackhole_netdev_init(). + +Fixes: 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to invalidate dst entries") +Signed-off-by: Xin Long +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/3000792d45ca44e16c785ebe2b092e610e5b3df1.1728499633.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 35 +++++++++++++++++++++++++---------- + 1 file changed, 25 insertions(+), 10 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index da0f49d77c011..dcbc087fff179 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -273,17 +273,19 @@ static struct in_device *inetdev_init(struct net_device *dev) + /* Account for reference dev->ip_ptr (below) */ + refcount_set(&in_dev->refcnt, 1); + +- err = devinet_sysctl_register(in_dev); +- if (err) { +- in_dev->dead = 1; +- neigh_parms_release(&arp_tbl, in_dev->arp_parms); +- in_dev_put(in_dev); +- in_dev = NULL; +- goto out; ++ if (dev != blackhole_netdev) { ++ err = devinet_sysctl_register(in_dev); ++ if (err) { ++ in_dev->dead = 1; ++ neigh_parms_release(&arp_tbl, in_dev->arp_parms); ++ in_dev_put(in_dev); ++ in_dev = NULL; ++ goto out; ++ } ++ ip_mc_init_dev(in_dev); ++ if (dev->flags & IFF_UP) ++ ip_mc_up(in_dev); + } +- ip_mc_init_dev(in_dev); +- if (dev->flags & IFF_UP) +- ip_mc_up(in_dev); + + /* we can receive as soon as ip_ptr is set -- do this last */ + rcu_assign_pointer(dev->ip_ptr, in_dev); +@@ -328,6 +330,19 @@ static void inetdev_destroy(struct in_device *in_dev) + call_rcu(&in_dev->rcu_head, in_dev_rcu_put); + } + ++static int __init inet_blackhole_dev_init(void) ++{ ++ int err = 0; ++ ++ rtnl_lock(); ++ if (!inetdev_init(blackhole_netdev)) ++ err = -ENOMEM; ++ rtnl_unlock(); ++ ++ return err; ++} ++late_initcall(inet_blackhole_dev_init); ++ + int inet_addr_onlink(struct in_device *in_dev, __be32 a, __be32 b) + { + const struct in_ifaddr *ifa; +-- +2.43.0 + diff --git a/queue-5.15/kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch b/queue-5.15/kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch new file mode 100644 index 00000000000..d89563aee34 --- /dev/null +++ b/queue-5.15/kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch @@ -0,0 +1,125 @@ +From ff734d11eced11548474db0d02bcafca30567785 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Sep 2024 17:18:33 +0200 +Subject: KVM: s390: gaccess: Check if guest address is in memslot + +From: Nico Boehr + +[ Upstream commit e8061f06185be0a06a73760d6526b8b0feadfe52 ] + +Previously, access_guest_page() did not check whether the given guest +address is inside of a memslot. This is not a problem, since +kvm_write_guest_page/kvm_read_guest_page return -EFAULT in this case. + +However, -EFAULT is also returned when copy_to/from_user fails. + +When emulating a guest instruction, the address being outside a memslot +usually means that an addressing exception should be injected into the +guest. + +Failure in copy_to/from_user however indicates that something is wrong +in userspace and hence should be handled there. + +To be able to distinguish these two cases, return PGM_ADDRESSING in +access_guest_page() when the guest address is outside guest memory. In +access_guest_real(), populate vcpu->arch.pgm.code such that +kvm_s390_inject_prog_cond() can be used in the caller for injecting into +the guest (if applicable). + +Since this adds a new return value to access_guest_page(), we need to make +sure that other callers are not confused by the new positive return value. + +There are the following users of access_guest_page(): +- access_guest_with_key() does the checking itself (in + guest_range_to_gpas()), so this case should never happen. Even if, the + handling is set up properly. +- access_guest_real() just passes the return code to its callers, which + are: + - read_guest_real() - see below + - write_guest_real() - see below + +There are the following users of read_guest_real(): +- ar_translation() in gaccess.c which already returns PGM_* +- setup_apcb10(), setup_apcb00(), setup_apcb11() in vsie.c which always + return -EFAULT on read_guest_read() nonzero return - no change +- shadow_crycb(), handle_stfle() always present this as validity, this + could be handled better but doesn't change current behaviour - no change + +There are the following users of write_guest_real(): +- kvm_s390_store_status_unloaded() always returns -EFAULT on + write_guest_real() failure. + +Fixes: 2293897805c2 ("KVM: s390: add architecture compliant guest access functions") +Cc: stable@vger.kernel.org +Signed-off-by: Nico Boehr +Reviewed-by: Heiko Carstens +Link: https://lore.kernel.org/r/20240917151904.74314-2-nrb@linux.ibm.com +Acked-by: Janosch Frank +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/gaccess.c | 4 ++++ + arch/s390/kvm/gaccess.h | 14 ++++++++------ + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c +index 4460808c3b9a0..98979db1cde76 100644 +--- a/arch/s390/kvm/gaccess.c ++++ b/arch/s390/kvm/gaccess.c +@@ -873,6 +873,8 @@ static int access_guest_page(struct kvm *kvm, enum gacc_mode mode, gpa_t gpa, + const gfn_t gfn = gpa_to_gfn(gpa); + int rc; + ++ if (!gfn_to_memslot(kvm, gfn)) ++ return PGM_ADDRESSING; + if (mode == GACC_STORE) + rc = kvm_write_guest_page(kvm, gfn, data, offset, len); + else +@@ -936,6 +938,8 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, + gra += fragment_len; + data += fragment_len; + } ++ if (rc > 0) ++ vcpu->arch.pgm.code = rc; + return rc; + } + +diff --git a/arch/s390/kvm/gaccess.h b/arch/s390/kvm/gaccess.h +index 7c72a5e3449f8..8ed2d6c7404ff 100644 +--- a/arch/s390/kvm/gaccess.h ++++ b/arch/s390/kvm/gaccess.h +@@ -344,11 +344,12 @@ int read_guest_abs(struct kvm_vcpu *vcpu, unsigned long gpa, void *data, + * @len: number of bytes to copy + * + * Copy @len bytes from @data (kernel space) to @gra (guest real address). +- * It is up to the caller to ensure that the entire guest memory range is +- * valid memory before calling this function. + * Guest low address and key protection are not checked. + * +- * Returns zero on success or -EFAULT on error. ++ * Returns zero on success, -EFAULT when copying from @data failed, or ++ * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info ++ * is also stored to allow injecting into the guest (if applicable) using ++ * kvm_s390_inject_prog_cond(). + * + * If an error occurs data may have been copied partially to guest memory. + */ +@@ -367,11 +368,12 @@ int write_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, void *data, + * @len: number of bytes to copy + * + * Copy @len bytes from @gra (guest real address) to @data (kernel space). +- * It is up to the caller to ensure that the entire guest memory range is +- * valid memory before calling this function. + * Guest key protection is not checked. + * +- * Returns zero on success or -EFAULT on error. ++ * Returns zero on success, -EFAULT when copying to @data failed, or ++ * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info ++ * is also stored to allow injecting into the guest (if applicable) using ++ * kvm_s390_inject_prog_cond(). + * + * If an error occurs data may have been copied partially to kernel space. + */ +-- +2.43.0 + diff --git a/queue-5.15/kvm-s390-gaccess-cleanup-access-to-guest-pages.patch b/queue-5.15/kvm-s390-gaccess-cleanup-access-to-guest-pages.patch new file mode 100644 index 00000000000..73a80d0062b --- /dev/null +++ b/queue-5.15/kvm-s390-gaccess-cleanup-access-to-guest-pages.patch @@ -0,0 +1,75 @@ +From 35d9808149680060b1b6308aa5c3fa3508f4e8db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 17:45:49 +0100 +Subject: KVM: s390: gaccess: Cleanup access to guest pages + +From: Janis Schoetterl-Glausch + +[ Upstream commit bad13799e0305deb258372b7298a86be4c78aaba ] + +Introduce a helper function for guest frame access. + +Signed-off-by: Janis Schoetterl-Glausch +Reviewed-by: Janosch Frank +Reviewed-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Message-Id: <20211126164549.7046-4-scgl@linux.ibm.com> +Signed-off-by: Janosch Frank +Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot") +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/gaccess.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c +index ca7f22a9e0c57..4460808c3b9a0 100644 +--- a/arch/s390/kvm/gaccess.c ++++ b/arch/s390/kvm/gaccess.c +@@ -866,6 +866,20 @@ static int guest_range_to_gpas(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, + return 0; + } + ++static int access_guest_page(struct kvm *kvm, enum gacc_mode mode, gpa_t gpa, ++ void *data, unsigned int len) ++{ ++ const unsigned int offset = offset_in_page(gpa); ++ const gfn_t gfn = gpa_to_gfn(gpa); ++ int rc; ++ ++ if (mode == GACC_STORE) ++ rc = kvm_write_guest_page(kvm, gfn, data, offset, len); ++ else ++ rc = kvm_read_guest_page(kvm, gfn, data, offset, len); ++ return rc; ++} ++ + int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + unsigned long len, enum gacc_mode mode) + { +@@ -896,10 +910,7 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + rc = guest_range_to_gpas(vcpu, ga, ar, gpas, len, asce, mode); + for (idx = 0; idx < nr_pages && !rc; idx++) { + fragment_len = min(PAGE_SIZE - offset_in_page(gpas[idx]), len); +- if (mode == GACC_STORE) +- rc = kvm_write_guest(vcpu->kvm, gpas[idx], data, fragment_len); +- else +- rc = kvm_read_guest(vcpu->kvm, gpas[idx], data, fragment_len); ++ rc = access_guest_page(vcpu->kvm, mode, gpas[idx], data, fragment_len); + len -= fragment_len; + data += fragment_len; + } +@@ -920,10 +931,7 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, + while (len && !rc) { + gpa = kvm_s390_real_to_abs(vcpu, gra); + fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len); +- if (mode) +- rc = write_guest_abs(vcpu, gpa, data, fragment_len); +- else +- rc = read_guest_abs(vcpu, gpa, data, fragment_len); ++ rc = access_guest_page(vcpu->kvm, mode, gpa, data, fragment_len); + len -= fragment_len; + gra += fragment_len; + data += fragment_len; +-- +2.43.0 + diff --git a/queue-5.15/kvm-s390-gaccess-refactor-access-address-range-check.patch b/queue-5.15/kvm-s390-gaccess-refactor-access-address-range-check.patch new file mode 100644 index 00000000000..1e70a2763d6 --- /dev/null +++ b/queue-5.15/kvm-s390-gaccess-refactor-access-address-range-check.patch @@ -0,0 +1,233 @@ +From 82adb7011d7b7f7b6ffe46e72696b9e8fe7fcf53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 17:45:48 +0100 +Subject: KVM: s390: gaccess: Refactor access address range check + +From: Janis Schoetterl-Glausch + +[ Upstream commit 7faa543df19bf62d4583a64d3902705747f2ad29 ] + +Do not round down the first address to the page boundary, just translate +it normally, which gives the value we care about in the first place. +Given this, translating a single address is just the special case of +translating a range spanning a single page. + +Make the output optional, so the function can be used to just check a +range. + +Signed-off-by: Janis Schoetterl-Glausch +Reviewed-by: Janosch Frank +Reviewed-by: Claudio Imbrenda +Message-Id: <20211126164549.7046-3-scgl@linux.ibm.com> +Signed-off-by: Janosch Frank +Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot") +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/gaccess.c | 122 +++++++++++++++++++++++----------------- + 1 file changed, 69 insertions(+), 53 deletions(-) + +diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c +index 45966fbba1820..ca7f22a9e0c57 100644 +--- a/arch/s390/kvm/gaccess.c ++++ b/arch/s390/kvm/gaccess.c +@@ -794,35 +794,74 @@ static int low_address_protection_enabled(struct kvm_vcpu *vcpu, + return 1; + } + +-static int guest_page_range(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, +- unsigned long *pages, unsigned long nr_pages, +- const union asce asce, enum gacc_mode mode) ++/** ++ * guest_range_to_gpas() - Calculate guest physical addresses of page fragments ++ * covering a logical range ++ * @vcpu: virtual cpu ++ * @ga: guest address, start of range ++ * @ar: access register ++ * @gpas: output argument, may be NULL ++ * @len: length of range in bytes ++ * @asce: address-space-control element to use for translation ++ * @mode: access mode ++ * ++ * Translate a logical range to a series of guest absolute addresses, ++ * such that the concatenation of page fragments starting at each gpa make up ++ * the whole range. ++ * The translation is performed as if done by the cpu for the given @asce, @ar, ++ * @mode and state of the @vcpu. ++ * If the translation causes an exception, its program interruption code is ++ * returned and the &struct kvm_s390_pgm_info pgm member of @vcpu is