From 2856b087447e131093b6a61c12a8b336031ef19d Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 22 May 2023 07:45:31 -0400 Subject: [PATCH] Fixes for 6.1 Signed-off-by: Sasha Levin --- ...tional-tunnel-beet-mode-templates-in.patch | 71 +++++ ...gi00x-prevent-potential-use-after-fr.patch | 41 +++ ...-apply-hp-b-o-top-speaker-profile-to.patch | 39 +++ ...fix-error-handler-with-pm_runtime_en.patch | 70 +++++ ...8186-fix-use-after-free-in-driver-re.patch | 170 +++++++++++ ...opology-fix-logic-for-copying-tuples.patch | 49 ++++ ...idge-always-declare-tunnel-functions.patch | 61 ++++ ...ing-can-xl-support-in-can_put_echo_s.patch | 39 +++ ...mory-leak-in-the-error-handling-path.patch | 42 +++ ...e-tsc-read-per-cpu-for-mperf-monitor.patch | 159 +++++++++++ ...2d_open-close-helper-function-defini.patch | 48 ++++ ...nregister-audio-driver-during-unbind.patch | 81 ++++++ ...pu-assign-missing-writeback-log_mask.patch | 40 +++ ...-non-mdp_top-intf_intr-offsets-out-o.patch | 67 +++++ ...ve-duplicate-register-defines-from-i.patch | 45 +++ .../drm-msm-fix-submit-error-path-leaks.patch | 87 ++++++ ...lay-msm-dsi-controller-main-document.patch | 52 ++++ ...roto-with-the-md-version-for-collect.patch | 81 ++++++ ...-vf-reset-during-iavf-initialization.patch | 168 +++++++++++ ...ntroduce-clear_reset_state-operation.patch | 154 ++++++++++ ...igb-fix-bit_shift-to-be-in-1.8-range.patch | 50 ++++ ...idvb-fix-use-after-free-at-del_timer.patch | 49 ++++ ...ove-phy_stop-from-bcmgenet_netif_sto.patch | 37 +++ ...tore-phy_stop-depending-upon-suspend.patch | 71 +++++ ...x-fix-mv88e6393x-epc-write-command-o.patch | 37 +++ ...sw-disable-learning-for-standalone-p.patch | 89 ++++++ ...sw-enable-management-frames-for-cpu-.patch | 57 ++++ ...a-rzn1-a5psw-fix-stp-states-handling.patch | 142 ++++++++++ ...andle-pm_runtime_get-failing-in-.rem.patch | 67 +++++ ...put-information-incomplete-for-dumpi.patch | 54 ++++ ...et-delay-time-to-avoid-configuration.patch | 44 +++ ...ix-reset-timeout-when-enable-full-vf.patch | 111 ++++++++ ...sending-pfc-frames-after-reset-issue.patch | 91 ++++++ ...ect-mac_offset-to-unwind-gso-skb-in-.patch | 101 +++++++ ...-xpcs-fix-c73-an-not-getting-enabled.patch | 46 +++ ...add-w-a-for-packet-errors-seen-with-.patch | 77 +++++ queue-6.1/net-selftests-fix-optstring.patch | 41 +++ ...build-error-handling-in-tun_get_user.patch | 147 ++++++++++ ...x-null-pointer-dereference-when-remo.patch | 154 ++++++++++ ..._tables-fix-nft_trans-type-confusion.patch | 43 +++ ...t_rbtree-fix-null-deref-on-element-i.patch | 88 ++++++ ...-a-remove-callback-that-returns-no-v.patch | 86 ++++++ ...frm-i-support-for-nested-esp-tunnels.patch | 125 ++++++++ ...-subchannels-without-devices-also-fo.patch | 44 +++ ...n-t-pass-unused-pfns-to-hyper-v-host.patch | 65 +++++ ...isable-dad-on-ipv6-router-cfg-for-sr.patch | 56 ++++ ...sable-rp_filter-by-default-in-srv6_e.patch | 63 +++++ ...250_bcm7271-balance-clk_enable-calls.patch | 58 ++++ ...0_bcm7271-fix-leak-in-brcmuart_probe.patch | 43 +++ ...fix-of_iomap-leak-in-arc_serial_prob.patch | 51 ++++ queue-6.1/series | 75 +++++ ...-rxfcs-and-rxall-features-by-default.patch | 43 +++ ...ee-ctxt-when-freeing-deferred-reques.patch | 267 ++++++++++++++++++ ...le-free-xprt_ctxt-while-still-in-use.patch | 58 ++++ ...rpc-fix-trace_svc_register-call-site.patch | 35 +++ ...-sk_priority-leak-in-tcp_v4_send_res.patch | 62 ++++ ..._bearer_min_mtu-to-calculate-min-mtu.patch | 105 +++++++ ...earer-min-mtu-properly-when-setting-.patch | 45 +++ ...te-mtu-if-msg_max-is-too-small-in-mt.patch | 92 ++++++ ...-memory-leak-for-detached-napi-queue.patch | 144 ++++++++++ ...o-net-maintain-reverse-cleanup-order.patch | 40 +++ ...rror-unwinding-of-xdp-initialization.patch | 126 +++++++++ ...tial-uninit-value-in-vlan_dev_hard_s.patch | 93 ++++++ ...lose-connected-socket-after-the-time.patch | 54 ++++ ...op-entries-with-invalid-bssids-in-rn.patch | 49 ++++ ...-oem-s-name-in-the-ppag-approved-lis.patch | 37 +++ queue-6.1/wifi-iwlwifi-fw-fix-dbgi-dump.patch | 90 ++++++ ...-mvm-don-t-trust-firmware-n_channels.patch | 60 ++++ ...-fix-cancel_delayed_work_sync-deadlo.patch | 44 +++ ...-fix-oem-s-name-in-the-tas-approved-.patch | 37 +++ ...ort-running-color-change-when-stoppi.patch | 41 +++ ...1-fix-min-center-freq-offset-tracing.patch | 39 +++ ...rtify-the-spinlock-against-deadlock-.patch | 221 +++++++++++++++ ...onnac-fix-stats-tx_bytes-calculation.patch | 51 ++++ ...-the-default-policy-if-the-policy-al.patch | 49 ++++ ...onal-tunnel-beet-mode-templates-in-o.patch | 92 ++++++ 76 files changed, 5800 insertions(+) create mode 100644 queue-6.1/af_key-reject-optional-tunnel-beet-mode-templates-in.patch create mode 100644 queue-6.1/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch create mode 100644 queue-6.1/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch create mode 100644 queue-6.1/asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch create mode 100644 queue-6.1/asoc-mediatek-mt8186-fix-use-after-free-in-driver-re.patch create mode 100644 queue-6.1/asoc-sof-topology-fix-logic-for-copying-tuples.patch create mode 100644 queue-6.1/bridge-always-declare-tunnel-functions.patch create mode 100644 queue-6.1/can-dev-fix-missing-can-xl-support-in-can_put_echo_s.patch create mode 100644 queue-6.1/cassini-fix-a-memory-leak-in-the-error-handling-path.patch create mode 100644 queue-6.1/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch create mode 100644 queue-6.1/drm-exynos-fix-g2d_open-close-helper-function-defini.patch create mode 100644 queue-6.1/drm-msm-dp-unregister-audio-driver-during-unbind.patch create mode 100644 queue-6.1/drm-msm-dpu-assign-missing-writeback-log_mask.patch create mode 100644 queue-6.1/drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch create mode 100644 queue-6.1/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch create mode 100644 queue-6.1/drm-msm-fix-submit-error-path-leaks.patch create mode 100644 queue-6.1/dt-bindings-display-msm-dsi-controller-main-document.patch create mode 100644 queue-6.1/erspan-get-the-proto-with-the-md-version-for-collect.patch create mode 100644 queue-6.1/ice-fix-ice-vf-reset-during-iavf-initialization.patch create mode 100644 queue-6.1/ice-introduce-clear_reset_state-operation.patch create mode 100644 queue-6.1/igb-fix-bit_shift-to-be-in-1.8-range.patch create mode 100644 queue-6.1/media-netup_unidvb-fix-use-after-free-at-del_timer.patch create mode 100644 queue-6.1/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch create mode 100644 queue-6.1/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch create mode 100644 queue-6.1/net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch create mode 100644 queue-6.1/net-dsa-rzn1-a5psw-disable-learning-for-standalone-p.patch create mode 100644 queue-6.1/net-dsa-rzn1-a5psw-enable-management-frames-for-cpu-.patch create mode 100644 queue-6.1/net-dsa-rzn1-a5psw-fix-stp-states-handling.patch create mode 100644 queue-6.1/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch create mode 100644 queue-6.1/net-hns3-fix-output-information-incomplete-for-dumpi.patch create mode 100644 queue-6.1/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch create mode 100644 queue-6.1/net-hns3-fix-reset-timeout-when-enable-full-vf.patch create mode 100644 queue-6.1/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch create mode 100644 queue-6.1/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch create mode 100644 queue-6.1/net-pcs-xpcs-fix-c73-an-not-getting-enabled.patch create mode 100644 queue-6.1/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch create mode 100644 queue-6.1/net-selftests-fix-optstring.patch create mode 100644 queue-6.1/net-tun-rebuild-error-handling-in-tun_get_user.patch create mode 100644 queue-6.1/net-wwan-iosm-fix-null-pointer-dereference-when-remo.patch create mode 100644 queue-6.1/netfilter-nf_tables-fix-nft_trans-type-confusion.patch create mode 100644 queue-6.1/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch create mode 100644 queue-6.1/platform-provide-a-remove-callback-that-returns-no-v.patch create mode 100644 queue-6.1/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch create mode 100644 queue-6.1/s390-cio-include-subchannels-without-devices-also-fo.patch create mode 100644 queue-6.1/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch create mode 100644 queue-6.1/selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch create mode 100644 queue-6.1/selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch create mode 100644 queue-6.1/serial-8250_bcm7271-balance-clk_enable-calls.patch create mode 100644 queue-6.1/serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch create mode 100644 queue-6.1/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch create mode 100644 queue-6.1/sfc-disable-rxfcs-and-rxall-features-by-default.patch create mode 100644 queue-6.1/sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch create mode 100644 queue-6.1/sunrpc-double-free-xprt_ctxt-while-still-in-use.patch create mode 100644 queue-6.1/sunrpc-fix-trace_svc_register-call-site.patch create mode 100644 queue-6.1/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch create mode 100644 queue-6.1/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch create mode 100644 queue-6.1/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch create mode 100644 queue-6.1/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch create mode 100644 queue-6.1/tun-fix-memory-leak-for-detached-napi-queue.patch create mode 100644 queue-6.1/virtio-net-maintain-reverse-cleanup-order.patch create mode 100644 queue-6.1/virtio_net-fix-error-unwinding-of-xdp-initialization.patch create mode 100644 queue-6.1/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch create mode 100644 queue-6.1/vsock-avoid-to-close-connected-socket-after-the-time.patch create mode 100644 queue-6.1/wifi-cfg80211-drop-entries-with-invalid-bssids-in-rn.patch create mode 100644 queue-6.1/wifi-iwlwifi-fix-oem-s-name-in-the-ppag-approved-lis.patch create mode 100644 queue-6.1/wifi-iwlwifi-fw-fix-dbgi-dump.patch create mode 100644 queue-6.1/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch create mode 100644 queue-6.1/wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch create mode 100644 queue-6.1/wifi-iwlwifi-mvm-fix-oem-s-name-in-the-tas-approved-.patch create mode 100644 queue-6.1/wifi-mac80211-abort-running-color-change-when-stoppi.patch create mode 100644 queue-6.1/wifi-mac80211-fix-min-center-freq-offset-tracing.patch create mode 100644 queue-6.1/wifi-mac80211-fortify-the-spinlock-against-deadlock-.patch create mode 100644 queue-6.1/wifi-mt76-connac-fix-stats-tx_bytes-calculation.patch create mode 100644 queue-6.1/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch create mode 100644 queue-6.1/xfrm-reject-optional-tunnel-beet-mode-templates-in-o.patch diff --git a/queue-6.1/af_key-reject-optional-tunnel-beet-mode-templates-in.patch b/queue-6.1/af_key-reject-optional-tunnel-beet-mode-templates-in.patch new file mode 100644 index 00000000000..4742aaf87f4 --- /dev/null +++ b/queue-6.1/af_key-reject-optional-tunnel-beet-mode-templates-in.patch @@ -0,0 +1,71 @@ +From e41cb78fc6a5b241c577f73fba7b5e9fa45c635a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 11:00:06 +0200 +Subject: af_key: Reject optional tunnel/BEET mode templates in outbound + policies + +From: Tobias Brunner + +[ Upstream commit cf3128a7aca55b2eefb68281d44749c683bdc96f ] + +xfrm_state_find() uses `encap_family` of the current template with +the passed local and remote addresses to find a matching state. +If an optional tunnel or BEET mode template is skipped in a mixed-family +scenario, there could be a mismatch causing an out-of-bounds read as +the addresses were not replaced to match the family of the next template. + +While there are theoretical use cases for optional templates in outbound +policies, the only practical one is to skip IPComp states in inbound +policies if uncompressed packets are received that are handled by an +implicitly created IPIP state instead. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tobias Brunner +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 95edcbedf6ef2..8c21de50eadf8 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1940,7 +1940,8 @@ static u32 gen_reqid(struct net *net) + } + + static int +-parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) ++parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_policy *pol, ++ struct sadb_x_ipsecrequest *rq) + { + struct net *net = xp_net(xp); + struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr; +@@ -1958,9 +1959,12 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) + if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0) + return -EINVAL; + t->mode = mode; +- if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) ++ if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) { ++ if ((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) && ++ pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND) ++ return -EINVAL; + t->optional = 1; +- else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) { ++ } else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) { + t->reqid = rq->sadb_x_ipsecrequest_reqid; + if (t->reqid > IPSEC_MANUAL_REQID_MAX) + t->reqid = 0; +@@ -2002,7 +2006,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol) + rq->sadb_x_ipsecrequest_len < sizeof(*rq)) + return -EINVAL; + +- if ((err = parse_ipsecrequest(xp, rq)) < 0) ++ if ((err = parse_ipsecrequest(xp, pol, rq)) < 0) + return err; + len -= rq->sadb_x_ipsecrequest_len; + rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len); +-- +2.39.2 + diff --git a/queue-6.1/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch b/queue-6.1/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch new file mode 100644 index 00000000000..14bcf40e413 --- /dev/null +++ b/queue-6.1/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch @@ -0,0 +1,41 @@ +From 0657e4cc26a0c74f856212ffb0dc819969bec6a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 12:07:11 +0300 +Subject: ALSA: firewire-digi00x: prevent potential use after free + +From: Dan Carpenter + +[ Upstream commit c0e72058d5e21982e61a29de6b098f7c1f0db498 ] + +This code was supposed to return an error code if init_stream() +failed, but it instead freed dg00x->rx_stream and returned success. +This potentially leads to a use after free. + +Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/c224cbd5-d9e2-4cd4-9bcf-2138eb1d35c6@kili.mountain +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/digi00x/digi00x-stream.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c +index a15f55b0dce37..295163bb8abb6 100644 +--- a/sound/firewire/digi00x/digi00x-stream.c ++++ b/sound/firewire/digi00x/digi00x-stream.c +@@ -259,8 +259,10 @@ int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x) + return err; + + err = init_stream(dg00x, &dg00x->tx_stream); +- if (err < 0) ++ if (err < 0) { + destroy_stream(dg00x, &dg00x->rx_stream); ++ return err; ++ } + + err = amdtp_domain_init(&dg00x->domain); + if (err < 0) { +-- +2.39.2 + diff --git a/queue-6.1/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch b/queue-6.1/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch new file mode 100644 index 00000000000..092ee3c2cf0 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch @@ -0,0 +1,39 @@ +From ca7a3ecd060c99ad79bdf397b12da9b4ebf79e4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 12:32:21 -0500 +Subject: ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15 + +From: Ryan C. Underwood + +[ Upstream commit 92553ee03166ef8fa978e7683f9f4af30c9c4e6b ] + +The Pavilion 15 line has B&O top speakers similar to the x360 and +applying the same profile produces good sound. Without this, the +sound would be tinny and underpowered without either applying +model=alc295-hp-x360 or booting another OS first. + +Signed-off-by: Ryan Underwood +Fixes: 563785edfcef ("ALSA: hda/realtek - Add quirk entry for HP Pavilion 15") +Link: https://lore.kernel.org/r/ZF0mpcMz3ezP9KQw@icequake.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 172ffc2c332b7..5d78d4ba1c959 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9363,7 +9363,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x802f, "HP Z240", ALC221_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x8077, "HP", ALC256_FIXUP_HP_HEADSET_MIC), + SND_PCI_QUIRK(0x103c, 0x8158, "HP", ALC256_FIXUP_HP_HEADSET_MIC), +- SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3), ++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC295_FIXUP_HP_X360), + SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC), + SND_PCI_QUIRK(0x103c, 0x827e, "HP x360", ALC295_FIXUP_HP_X360), + SND_PCI_QUIRK(0x103c, 0x827f, "HP x360", ALC269_FIXUP_HP_MUTE_LED_MIC3), +-- +2.39.2 + diff --git a/queue-6.1/asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch b/queue-6.1/asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch new file mode 100644 index 00000000000..8856906d98d --- /dev/null +++ b/queue-6.1/asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch @@ -0,0 +1,70 @@ +From 8afbb90503cbc2af02f1db83bae7718f4e4c1856 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 18:16:36 +0800 +Subject: ASoC: fsl_micfil: Fix error handler with pm_runtime_enable + +From: Shengjiu Wang + +[ Upstream commit 17955aba7877a4494d8093ae5498e19469b01d57 ] + +There is error message when defer probe happens: + +fsl-micfil-dai 30ca0000.micfil: Unbalanced pm_runtime_enable! + +Fix the error handler with pm_runtime_enable and add +fsl_micfil_remove() for pm_runtime_disable. + +Fixes: 47a70e6fc9a8 ("ASoC: Add MICFIL SoC Digital Audio Interface driver.") +Signed-off-by: Shengjiu Wang +--- + sound/soc/fsl/fsl_micfil.