modified ++ * such that a subsequent call to kvm_s390_inject_prog_vcpu() will inject ++ * a correct exception into the guest. ++ * The resulting gpas are stored into @gpas, unless it is NULL. ++ * ++ * Note: All fragments except the first one start at the beginning of a page. ++ * When deriving the boundaries of a fragment from a gpa, all but the last ++ * fragment end at the end of the page. ++ * ++ * Return: ++ * * 0 - success ++ * * <0 - translation could not be performed, for example if guest ++ * memory could not be accessed ++ * * >0 - an access exception occurred. In this case the returned value ++ * is the program interruption code and the contents of pgm may ++ * be used to inject an exception into the guest. ++ */ ++static int guest_range_to_gpas(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, ++ unsigned long *gpas, unsigned long len, ++ const union asce asce, enum gacc_mode mode) + { + psw_t *psw = &vcpu->arch.sie_block->gpsw; ++ unsigned int offset = offset_in_page(ga); ++ unsigned int fragment_len; + int lap_enabled, rc = 0; + enum prot_type prot; ++ unsigned long gpa; + + lap_enabled = low_address_protection_enabled(vcpu, asce); +- while (nr_pages) { ++ while (min(PAGE_SIZE - offset, len) > 0) { ++ fragment_len = min(PAGE_SIZE - offset, len); + ga = kvm_s390_logical_to_effective(vcpu, ga); + if (mode == GACC_STORE && lap_enabled && is_low_address(ga)) + return trans_exc(vcpu, PGM_PROTECTION, ga, ar, mode, + PROT_TYPE_LA); +- ga &= PAGE_MASK; + if (psw_bits(*psw).dat) { +- rc = guest_translate(vcpu, ga, pages, asce, mode, &prot); ++ rc = guest_translate(vcpu, ga, &gpa, asce, mode, &prot); + if (rc < 0) + return rc; + } else { +- *pages = kvm_s390_real_to_abs(vcpu, ga); +- if (kvm_is_error_gpa(vcpu->kvm, *pages)) ++ gpa = kvm_s390_real_to_abs(vcpu, ga); ++ if (kvm_is_error_gpa(vcpu->kvm, gpa)) + rc = PGM_ADDRESSING; + } + if (rc) + return trans_exc(vcpu, rc, ga, ar, mode, prot); +- ga += PAGE_SIZE; +- pages++; +- nr_pages--; ++ if (gpas) ++ *gpas++ = gpa; ++ offset = 0; ++ ga += fragment_len; ++ len -= fragment_len; + } + return 0; + } +@@ -831,10 +870,10 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + unsigned long len, enum gacc_mode mode) + { + psw_t *psw = &vcpu->arch.sie_block->gpsw; +- unsigned long nr_pages, gpa, idx; +- unsigned long pages_array[2]; ++ unsigned long nr_pages, idx; ++ unsigned long gpa_array[2]; + unsigned int fragment_len; +- unsigned long *pages; ++ unsigned long *gpas; + int need_ipte_lock; + union asce asce; + int rc; +@@ -846,30 +885,28 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + if (rc) + return rc; + nr_pages = (((ga & ~PAGE_MASK) + len - 1) >> PAGE_SHIFT) + 1; +- pages = pages_array; +- if (nr_pages > ARRAY_SIZE(pages_array)) +- pages = vmalloc(array_size(nr_pages, sizeof(unsigned long))); +- if (!pages) ++ gpas = gpa_array; ++ if (nr_pages > ARRAY_SIZE(gpa_array)) ++ gpas = vmalloc(array_size(nr_pages, sizeof(unsigned long))); ++ if (!gpas) + return -ENOMEM; + need_ipte_lock = psw_bits(*psw).dat && !asce.r; + if (need_ipte_lock) + ipte_lock(vcpu); +- rc = guest_page_range(vcpu, ga, ar, pages, nr_pages, asce, mode); ++ rc = guest_range_to_gpas(vcpu, ga, ar, gpas, len, asce, mode); + for (idx = 0; idx < nr_pages && !rc; idx++) { +- gpa = pages[idx] + offset_in_page(ga); +- fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len); ++ fragment_len = min(PAGE_SIZE - offset_in_page(gpas[idx]), len); + if (mode == GACC_STORE) +- rc = kvm_write_guest(vcpu->kvm, gpa, data, fragment_len); ++ rc = kvm_write_guest(vcpu->kvm, gpas[idx], data, fragment_len); + else +- rc = kvm_read_guest(vcpu->kvm, gpa, data, fragment_len); ++ rc = kvm_read_guest(vcpu->kvm, gpas[idx], data, fragment_len); + len -= fragment_len; +- ga += fragment_len; + data += fragment_len; + } + if (need_ipte_lock) + ipte_unlock(vcpu); +- if (nr_pages > ARRAY_SIZE(pages_array)) +- vfree(pages); ++ if (nr_pages > ARRAY_SIZE(gpa_array)) ++ vfree(gpas); + return rc; + } + +@@ -911,8 +948,6 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, + int guest_translate_address(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar, + unsigned long *gpa, enum gacc_mode mode) + { +- psw_t *psw = &vcpu->arch.sie_block->gpsw; +- enum prot_type prot; + union asce asce; + int rc; + +@@ -920,23 +955,7 @@ int guest_translate_address(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar, + rc = get_vcpu_asce(vcpu, &asce, gva, ar, mode); + if (rc) + return rc; +- if (is_low_address(gva) && low_address_protection_enabled(vcpu, asce)) { +- if (mode == GACC_STORE) +- return trans_exc(vcpu, PGM_PROTECTION, gva, 0, +- mode, PROT_TYPE_LA); +- } +- +- if (psw_bits(*psw).dat && !asce.r) { /* Use DAT? */ +- rc = guest_translate(vcpu, gva, gpa, asce, mode, &prot); +- if (rc > 0) +- return trans_exc(vcpu, rc, gva, 0, mode, prot); +- } else { +- *gpa = kvm_s390_real_to_abs(vcpu, gva); +- if (kvm_is_error_gpa(vcpu->kvm, *gpa)) +- return trans_exc(vcpu, rc, gva, PGM_ADDRESSING, mode, 0); +- } +- +- return rc; ++ return guest_range_to_gpas(vcpu, gva, ar, gpa, 1, asce, mode); + } + + /** +@@ -950,17 +969,14 @@ int guest_translate_address(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar, + int check_gva_range(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar, + unsigned long length, enum gacc_mode mode) + { +- unsigned long gpa; +- unsigned long currlen; ++ union asce asce; + int rc = 0; + ++ rc = get_vcpu_asce(vcpu, &asce, gva, ar, mode); ++ if (rc) ++ return rc; + ipte_lock(vcpu); +- while (length > 0 && !rc) { +- currlen = min(length, PAGE_SIZE - (gva % PAGE_SIZE)); +- rc = guest_translate_address(vcpu, gva, ar, &gpa, mode); +- gva += currlen; +- length -= currlen; +- } ++ rc = guest_range_to_gpas(vcpu, gva, ar, NULL, length, asce, mode); + ipte_unlock(vcpu); + + return rc; +-- +2.43.0 + diff --git a/queue-5.15/kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch b/queue-5.15/kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch new file mode 100644 index 00000000000..b54d6910e20 --- /dev/null +++ b/queue-5.15/kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch @@ -0,0 +1,93 @@ +From 0175e7986e1a8a1dc7eed583722e80b65cbe5e81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 17:45:47 +0100 +Subject: KVM: s390: gaccess: Refactor gpa and length calculation + +From: Janis Schoetterl-Glausch + +[ Upstream commit 416e7f0c9d613bf84e182eba9547ae8f9f5bfa4c ] + +Improve readability by renaming the length variable and +not calculating the offset manually. + +Signed-off-by: Janis Schoetterl-Glausch +Reviewed-by: Janosch Frank +Reviewed-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Message-Id: <20211126164549.7046-2-scgl@linux.ibm.com> +Signed-off-by: Janosch Frank +Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot") +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/gaccess.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c +index 6af59c59cc1b8..45966fbba1820 100644 +--- a/arch/s390/kvm/gaccess.c ++++ b/arch/s390/kvm/gaccess.c +@@ -831,8 +831,9 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + unsigned long len, enum gacc_mode mode) + { + psw_t *psw = &vcpu->arch.sie_block->gpsw; +- unsigned long _len, nr_pages, gpa, idx; ++ unsigned long nr_pages, gpa, idx; + unsigned long pages_array[2]; ++ unsigned int fragment_len; + unsigned long *pages; + int need_ipte_lock; + union asce asce; +@@ -855,15 +856,15 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + ipte_lock(vcpu); + rc = guest_page_range(vcpu, ga, ar, pages, nr_pages, asce, mode); + for (idx = 0; idx < nr_pages && !rc; idx++) { +- gpa = *(pages + idx) + (ga & ~PAGE_MASK); +- _len = min(PAGE_SIZE - (gpa & ~PAGE_MASK), len); ++ gpa = pages[idx] + offset_in_page(ga); ++ fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len); + if (mode == GACC_STORE) +- rc = kvm_write_guest(vcpu->kvm, gpa, data, _len); ++ rc = kvm_write_guest(vcpu->kvm, gpa, data, fragment_len); + else +- rc = kvm_read_guest(vcpu->kvm, gpa, data, _len); +- len -= _len; +- ga += _len; +- data += _len; ++ rc = kvm_read_guest(vcpu->kvm, gpa, data, fragment_len); ++ len -= fragment_len; ++ ga += fragment_len; ++ data += fragment_len; + } + if (need_ipte_lock) + ipte_unlock(vcpu); +@@ -875,19 +876,20 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, + void *data, unsigned long len, enum gacc_mode mode) + { +- unsigned long _len, gpa; ++ unsigned int fragment_len; ++ unsigned long gpa; + int rc = 0; + + while (len && !rc) { + gpa = kvm_s390_real_to_abs(vcpu, gra); +- _len = min(PAGE_SIZE - (gpa & ~PAGE_MASK), len); ++ fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len); + if (mode) +- rc = write_guest_abs(vcpu, gpa, data, _len); ++ rc = write_guest_abs(vcpu, gpa, data, fragment_len); + else +- rc = read_guest_abs(vcpu, gpa, data, _len); +- len -= _len; +- gra += _len; +- data += _len; ++ rc = read_guest_abs(vcpu, gpa, data, fragment_len); ++ len -= fragment_len; ++ gra += fragment_len; ++ data += fragment_len; + } + return rc; + } +-- +2.43.0 + diff --git a/queue-5.15/macsec-don-t-increment-counters-for-an-unrelated-sa.patch b/queue-5.15/macsec-don-t-increment-counters-for-an-unrelated-sa.patch new file mode 100644 index 00000000000..7ae9de2b4ae --- /dev/null +++ b/queue-5.15/macsec-don-t-increment-counters-for-an-unrelated-sa.patch @@ -0,0 +1,83 @@ +From 2dde9fde37defaac2c9edd762f07f28d00998167 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 17:16:37 +0200 +Subject: macsec: don't increment counters for an unrelated SA + +From: Sabrina Dubroca + +[ Upstream commit cf58aefb1332db322060cad4a330d5f9292b0f41 ] + +On RX, we shouldn't be incrementing the stats for an arbitrary SA in +case the actual SA hasn't been set up. Those counters are intended to +track packets for their respective AN when the SA isn't currently +configured. Due to the way MACsec is implemented, we don't keep +counters unless the SA is configured, so we can't track those packets, +and those counters will remain at 0. + +The RXSC's stats keeps track of those packets without telling us which +AN they belonged to. We could add counters for non-existent SAs, and +then find a way to integrate them in the dump to userspace, but I +don't think it's worth the effort. + +Fixes: 91ec9bd57f35 ("macsec: Fix traffic counters/statistics") +Reported-by: Paolo Abeni +Signed-off-by: Sabrina Dubroca +Link: https://patch.msgid.link/f5ac92aaa5b89343232615f4c03f9f95042c6aa0.1728657709.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 18 ------------------ + 1 file changed, 18 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index ab134fe1fda62..a91c409958ff2 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -160,19 +160,6 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr) + return sa; + } + +-static struct macsec_rx_sa *macsec_active_rxsa_get(struct macsec_rx_sc *rx_sc) +-{ +- struct macsec_rx_sa *sa = NULL; +- int an; +- +- for (an = 0; an < MACSEC_NUM_AN; an++) { +- sa = macsec_rxsa_get(rx_sc->sa[an]); +- if (sa) +- break; +- } +- return sa; +-} +- + static void free_rx_sc_rcu(struct rcu_head *head) + { + struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head); +@@ -1192,15 +1179,12 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + /* If validateFrames is Strict or the C bit in the + * SecTAG is set, discard + */ +- struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc); + if (hdr->tci_an & MACSEC_TCI_C || + secy->validate_frames == MACSEC_VALIDATE_STRICT) { + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsNotUsingSA++; + u64_stats_update_end(&rxsc_stats->syncp); + DEV_STATS_INC(secy->netdev, rx_errors); +- if (active_rx_sa) +- this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA); + goto drop_nosa; + } + +@@ -1210,8 +1194,6 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsUnusedSA++; + u64_stats_update_end(&rxsc_stats->syncp); +- if (active_rx_sa) +- this_cpu_inc(active_rx_sa->stats->InPktsUnusedSA); + goto deliver; + } + +-- +2.43.0 + diff --git a/queue-5.15/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch b/queue-5.15/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch new file mode 100644 index 00000000000..f08939da371 --- /dev/null +++ b/queue-5.15/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch @@ -0,0 +1,47 @@ +From 8481f47e15730c4d79d120eeff95fb316e7f3b09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Oct 2024 19:04:34 +0800 +Subject: net: ethernet: aeroflex: fix potential memory leak in + greth_start_xmit_gbit() + +From: Wang Hai + +[ Upstream commit