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c +index 4b8fe9b8be407..3a03f49452fa3 100644 +--- a/sound/soc/fsl/fsl_micfil.c ++++ b/sound/soc/fsl/fsl_micfil.c +@@ -712,7 +712,7 @@ static int fsl_micfil_probe(struct platform_device *pdev) + ret = devm_snd_dmaengine_pcm_register(&pdev->dev, NULL, 0); + if (ret) { + dev_err(&pdev->dev, "failed to pcm register\n"); +- return ret; ++ goto err_pm_disable; + } + + fsl_micfil_dai.capture.formats = micfil->soc->formats; +@@ -722,9 +722,20 @@ static int fsl_micfil_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, "failed to register component %s\n", + fsl_micfil_component.name); ++ goto err_pm_disable; + } + + return ret; ++ ++err_pm_disable: ++ pm_runtime_disable(&pdev->dev); ++ ++ return ret; ++} ++ ++static void fsl_micfil_remove(struct platform_device *pdev) ++{ ++ pm_runtime_disable(&pdev->dev); + } + + static int __maybe_unused fsl_micfil_runtime_suspend(struct device *dev) +@@ -785,6 +796,7 @@ static const struct dev_pm_ops fsl_micfil_pm_ops = { + + static struct platform_driver fsl_micfil_driver = { + .probe = fsl_micfil_probe, ++ .remove_new = fsl_micfil_remove, + .driver = { + .name = "fsl-micfil-dai", + .pm = &fsl_micfil_pm_ops, +-- +2.39.2 + diff --git a/queue-6.1/asoc-mediatek-mt8186-fix-use-after-free-in-driver-re.patch b/queue-6.1/asoc-mediatek-mt8186-fix-use-after-free-in-driver-re.patch new file mode 100644 index 00000000000..260c8f87536 --- /dev/null +++ b/queue-6.1/asoc-mediatek-mt8186-fix-use-after-free-in-driver-re.patch @@ -0,0 +1,170 @@ +From 0decfdd3cde8847c98d43f52d995eee371939515 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 09:25:12 -0700 +Subject: ASoC: mediatek: mt8186: Fix use-after-free in driver remove path + +From: Douglas Anderson + +[ Upstream commit a93d2afd3f77a7331271a0f25c6a11003db69b3c ] + +When devm runs function in the "remove" path for a device it runs them +in the reverse order. That means that if you have parts of your driver +that aren't using devm or are using "roll your own" devm w/ +devm_add_action_or_reset() you need to keep that in mind. + +The mt8186 audio driver didn't quite get this right. Specifically, in +mt8186_init_clock() it called mt8186_audsys_clk_register() and then +went on to call a bunch of other devm function. The caller of +mt8186_init_clock() used devm_add_action_or_reset() to call +mt8186_deinit_clock() but, because of the intervening devm functions, +the order was wrong. + +Specifically at probe time, the order was: +1. mt8186_audsys_clk_register() +2. afe_priv->clk = devm_kcalloc(...) +3. afe_priv->clk[i] = devm_clk_get(...) + +At remove time, the order (which should have been 3, 2, 1) was: +1. mt8186_audsys_clk_unregister() +3. Free all of afe_priv->clk[i] +2. Free afe_priv->clk + +The above seemed to be causing a use-after-free. Luckily, it's easy to +fix this by simply using devm more correctly. Let's move the +devm_add_action_or_reset() to the right place. In addition to fixing +the use-after-free, code inspection shows that this fixes a leak +(missing call to mt8186_audsys_clk_unregister()) that would have +happened if any of the syscon_regmap_lookup_by_phandle() calls in +mt8186_init_clock() had failed. + +Fixes: 55b423d5623c ("ASoC: mediatek: mt8186: support audio clock control in platform driver") +Signed-off-by: Douglas Anderson +--- + sound/soc/mediatek/mt8186/mt8186-afe-clk.c | 6 --- + sound/soc/mediatek/mt8186/mt8186-afe-clk.h | 1 - + sound/soc/mediatek/mt8186/mt8186-afe-pcm.c | 4 -- + sound/soc/mediatek/mt8186/mt8186-audsys-clk.c | 46 ++++++++++--------- + sound/soc/mediatek/mt8186/mt8186-audsys-clk.h | 1 - + 5 files changed, 24 insertions(+), 34 deletions(-) + +diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-clk.c b/sound/soc/mediatek/mt8186/mt8186-afe-clk.c +index a6b4f29049bbc..539e3a023bc4e 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-afe-clk.c ++++ b/sound/soc/mediatek/mt8186/mt8186-afe-clk.c +@@ -644,9 +644,3 @@ int mt8186_init_clock(struct mtk_base_afe *afe) + + return 0; + } +- +-void mt8186_deinit_clock(void *priv) +-{ +- struct mtk_base_afe *afe = priv; +- mt8186_audsys_clk_unregister(afe); +-} +diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-clk.h b/sound/soc/mediatek/mt8186/mt8186-afe-clk.h +index d5988717d8f2d..a9d59e506d9af 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-afe-clk.h ++++ b/sound/soc/mediatek/mt8186/mt8186-afe-clk.h +@@ -81,7 +81,6 @@ enum { + struct mtk_base_afe; + int mt8186_set_audio_int_bus_parent(struct mtk_base_afe *afe, int clk_id); + int mt8186_init_clock(struct mtk_base_afe *afe); +-void mt8186_deinit_clock(void *priv); + int mt8186_afe_enable_cgs(struct mtk_base_afe *afe); + void mt8186_afe_disable_cgs(struct mtk_base_afe *afe); + int mt8186_afe_enable_clock(struct mtk_base_afe *afe); +diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c +index d7e94e6a19c70..0e3792ccd49f6 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c ++++ b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c +@@ -2847,10 +2847,6 @@ static int mt8186_afe_pcm_dev_probe(struct platform_device *pdev) + return ret; + } + +- ret = devm_add_action_or_reset(dev, mt8186_deinit_clock, (void *)afe); +- if (ret) +- return ret; +- + /* init memif */ + afe->memif_32bit_supported = 0; + afe->memif_size = MT8186_MEMIF_NUM; +diff --git a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c +index 578969ca91c8e..5666be6b1bd2e 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c ++++ b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c +@@ -84,6 +84,29 @@ static const struct afe_gate aud_clks[CLK_AUD_NR_CLK] = { + GATE_AUD2(CLK_AUD_ETDM_OUT1_BCLK, "aud_etdm_out1_bclk", "top_audio", 24), + }; + ++static void mt8186_audsys_clk_unregister(void *data) ++{ ++ struct mtk_base_afe *afe = data; ++ struct mt8186_afe_private *afe_priv = afe->platform_priv; ++ struct clk *clk; ++ struct clk_lookup *cl; ++ int i; ++ ++ if (!afe_priv) ++ return; ++ ++ for (i = 0; i < CLK_AUD_NR_CLK; i++) { ++ cl = afe_priv->lookup[i]; ++ if (!cl) ++ continue; ++ ++ clk = cl->clk; ++ clk_unregister_gate(clk); ++ ++ clkdev_drop(cl); ++ } ++} ++ + int mt8186_audsys_clk_register(struct mtk_base_afe *afe) + { + struct mt8186_afe_private *afe_priv = afe->platform_priv; +@@ -124,27 +147,6 @@ int mt8186_audsys_clk_register(struct mtk_base_afe *afe) + afe_priv->lookup[i] = cl; + } + +- return 0; ++ return devm_add_action_or_reset(afe->dev, mt8186_audsys_clk_unregister, afe); + } + +-void mt8186_audsys_clk_unregister(struct mtk_base_afe *afe) +-{ +- struct mt8186_afe_private *afe_priv = afe->platform_priv; +- struct clk *clk; +- struct clk_lookup *cl; +- int i; +- +- if (!afe_priv) +- return; +- +- for (i = 0; i < CLK_AUD_NR_CLK; i++) { +- cl = afe_priv->lookup[i]; +- if (!cl) +- continue; +- +- clk = cl->clk; +- clk_unregister_gate(clk); +- +- clkdev_drop(cl); +- } +-} +diff --git a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h +index b8d6a06e11e8d..897a2914dc191 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h ++++ b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h +@@ -10,6 +10,5 @@ + #define _MT8186_AUDSYS_CLK_H_ + + int mt8186_audsys_clk_register(struct mtk_base_afe *afe); +-void mt8186_audsys_clk_unregister(struct mtk_base_afe *afe); + + #endif +-- +2.39.2 + diff --git a/queue-6.1/asoc-sof-topology-fix-logic-for-copying-tuples.patch b/queue-6.1/asoc-sof-topology-fix-logic-for-copying-tuples.patch new file mode 100644 index 00000000000..b3c76ade632 --- /dev/null +++ b/queue-6.1/asoc-sof-topology-fix-logic-for-copying-tuples.patch @@ -0,0 +1,49 @@ +From 8ebcccb2f180c8fbd931b967047e08325aaae6b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 14:46:30 +0300 +Subject: ASoC: SOF: topology: Fix logic for copying tuples +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ranjani Sridharan + +[ Upstream commit 41c5305cc3d827d2ea686533777a285176ae01a0 ] + +Topology could have more instances of the tokens being searched for than +the number of sets that need to be copied. Stop copying token after the +limit of number of token instances has been reached. This worked before +only by chance as we had allocated more size for the tuples array than +the number of actual tokens being parsed. + +Fixes: 7006d20e5e9d ("ASoC: SOF: Introduce IPC3 ops") +Signed-off-by: Ranjani Sridharan +--- + sound/soc/sof/topology.