cf57b5d7a2aad456719152ecd12007fe031628a3 ] + +The greth_start_xmit_gbit() returns NETDEV_TX_OK without freeing skb +in case of skb->len being too long, add dev_kfree_skb() to fix it. + +Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") +Signed-off-by: Wang Hai +Reviewed-by: Gerhard Engleder +Link: https://patch.msgid.link/20241012110434.49265-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aeroflex/greth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c +index a95bac4e14f6a..538043cd9e24c 100644 +--- a/drivers/net/ethernet/aeroflex/greth.c ++++ b/drivers/net/ethernet/aeroflex/greth.c +@@ -484,7 +484,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev) + + if (unlikely(skb->len > MAX_FRAME_SIZE)) { + dev->stats.tx_errors++; +- goto out; ++ goto len_error; + } + + /* Save skb pointer. */ +@@ -575,6 +575,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev) + map_error: + if (net_ratelimit()) + dev_warn(greth->dev, "Could not create TX DMA mapping\n"); ++len_error: + dev_kfree_skb(skb); + out: + return err; +-- +2.43.0 + diff --git a/queue-5.15/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch b/queue-5.15/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch new file mode 100644 index 00000000000..f6f78a12b83 --- /dev/null +++ b/queue-5.15/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch @@ -0,0 +1,41 @@ +From 00463b6180f3ded2b787fc63914997749e720676 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 19:53:21 +0800 +Subject: net/smc: Fix searching in list of known pnetids in + smc_pnet_add_pnetid + +From: Li RongQing + +[ Upstream commit 82ac39ebd6db0c9f7a97a934bda1e3e101a9d201 ] + +pnetid of pi (not newly allocated pe) should be compared + +Fixes: e888a2e8337c ("net/smc: introduce list of pnetids for Ethernet devices") +Reviewed-by: D. Wythe +Reviewed-by: Wen Gu +Signed-off-by: Li RongQing +Reviewed-by: Simon Horman +Reviewed-by: Gerd Bayer +Link: https://patch.msgid.link/20241014115321.33234-1-lirongqing@baidu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_pnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c +index c9e4b37e65777..a895d13798014 100644 +--- a/net/smc/smc_pnet.c ++++ b/net/smc/smc_pnet.c +@@ -743,7 +743,7 @@ static int smc_pnet_add_pnetid(struct net *net, u8 *pnetid) + + write_lock(&sn->pnetids_ndev.lock); + list_for_each_entry(pi, &sn->pnetids_ndev.list, list) { +- if (smc_pnet_match(pnetid, pe->pnetid)) { ++ if (smc_pnet_match(pnetid, pi->pnetid)) { + refcount_inc(&pi->refcnt); + kfree(pe); + goto unlock; +-- +2.43.0 + diff --git a/queue-5.15/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch b/queue-5.15/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch new file mode 100644 index 00000000000..2b0175248b0 --- /dev/null +++ b/queue-5.15/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch @@ -0,0 +1,36 @@ +From ddd1b57d09c92e154c46e7e578526163b6681f9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:51:15 +0800 +Subject: net: systemport: fix potential memory leak in bcm_sysport_xmit() + +From: Wang Hai + +[ Upstream commit c401ed1c709948e57945485088413e1bb5e94bd1 ] + +The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb +in case of dma_map_single() fails, add dev_kfree_skb() to fix it. + +Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") +Signed-off-by: Wang Hai +Link: https://patch.msgid.link/20241014145115.44977-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index 93c965bcdb6cf..8962bd6349d4b 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1348,6 +1348,7 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb, + netif_err(priv, tx_err, dev, "DMA map failed at %p (len=%d)\n", + skb->data, skb_len); + ret = NETDEV_TX_OK; ++ dev_kfree_skb_any(skb); + goto out; + } + +-- +2.43.0 + diff --git a/queue-5.15/net-usb-usbnet-fix-race-in-probe-failure.patch b/queue-5.15/net-usb-usbnet-fix-race-in-probe-failure.patch new file mode 100644 index 00000000000..571d6735f1e --- /dev/null +++ b/queue-5.15/net-usb-usbnet-fix-race-in-probe-failure.patch @@ -0,0 +1,37 @@ +From bde4f4f24002e5a25274520a0676235be8f25f14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 15:19:14 +0200 +Subject: net: usb: usbnet: fix race in probe failure + +From: Oliver Neukum + +[ Upstream commit b62f4c186c70aa235fef2da68d07325d85ca3ade ] + +The same bug as in the disconnect code path also exists +in the case of a failure late during the probe process. +The flag must also be set. + +Signed-off-by: Oliver Neukum +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://patch.msgid.link/20241010131934.1499695-1-oneukum@suse.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 47a587dae7463..2945e336505bf 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1872,6 +1872,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + * may trigger an error resubmitting itself and, worse, + * schedule a timer. So we kill it all just in case. + */ ++ usbnet_mark_going_away(dev); + cancel_work_sync(&dev->kevent); + del_timer_sync(&dev->delay); + free_percpu(net->tstats); +-- +2.43.0 + diff --git a/queue-5.15/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch b/queue-5.15/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch new file mode 100644 index 00000000000..c63c7d53996 --- /dev/null +++ b/queue-5.15/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch @@ -0,0 +1,46 @@ +From ae7afbade5c619526a382e098f18f10cfb3e3594 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:37:04 +0800 +Subject: net: xilinx: axienet: fix potential memory leak in + axienet_start_xmit() + +From: Wang Hai + +[ Upstream commit 99714e37e8333bbc22496fe80f241d5b35380e83 ] + +The axienet_start_xmit() returns NETDEV_TX_OK without freeing skb +in case of dma_map_single() fails, add dev_kfree_skb_any() to fix it. + +Fixes: 71791dc8bdea ("net: axienet: Check for DMA mapping errors") +Signed-off-by: Wang Hai +Reviewed-by: Radhey Shyam Pandey +Link: https://patch.msgid.link/20241014143704.31938-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index f9921e372a2f4..56a970357f450 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -868,6 +868,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + if (net_ratelimit()) + netdev_err(ndev, "TX DMA mapping error\n"); + ndev->stats.tx_dropped++; ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + desc_set_phys_addr(lp, phys, cur_p); +@@ -888,6 +889,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + ndev->stats.tx_dropped++; + axienet_free_tx_chain(lp, orig_tail_ptr, ii + 1, + true, NULL, 0); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + desc_set_phys_addr(lp, phys, cur_p); +-- +2.43.0 + diff --git a/queue-5.15/octeontx2-af-fix-potential-integer-overflows-on-inte.patch b/queue-5.15/octeontx2-af-fix-potential-integer-overflows-on-inte.patch new file mode 100644 index 00000000000..5b2dbd08687 --- /dev/null +++ b/queue-5.15/octeontx2-af-fix-potential-integer-overflows-on-inte.patch @@ -0,0 +1,49 @@ +From d212f106f9b3a8437729f0e2beb06f980d7da4ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 16:45:19 +0100 +Subject: octeontx2-af: Fix potential integer overflows on integer shifts + +From: Colin Ian King + +[ Upstream commit 637c4f6fe40befa04f19c38b5d15429cbb9191d9 ] + +The left shift int 32 bit integer constants 1 is evaluated using 32 bit +arithmetic and then assigned to a 64 bit unsigned integer. In the case +where the shift is 32 or more this can lead to an overflow. Avoid this +by shifting using the BIT_ULL macro instead. + +Fixes: 019aba04f08c ("octeontx2-af: Modify SMQ flush sequence to drop packets") +Signed-off-by: Colin Ian King +Reviewed-by: Dan Carpenter +Link: https://patch.msgid.link/20241010154519.768785-1-colin.i.king@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index f2e1c63035e85..8bdde74b34b6d 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -2239,7 +2239,7 @@ static int nix_smq_flush(struct rvu *rvu, int blkaddr, + NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link)); + if (!(cfg & BIT_ULL(12))) + continue; +- bmap |= (1 << i); ++ bmap |= BIT_ULL(i); + cfg &= ~BIT_ULL(12); + rvu_write64(rvu, blkaddr, + NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link), cfg); +@@ -2260,7 +2260,7 @@ static int nix_smq_flush(struct rvu *rvu, int blkaddr, + + /* Set NIX_AF_TL3_TL2_LINKX_CFG[ENA] for the TL3/TL2 queue */ + for (i = 0; i < (rvu->hw->cgx_links + rvu->hw->lbk_links); i++) { +- if (!(bmap & (1 << i))) ++ if (!(bmap & BIT_ULL(i))) + continue; + cfg = rvu_read64(rvu, blkaddr, + NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link)); +-- +2.43.0 + diff --git a/queue-5.15/rdma-bnxt_re-add-a-check-for-memory-allocation.patch b/queue-5.15/rdma-bnxt_re-add-a-check-for-memory-allocation.patch new file mode 100644 index 00000000000..394ded947bb --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-add-a-check-for-memory-allocation.patch @@ -0,0 +1,40 @@ +From ed33bc1abb0349abcc769bb36d374230e07a7b2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:58 -0700 +Subject: RDMA/bnxt_re: Add a check for memory allocation + +From: Kalesh AP + +[ Upstream commit c5c1ae73b7741fa3b58e6e001b407825bb971225 ] + +__alloc_pbl() can return error when memory allocation fails. +Driver is not checking the status on one of the instances. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Link: https://patch.msgid.link/r/1726715161-18941-4-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 384d41072c63c..00ef5f99929c4 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -243,6 +243,8 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + sginfo.pgsize = npde * pg_size; + sginfo.npages = 1; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo); ++ if (rc) ++ goto fail; + + /* Alloc PBL pages */ + sginfo.npages = npbl; +-- +2.43.0 + diff --git a/queue-5.15/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch b/queue-5.15/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch new file mode 100644 index 00000000000..7829233e12a --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch @@ -0,0 +1,59 @@ +From 731a7c719fb793e6753609ca62464aa8a487edfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:41 -0700 +Subject: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages + +From: Bhargava Chenna Marreddy + +[ Upstream commit 7988bdbbb85ac85a847baf09879edcd0f70521dc ] + +Avoid memory corruption while setting up Level-2 PBL pages for the non MR +resources when num_pages > 256K. + +There will be a single PDE page address (contiguous pages in the case of > +PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid +memory access after 256K PBL entries in the PDE. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Link: https://patch.msgid.link/r/1728373302-19530-10-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Bhargava Chenna Marreddy +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 19 +++---------------- + 1 file changed, 3 insertions(+), 16 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 00ef5f99929c4..401cb3e22f310 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -256,22 +256,9 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + dst_virt_ptr = + (dma_addr_t **)hwq->pbl[PBL_LVL_0].pg_arr; + src_phys_ptr = hwq->pbl[PBL_LVL_1].pg_map_arr; +- if (hwq_attr->type == HWQ_TYPE_MR) { +- /* For MR it is expected that we supply only 1 contigous +- * page i.e only 1 entry in the PDL that will contain +- * all the PBLs for the user supplied memory region +- */ +- for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; +- i++) +- dst_virt_ptr[0][i] = src_phys_ptr[i] | +- flag; +- } else { +- for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; +- i++) +- dst_virt_ptr[PTR_PG(i)][PTR_IDX(i)] = +- src_phys_ptr[i] | +- PTU_PDE_VALID; +- } ++ for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; i++) ++ dst_virt_ptr[0][i] = src_phys_ptr[i] | flag; ++ + /* Alloc or init PTEs */ + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_2], + hwq_attr->sginfo); +-- +2.43.0 + diff --git a/queue-5.15/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch b/queue-5.15/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch new file mode 100644 index 00000000000..3e185bdfeb5 --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch @@ -0,0 +1,47 @@ +From 598e4133a83b5e6362f33866414e97addc907147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:57 -0700 +Subject: RDMA/bnxt_re: Fix incorrect AVID type in WQE structure + +From: Saravanan Vajravel + +[ Upstream commit 9ab20f76ae9fad55ebaf36bdff04aea1c2552374 ] + +Driver uses internal data structure to construct WQE frame. +It used avid type as u16 which can accommodate up to 64K AVs. +When outstanding AVID crosses 64K, driver truncates AVID and +hence it uses incorrect AVID to WR. This leads to WR failure +due to invalid AV ID and QP is moved to error state with reason +set to 19 (INVALID AVID). When RDMA CM path is used, this issue +hits QP1 and it is moved to error state + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://patch.msgid.link/r/1726715161-18941-3-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Selvin Xavier +Reviewed-by: Chandramohan Akula +Signed-off-by: Saravanan Vajravel +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +index 4f1a845f9be6c..57a3dae87f659 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +@@ -169,7 +169,7 @@ struct bnxt_qplib_swqe { + }; + u32 q_key; + u32 dst_qp; +- u16 avid; ++ u32 avid; + } send; + + /* Send Raw Ethernet and QP1 */ +-- +2.43.0 + diff --git a/queue-5.15/rdma-bnxt_re-return-more-meaningful-error.patch b/queue-5.15/rdma-bnxt_re-return-more-meaningful-error.patch new file mode 100644 index 00000000000..a9bae0a63fc --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-return-more-meaningful-error.patch @@ -0,0 +1,41 @@ +From 7193944e223c14986a7ba87ef4db8ebed1362764 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:36 -0700 +Subject: RDMA/bnxt_re: Return more meaningful error + +From: Kalesh AP + +[ Upstream commit 98647df0178df215b8239c5c365537283b2852a6 ] + +When the HWRM command fails, driver currently returns -EFAULT(Bad +address). This does not look correct. + +Modified to return -EIO(I/O error). + +Fixes: cc1ec769b87c ("RDMA/bnxt_re: Fixing the Control path command and response handling") +Fixes: 65288a22ddd8 ("RDMA/bnxt_re: use shadow qd while posting non blocking rcfw command") +Link: https://patch.msgid.link/r/1728373302-19530-5-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 3b8cb46551bf2..8d5557e3056c4 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -249,7 +249,7 @@ int bnxt_qplib_rcfw_send_message(struct bnxt_qplib_rcfw *rcfw, + /* failed with status */ + dev_err(&rcfw->pdev->dev, "cmdq[%#x]=%#x status %#x\n", + cookie, opcode, evnt->status); +- rc = -EFAULT; ++ rc = -EIO; + } + + return rc; +-- +2.43.0 + diff --git a/queue-5.15/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch b/queue-5.15/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch new file mode 100644 index 00000000000..1eb3cccf2a6 --- /dev/null +++ b/queue-5.15/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch @@ -0,0 +1,65 @@ +From 83de70e62cb02a7a6709da095eba819ac80650eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 18:53:11 +0530 +Subject: RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP + +From: Anumula Murali Mohan Reddy + +[ Upstream commit c659b405b82ead335bee6eb33f9691bf718e21e8 ] + +ip_dev_find() always returns real net_device address, whether traffic is +running on a vlan or real device, if traffic is over vlan, filling +endpoint struture with real ndev and an attempt to send a connect request +will results in RDMA_CM_EVENT_UNREACHABLE error. This patch fixes the +issue by using vlan_dev_real_dev(). + +Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address") +Link: https://patch.msgid.link/r/20241007132311.70593-1-anumula@chelsio.com +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index e6343c89c892e..3efd06d5f7e70 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -2086,7 +2086,7 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + err = -ENOMEM; + if (n->dev->flags & IFF_LOOPBACK) { + if (iptype == 4) +- pdev = ip_dev_find(&init_net, *(__be32 *)peer_ip); ++ pdev = __ip_dev_find(&init_net, *(__be32 *)peer_ip, false); + else if (IS_ENABLED(CONFIG_IPV6)) + for_each_netdev(&init_net, pdev) { + if (ipv6_chk_addr(&init_net, +@@ -2101,12 +2101,12 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + err = -ENODEV; + goto out; + } ++ if (is_vlan_dev(pdev)) ++ pdev = vlan_dev_real_dev(pdev); + ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t, + n, pdev, rt_tos2priority(tos)); +- if (!ep->l2t) { +- dev_put(pdev); ++ if (!ep->l2t) + goto out; +- } + ep->mtu = pdev->mtu; + ep->tx_chan = cxgb4_port_chan(pdev); + ep->smac_idx = ((struct port_info *)netdev_priv(pdev))->smt_idx; +@@ -2119,7 +2119,6 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + ep->rss_qid = cdev->rdev.lldi.rxq_ids[ + cxgb4_port_idx(pdev) * step]; + set_tcp_window(ep, (struct port_info *)netdev_priv(pdev)); +- dev_put(pdev); + } else { + pdev = get_real_dev(n->dev); + ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t, +-- +2.43.0 + diff --git a/queue-5.15/rdma-irdma-fix-misspelling-of-accept.patch b/queue-5.15/rdma-irdma-fix-misspelling-of-accept.patch new file mode 100644 index 00000000000..2ea2a704b4b --- /dev/null +++ b/queue-5.15/rdma-irdma-fix-misspelling-of-accept.patch @@ -0,0 +1,37 @@ +From 636f6f1e2c2e52a99091efb527ebf380a595b6c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 18:19:13 +0200 +Subject: RDMA/irdma: Fix misspelling of "accept*" + +From: Alexander Zubkov + +[ Upstream commit 8cddfa535c931b8d8110c73bfed7354a94cbf891 ] + +There is "accept*" misspelled as "accpet*" in the comments. Fix the +spelling. + +Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager") +Link: https://patch.msgid.link/r/20241008161913.19965-1-green@qrator.net +Signed-off-by: Alexander Zubkov +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c +index 64d4bb0e9a12f..d2c6a1bcf1de9 100644 +--- a/drivers/infiniband/hw/irdma/cm.c ++++ b/drivers/infiniband/hw/irdma/cm.c +@@ -3582,7 +3582,7 @@ void irdma_free_lsmm_rsrc(struct irdma_qp *iwqp) + /** + * irdma_accept - registered call for connection to be accepted + * @cm_id: cm information for passive connection +- * @conn_param: accpet parameters ++ * @conn_param: accept parameters + */ + int irdma_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + { +-- +2.43.0 + diff --git a/queue-5.15/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch b/queue-5.15/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch new file mode 100644 index 00000000000..310bc92865d --- /dev/null +++ b/queue-5.15/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch @@ -0,0 +1,38 @@ +From 1e9b9f1039c5df8e832d1c35bd6c8f6344919fc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 17:52:39 +0200 +Subject: s390: Initialize psw mask in perf_arch_fetch_caller_regs() + +From: Heiko Carstens + +[ Upstream commit 223e7fb979fa06934f1595b6ad0ae1d4ead1147f ] + +Also initialize regs->psw.mask in perf_arch_fetch_caller_regs(). +This way user_mode(regs) will return false, like it should. + +It looks like all current users initialize regs to zero, so that this +doesn't fix a bug currently. However it is better to not rely on callers +to do this. + +Fixes: 914d52e46490 ("s390: implement perf_arch_fetch_caller_regs") +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/perf_event.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/include/asm/perf_event.h b/arch/s390/include/asm/perf_event.h +index b9da71632827f..ea340b9018398 100644 +--- a/arch/s390/include/asm/perf_event.h ++++ b/arch/s390/include/asm/perf_event.h +@@ -75,6 +75,7 @@ struct perf_sf_sde_regs { + #define SAMPLE_FREQ_MODE(hwc) (SAMPL_FLAGS(hwc) & PERF_CPUM_SF_FREQ_MODE) + + #define perf_arch_fetch_caller_regs(regs, __ip) do { \ ++ (regs)->psw.mask = 0; \ + (regs)->psw.addr = (__ip); \ + (regs)->gprs[15] = (unsigned long)__builtin_frame_address(0) - \ + offsetof(struct stack_frame, back_chain); \ +-- +2.43.0 + diff --git a/queue-5.15/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch b/queue-5.15/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch new file mode 100644 index 00000000000..33a51d7bfb3 --- /dev/null +++ b/queue-5.15/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch @@ -0,0 +1,54 @@ +From dbfc7797847f1ca6334ce3d936a72fd810d9a8f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 19:34:44 +0800 +Subject: scsi: target: core: Fix null-ptr-deref in target_alloc_device() + +From: Wang Hai + +[ Upstream commit fca6caeb4a61d240f031914413fcc69534f6dc03 ] + +There is a null-ptr-deref issue reported by KASAN: + +BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod] +... + kasan_report+0xb9/0xf0 + target_alloc_device+0xbc4/0xbe0 [target_core_mod] + core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod] + target_core_init_configfs+0x205/0x420 [target_core_mod] + do_one_initcall+0xdd/0x4e0 +... + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +In target_alloc_device(), if allocing memory for dev queues fails, then +dev will be freed by dev->transport->free_device(), but dev->transport +is not initialized at that time, which will lead to a null pointer +reference problem. + +Fixing this bug by freeing dev with hba->backend->ops->free_device(). + +Fixes: 1526d9f10c61 ("scsi: target: Make state_list per CPU") +Signed-off-by: Wang Hai +Link: https://lore.kernel.org/r/20241011113444.40749-1-wanghai38@huawei.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index d4185c1bed8a8..1fcac654cfaa4 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -724,7 +724,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) + + dev->queues = kcalloc(nr_cpu_ids, sizeof(*dev->queues), GFP_KERNEL); + if (!dev->queues) { +- dev->transport->free_device(dev); ++ hba->backend->ops->free_device(dev); + return NULL; + } + +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index e69de29bb2d..34669e63883 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -0,0 +1,38 @@ +bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch +bpf-devmap-provide-rxq-after-redirect.patch +rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch +rdma-bnxt_re-add-a-check-for-memory-allocation.patch +x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch +arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch +alsa-hda-cs8409-fix-possible-null-dereference.patch +rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch +rdma-irdma-fix-misspelling-of-accept.patch +ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch +rdma-bnxt_re-return-more-meaningful-error.patch +rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch +drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch +drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch +drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch +net-usb-usbnet-fix-race-in-probe-failure.patch +octeontx2-af-fix-potential-integer-overflows-on-inte.patch +macsec-don-t-increment-counters-for-an-unrelated-sa.patch +net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch +net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch +net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch +net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch +tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch +genetlink-hold-rcu-in-genlmsg_mcast.patch +scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch +smb-client-fix-oobs-when-building-smb2_ioctl-request.patch +usb-typec-altmode-should-keep-reference-to-parent.patch +s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch +bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch +arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch +arm64-probes-fix-uprobes-for-big-endian-kernels.patch +kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch +kvm-s390-gaccess-refactor-access-address-range-check.patch +kvm-s390-gaccess-cleanup-access-to-guest-pages.patch +kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch +usb-gadget-add-function-wakeup-support.patch +xhci-separate-port-and-caps-macros-into-dedicated-fi.patch +usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch diff --git a/queue-5.15/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch b/queue-5.15/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch new file mode 100644 index 00000000000..3fc4395fb39 --- /dev/null +++ b/queue-5.15/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch @@ -0,0 +1,107 @@ +From 7fb90e3a0e4c049c654570bcd0586f443fcdfafb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 19:04:04 -0300 +Subject: smb: client: fix OOBs when building SMB2_IOCTL request + +From: Paulo Alcantara + +[ Upstream commit 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 ] + +When using encryption, either enforced by the server or when using +'seal' mount option, the client will squash all compound request buffers +down for encryption into a single iov in smb2_set_next_command(). + +SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the +SMB2_IOCTL request in the first iov, and if the user passes an input +buffer that is greater than 328 bytes, smb2_set_next_command() will +end up writing off the end of @rqst->iov[0].iov_base as shown below: + + mount.cifs //srv/share /mnt -o ...,seal + ln -s $(perl -e "print('a')for 1..1024") /mnt/link + + BUG: KASAN: slab-out-of-bounds in + smb2_set_next_command.cold+0x1d6/0x24c [cifs] + Write of size 4116 at addr ffff8881148fcab8 by task ln/859 + + CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS + 1.16.3-2.fc40 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x80 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + print_report+0x156/0x4d9 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + ? __virt_addr_valid+0x145/0x310 + ? __phys_addr+0x46/0x90 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + kasan_report+0xda/0x110 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + kasan_check_range+0x10f/0x1f0 + __asan_memcpy+0x3c/0x60 + smb2_set_next_command.cold+0x1d6/0x24c [cifs] + smb2_compound_op+0x238c/0x3840 [cifs] + ? kasan_save_track+0x14/0x30 + ? kasan_save_free_info+0x3b/0x70 + ? vfs_symlink+0x1a1/0x2c0 + ? do_symlinkat+0x108/0x1c0 + ? __pfx_smb2_compound_op+0x10/0x10 [cifs] + ? kmem_cache_free+0x118/0x3e0 + ? cifs_get_writable_path+0xeb/0x1a0 [cifs] + smb2_get_reparse_inode+0x423/0x540 [cifs] + ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs] + ? rcu_is_watching+0x20/0x50 + ? __kmalloc_noprof+0x37c/0x480 + ? smb2_create_reparse_symlink+0x257/0x490 [cifs] + ? smb2_create_reparse_symlink+0x38f/0x490 [cifs] + smb2_create_reparse_symlink+0x38f/0x490 [cifs] + ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] + ? find_held_lock+0x8a/0xa0 + ? hlock_class+0x32/0xb0 + ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs] + cifs_symlink+0x24f/0x960 [cifs] + ? __pfx_make_vfsuid+0x10/0x10 + ? __pfx_cifs_symlink+0x10/0x10 [cifs] + ? make_vfsgid+0x6b/0xc0 + ? generic_permission+0x96/0x2d0 + vfs_symlink+0x1a1/0x2c0 + do_symlinkat+0x108/0x1c0 + ? __pfx_do_symlinkat+0x10/0x10 + ? strncpy_from_user+0xaa/0x160 + __x64_sys_symlinkat+0xb9/0xf0 + do_syscall_64+0xbb/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7f08d75c13bb + +Reported-by: David Howells +Fixes: e77fe73c7e38 ("cifs: we can not use small padding iovs together with encryption") +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2pdu.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 61b18f802048f..bd7aeb4dcacfc 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -3028,6 +3028,15 @@ SMB2_ioctl_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server, + return rc; + + if (indatalen) { ++ unsigned int len; ++ ++ if (WARN_ON_ONCE(smb3_encryption_required(tcon) && ++ (check_add_overflow(total_len - 1, ++ ALIGN(indatalen, 8), &len) || ++ len > MAX_CIFS_SMALL_BUFFER_SIZE))) { ++ cifs_small_buf_release(req); ++ return -EIO; ++ } + /* + * indatalen is usually small at a couple of bytes max, so + * just allocate through generic pool +-- +2.43.0 + diff --git a/queue-5.15/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch b/queue-5.15/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch new file mode 100644 index 00000000000..388c228e505 --- /dev/null +++ b/queue-5.15/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch @@ -0,0 +1,180 @@ +From a2f243da97056c2f51b5d30d770ce10544bc40c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 15:33:12 -0700 +Subject: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). + +From: Kuniyuki Iwashima + +[ Upstream commit e8c526f2bdf1845bedaf6a478816a3d06fa78b8f ] + +Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). + + """ + We are seeing a use-after-free from a bpf prog attached to + trace_tcp_retransmit_synack. The program passes the req->sk to the + bpf_sk_storage_get_tracing kernel helper which does check for null + before using it. + """ + +The commit 83fccfc3940c ("inet: fix potential deadlock in +reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not +to call del_timer_sync() from reqsk_timer_handler(), but it introduced a +small race window. + +Before the timer is called, expire_timers() calls detach_timer(timer, true) +to clear timer->entry.pprev and marks it as not pending. + +If reqsk_queue_unlink() checks timer_pending() just after expire_timers() +calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will +continue running and send multiple SYN+ACKs until it expires. + +The reported UAF could happen if req->sk is close()d earlier than the timer +expiration, which is 63s by default. + +The scenario would be + + 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), + but del_timer_sync() is missed + + 2. reqsk timer is executed and scheduled again + + 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but + reqsk timer still has another one, and inet_csk_accept() does not + clear req->sk for non-TFO sockets + + 4. sk is close()d + + 5. reqsk timer is executed again, and BPF touches req->sk + +Let's not use timer_pending() by passing the caller context to +__inet_csk_reqsk_queue_drop(). + +Note that reqsk timer is pinned, so the issue does not happen in most +use cases. [1] + +[0] +BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 + +Use-after-free read at 0x00000000a891fb3a (in kfence-#1): +bpf_sk_storage_get_tracing+0x2e/0x1b0 +bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda +bpf_trace_run2+0x4c/0xc0 +tcp_rtx_synack+0xf9/0x100 +reqsk_timer_handler+0xda/0x3d0 +run_timer_softirq+0x292/0x8a0 +irq_exit_rcu+0xf5/0x320 +sysvec_apic_timer_interrupt+0x6d/0x80 +asm_sysvec_apic_timer_interrupt+0x16/0x20 +intel_idle_irq+0x5a/0xa0 +cpuidle_enter_state+0x94/0x273 +cpu_startup_entry+0x15e/0x260 +start_secondary+0x8a/0x90 +secondary_startup_64_no_verify+0xfa/0xfb + +kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 + +allocated by task 0 on cpu 9 at 260507.901592s: +sk_prot_alloc+0x35/0x140 +sk_clone_lock+0x1f/0x3f0 +inet_csk_clone_lock+0x15/0x160 +tcp_create_openreq_child+0x1f/0x410 +tcp_v6_syn_recv_sock+0x1da/0x700 +tcp_check_req+0x1fb/0x510 +tcp_v6_rcv+0x98b/0x1420 +ipv6_list_rcv+0x2258/0x26e0 +napi_complete_done+0x5b1/0x2990 +mlx5e_napi_poll+0x2ae/0x8d0 +net_rx_action+0x13e/0x590 +irq_exit_rcu+0xf5/0x320 +common_interrupt+0x80/0x90 +asm_common_interrupt+0x22/0x40 +cpuidle_enter_state+0xfb/0x273 +cpu_startup_entry+0x15e/0x260 +start_secondary+0x8a/0x90 +secondary_startup_64_no_verify+0xfa/0xfb + +freed by task 0 on cpu 9 at 260507.927527s: +rcu_core_si+0x4ff/0xf10 +irq_exit_rcu+0xf5/0x320 +sysvec_apic_timer_interrupt+0x6d/0x80 +asm_sysvec_apic_timer_interrupt+0x16/0x20 +cpuidle_enter_state+0xfb/0x273 +cpu_startup_entry+0x15e/0x260 +start_secondary+0x8a/0x90 +secondary_startup_64_no_verify+0xfa/0xfb + +Fixes: 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") +Reported-by: Martin KaFai Lau +Closes: https://lore.kernel.org/netdev/eb6684d0-ffd9-4bdc-9196-33f690c25824@linux.dev/ +Link: https://lore.kernel.org/netdev/b55e2ca0-42f2-4b7c-b445-6ffd87ca74a0@linux.dev/ [1] +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Reviewed-by: Martin KaFai Lau +Link: https://patch.msgid.link/20241014223312.4254-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_connection_sock.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 75c2f7ffe5be4..63e5aa6d4b0bc 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -791,21 +791,31 @@ static bool reqsk_queue_unlink(struct request_sock *req) + found = __sk_nulls_del_node_init_rcu(req_to_sk(req)); + spin_unlock(lock); + } +- if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) +- reqsk_put(req); ++ + return found; + } + +-bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req) ++static bool __inet_csk_reqsk_queue_drop(struct sock *sk, ++ struct request_sock *req, ++ bool from_timer) + { + bool unlinked = reqsk_queue_unlink(req); + ++ if (!from_timer && timer_delete_sync(&req->rsk_timer)) ++ reqsk_put(req); ++ + if (unlinked) { + reqsk_queue_removed(&inet_csk(sk)->icsk_accept_queue, req); + reqsk_put(req); + } ++ + return unlinked; + } ++ ++bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req) ++{ ++ return __inet_csk_reqsk_queue_drop(sk, req, false); ++} + EXPORT_SYMBOL(inet_csk_reqsk_queue_drop); + + void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req) +@@ -898,7 +908,7 @@ static void reqsk_timer_handler(struct timer_list *t) + + if (!inet_ehash_insert(req_to_sk(nreq), req_to_sk(oreq), NULL)) { + /* delete timer */ +- inet_csk_reqsk_queue_drop(sk_listener, nreq); ++ __inet_csk_reqsk_queue_drop(sk_listener, nreq, true); + goto no_ownership; + } + +@@ -924,7 +934,8 @@ static void reqsk_timer_handler(struct timer_list *t) + } + + drop: +- inet_csk_reqsk_queue_drop_and_put(oreq->rsk_listener, oreq); ++ __inet_csk_reqsk_queue_drop(sk_listener, oreq, true); ++ reqsk_put(req); + } + + static bool reqsk_queue_hash_req(struct request_sock *req, +-- +2.43.0 + diff --git a/queue-5.15/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch b/queue-5.15/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch new file mode 100644 index 00000000000..f9ed80a9cda --- /dev/null +++ b/queue-5.15/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch @@ -0,0 +1,111 @@ +From d841ea02c8b97e3b3c55c580911a2d2aea4b1720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 13:53:24 +0300 +Subject: usb: dwc3: core: Fix system suspend on TI AM62 platforms + +From: Roger Quadros + +[ Upstream commit 705e3ce37bccdf2ed6f848356ff355f480d51a91 ] + +Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"), +system suspend is broken on AM62 TI platforms. + +Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY +bits (hence forth called 2 SUSPHY bits) were being set during core +initialization and even during core re-initialization after a system +suspend/resume. + +These bits are required to be set for system suspend/resume to work correctly +on AM62 platforms. + +Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget +driver is not loaded and started. +For Host mode, the 2 SUSPHY bits are set before the first system suspend but +get cleared at system resume during core re-init and are never set again. + +This patch resovles these two issues by ensuring the 2 SUSPHY bits are set +before system suspend and restored to the original state during system resume. + +Cc: stable@vger.kernel.org # v6.9+ +Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init") +Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/ +Signed-off-by: Roger Quadros +Acked-by: Thinh Nguyen +Tested-by: Markus Schneider-Pargmann +Reviewed-by: Dhruva Gole +Link: https://lore.kernel.org/r/20241011-am62-lpm-usb-v3-1-562d445625b5@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 19 +++++++++++++++++++ + drivers/usb/dwc3/core.h | 3 +++ + 2 files changed, 22 insertions(+) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 6c740dc633e7c..0ca06a3ab7179 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1796,6 +1796,11 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) + { + u32 reg; + ++ dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & ++ DWC3_GUSB2PHYCFG_SUSPHY) || ++ (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) & ++ DWC3_GUSB3PIPECTL_SUSPHY); ++ + switch (dwc->current_dr_role) { + case DWC3_GCTL_PRTCAP_DEVICE: + if (pm_runtime_suspended(dwc->dev)) +@@ -1843,6 +1848,15 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) + break; + } + ++ if (!PMSG_IS_AUTO(msg)) { ++ /* ++ * TI AM62 platform requires SUSPHY to be ++ * enabled for system suspend to work. ++ */ ++ if (!dwc->susphy_state) ++ dwc3_enable_susphy(dwc, true); ++ } ++ + return 0; + } + +@@ -1905,6 +1919,11 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg) + break; + } + ++ if (!PMSG_IS_AUTO(msg)) { ++ /* restore SUSPHY state to that before system suspend. */ ++ dwc3_enable_susphy(dwc, dwc->susphy_state); ++ } ++ + return 0; + } + +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 7e7820ce21bf5..3d434c110bdb6 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -1085,6 +1085,8 @@ struct dwc3_scratchpad_array { + * @dis_metastability_quirk: set to disable metastability quirk. + * @dis_split_quirk: set to disable split boundary. + * @suspended: set to track suspend event due to U3/L2. ++ * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY + DWC3_GUSB3PIPECTL_SUSPHY ++ * before PM suspend. + * @imod_interval: set the interrupt moderation interval in 250ns + * increments or 0 to disable. + * @max_cfg_eps: current max number of IN eps used across all USB configs. +@@ -1300,6 +1302,7 @@ struct