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index 6a0e7f3b50234..872e44408298f 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -545,6 +545,10 @@ static int sof_copy_tuples(struct snd_sof_dev *sdev, struct snd_soc_tplg_vendor_ + if (*num_copied_tuples == tuples_size) + return 0; + } ++ ++ /* stop when we've found the required token instances */ ++ if (found == num_tokens * token_instance_num) ++ return 0; + } + + /* next array */ +-- +2.39.2 + diff --git a/queue-6.1/bridge-always-declare-tunnel-functions.patch b/queue-6.1/bridge-always-declare-tunnel-functions.patch new file mode 100644 index 00000000000..e108ade50c2 --- /dev/null +++ b/queue-6.1/bridge-always-declare-tunnel-functions.patch @@ -0,0 +1,61 @@ +From 2c333f202961ea2f4e4da5335b23811aafecb93a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 21:45:35 +0200 +Subject: bridge: always declare tunnel functions + +From: Arnd Bergmann + +[ Upstream commit 89dcd87ce534a3a7f267cfd58505803006f51301 ] + +When CONFIG_BRIDGE_VLAN_FILTERING is disabled, two functions are still +defined but have no prototype or caller. This causes a W=1 warning for +the missing prototypes: + +net/bridge/br_netlink_tunnel.c:29:6: error: no previous prototype for 'vlan_tunid_inrange' [-Werror=missing-prototypes] +net/bridge/br_netlink_tunnel.c:199:5: error: no previous prototype for 'br_vlan_tunnel_info' [-Werror=missing-prototypes] + +The functions are already contitional on CONFIG_BRIDGE_VLAN_FILTERING, +and I coulnd't easily figure out the right set of #ifdefs, so just +move the declarations out of the #ifdef to avoid the warning, +at a small cost in code size over a more elaborate fix. + +Fixes: 188c67dd1906 ("net: bridge: vlan options: add support for tunnel id dumping") +Fixes: 569da0822808 ("net: bridge: vlan options: add support for tunnel mapping set/del") +Signed-off-by: Arnd Bergmann +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230516194625.549249-3-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_private_tunnel.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_private_tunnel.h b/net/bridge/br_private_tunnel.h +index 2b053289f0166..efb096025151a 100644 +--- a/net/bridge/br_private_tunnel.h ++++ b/net/bridge/br_private_tunnel.h +@@ -27,6 +27,10 @@ int br_process_vlan_tunnel_info(const struct net_bridge *br, + int br_get_vlan_tunnel_info_size(struct net_bridge_vlan_group *vg); + int br_fill_vlan_tunnel_info(struct sk_buff *skb, + struct net_bridge_vlan_group *vg); ++bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr, ++ const struct net_bridge_vlan *v_last); ++int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd, ++ u16 vid, u32 tun_id, bool *changed); + + #ifdef CONFIG_BRIDGE_VLAN_FILTERING + /* br_vlan_tunnel.c */ +@@ -43,10 +47,6 @@ void br_handle_ingress_vlan_tunnel(struct sk_buff *skb, + struct net_bridge_vlan_group *vg); + int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + struct net_bridge_vlan *vlan); +-bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr, +- const struct net_bridge_vlan *v_last); +-int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd, +- u16 vid, u32 tun_id, bool *changed); + #else + static inline int vlan_tunnel_init(struct net_bridge_vlan_group *vg) + { +-- +2.39.2 + diff --git a/queue-6.1/can-dev-fix-missing-can-xl-support-in-can_put_echo_s.patch b/queue-6.1/can-dev-fix-missing-can-xl-support-in-can_put_echo_s.patch new file mode 100644 index 00000000000..d86e965a67e --- /dev/null +++ b/queue-6.1/can-dev-fix-missing-can-xl-support-in-can_put_echo_s.patch @@ -0,0 +1,39 @@ +From 3f3f41d1f8ecaf62af6e6de2ed4e62faba6b77aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 May 2023 20:45:15 +0200 +Subject: can: dev: fix missing CAN XL support in can_put_echo_skb() + +From: Oliver Hartkopp + +[ Upstream commit 6bffdc38f9935bae49f980448f3f6be2dada0564 ] + +can_put_echo_skb() checks for the enabled IFF_ECHO flag and the +correct ETH_P type of the given skbuff. When implementing the CAN XL +support the new check for ETH_P_CANXL has been forgotten. + +Fixes: fb08cba12b52 ("can: canxl: update CAN infrastructure for CAN XL frames") +Signed-off-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20230506184515.39241-1-socketcan@hartkopp.net +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev/skb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/dev/skb.c b/drivers/net/can/dev/skb.c +index 241ec636e91fd..f6d05b3ef59ab 100644 +--- a/drivers/net/can/dev/skb.c ++++ b/drivers/net/can/dev/skb.c +@@ -54,7 +54,8 @@ int can_put_echo_skb(struct sk_buff *skb, struct net_device *dev, + /* check flag whether this packet has to be looped back */ + if (!(dev->flags & IFF_ECHO) || + (skb->protocol != htons(ETH_P_CAN) && +- skb->protocol != htons(ETH_P_CANFD))) { ++ skb->protocol != htons(ETH_P_CANFD) && ++ skb->protocol != htons(ETH_P_CANXL))) { + kfree_skb(skb); + return 0; + } +-- +2.39.2 + diff --git a/queue-6.1/cassini-fix-a-memory-leak-in-the-error-handling-path.patch b/queue-6.1/cassini-fix-a-memory-leak-in-the-error-handling-path.patch new file mode 100644 index 00000000000..112a1b964de --- /dev/null +++ b/queue-6.1/cassini-fix-a-memory-leak-in-the-error-handling-path.patch @@ -0,0 +1,42 @@ +From 8967c472af27aeb923bf18d802705e843f816df6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 21:09:11 +0200 +Subject: cassini: Fix a memory leak in the error handling path of + cas_init_one() + +From: Christophe JAILLET + +[ Upstream commit 412cd77a2c24b191c65ea53025222418db09817c ] + +cas_saturn_firmware_init() allocates some memory using vmalloc(). This +memory is freed in the .remove() function but not it the error handling +path of the probe. + +Add the missing vfree() to avoid a memory leak, should an error occur. + +Fixes: fcaa40669cd7 ("cassini: use request_firmware") +Signed-off-by: Christophe JAILLET +Reviewed-by: Pavan Chebbi +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/cassini.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c +index 0aca193d9550d..800956d5464b4 100644 +--- a/drivers/net/ethernet/sun/cassini.c ++++ b/drivers/net/ethernet/sun/cassini.c +@@ -5095,6 +5095,8 @@ static int cas_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + cas_shutdown(cp); + mutex_unlock(&cp->pm_mutex); + ++ vfree(cp->fw_data); ++ + pci_iounmap(pdev, cp->regs); + + +-- +2.39.2 + diff --git a/queue-6.1/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch b/queue-6.1/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch new file mode 100644 index 00000000000..65c90c1c40f --- /dev/null +++ b/queue-6.1/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch @@ -0,0 +1,159 @@ +From 1da33a5d4b79687a504a50c9ebedcc717bbd2ef5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 06:25:44 +0000 +Subject: cpupower: Make TSC read per CPU for Mperf monitor + +From: Wyes Karny + +[ Upstream commit c2adb1877b76fc81ae041e1db1a6ed2078c6746b ] + +System-wide TSC read could cause a drift in C0 percentage calculation. +Because if first TSC is read and then one by one mperf is read for all +cpus, this introduces drift between mperf reading of later CPUs and TSC +reading. To lower this drift read TSC per CPU and also just after mperf +read. This technique improves C0 percentage calculation in Mperf monitor. + +Before fix: (System 100% busy) + + | Mperf || RAPL || Idle_Stats + PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2 + 0| 0| 0| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 0| 256| 84.62| 15.38| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 1| 1| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 1| 257| 84.08| 15.92| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 2| 2| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 2| 258| 83.26| 16.74| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 3| 3| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 3| 259| 83.60| 16.40| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 4| 4| 86.33| 13.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 4| 260| 83.33| 16.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 5| 5| 86.06| 13.94| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 5| 261| 83.05| 16.95| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 6| 6| 85.51| 14.49| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + +After fix: (System 100% busy) + + | Mperf || RAPL || Idle_Stats + PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2 + 0| 0| 0| 98.03| 1.97| 2415||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 0| 256| 98.50| 1.50| 2394||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 1| 1| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 1| 257| 99.99| 0.01| 2375||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 2| 2| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 2| 258|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 3| 3|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 3| 259| 99.99| 0.01| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 4| 4|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 4| 260|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 5| 5| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 5| 261|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 6| 6|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 6| 262|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + +Cc: Thomas Renninger +Cc: Shuah Khan +Cc: Dominik Brodowski + +Fixes: 7fe2f6399a84 ("cpupowerutils - cpufrequtils extended with quite some features") +Signed-off-by: Wyes Karny +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../utils/idle_monitor/mperf_monitor.c | 31 +++++++++---------- + 1 file changed, 14 insertions(+), 17 deletions(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +index e7d48cb563c0e..ae6af354a81db 100644 +--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c ++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +@@ -70,8 +70,8 @@ static int max_freq_mode; + */ + static unsigned long max_frequency; + +-static unsigned long long tsc_at_measure_start; +-static unsigned long long tsc_at_measure_end; ++static unsigned long long *tsc_at_measure_start; ++static unsigned long long *tsc_at_measure_end; + static unsigned long long *mperf_previous_count; + static unsigned long long *aperf_previous_count; + static unsigned long long *mperf_current_count; +@@ -169,7 +169,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent, + aperf_diff = aperf_current_count[cpu] - aperf_previous_count[cpu]; + + if (max_freq_mode == MAX_FREQ_TSC_REF) { +- tsc_diff = tsc_at_measure_end - tsc_at_measure_start; ++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; + *percent = 100.0 * mperf_diff / tsc_diff; + dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n", + mperf_cstates[id].name, mperf_diff, tsc_diff); +@@ -206,7 +206,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + + if (max_freq_mode == MAX_FREQ_TSC_REF) { + /* Calculate max_freq from TSC count */ +- tsc_diff = tsc_at_measure_end - tsc_at_measure_start; ++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; + time_diff = timespec_diff_us(time_start, time_end); + max_frequency = tsc_diff / time_diff; + } +@@ -225,33 +225,27 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + static int mperf_start(void) + { + int cpu; +- unsigned long long dbg; + + clock_gettime(CLOCK_REALTIME, &time_start); +- mperf_get_tsc(&tsc_at_measure_start); + +- for (cpu = 0; cpu < cpu_count; cpu++) ++ for (cpu = 0; cpu < cpu_count; cpu++) { ++ mperf_get_tsc(&tsc_at_measure_start[cpu]); + mperf_init_stats(cpu); ++ } + +- mperf_get_tsc(&dbg); +- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_start); + return 0; + } + + static int mperf_stop(void) + { +- unsigned long long dbg; + int cpu; + +- for (cpu = 0; cpu < cpu_count; cpu++) ++ for (cpu = 0; cpu < cpu_count; cpu++) { + mperf_measure_stats(cpu); ++ mperf_get_tsc(&tsc_at_measure_end[cpu]); ++ } + +- mperf_get_tsc(&tsc_at_measure_end); + clock_gettime(CLOCK_REALTIME, &time_end); +- +- mperf_get_tsc(&dbg); +- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_end); +- + return 0; + } + +@@ -353,7 +347,8 @@ struct cpuidle_monitor *mperf_register(void) + aperf_previous_count = calloc(cpu_count, sizeof(unsigned long long)); + mperf_current_count = calloc(cpu_count, sizeof(unsigned long long)); + aperf_current_count = calloc(cpu_count, sizeof(unsigned long long)); +- ++ tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long)); ++ tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long)); + mperf_monitor.name_len = strlen(mperf_monitor.name); + return &mperf_monitor; + } +@@ -364,6 +359,8 @@ void mperf_unregister(void) + free(aperf_previous_count); + free(mperf_current_count); + free(aperf_current_count); ++ free(tsc_at_measure_start); ++ free(tsc_at_measure_end); + free(is_valid); + } + +-- +2.39.2 + diff --git a/queue-6.1/drm-exynos-fix-g2d_open-close-helper-function-defini.patch b/queue-6.1/drm-exynos-fix-g2d_open-close-helper-function-defini.patch new file mode 100644 index 00000000000..ab28460f70d --- /dev/null +++ b/queue-6.1/drm-exynos-fix-g2d_open-close-helper-function-defini.patch @@ -0,0 +1,48 @@ +From dca6f3aff6abeaafec195e6aed00f909abd2fa84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 23:04:11 +0200 +Subject: drm/exynos: fix g2d_open/close helper function definitions + +From: Arnd Bergmann + +[ Upstream commit 2ef0785b30bd6549ddbc124979f1b6596e065ae2 ] + +The empty stub functions are defined as global functions, which +causes a warning because of missing prototypes: + +drivers/gpu/drm/exynos/exynos_drm_g2d.h:37:5: error: no previous prototype for 'g2d_open' +drivers/gpu/drm/exynos/exynos_drm_g2d.h:42:5: error: no previous prototype for 'g2d_close' + +Mark them as 'static inline' to avoid the warning and to make +them behave as intended. + +Fixes: eb4d9796fa34 ("drm/exynos: g2d: Convert to driver component API") +Signed-off-by: Arnd Bergmann +Reviewed-by: Andi Shyti +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_g2d.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.h b/drivers/gpu/drm/exynos/exynos_drm_g2d.h +index 74ea3c26deadc..1a5ae781b56c6 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.h ++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.h +@@ -34,11 +34,11 @@ static inline int exynos_g2d_exec_ioctl(struct drm_device *dev, void *data, + return -ENODEV; + } + +-int g2d_open(struct drm_device *drm_dev, struct drm_file *file) ++static inline int g2d_open(struct drm_device *drm_dev, struct drm_file *file) + { + return 0; + } + +-void g2d_close(struct drm_device *drm_dev, struct drm_file *file) ++static inline void g2d_close(struct drm_device *drm_dev, struct drm_file *file) + { } + #endif +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-dp-unregister-audio-driver-during-unbind.patch b/queue-6.1/drm-msm-dp-unregister-audio-driver-during-unbind.patch new file mode 100644 index 00000000000..2c249f1b1ac --- /dev/null +++ b/queue-6.1/drm-msm-dp-unregister-audio-driver-during-unbind.patch @@ -0,0 +1,81 @@ +From 192109a48951265379ca4a0d42b3fbb50695b173 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 15:56:57 +0100 +Subject: drm/msm/dp: unregister audio driver during unbind + +From: Srinivas Kandagatla + +[ Upstream commit 85c636284cb63b7740b4ae98881ace92158068d3 ] + +while binding the code always registers a audio driver, however there +is no corresponding unregistration done in unbind. This leads to multiple +redundant audio platform devices if dp_display_bind and dp_display_unbind +happens multiple times during startup. On X13s platform this resulted in +6 to 9 audio codec device instead of just 3 codec devices for 3 dp ports. + +Fix this by unregistering codecs on unbind. + +Signed-off-by: Srinivas Kandagatla +Fixes: d13e36d7d222 ("drm/msm/dp: add audio support for Display Port on MSM") +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/533324/ +Link: https://lore.kernel.org/r/20230421145657.12186-1-srinivas.kandagatla@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_audio.c | 12 ++++++++++++ + drivers/gpu/drm/msm/dp/dp_audio.h | 2 ++ + drivers/gpu/drm/msm/dp/dp_display.c | 1 + + 3 files changed, 15 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dp/dp_audio.c b/drivers/gpu/drm/msm/dp/dp_audio.c +index 6666783e1468e..1245c7aa49df8 100644 +--- a/drivers/gpu/drm/msm/dp/dp_audio.c ++++ b/drivers/gpu/drm/msm/dp/dp_audio.c +@@ -593,6 +593,18 @@ static struct hdmi_codec_pdata codec_data = { + .i2s = 1, + }; + ++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio) ++{ ++ struct dp_audio_private *audio_priv; ++ ++ audio_priv = container_of(dp_audio, struct dp_audio_private, dp_audio); ++ ++ if (audio_priv->audio_pdev) { ++ platform_device_unregister(audio_priv->audio_pdev); ++ audio_priv->audio_pdev = NULL; ++ } ++} ++ + int dp_register_audio_driver(struct device *dev, + struct dp_audio *dp_audio) + { +diff --git a/drivers/gpu/drm/msm/dp/dp_audio.h b/drivers/gpu/drm/msm/dp/dp_audio.h +index 84e5f4a5d26ba..4ab78880af829 100644 +--- a/drivers/gpu/drm/msm/dp/dp_audio.h ++++ b/drivers/gpu/drm/msm/dp/dp_audio.h +@@ -53,6 +53,8 @@ struct dp_audio *dp_audio_get(struct platform_device *pdev, + int dp_register_audio_driver(struct device *dev, + struct dp_audio *dp_audio); + ++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio); ++ + /** + * dp_audio_put() + * +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index c9d9b384ddd03..57b82e5d0ab12 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -323,6 +323,7 @@ static void dp_display_unbind(struct device *dev, struct device *master, + kthread_stop(dp->ev_tsk); + + dp_power_client_deinit(dp->power); ++ dp_unregister_audio_driver(dev, dp->audio); + dp_aux_unregister(dp->aux); + dp->drm_dev = NULL; + dp->aux->drm_dev = NULL; +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-dpu-assign-missing-writeback-log_mask.patch b/queue-6.1/drm-msm-dpu-assign-missing-writeback-log_mask.patch new file mode 100644 index 00000000000..4218d400990 --- /dev/null +++ b/queue-6.1/drm-msm-dpu-assign-missing-writeback-log_mask.patch @@ -0,0 +1,40 @@ +From 75fe94f6d728abc0ef15f95f5de05dabf2949fdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 01:11:09 +0200 +Subject: drm/msm/dpu: Assign missing writeback log_mask + +From: Marijn Suijten + +[ Upstream commit a432fc31f03db2546a48bcf5dd69ca28ceb732bf ] + +The WB debug log mask ended up never being assigned, leading to writes +to this block to never be logged even if the mask is enabled in +dpu_hw_util_log_mask via debugfs. + +Fixes: 84a33d0fd921 ("drm/msm/dpu: add dpu_hw_wb abstraction for writeback blocks") +Signed-off-by: Marijn Suijten +Reviewed-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/533860/ +Link: https://lore.kernel.org/r/20230418-dpu-drop-useless-for-lookup-v3-1-e8d869eea455@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c +index 2d28afdf860ef..a3e413d277175 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c +@@ -61,6 +61,7 @@ static const struct dpu_wb_cfg *_wb_offset(enum dpu_wb wb, + for (i = 0; i < m->wb_count; i++) { + if (wb == m->wb[i].id) { + b->blk_addr = addr + m->wb[i].base; ++ b->log_mask = DPU_DBG_MASK_WB; + return &m->wb[i]; + } + } +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch b/queue-6.1/drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch new file mode 100644 index 00000000000..7754059affa --- /dev/null +++ b/queue-6.1/drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch @@ -0,0 +1,67 @@ +From 2d14357ab99b68f2679c57937f0abc2245cdd2a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 00:37:17 +0200 +Subject: drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header + +From: Marijn Suijten + +[ Upstream commit e9d9ce5462fecdeefec87953de71df4d025cbc72 ] + +These offsets do not fall under the MDP TOP block and do not fit the +comment right above. Move them to dpu_hw_interrupts.c next to the +repsective MDP_INTF_x_OFF interrupt block offsets. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Marijn Suijten +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534203/ +Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-3-27ce1a5ab5c6@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 5 ++++- + drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h | 3 --- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +index cf1b6d84c18a3..75e1b89c9eacf 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +@@ -15,7 +15,7 @@ + + /* + * Register offsets in MDSS register file for the interrupt registers +- * w.r.t. to the MDP base ++ * w.r.t. the MDP base + */ + #define MDP_SSPP_TOP0_OFF 0x0 + #define MDP_INTF_0_OFF 0x6A000 +@@ -24,6 +24,9 @@ + #define MDP_INTF_3_OFF 0x6B800 + #define MDP_INTF_4_OFF 0x6C000 + #define MDP_INTF_5_OFF 0x6C800 ++#define INTF_INTR_EN 0x1c0 ++#define INTF_INTR_STATUS 0x1c4 ++#define INTF_INTR_CLEAR 0x1c8 + #define MDP_AD4_0_OFF 0x7C000 + #define MDP_AD4_1_OFF 0x7D000 + #define MDP_AD4_INTR_EN_OFF 0x41c +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h +index c8156ed4b7fb8..93081e82c6d74 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h +@@ -20,9 +20,6 @@ + #define HIST_INTR_EN 0x01c + #define HIST_INTR_STATUS 0x020 + #define HIST_INTR_CLEAR 0x024 +-#define INTF_INTR_EN 0x1C0 +-#define INTF_INTR_STATUS 0x1C4 +-#define INTF_INTR_CLEAR 0x1C8 + #define SPLIT_DISPLAY_EN 0x2F4 + #define SPLIT_DISPLAY_UPPER_PIPE_CTRL 0x2F8 + #define DSPP_IGC_COLOR0_RAM_LUTN 0x300 +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch b/queue-6.1/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch new file mode 100644 index 00000000000..b4f67bf660a --- /dev/null +++ b/queue-6.1/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch @@ -0,0 +1,45 @@ +From f2df0140e19c5caf3303ad6baac812d3005c2c15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 00:37:22 +0200 +Subject: drm/msm/dpu: Remove duplicate register defines from INTF + +From: Marijn Suijten + +[ Upstream commit 202c044203ac5860e3025169105368d99f9bc6a2 ] + +The INTF_FRAME_LINE_COUNT_EN, INTF_FRAME_COUNT and INTF_LINE_COUNT +registers are already defined higher up, in the right place when sorted +numerically. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Marijn Suijten +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534231/ +Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-8-27ce1a5ab5c6@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c +index 7ce66bf3f4c8d..b2a94b9a3e987 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c +@@ -56,11 +56,6 @@ + #define INTF_TPG_RGB_MAPPING 0x11C + #define INTF_PROG_FETCH_START 0x170 + #define INTF_PROG_ROT_START 0x174 +- +-#define INTF_FRAME_LINE_COUNT_EN 0x0A8 +-#define INTF_FRAME_COUNT 0x0AC +-#define INTF_LINE_COUNT 0x0B0 +- + #define INTF_MUX 0x25C + + #define INTF_CFG_ACTIVE_H_EN BIT(29) +-- +2.39.2 + diff --git a/queue-6.1/drm-msm-fix-submit-error-path-leaks.patch b/queue-6.1/drm-msm-fix-submit-error-path-leaks.patch new file mode 100644 index 00000000000..1299d555413 --- /dev/null +++ b/queue-6.1/drm-msm-fix-submit-error-path-leaks.patch @@ -0,0 +1,87 @@ +From 2d884fa019087d8fd1e7fee1524d1f99e3a0ea54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 13:30:41 -0700 +Subject: drm/msm: Fix submit error-path leaks + +From: Rob Clark + +[ Upstream commit 68dc6c2d5eec45515855cce99256162f45651a0b ] + +For errors after msm_submitqueue_get(), we need to drop the submitqueue +reference. Additionally after get_unused_fd() we need to drop the fd. +The ordering for dropping the queue lock and put_unused_fd() is not +important, so just move this all into out_post_unlock. + +v2: Only drop queue ref if submit doesn't take it +v3: Fix unitialized submit ref in error path +v4: IS_ERR_OR_NULL() + +Reported-by: pinkperfect2021@gmail.com +Fixes: f0de40a131d9 drm/msm: ("Reorder lock vs submit alloc") +Signed-off-by: Rob Clark +Patchwork: https://patchwork.freedesktop.org/patch/536073/ +Link: https://lore.kernel.org/r/20230509203041.440619-1-robdclark@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem_submit.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c +index d8c9d184190bb..d6162561141c5 100644 +--- a/drivers/gpu/drm/msm/msm_gem_submit.c ++++ b/drivers/gpu/drm/msm/msm_gem_submit.c +@@ -709,7 +709,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, + struct msm_drm_private *priv = dev->dev_private; + struct drm_msm_gem_submit *args = data; + struct msm_file_private *ctx = file->driver_priv; +- struct msm_gem_submit *submit; ++ struct msm_gem_submit *submit = NULL; + struct msm_gpu *gpu = priv->gpu; + struct msm_gpu_submitqueue *queue; + struct msm_ringbuffer *ring; +@@ -756,13 +756,15 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, + out_fence_fd = get_unused_fd_flags(O_CLOEXEC); + if (out_fence_fd < 0) { + ret = out_fence_fd; +- return ret; ++ goto out_post_unlock; + } + } + + submit = submit_create(dev, gpu, queue, args->nr_bos, args->nr_cmds); +- if (IS_ERR(submit)) +- return PTR_ERR(submit); ++ if (IS_ERR(submit)) { ++ ret = PTR_ERR(submit); ++ goto out_post_unlock; ++ } + + trace_msm_gpu_submit(pid_nr(submit->pid), ring->id, submit->ident, + args->nr_bos, args->nr_cmds); +@@ -945,11 +947,20 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, + if (has_ww_ticket) + ww_acquire_fini(&submit->ticket); + out_unlock: +- if (ret && (out_fence_fd >= 0)) +- put_unused_fd(out_fence_fd); + mutex_unlock(&queue->lock); + out_post_unlock: +- msm_gem_submit_put(submit); ++ if (ret && (out_fence_fd >= 0)) ++ put_unused_fd(out_fence_fd); ++ ++ if (!IS_ERR_OR_NULL(submit)) { ++ msm_gem_submit_put(submit); ++ } else { ++ /* ++ * If the submit hasn't yet taken ownership of the queue ++ * then we need to drop the reference ourself: ++ */ ++ msm_submitqueue_put(queue); ++ } + if (!IS_ERR_OR_NULL(post_deps)) { + for (i = 0; i < args->nr_out_syncobjs; ++i) { + kfree(post_deps[i].chain); +-- +2.39.2 + diff --git a/queue-6.1/dt-bindings-display-msm-dsi-controller-main-document.patch b/queue-6.1/dt-bindings-display-msm-dsi-controller-main-document.patch new file mode 100644 index 00000000000..391bf6eb874 --- /dev/null +++ b/queue-6.1/dt-bindings-display-msm-dsi-controller-main-document.patch @@ -0,0 +1,52 @@ +From 17e003072766cb1c16c6a6eb0402f4987c18a60b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 20:21:32 +0800 +Subject: dt-bindings: display/msm: dsi-controller-main: Document qcom, + master-dsi and qcom, sync-dual-dsi + +From: Jianhua Lu + +[ Upstream commit ca29699a57ecee6084a4056f5bfd6f11dd359a71 ] + +This fixes warning: + sm8250-xiaomi-elish-csot.dtb: dsi@ae94000: Unevaluated properties are not allowed ('qcom,master-dsi', 'qcom,sync-dual-dsi' were unexpected) + +Reviewed-by: Dmitry Baryshkov +Acked-by: Rob Herring +Signed-off-by: Jianhua Lu +Fixes: 4dbe55c97741 ("dt-bindings: msm: dsi: add yaml schemas for DSI bindings") +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534306/ +Link: https://lore.kernel.org/r/20230427122132.24840-1-lujianhua000@gmail.