dwc3 { + unsigned dis_split_quirk:1; + unsigned async_callbacks:1; + unsigned suspended:1; ++ unsigned susphy_state:1; + + u16 imod_interval; + +-- +2.43.0 + diff --git a/queue-5.15/usb-gadget-add-function-wakeup-support.patch b/queue-5.15/usb-gadget-add-function-wakeup-support.patch new file mode 100644 index 00000000000..3784703dfa6 --- /dev/null +++ b/queue-5.15/usb-gadget-add-function-wakeup-support.patch @@ -0,0 +1,126 @@ +From 486fc15c2e0fb17e139d15c8379ad36d7d70694b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 14:47:59 -0700 +Subject: usb: gadget: Add function wakeup support + +From: Elson Roy Serrao + +[ Upstream commit f0db885fb05d35befa81896db6b19eb3ee9ccdfe ] + +USB3.2 spec section 9.2.5.4 quotes that a function may signal that +it wants to exit from Function Suspend by sending a Function +Wake Notification to the host if it is enabled for function +remote wakeup. Add an api in composite layer that can be used +by the function drivers to support this feature. Also expose +a gadget op so that composite layer can trigger a wakeup request +to the UDC driver. + +Reviewed-by: Thinh Nguyen +Signed-off-by: Elson Roy Serrao +Link: https://lore.kernel.org/r/1679694482-16430-4-git-send-email-quic_eserrao@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 705e3ce37bcc ("usb: dwc3: core: Fix system suspend on TI AM62 platforms") +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/composite.c | 40 ++++++++++++++++++++++++++++++++++ + include/linux/usb/composite.h | 6 +++++ + include/linux/usb/gadget.h | 1 + + 3 files changed, 47 insertions(+) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 3f035e905b242..1052ca4e29bc1 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -477,6 +477,46 @@ int usb_interface_id(struct usb_configuration *config, + } + EXPORT_SYMBOL_GPL(usb_interface_id); + ++/** ++ * usb_func_wakeup - sends function wake notification to the host. ++ * @func: function that sends the remote wakeup notification. ++ * ++ * Applicable to devices operating at enhanced superspeed when usb ++ * functions are put in function suspend state and armed for function ++ * remote wakeup. On completion, function wake notification is sent. If ++ * the device is in low power state it tries to bring the device to active ++ * state before sending the wake notification. Since it is a synchronous ++ * call, caller must take care of not calling it in interrupt context. ++ * For devices operating at lower speeds returns negative errno. ++ * ++ * Returns zero on success, else negative errno. ++ */ ++int usb_func_wakeup(struct usb_function *func) ++{ ++ struct usb_gadget *gadget = func->config->cdev->gadget; ++ int id; ++ ++ if (!gadget->ops->func_wakeup) ++ return -EOPNOTSUPP; ++ ++ if (!func->func_wakeup_armed) { ++ ERROR(func->config->cdev, "not armed for func remote wakeup\n"); ++ return -EINVAL; ++ } ++ ++ for (id = 0; id < MAX_CONFIG_INTERFACES; id++) ++ if (func->config->interface[id] == func) ++ break; ++ ++ if (id == MAX_CONFIG_INTERFACES) { ++ ERROR(func->config->cdev, "Invalid function\n"); ++ return -EINVAL; ++ } ++ ++ return gadget->ops->func_wakeup(gadget, id); ++} ++EXPORT_SYMBOL_GPL(usb_func_wakeup); ++ + static u8 encode_bMaxPower(enum usb_device_speed speed, + struct usb_configuration *c) + { +diff --git a/include/linux/usb/composite.h b/include/linux/usb/composite.h +index 0399d1226323b..456fca4d6a253 100644 +--- a/include/linux/usb/composite.h ++++ b/include/linux/usb/composite.h +@@ -163,6 +163,9 @@ struct usb_os_desc_table { + * GetStatus() request when the recipient is Interface. + * @func_suspend: callback to be called when + * SetFeature(FUNCTION_SUSPEND) is reseived ++ * @func_suspended: Indicates whether the function is in function suspend state. ++ * @func_wakeup_armed: Indicates whether the function is armed by the host for ++ * wakeup signaling. + * + * A single USB function uses one or more interfaces, and should in most + * cases support operation at both full and high speeds. Each function is +@@ -233,6 +236,8 @@ struct usb_function { + int (*get_status)(struct usb_function *); + int (*func_suspend)(struct usb_function *, + u8 suspend_opt); ++ bool func_suspended; ++ bool func_wakeup_armed; + /* private: */ + /* internals */ + struct list_head list; +@@ -254,6 +259,7 @@ int config_ep_by_speed_and_alt(struct usb_gadget *g, struct usb_function *f, + + int config_ep_by_speed(struct usb_gadget *g, struct usb_function *f, + struct usb_ep *_ep); ++int usb_func_wakeup(struct usb_function *func); + + #define MAX_CONFIG_INTERFACES 16 /* arbitrary; max 255 */ + +diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h +index c5bc739266ed6..e4feeaa8bab30 100644 +--- a/include/linux/usb/gadget.h ++++ b/include/linux/usb/gadget.h +@@ -311,6 +311,7 @@ struct usb_udc; + struct usb_gadget_ops { + int (*get_frame)(struct usb_gadget *); + int (*wakeup)(struct usb_gadget *); ++ int (*func_wakeup)(struct usb_gadget *gadget, int intf_id); + int (*set_remote_wakeup)(struct usb_gadget *, int set); + int (*set_selfpowered) (struct usb_gadget *, int is_selfpowered); + int (*vbus_session) (struct usb_gadget *, int is_active); +-- +2.43.0 + diff --git a/queue-5.15/usb-typec-altmode-should-keep-reference-to-parent.patch b/queue-5.15/usb-typec-altmode-should-keep-reference-to-parent.patch new file mode 100644 index 00000000000..e93a11e193a --- /dev/null +++ b/queue-5.15/usb-typec-altmode-should-keep-reference-to-parent.patch @@ -0,0 +1,130 @@ +From 168a01d137c04a4728f49bc5f5a6f215cef72b07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 09:37:38 -0300 +Subject: usb: typec: altmode should keep reference to parent + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit befab3a278c59db0cc88c8799638064f6d3fd6f8 ] + +The altmode device release refers to its parent device, but without keeping +a reference to it. + +When registering the altmode, get a reference to the parent and put it in +the release function. + +Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues +like this: + +[ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000) +[ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 46.612867] ================================================================== +[ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129 +[ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48 +[ 46.614538] +[ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535 +[ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +[ 46.616042] Workqueue: events kobject_delayed_cleanup +[ 46.616446] Call Trace: +[ 46.616648] +[ 46.616820] dump_stack_lvl+0x5b/0x7c +[ 46.617112] ? typec_altmode_release+0x38/0x129 +[ 46.617470] print_report+0x14c/0x49e +[ 46.617769] ? rcu_read_unlock_sched+0x56/0x69 +[ 46.618117] ? __virt_addr_valid+0x19a/0x1ab +[ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d +[ 46.618807] ? typec_altmode_release+0x38/0x129 +[ 46.619161] kasan_report+0x8d/0xb4 +[ 46.619447] ? typec_altmode_release+0x38/0x129 +[ 46.619809] ? process_scheduled_works+0x3cb/0x85f +[ 46.620185] typec_altmode_release+0x38/0x129 +[ 46.620537] ? process_scheduled_works+0x3cb/0x85f +[ 46.620907] device_release+0xaf/0xf2 +[ 46.621206] kobject_delayed_cleanup+0x13b/0x17a +[ 46.621584] process_scheduled_works+0x4f6/0x85f +[ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10 +[ 46.622353] ? hlock_class+0x31/0x9a +[ 46.622647] ? lock_acquired+0x361/0x3c3 +[ 46.622956] ? move_linked_works+0x46/0x7d +[ 46.623277] worker_thread+0x1ce/0x291 +[ 46.623582] ? __kthread_parkme+0xc8/0xdf +[ 46.623900] ? __pfx_worker_thread+0x10/0x10 +[ 46.624236] kthread+0x17e/0x190 +[ 46.624501] ? kthread+0xfb/0x190 +[ 46.624756] ? __pfx_kthread+0x10/0x10 +[ 46.625015] ret_from_fork+0x20/0x40 +[ 46.625268] ? __pfx_kthread+0x10/0x10 +[ 46.625532] ret_from_fork_asm+0x1a/0x30 +[ 46.625805] +[ 46.625953] +[ 46.626056] Allocated by task 678: +[ 46.626287] kasan_save_stack+0x24/0x44 +[ 46.626555] kasan_save_track+0x14/0x2d +[ 46.626811] __kasan_kmalloc+0x3f/0x4d +[ 46.627049] __kmalloc_noprof+0x1bf/0x1f0 +[ 46.627362] typec_register_port+0x23/0x491 +[ 46.627698] cros_typec_probe+0x634/0xbb6 +[ 46.628026] platform_probe+0x47/0x8c +[ 46.628311] really_probe+0x20a/0x47d +[ 46.628605] device_driver_attach+0x39/0x72 +[ 46.628940] bind_store+0x87/0xd7 +[ 46.629213] kernfs_fop_write_iter+0x1aa/0x218 +[ 46.629574] vfs_write+0x1d6/0x29b +[ 46.629856] ksys_write+0xcd/0x13b +[ 46.630128] do_syscall_64+0xd4/0x139 +[ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 46.630820] +[ 46.630946] Freed by task 48: +[ 46.631182] kasan_save_stack+0x24/0x44 +[ 46.631493] kasan_save_track+0x14/0x2d +[ 46.631799] kasan_save_free_info+0x3f/0x4d +[ 46.632144] __kasan_slab_free+0x37/0x45 +[ 46.632474] kfree+0x1d4/0x252 +[ 46.632725] device_release+0xaf/0xf2 +[ 46.633017] kobject_delayed_cleanup+0x13b/0x17a +[ 46.633388] process_scheduled_works+0x4f6/0x85f +[ 46.633764] worker_thread+0x1ce/0x291 +[ 46.634065] kthread+0x17e/0x190 +[ 46.634324] ret_from_fork+0x20/0x40 +[ 46.634621] ret_from_fork_asm+0x1a/0x30 + +Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Heikki Krogerus +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241004123738.2964524-1-cascardo@igalia.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/class.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c +index 173d86d120daf..af75911899f53 100644 +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -501,6 +501,7 @@ static void typec_altmode_release(struct device *dev) + typec_altmode_put_partner(alt); + + altmode_id_remove(alt->adev.dev.parent, alt->id); ++ put_device(alt->adev.dev.parent); + kfree(alt); + } + +@@ -550,6 +551,8 @@ typec_register_altmode(struct device *parent, + alt->adev.dev.type = &typec_altmode_dev_type; + dev_set_name(&alt->adev.dev, "%s.%u", dev_name(parent), id); + ++ get_device(alt->adev.dev.parent); ++ + /* Link partners and plugs with the ports */ + if (!is_port) + typec_altmode_set_partner(alt); +-- +2.43.0 + diff --git a/queue-5.15/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch b/queue-5.15/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch new file mode 100644 index 00000000000..874f61c62ca --- /dev/null +++ b/queue-5.15/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch @@ -0,0 +1,102 @@ +From 8883d7371e8312733c30b4559a9683d5d83bfab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 13:43:56 +0200 +Subject: x86/resctrl: Avoid overflow in MB settings in bw_validate() + +From: Martin Kletzander + +[ Upstream commit 2b5648416e47933939dc310c4ea1e29404f35630 ] + +The resctrl schemata file supports specifying memory bandwidth associated with +the Memory Bandwidth Allocation (MBA) feature via a percentage (this is the +default) or bandwidth in MiBps (when resctrl is mounted with the "mba_MBps" +option). + +The allowed range for the bandwidth percentage is from +/sys/fs/resctrl/info/MB/min_bandwidth to 100, using a granularity of +/sys/fs/resctrl/info/MB/bandwidth_gran. The supported range for the MiBps +bandwidth is 0 to U32_MAX. + +There are two issues with parsing of MiBps memory bandwidth: + +* The user provided MiBps is mistakenly rounded up to the granularity + that is unique to percentage input. + +* The user provided MiBps is parsed using unsigned long (thus accepting + values up to ULONG_MAX), and then assigned to u32 that could result in + overflow. + +Do not round up the MiBps value and parse user provided bandwidth as the u32 +it is intended to be. Use the appropriate kstrtou32() that can detect out of +range values. + +Fixes: 8205a078ba78 ("x86/intel_rdt/mba_sc: Add schemata support") +Fixes: 6ce1560d35f6 ("x86/resctrl: Switch over to the resctrl mbps_val list") +Co-developed-by: Reinette Chatre +Signed-off-by: Reinette Chatre +Signed-off-by: Martin Kletzander +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Reinette Chatre +Reviewed-by: Tony Luck +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c +index 000e1467b4cde..d00909428b435 100644 +--- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c ++++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c +@@ -27,10 +27,10 @@ + * hardware. The allocated bandwidth percentage is rounded to the next + * control step available on the hardware. + */ +-static bool bw_validate(char *buf, unsigned long *data, struct rdt_resource *r) ++static bool bw_validate(char *buf, u32 *data, struct rdt_resource *r) + { +- unsigned long bw; + int ret; ++ u32 bw; + + /* + * Only linear delay values is supported for current Intel SKUs. +@@ -40,16 +40,21 @@ static bool bw_validate(char *buf, unsigned long *data, struct rdt_resource *r) + return false; + } + +- ret = kstrtoul(buf, 10, &bw); ++ ret = kstrtou32(buf, 10, &bw); + if (ret) { +- rdt_last_cmd_printf("Non-decimal digit in MB value %s\n", buf); ++ rdt_last_cmd_printf("Invalid MB value %s\n", buf); + return false; + } + +- if ((bw < r->membw.min_bw || bw > r->default_ctrl) && +- !is_mba_sc(r)) { +- rdt_last_cmd_printf("MB value %ld out of range [%d,%d]\n", bw, +- r->membw.min_bw, r->default_ctrl); ++ /* Nothing else to do if software controller is enabled. */ ++ if (is_mba_sc(r)) { ++ *data = bw; ++ return true; ++ } ++ ++ if (bw < r->membw.min_bw || bw > r->default_ctrl) { ++ rdt_last_cmd_printf("MB value %u out of range [%d,%d]\n", ++ bw, r->membw.min_bw, r->default_ctrl); + return false; + } + +@@ -62,7 +67,7 @@ int parse_bw(struct rdt_parse_data *data, struct resctrl_schema *s, + { + struct resctrl_staged_config *cfg; + struct rdt_resource *r = s->res; +- unsigned long bw_val; ++ u32 bw_val; + + cfg = &d->staged_config[s->conf_type]; + if (cfg->have_new_ctrl) { +-- +2.43.0 + diff --git a/queue-5.15/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch b/queue-5.15/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch new file mode 100644 index 00000000000..f2eb9755675 --- /dev/null +++ b/queue-5.15/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch @@ -0,0 +1,589 @@ +From b622f15ed967676a63264bc0111cb8dc3d3d6925 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jan 2024 10:25:23 -0500 +Subject: XHCI: Separate PORT and CAPs macros into dedicated file + +From: Frank Li + +[ Upstream commit c35ba0ac48355df1d11fcce85945f76c42d250ac ] + +Split the PORT and CAPs macro definitions into a separate file to +facilitate sharing with other files without the need to include the entire +xhci.h. + +Signed-off-by: Frank Li +Link: https://lore.kernel.org/r/20240124152525.3910311-2-Frank.Li@nxp.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 705e3ce37bcc ("usb: dwc3: core: Fix system suspend on TI AM62 platforms") +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-caps.h | 85 ++++++++++++ + drivers/usb/host/xhci-port.h | 176 +++++++++++++++++++++++ + drivers/usb/host/xhci.h | 262 +---------------------------------- + 3 files changed, 264 insertions(+), 259 deletions(-) + create mode 100644 drivers/usb/host/xhci-caps.h + create mode 100644 drivers/usb/host/xhci-port.h + +diff --git a/drivers/usb/host/xhci-caps.h b/drivers/usb/host/xhci-caps.h +new file mode 100644 +index 0000000000000..9e94cebf4a56d +--- /dev/null ++++ b/drivers/usb/host/xhci-caps.h +@@ -0,0 +1,85 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++/* hc_capbase bitmasks */ ++/* bits 7:0 - how long is the Capabilities register */ ++#define HC_LENGTH(p) XHCI_HC_LENGTH(p) ++/* bits 31:16 */ ++#define HC_VERSION(p) (((p) >> 16) & 0xffff) ++ ++/* HCSPARAMS1 - hcs_params1 - bitmasks */ ++/* bits 0:7, Max Device Slots */ ++#define HCS_MAX_SLOTS(p) (((p) >> 0) & 0xff) ++#define HCS_SLOTS_MASK 0xff ++/* bits 8:18, Max Interrupters */ ++#define HCS_MAX_INTRS(p) (((p) >> 8) & 0x7ff) ++/* bits 24:31, Max Ports - max value is 0x7F = 127 ports */ ++#define HCS_MAX_PORTS(p) (((p) >> 24) & 0x7f) ++ ++/* HCSPARAMS2 - hcs_params2 - bitmasks */ ++/* bits 0:3, frames or uframes that SW needs to queue transactions ++ * ahead of the HW to meet periodic deadlines */ ++#define HCS_IST(p) (((p) >> 0) & 0xf) ++/* bits 4:7, max number of Event Ring segments */ ++#define HCS_ERST_MAX(p) (((p) >> 4) & 0xf) ++/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */ ++/* bit 26 Scratchpad restore - for save/restore HW state - not used yet */ ++/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */ ++#define HCS_MAX_SCRATCHPAD(p) ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f)) ++ ++/* HCSPARAMS3 - hcs_params3 - bitmasks */ ++/* bits 0:7, Max U1 to U0 latency for the roothub ports */ ++#define HCS_U1_LATENCY(p) (((p) >> 0) & 0xff) ++/* bits 16:31, Max U2 to U0 latency for the roothub ports */ ++#define HCS_U2_LATENCY(p) (((p) >> 16) & 0xffff) ++ ++/* HCCPARAMS - hcc_params - bitmasks */ ++/* true: HC can use 64-bit address pointers */ ++#define HCC_64BIT_ADDR(p) ((p) & (1 << 0)) ++/* true: HC can do bandwidth negotiation */ ++#define HCC_BANDWIDTH_NEG(p) ((p) & (1 << 1)) ++/* true: HC uses 64-byte Device Context structures ++ * FIXME 64-byte context structures aren't supported yet. ++ */ ++#define HCC_64BYTE_CONTEXT(p) ((p) & (1 << 2)) ++/* true: HC has port power switches */ ++#define HCC_PPC(p) ((p) & (1 << 3)) ++/* true: HC has port indicators */ ++#define HCS_INDICATOR(p) ((p) & (1 << 4)) ++/* true: HC has Light HC Reset Capability */ ++#define HCC_LIGHT_RESET(p) ((p) & (1 << 5)) ++/* true: HC supports latency tolerance messaging */ ++#define HCC_LTC(p) ((p) & (1 << 6)) ++/* true: no secondary Stream ID Support */ ++#define HCC_NSS(p) ((p) & (1 << 7)) ++/* true: HC supports Stopped - Short Packet */ ++#define HCC_SPC(p) ((p) & (1 << 9)) ++/* true: HC has Contiguous Frame ID Capability */ ++#define HCC_CFC(p) ((p) & (1 << 11)) ++/* Max size for Primary Stream Arrays - 2^(n+1), where n is bits 12:15 */ ++#define HCC_MAX_PSA(p) (1 << ((((p) >> 12) & 0xf) + 1)) ++/* Extended Capabilities pointer from PCI base - section 5.3.6 */ ++#define HCC_EXT_CAPS(p) XHCI_HCC_EXT_CAPS(p) ++ ++#define CTX_SIZE(_hcc) (HCC_64BYTE_CONTEXT(_hcc) ? 64 : 32) ++ ++/* db_off bitmask - bits 0:1 reserved */ ++#define DBOFF_MASK (~0x3) ++ ++/* run_regs_off bitmask - bits 0:4 reserved */ ++#define RTSOFF_MASK (~0x1f) ++ ++/* HCCPARAMS2 - hcc_params2 - bitmasks */ ++/* true: HC supports U3 entry Capability */ ++#define HCC2_U3C(p) ((p) & (1 << 0)) ++/* true: HC supports Configure endpoint command Max exit latency too large */ ++#define HCC2_CMC(p) ((p) & (1 << 1)) ++/* true: HC supports Force Save context Capability */ ++#define HCC2_FSC(p) ((p) & (1 << 2)) ++/* true: HC supports Compliance Transition Capability */ ++#define HCC2_CTC(p) ((p) & (1 << 3)) ++/* true: HC support Large ESIT payload Capability > 48k */ ++#define HCC2_LEC(p) ((p) & (1 << 4)) ++/* true: HC support Configuration Information Capability */ ++#define HCC2_CIC(p) ((p) & (1 << 5)) ++/* true: HC support Extended TBC Capability, Isoc burst count > 65535 */ ++#define HCC2_ETC(p) ((p) & (1 << 6)) +diff --git a/drivers/usb/host/xhci-port.h b/drivers/usb/host/xhci-port.h +new file mode 100644 +index 0000000000000..f19efb966d180 +--- /dev/null ++++ b/drivers/usb/host/xhci-port.h +@@ -0,0 +1,176 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++/* PORTSC - Port Status and Control Register - port_status_base bitmasks */ ++/* true: device connected */ ++#define PORT_CONNECT (1 << 0) ++/* true: port enabled */ ++#define PORT_PE (1 << 1) ++/* bit 2 reserved and zeroed */ ++/* true: port has an over-current condition */ ++#define PORT_OC (1 << 3) ++/* true: port reset signaling asserted */ ++#define PORT_RESET (1 << 4) ++/* Port Link State - bits 5:8 ++ * A read gives the current link PM state of the port, ++ * a write with Link State Write Strobe set sets the link state. ++ */ ++#define PORT_PLS_MASK (0xf << 5) ++#define XDEV_U0 (0x0 << 5) ++#define XDEV_U1 (0x1 << 5) ++#define XDEV_U2 (0x2 << 5) ++#define XDEV_U3 (0x3 << 5) ++#define XDEV_DISABLED (0x4 << 5) ++#define XDEV_RXDETECT (0x5 << 5) ++#define XDEV_INACTIVE (0x6 << 5) ++#define XDEV_POLLING (0x7 << 5) ++#define XDEV_RECOVERY (0x8 << 5) ++#define XDEV_HOT_RESET (0x9 << 5) ++#define XDEV_COMP_MODE (0xa << 5) ++#define XDEV_TEST_MODE (0xb << 5) ++#define XDEV_RESUME (0xf << 5) ++ ++/* true: port has power (see HCC_PPC) */ ++#define PORT_POWER (1 << 9) ++/* bits 10:13 indicate device speed: ++ * 0 - undefined speed - port hasn't be initialized by a reset yet ++ * 1 - full speed ++ * 2 - low speed ++ * 3 - high speed ++ * 4 - super speed ++ * 5-15 reserved ++ */ ++#define DEV_SPEED_MASK (0xf << 10) ++#define XDEV_FS (0x1 << 10) ++#define XDEV_LS (0x2 << 10) ++#define XDEV_HS (0x3 << 10) ++#define XDEV_SS (0x4 << 10) ++#define XDEV_SSP (0x5 << 10) ++#define DEV_UNDEFSPEED(p) (((p) & DEV_SPEED_MASK) == (0x0<<10)) ++#define DEV_FULLSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_FS) ++#define DEV_LOWSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_LS) ++#define DEV_HIGHSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_HS) ++#define DEV_SUPERSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_SS) ++#define DEV_SUPERSPEEDPLUS(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP) ++#define DEV_SUPERSPEED_ANY(p) (((p) & DEV_SPEED_MASK) >= XDEV_SS) ++#define DEV_PORT_SPEED(p) (((p) >> 10) & 0x0f) ++ ++/* Bits 20:23 in the Slot Context are the speed for the device */ ++#define SLOT_SPEED_FS (XDEV_FS << 10) ++#define SLOT_SPEED_LS (XDEV_LS << 10) ++#define SLOT_SPEED_HS (XDEV_HS << 10) ++#define SLOT_SPEED_SS (XDEV_SS << 10) ++#define SLOT_SPEED_SSP (XDEV_SSP << 10) ++/* Port Indicator Control */ ++#define PORT_LED_OFF (0 << 14) ++#define PORT_LED_AMBER (1 << 14) ++#define PORT_LED_GREEN (2 << 14) ++#define PORT_LED_MASK (3 << 14) ++/* Port Link State Write Strobe - set this when changing link state */ ++#define PORT_LINK_STROBE (1 << 16) ++/* true: connect status change */ ++#define PORT_CSC (1 << 17) ++/* true: port enable change */ ++#define PORT_PEC (1 << 18) ++/* true: warm reset for a USB 3.0 device is done. A "hot" reset puts the port ++ * into an enabled state, and the device into the default state. A "warm" reset ++ * also resets the link, forcing the device through the link training sequence. ++ * SW can also look at the Port Reset register to see when warm reset is done. ++ */ ++#define PORT_WRC (1 << 19) ++/* true: over-current change */ ++#define PORT_OCC (1 << 20) ++/* true: reset change - 1 to 0 transition of PORT_RESET */ ++#define PORT_RC (1 << 21) ++/* port link status change - set on some port link state transitions: ++ * Transition Reason ++ * ------------------------------------------------------------------------------ ++ * - U3 to Resume Wakeup signaling from a device ++ * - Resume to Recovery to U0 USB 3.0 device resume ++ * - Resume to U0 USB 2.0 device resume ++ * - U3 to Recovery to U0 Software resume of USB 3.0 device complete ++ * - U3 to U0 Software resume of USB 2.0 device complete ++ * - U2 to U0 L1 resume of USB 2.1 device complete ++ * - U0 to U0 (???) L1 entry rejection by USB 2.1 device ++ * - U0 to disabled L1 entry error with USB 2.1 device ++ * - Any state to inactive Error on USB 3.0 port ++ */ ++#define PORT_PLC (1 << 22) ++/* port configure error change - port failed to configure its link partner */ ++#define PORT_CEC (1 << 23) ++#define PORT_CHANGE_MASK (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \ ++ PORT_RC | PORT_PLC | PORT_CEC) ++ ++ ++/* Cold Attach Status - xHC can set this bit to report device attached during ++ * Sx state. Warm port reset should be perfomed to clear this bit and move port ++ * to connected state. ++ */ ++#define PORT_CAS (1 << 24) ++/* wake on connect (enable) */ ++#define PORT_WKCONN_E (1 << 25) ++/* wake on disconnect (enable) */ ++#define PORT_WKDISC_E (1 << 26) ++/* wake on over-current (enable) */ ++#define PORT_WKOC_E (1 << 27) ++/* bits 28:29 reserved */ ++/* true: device is non-removable - for USB 3.0 roothub emulation */ ++#define PORT_DEV_REMOVE (1 << 30) ++/* Initiate a warm port reset - complete when PORT_WRC is '1' */ ++#define PORT_WR (1 << 31) ++ ++/* We mark duplicate entries with -1 */ ++#define DUPLICATE_ENTRY ((u8)(-1)) ++ ++/* Port Power Management Status and Control - port_power_base bitmasks */ ++/* Inactivity timer value for transitions into U1, in microseconds. ++ * Timeout can be up to 127us. 0xFF means an infinite timeout. ++ */ ++#define PORT_U1_TIMEOUT(p) ((p) & 0xff) ++#define PORT_U1_TIMEOUT_MASK 0xff ++/* Inactivity timer value for transitions into U2 */ ++#define PORT_U2_TIMEOUT(p) (((p) & 0xff) << 8) ++#define PORT_U2_TIMEOUT_MASK (0xff << 8) ++/* Bits 24:31 for port testing */ ++ ++/* USB2 Protocol PORTSPMSC */ ++#define PORT_L1S_MASK 7 ++#define PORT_L1S_SUCCESS 1 ++#define PORT_RWE (1 << 3) ++#define PORT_HIRD(p) (((p) & 0xf) << 4) ++#define PORT_HIRD_MASK (0xf << 4) ++#define PORT_L1DS_MASK (0xff << 8) ++#define PORT_L1DS(p) (((p) & 0xff) << 8) ++#define PORT_HLE (1 << 16) ++#define PORT_TEST_MODE_SHIFT 28 ++ ++/* USB3 Protocol PORTLI Port Link Information */ ++#define PORT_RX_LANES(p) (((p) >> 16) & 0xf) ++#define PORT_TX_LANES(p) (((p) >> 20) & 0xf) ++ ++/* USB2 Protocol PORTHLPMC */ ++#define