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + .../bindings/display/msm/dsi-controller-main.yaml | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml b/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml +index 6c5b4783812ae..2fa1759e74d95 100644 +--- a/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml ++++ b/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml +@@ -65,6 +65,18 @@ properties: + Indicates if the DSI controller is driving a panel which needs + 2 DSI links. + ++ qcom,master-dsi: ++ type: boolean ++ description: | ++ Indicates if the DSI controller is the master DSI controller when ++ qcom,dual-dsi-mode enabled. ++ ++ qcom,sync-dual-dsi: ++ type: boolean ++ description: | ++ Indicates if the DSI controller needs to sync the other DSI controller ++ with MIPI DCS commands when qcom,dual-dsi-mode enabled. ++ + assigned-clocks: + maxItems: 2 + description: | +-- +2.39.2 + diff --git a/queue-6.1/erspan-get-the-proto-with-the-md-version-for-collect.patch b/queue-6.1/erspan-get-the-proto-with-the-md-version-for-collect.patch new file mode 100644 index 00000000000..2c4b8ec71a6 --- /dev/null +++ b/queue-6.1/erspan-get-the-proto-with-the-md-version-for-collect.patch @@ -0,0 +1,81 @@ +From 69fc62d48c576ff77f006cdd2e85bf9be1b7704e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 19:22:11 -0400 +Subject: erspan: get the proto with the md version for collect_md + +From: Xin Long + +[ Upstream commit d80fc101d2eb9b3188c228d61223890aeea480a4 ] + +In commit 20704bd1633d ("erspan: build the header with the right proto +according to erspan_ver"), it gets the proto with t->parms.erspan_ver, +but t->parms.erspan_ver is not used by collect_md branch, and instead +it should get the proto with md->version for collect_md. + +Thanks to Kevin for pointing this out. + +Fixes: 20704bd1633d ("erspan: build the header with the right proto according to erspan_ver") +Fixes: 94d7d8f29287 ("ip6_gre: add erspan v2 support") +Reported-by: Kevin Traynor +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Reviewed-by: William Tu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 4d5937af08ee9..216b40ccadae0 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1037,12 +1037,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + ntohl(tun_id), + ntohl(md->u.index), truncate, + false); ++ proto = htons(ETH_P_ERSPAN); + } else if (md->version == 2) { + erspan_build_header_v2(skb, + ntohl(tun_id), + md->u.md2.dir, + get_hwid(&md->u.md2), + truncate, false); ++ proto = htons(ETH_P_ERSPAN2); + } else { + goto tx_err; + } +@@ -1065,24 +1067,25 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + break; + } + +- if (t->parms.erspan_ver == 1) ++ if (t->parms.erspan_ver == 1) { + erspan_build_header(skb, ntohl(t->parms.o_key), + t->parms.index, + truncate, false); +- else if (t->parms.erspan_ver == 2) ++ proto = htons(ETH_P_ERSPAN); ++ } else if (t->parms.erspan_ver == 2) { + erspan_build_header_v2(skb, ntohl(t->parms.o_key), + t->parms.dir, + t->parms.hwid, + truncate, false); +- else ++ proto = htons(ETH_P_ERSPAN2); ++ } else { + goto tx_err; ++ } + + fl6.daddr = t->parms.raddr; + } + + /* Push GRE header. */ +- proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN) +- : htons(ETH_P_ERSPAN2); + gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno))); + + /* TooBig packet may have updated dst->dev's mtu */ +-- +2.39.2 + diff --git a/queue-6.1/ice-fix-ice-vf-reset-during-iavf-initialization.patch b/queue-6.1/ice-fix-ice-vf-reset-during-iavf-initialization.patch new file mode 100644 index 00000000000..6e143d0d615 --- /dev/null +++ b/queue-6.1/ice-fix-ice-vf-reset-during-iavf-initialization.patch @@ -0,0 +1,168 @@ +From d1a88c61fd72140ee094d06f2d487e15ab61ad7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 11:52:55 +0200 +Subject: ice: Fix ice VF reset during iavf initialization + +From: Dawid Wesierski + +[ Upstream commit 7255355a0636b4eff08d5e8139c77d98f151c4fc ] + +Fix the current implementation that causes ice_trigger_vf_reset() +to start resetting the VF even when the VF-NIC is still initializing. + +When we reset NIC with ice driver it can interfere with +iavf-vf initialization e.g. during consecutive resets induced by ice + +iavf ice + | | + |<-----------------| + | ice resets vf + iavf | + reset | + start | + |<-----------------| + | ice resets vf + | causing iavf + | initialization + | error + | | + iavf + reset + end + +This leads to a series of -53 errors +(failed to init adminq) from the IAVF. + +Change the state of the vf_state field to be not active when the IAVF +is still initializing. Make sure to wait until receiving the message on +the message box to ensure that the vf is ready and initializded. + +In simple terms we use the ACTIVE flag to make sure that the ice +driver knows if the iavf is ready for another reset + + iavf ice + | | + | | + |<------------- ice resets vf + iavf vf_state != ACTIVE + reset | + start | + | | + | | + iavf | + reset-------> vf_state == ACTIVE + end ice resets vf + | | + | | + +Fixes: c54d209c78b8 ("ice: Wait for VF to be reset/ready before configuration") +Signed-off-by: Dawid Wesierski +Signed-off-by: Kamil Maziarz +Acked-by: Jacob Keller +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_sriov.c | 8 ++++---- + drivers/net/ethernet/intel/ice/ice_vf_lib.c | 19 +++++++++++++++++++ + drivers/net/ethernet/intel/ice/ice_vf_lib.h | 1 + + drivers/net/ethernet/intel/ice/ice_virtchnl.c | 1 + + 4 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c +index b719e9a771e36..b8c31bf721ad1 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sriov.c ++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c +@@ -1240,7 +1240,7 @@ int ice_set_vf_spoofchk(struct net_device *netdev, int vf_id, bool ena) + if (!vf) + return -EINVAL; + +- ret = ice_check_vf_ready_for_cfg(vf); ++ ret = ice_check_vf_ready_for_reset(vf); + if (ret) + goto out_put_vf; + +@@ -1355,7 +1355,7 @@ int ice_set_vf_mac(struct net_device *netdev, int vf_id, u8 *mac) + goto out_put_vf; + } + +- ret = ice_check_vf_ready_for_cfg(vf); ++ ret = ice_check_vf_ready_for_reset(vf); + if (ret) + goto out_put_vf; + +@@ -1409,7 +1409,7 @@ int ice_set_vf_trust(struct net_device *netdev, int vf_id, bool trusted) + return -EOPNOTSUPP; + } + +- ret = ice_check_vf_ready_for_cfg(vf); ++ ret = ice_check_vf_ready_for_reset(vf); + if (ret) + goto out_put_vf; + +@@ -1722,7 +1722,7 @@ ice_set_vf_port_vlan(struct net_device *netdev, int vf_id, u16 vlan_id, u8 qos, + if (!vf) + return -EINVAL; + +- ret = ice_check_vf_ready_for_cfg(vf); ++ ret = ice_check_vf_ready_for_reset(vf); + if (ret) + goto out_put_vf; + +diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c +index 86abbcb480d9d..71047fc341392 100644 +--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c +@@ -185,6 +185,25 @@ int ice_check_vf_ready_for_cfg(struct ice_vf *vf) + return 0; + } + ++/** ++ * ice_check_vf_ready_for_reset - check if VF is ready to be reset ++ * @vf: VF to check if it's ready to be reset ++ * ++ * The purpose of this function is to ensure that the VF is not in reset, ++ * disabled, and is both initialized and active, thus enabling us to safely ++ * initialize another reset. ++ */ ++int ice_check_vf_ready_for_reset(struct ice_vf *vf) ++{ ++ int ret; ++ ++ ret = ice_check_vf_ready_for_cfg(vf); ++ if (!ret && !test_bit(ICE_VF_STATE_ACTIVE, vf->vf_states)) ++ ret = -EAGAIN; ++ ++ return ret; ++} ++ + /** + * ice_trigger_vf_reset - Reset a VF on HW + * @vf: pointer to the VF structure +diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.h b/drivers/net/ethernet/intel/ice/ice_vf_lib.h +index 9f7fcd8e5714b..e5bed85724622 100644 +--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.h ++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.h +@@ -214,6 +214,7 @@ u16 ice_get_num_vfs(struct ice_pf *pf); + struct ice_vsi *ice_get_vf_vsi(struct ice_vf *vf); + bool ice_is_vf_disabled(struct ice_vf *vf); + int ice_check_vf_ready_for_cfg(struct ice_vf *vf); ++int ice_check_vf_ready_for_reset(struct ice_vf *vf); + void ice_set_vf_state_dis(struct ice_vf *vf); + bool ice_is_any_vf_in_unicast_promisc(struct ice_pf *pf); + void +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c +index 2b4c791b6cbad..ef3c709d6a750 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c +@@ -3722,6 +3722,7 @@ void ice_vc_process_vf_msg(struct ice_pf *pf, struct ice_rq_event_info *event) + ice_vc_notify_vf_link_state(vf); + break; + case VIRTCHNL_OP_RESET_VF: ++ clear_bit(ICE_VF_STATE_ACTIVE, vf->vf_states); + ops->reset_vf(vf); + break; + case VIRTCHNL_OP_ADD_ETH_ADDR: +-- +2.39.2 + diff --git a/queue-6.1/ice-introduce-clear_reset_state-operation.patch b/queue-6.1/ice-introduce-clear_reset_state-operation.patch new file mode 100644 index 00000000000..3e6c7823b33 --- /dev/null +++ b/queue-6.1/ice-introduce-clear_reset_state-operation.patch @@ -0,0 +1,154 @@ +From 5f9eb3fbe1f5e354e114dc7c61faa990d0a19b66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 17:16:51 -0800 +Subject: ice: introduce clear_reset_state operation + +From: Jacob Keller + +[ Upstream commit fa4a15c85c849e92257da6dbffeb1e3a6399fd7b ] + +When hardware is reset, the VF relies on the VFGEN_RSTAT register to detect +when the VF is finished resetting. This is a tri-state register where 0 +indicates a reset is in progress, 1 indicates the hardware is done +resetting, and 2 indicates that the software is done resetting. + +Currently the PF driver relies on the device hardware resetting VFGEN_RSTAT +when a global reset occurs. This works ok, but it does mean that the VF +might not immediately notice a reset when the driver first detects that the +global reset is occurring. + +This is also problematic for Scalable IOV, because there is no read/write +equivalent VFGEN_RSTAT register for the Scalable VSI type. Instead, the +Scalable IOV VFs will need to emulate this