PORT_HIRDM(p)((p) & 3) ++#define PORT_L1_TIMEOUT(p)(((p) & 0xff) << 2) ++#define PORT_BESLD(p)(((p) & 0xf) << 10) ++ ++/* use 512 microseconds as USB2 LPM L1 default timeout. */ ++#define XHCI_L1_TIMEOUT 512 ++ ++/* Set default HIRD/BESL value to 4 (350/400us) for USB2 L1 LPM resume latency. ++ * Safe to use with mixed HIRD and BESL systems (host and device) and is used ++ * by other operating systems. ++ * ++ * XHCI 1.0 errata 8/14/12 Table 13 notes: ++ * "Software should choose xHC BESL/BESLD field values that do not violate a ++ * device's resume latency requirements, ++ * e.g. not program values > '4' if BLC = '1' and a HIRD device is attached, ++ * or not program values < '4' if BLC = '0' and a BESL device is attached. ++ */ ++#define XHCI_DEFAULT_BESL 4 ++ ++/* ++ * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports ++ * to complete link training. usually link trainig completes much faster ++ * so check status 10 times with 36ms sleep in places we need to wait for ++ * polling to complete. ++ */ ++#define XHCI_PORT_POLLING_LFPS_TIME 36 +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index f2133f2a1767a..298938eca1636 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -23,6 +23,9 @@ + #include "xhci-ext-caps.h" + #include "pci-quirks.h" + ++#include "xhci-port.h" ++#include "xhci-caps.h" ++ + /* max buffer size for trace and debug messages */ + #define XHCI_MSG_MAX 500 + +@@ -63,90 +66,6 @@ struct xhci_cap_regs { + /* Reserved up to (CAPLENGTH - 0x1C) */ + }; + +-/* hc_capbase bitmasks */ +-/* bits 7:0 - how long is the Capabilities register */ +-#define HC_LENGTH(p) XHCI_HC_LENGTH(p) +-/* bits 31:16 */ +-#define HC_VERSION(p) (((p) >> 16) & 0xffff) +- +-/* HCSPARAMS1 - hcs_params1 - bitmasks */ +-/* bits 0:7, Max Device Slots */ +-#define HCS_MAX_SLOTS(p) (((p) >> 0) & 0xff) +-#define HCS_SLOTS_MASK 0xff +-/* bits 8:18, Max Interrupters */ +-#define HCS_MAX_INTRS(p) (((p) >> 8) & 0x7ff) +-/* bits 24:31, Max Ports - max value is 0x7F = 127 ports */ +-#define HCS_MAX_PORTS(p) (((p) >> 24) & 0x7f) +- +-/* HCSPARAMS2 - hcs_params2 - bitmasks */ +-/* bits 0:3, frames or uframes that SW needs to queue transactions +- * ahead of the HW to meet periodic deadlines */ +-#define HCS_IST(p) (((p) >> 0) & 0xf) +-/* bits 4:7, max number of Event Ring segments */ +-#define HCS_ERST_MAX(p) (((p) >> 4) & 0xf) +-/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */ +-/* bit 26 Scratchpad restore - for save/restore HW state - not used yet */ +-/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */ +-#define HCS_MAX_SCRATCHPAD(p) ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f)) +- +-/* HCSPARAMS3 - hcs_params3 - bitmasks */ +-/* bits 0:7, Max U1 to U0 latency for the roothub ports */ +-#define HCS_U1_LATENCY(p) (((p) >> 0) & 0xff) +-/* bits 16:31, Max U2 to U0 latency for the roothub ports */ +-#define HCS_U2_LATENCY(p) (((p) >> 16) & 0xffff) +- +-/* HCCPARAMS - hcc_params - bitmasks */ +-/* true: HC can use 64-bit address pointers */ +-#define HCC_64BIT_ADDR(p) ((p) & (1 << 0)) +-/* true: HC can do bandwidth negotiation */ +-#define HCC_BANDWIDTH_NEG(p) ((p) & (1 << 1)) +-/* true: HC uses 64-byte Device Context structures +- * FIXME 64-byte context structures aren't supported yet. +- */ +-#define HCC_64BYTE_CONTEXT(p) ((p) & (1 << 2)) +-/* true: HC has port power switches */ +-#define HCC_PPC(p) ((p) & (1 << 3)) +-/* true: HC has port indicators */ +-#define HCS_INDICATOR(p) ((p) & (1 << 4)) +-/* true: HC has Light HC Reset Capability */ +-#define HCC_LIGHT_RESET(p) ((p) & (1 << 5)) +-/* true: HC supports latency tolerance messaging */ +-#define HCC_LTC(p) ((p) & (1 << 6)) +-/* true: no secondary Stream ID Support */ +-#define HCC_NSS(p) ((p) & (1 << 7)) +-/* true: HC supports Stopped - Short Packet */ +-#define HCC_SPC(p) ((p) & (1 << 9)) +-/* true: HC has Contiguous Frame ID Capability */ +-#define HCC_CFC(p) ((p) & (1 << 11)) +-/* Max size for Primary Stream Arrays - 2^(n+1), where n is bits 12:15 */ +-#define HCC_MAX_PSA(p) (1 << ((((p) >> 12) & 0xf) + 1)) +-/* Extended Capabilities pointer from PCI base - section 5.3.6 */ +-#define HCC_EXT_CAPS(p) XHCI_HCC_EXT_CAPS(p) +- +-#define CTX_SIZE(_hcc) (HCC_64BYTE_CONTEXT(_hcc) ? 64 : 32) +- +-/* db_off bitmask - bits 0:1 reserved */ +-#define DBOFF_MASK (~0x3) +- +-/* run_regs_off bitmask - bits 0:4 reserved */ +-#define RTSOFF_MASK (~0x1f) +- +-/* HCCPARAMS2 - hcc_params2 - bitmasks */ +-/* true: HC supports U3 entry Capability */ +-#define HCC2_U3C(p) ((p) & (1 << 0)) +-/* true: HC supports Configure endpoint command Max exit latency too large */ +-#define HCC2_CMC(p) ((p) & (1 << 1)) +-/* true: HC supports Force Save context Capability */ +-#define HCC2_FSC(p) ((p) & (1 << 2)) +-/* true: HC supports Compliance Transition Capability */ +-#define HCC2_CTC(p) ((p) & (1 << 3)) +-/* true: HC support Large ESIT payload Capability > 48k */ +-#define HCC2_LEC(p) ((p) & (1 << 4)) +-/* true: HC support Configuration Information Capability */ +-#define HCC2_CIC(p) ((p) & (1 << 5)) +-/* true: HC support Extended TBC Capability, Isoc burst count > 65535 */ +-#define HCC2_ETC(p) ((p) & (1 << 6)) +- + /* Number of registers per port */ + #define NUM_PORT_REGS 4 + +@@ -292,181 +211,6 @@ struct xhci_op_regs { + #define CONFIG_CIE (1 << 9) + /* bits 10:31 - reserved and should be preserved */ + +-/* PORTSC - Port Status and Control Register - port_status_base bitmasks */ +-/* true: device connected */ +-#define PORT_CONNECT (1 << 0) +-/* true: port enabled */ +-#define PORT_PE (1 << 1) +-/* bit 2 reserved and zeroed */ +-/* true: port has an over-current condition */ +-#define PORT_OC (1 << 3) +-/* true: port reset signaling asserted */ +-#define PORT_RESET (1 << 4) +-/* Port Link State - bits 5:8 +- * A read gives the current link PM state of the port, +- * a write with Link State Write Strobe set sets the link state. +- */ +-#define PORT_PLS_MASK (0xf << 5) +-#define XDEV_U0 (0x0 << 5) +-#define XDEV_U1 (0x1 << 5) +-#define XDEV_U2 (0x2 << 5) +-#define XDEV_U3 (0x3 << 5) +-#define XDEV_DISABLED (0x4 << 5) +-#define XDEV_RXDETECT (0x5 << 5) +-#define XDEV_INACTIVE (0x6 << 5) +-#define XDEV_POLLING (0x7 << 5) +-#define XDEV_RECOVERY (0x8 << 5) +-#define XDEV_HOT_RESET (0x9 << 5) +-#define XDEV_COMP_MODE (0xa << 5) +-#define XDEV_TEST_MODE (0xb << 5) +-#define XDEV_RESUME (0xf << 5) +- +-/* true: port has power (see HCC_PPC) */ +-#define PORT_POWER (1 << 9) +-/* bits 10:13 indicate device speed: +- * 0 - undefined speed - port hasn't be initialized by a reset yet +- * 1 - full speed +- * 2 - low speed +- * 3 - high speed +- * 4 - super speed +- * 5-15 reserved +- */ +-#define DEV_SPEED_MASK (0xf << 10) +-#define XDEV_FS (0x1 << 10) +-#define XDEV_LS (0x2 << 10) +-#define XDEV_HS (0x3 << 10) +-#define XDEV_SS (0x4 << 10) +-#define XDEV_SSP (0x5 << 10) +-#define DEV_UNDEFSPEED(p) (((p) & DEV_SPEED_MASK) == (0x0<<10)) +-#define DEV_FULLSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_FS) +-#define DEV_LOWSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_LS) +-#define DEV_HIGHSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_HS) +-#define DEV_SUPERSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_SS) +-#define DEV_SUPERSPEEDPLUS(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP) +-#define DEV_SUPERSPEED_ANY(p) (((p) & DEV_SPEED_MASK) >= XDEV_SS) +-#define DEV_PORT_SPEED(p) (((p) >> 10) & 0x0f) +- +-/* Bits 20:23 in the Slot Context are the speed for the device */ +-#define SLOT_SPEED_FS (XDEV_FS << 10) +-#define SLOT_SPEED_LS (XDEV_LS << 10) +-#define SLOT_SPEED_HS (XDEV_HS << 10) +-#define SLOT_SPEED_SS (XDEV_SS << 10) +-#define SLOT_SPEED_SSP (XDEV_SSP << 10) +-/* Port Indicator Control */ +-#define PORT_LED_OFF (0 << 14) +-#define PORT_LED_AMBER (1 << 14) +-#define PORT_LED_GREEN (2 << 14) +-#define PORT_LED_MASK (3 << 14) +-/* Port Link State Write Strobe - set this when changing link state */ +-#define PORT_LINK_STROBE (1 << 16) +-/* true: connect status change */ +-#define PORT_CSC (1 << 17) +-/* true: port enable change */ +-#define PORT_PEC (1 << 18) +-/* true: warm reset for a USB 3.0 device is done. A "hot" reset puts the port +- * into an enabled state, and the device into the default state. A "warm" reset +- * also resets the link, forcing the device through the link training sequence. +- * SW can also look at the Port Reset register to see when warm reset is done. +- */ +-#define PORT_WRC (1 << 19) +-/* true: over-current change */ +-#define PORT_OCC (1 << 20) +-/* true: reset change - 1 to 0 transition of PORT_RESET */ +-#define PORT_RC (1 << 21) +-/* port link status change - set on some port link state transitions: +- * Transition Reason +- * ------------------------------------------------------------------------------ +- * - U3 to Resume Wakeup signaling from a device +- * - Resume to Recovery to U0 USB 3.0 device resume +- * - Resume to U0 USB 2.0 device resume +- * - U3 to Recovery to U0 Software resume of USB 3.0 device complete +- * - U3 to U0 Software resume of USB 2.0 device complete +- * - U2 to U0 L1 resume of USB 2.1 device complete +- * - U0 to U0 (???) L1 entry rejection by USB 2.1 device +- * - U0 to disabled L1 entry error with USB 2.1 device +- * - Any state to inactive Error on USB 3.0 port +- */ +-#define PORT_PLC (1 << 22) +-/* port configure error change - port failed to configure its link partner */ +-#define PORT_CEC (1 << 23) +-#define PORT_CHANGE_MASK (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \ +- PORT_RC | PORT_PLC | PORT_CEC) +- +- +-/* Cold Attach Status - xHC can set this bit to report device attached during +- * Sx state. Warm port reset should be perfomed to clear this bit and move port +- * to connected state. +- */ +-#define PORT_CAS (1 << 24) +-/* wake on connect (enable) */ +-#define PORT_WKCONN_E (1 << 25) +-/* wake on disconnect (enable) */ +-#define PORT_WKDISC_E (1 << 26) +-/* wake on over-current (enable) */ +-#define PORT_WKOC_E (1 << 27) +-/* bits 28:29 reserved */ +-/* true: device is non-removable - for USB 3.0 roothub emulation */ +-#define PORT_DEV_REMOVE (1 << 30) +-/* Initiate a warm port reset - complete when PORT_WRC is '1' */ +-#define PORT_WR (1 << 31) +- +-/* We mark duplicate entries with -1 */ +-#define DUPLICATE_ENTRY ((u8)(-1)) +- +-/* Port Power Management Status and Control - port_power_base bitmasks */ +-/* Inactivity timer value for transitions into U1, in microseconds. +- * Timeout can be up to 127us. 0xFF means an infinite timeout. +- */ +-#define PORT_U1_TIMEOUT(p) ((p) & 0xff) +-#define PORT_U1_TIMEOUT_MASK 0xff +-/* Inactivity timer value for transitions into U2 */ +-#define PORT_U2_TIMEOUT(p) (((p) & 0xff) << 8) +-#define PORT_U2_TIMEOUT_MASK (0xff << 8) +-/* Bits 24:31 for port testing */ +- +-/* USB2 Protocol PORTSPMSC */ +-#define PORT_L1S_MASK 7 +-#define PORT_L1S_SUCCESS 1 +-#define PORT_RWE (1 << 3) +-#define PORT_HIRD(p) (((p) & 0xf) << 4) +-#define PORT_HIRD_MASK (0xf << 4) +-#define PORT_L1DS_MASK (0xff << 8) +-#define PORT_L1DS(p) (((p) & 0xff) << 8) +-#define PORT_HLE (1 << 16) +-#define PORT_TEST_MODE_SHIFT 28 +- +-/* USB3 Protocol PORTLI Port Link Information */ +-#define PORT_RX_LANES(p) (((p) >> 16) & 0xf) +-#define PORT_TX_LANES(p) (((p) >> 20) & 0xf) +- +-/* USB2 Protocol PORTHLPMC */ +-#define PORT_HIRDM(p)((p) & 3) +-#define PORT_L1_TIMEOUT(p)(((p) & 0xff) << 2) +-#define PORT_BESLD(p)(((p) & 0xf) << 10) +- +-/* use 512 microseconds as USB2 LPM L1 default timeout. */ +-#define XHCI_L1_TIMEOUT 512 +- +-/* Set default HIRD/BESL value to 4 (350/400us) for USB2 L1 LPM resume latency. +- * Safe to use with mixed HIRD and BESL systems (host and device) and is used +- * by other operating systems. +- * +- * XHCI 1.0 errata 8/14/12 Table 13 notes: +- * "Software should choose xHC BESL/BESLD field values that do not violate a +- * device's resume latency requirements, +- * e.g. not program values > '4' if BLC = '1' and a HIRD device is attached, +- * or not program values < '4' if BLC = '0' and a BESL device is attached. +- */ +-#define XHCI_DEFAULT_BESL 4 +- +-/* +- * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports +- * to complete link training. usually link trainig completes much faster +- * so check status 10 times with 36ms sleep in places we need to wait for +- * polling to complete. +- */ +-#define XHCI_PORT_POLLING_LFPS_TIME 36 +- + /** + * struct xhci_intr_reg - Interrupt Register Set + * @irq_pending: IMAN - Interrupt Management Register. Used to enable +-- +2.43.0 + -- 2.47.3