register. + +To support this, introduce a new VF operation, clear_reset_state, which is +called when the PF driver first detects a global reset. The Single Root IOV +implementation can just write to VFGEN_RSTAT to ensure it's cleared +immediately, without waiting for the actual hardware reset to begin. The +Scalable IOV implementation will use this as part of its tracking of the +reset status to allow properly reporting the emulated VFGEN_RSTAT to the VF +driver. + +Signed-off-by: Jacob Keller +Reviewed-by: Paul Menzel +Tested-by: Marek Szlosek +Signed-off-by: Tony Nguyen +Stable-dep-of: 7255355a0636 ("ice: Fix ice VF reset during iavf initialization") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 2 +- + drivers/net/ethernet/intel/ice/ice_sriov.c | 16 ++++++++++++++++ + drivers/net/ethernet/intel/ice/ice_vf_lib.c | 12 +++++++++++- + drivers/net/ethernet/intel/ice/ice_vf_lib.h | 5 +++-- + 4 files changed, 31 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index cfc57cfc46e42..6a50f8ba3940c 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -573,7 +573,7 @@ ice_prepare_for_reset(struct ice_pf *pf, enum ice_reset_req reset_type) + /* Disable VFs until reset is completed */ + mutex_lock(&pf->vfs.table_lock); + ice_for_each_vf(pf, bkt, vf) +- ice_set_vf_state_qs_dis(vf); ++ ice_set_vf_state_dis(vf); + mutex_unlock(&pf->vfs.table_lock); + + if (ice_is_eswitch_mode_switchdev(pf)) { +diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c +index b3849bc3d4fc6..b719e9a771e36 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sriov.c ++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c +@@ -696,6 +696,21 @@ static void ice_sriov_free_vf(struct ice_vf *vf) + kfree_rcu(vf, rcu); + } + ++/** ++ * ice_sriov_clear_reset_state - clears VF Reset status register ++ * @vf: the vf to configure ++ */ ++static void ice_sriov_clear_reset_state(struct ice_vf *vf) ++{ ++ struct ice_hw *hw = &vf->pf->hw; ++ ++ /* Clear the reset status register so that VF immediately sees that ++ * the device is resetting, even if hardware hasn't yet gotten around ++ * to clearing VFGEN_RSTAT for us. ++ */ ++ wr32(hw, VFGEN_RSTAT(vf->vf_id), VIRTCHNL_VFR_INPROGRESS); ++} ++ + /** + * ice_sriov_clear_mbx_register - clears SRIOV VF's mailbox registers + * @vf: the vf to configure +@@ -835,6 +850,7 @@ static void ice_sriov_post_vsi_rebuild(struct ice_vf *vf) + static const struct ice_vf_ops ice_sriov_vf_ops = { + .reset_type = ICE_VF_RESET, + .free = ice_sriov_free_vf, ++ .clear_reset_state = ice_sriov_clear_reset_state, + .clear_mbx_register = ice_sriov_clear_mbx_register, + .trigger_reset_register = ice_sriov_trigger_reset_register, + .poll_reset_status = ice_sriov_poll_reset_status, +diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c +index 1c51778db951b..86abbcb480d9d 100644 +--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c +@@ -673,7 +673,7 @@ int ice_reset_vf(struct ice_vf *vf, u32 flags) + * ice_set_vf_state_qs_dis - Set VF queues state to disabled + * @vf: pointer to the VF structure + */ +-void ice_set_vf_state_qs_dis(struct ice_vf *vf) ++static void ice_set_vf_state_qs_dis(struct ice_vf *vf) + { + /* Clear Rx/Tx enabled queues flag */ + bitmap_zero(vf->txq_ena, ICE_MAX_RSS_QS_PER_VF); +@@ -681,6 +681,16 @@ void ice_set_vf_state_qs_dis(struct ice_vf *vf) + clear_bit(ICE_VF_STATE_QS_ENA, vf->vf_states); + } + ++/** ++ * ice_set_vf_state_dis - Set VF state to disabled ++ * @vf: pointer to the VF structure ++ */ ++void ice_set_vf_state_dis(struct ice_vf *vf) ++{ ++ ice_set_vf_state_qs_dis(vf); ++ vf->vf_ops->clear_reset_state(vf); ++} ++ + /* Private functions only accessed from other virtualization files */ + + /** +diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.h b/drivers/net/ethernet/intel/ice/ice_vf_lib.h +index 52bd9a3816bf2..9f7fcd8e5714b 100644 +--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.h ++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.h +@@ -56,6 +56,7 @@ struct ice_mdd_vf_events { + struct ice_vf_ops { + enum ice_disq_rst_src reset_type; + void (*free)(struct ice_vf *vf); ++ void (*clear_reset_state)(struct ice_vf *vf); + void (*clear_mbx_register)(struct ice_vf *vf); + void (*trigger_reset_register)(struct ice_vf *vf, bool is_vflr); + bool (*poll_reset_status)(struct ice_vf *vf); +@@ -213,7 +214,7 @@ u16 ice_get_num_vfs(struct ice_pf *pf); + struct ice_vsi *ice_get_vf_vsi(struct ice_vf *vf); + bool ice_is_vf_disabled(struct ice_vf *vf); + int ice_check_vf_ready_for_cfg(struct ice_vf *vf); +-void ice_set_vf_state_qs_dis(struct ice_vf *vf); ++void ice_set_vf_state_dis(struct ice_vf *vf); + bool ice_is_any_vf_in_unicast_promisc(struct ice_pf *pf); + void + ice_vf_get_promisc_masks(struct ice_vf *vf, struct ice_vsi *vsi, +@@ -259,7 +260,7 @@ static inline int ice_check_vf_ready_for_cfg(struct ice_vf *vf) + return -EOPNOTSUPP; + } + +-static inline void ice_set_vf_state_qs_dis(struct ice_vf *vf) ++static inline void ice_set_vf_state_dis(struct ice_vf *vf) + { + } + +-- +2.39.2 + diff --git a/queue-6.1/igb-fix-bit_shift-to-be-in-1.8-range.patch b/queue-6.1/igb-fix-bit_shift-to-be-in-1.8-range.patch new file mode 100644 index 00000000000..111f37564b2 --- /dev/null +++ b/queue-6.1/igb-fix-bit_shift-to-be-in-1.8-range.patch @@ -0,0 +1,50 @@ +From 626f935f8ed7bbe4b5945da9e92a8e1e0ffaff9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 10:41:46 -0700 +Subject: igb: fix bit_shift to be in [1..8] range + +From: Aleksandr Loktionov + +[ Upstream commit 60d758659f1fb49e0d5b6ac2691ede8c0958795b ] + +In igb_hash_mc_addr() the expression: + "mc_addr[4] >> 8 - bit_shift", right shifting "mc_addr[4]" +shift by more than 7 bits always yields zero, so hash becomes not so different. +Add initialization with bit_shift = 1 and add a loop condition to ensure +bit_shift will be always in [1..8] range. + +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Signed-off-by: Aleksandr Loktionov +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/e1000_mac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/e1000_mac.c b/drivers/net/ethernet/intel/igb/e1000_mac.c +index 205d577bdbbaa..caf91c6f52b4d 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_mac.c ++++ b/drivers/net/ethernet/intel/igb/e1000_mac.c +@@ -426,7 +426,7 @@ void igb_mta_set(struct e1000_hw *hw, u32 hash_value) + static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr) + { + u32 hash_value, hash_mask; +- u8 bit_shift = 0; ++ u8 bit_shift = 1; + + /* Register count multiplied by bits per register */ + hash_mask = (hw->mac.mta_reg_count * 32) - 1; +@@ -434,7 +434,7 @@ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr) + /* For a mc_filter_type of 0, bit_shift is the number of left-shifts + * where 0xFF would still fall within the hash mask. + */ +- while (hash_mask >> bit_shift != 0xFF) ++ while (hash_mask >> bit_shift != 0xFF && bit_shift < 4) + bit_shift++; + + /* The portion of the address that is used for the hash table +-- +2.39.2 + diff --git a/queue-6.1/media-netup_unidvb-fix-use-after-free-at-del_timer.patch b/queue-6.1/media-netup_unidvb-fix-use-after-free-at-del_timer.patch new file mode 100644 index 00000000000..ff8b0ba1510 --- /dev/null +++ b/queue-6.1/media-netup_unidvb-fix-use-after-free-at-del_timer.patch @@ -0,0 +1,49 @@ +From 35ffeb041dad5b60e1ab7d86184bfa835558948c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 12:55:14 +0000 +Subject: media: netup_unidvb: fix use-after-free at del_timer() + +From: Duoming Zhou + +[ Upstream commit 0f5bb36bf9b39a2a96e730bf4455095b50713f63 ] + +When Universal DVB card is detaching, netup_unidvb_dma_fini() +uses del_timer() to stop dma->timeout timer. But when timer +handler netup_unidvb_dma_timeout() is running, del_timer() +could not stop it. As a result, the use-after-free bug could +happen. The process is shown below: + + (cleanup routine) | (timer routine) + | mod_timer(&dev->tx_sim_timer, ..) +netup_unidvb_finidev() | (wait a time) + netup_unidvb_dma_fini() | netup_unidvb_dma_timeout() + del_timer(&dma->timeout); | + | ndev->pci_dev->dev //USE + +Fix by changing del_timer() to del_timer_sync(). + +Link: https://lore.kernel.org/linux-media/20230308125514.4208-1-duoming@zju.edu.cn +Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver") +Signed-off-by: Duoming Zhou +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/netup_unidvb/netup_unidvb_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +index 8287851b5ffdc..aaa1d2dedebdd 100644 +--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c ++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +@@ -697,7 +697,7 @@ static void netup_unidvb_dma_fini(struct netup_unidvb_dev *ndev, int num) + netup_unidvb_dma_enable(dma, 0); + msleep(50); + cancel_work_sync(&dma->work); +- del_timer(&dma->timeout); ++ del_timer_sync(&dma->timeout); + } + + static int netup_unidvb_dma_setup(struct netup_unidvb_dev *ndev) +-- +2.39.2 + diff --git a/queue-6.1/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch b/queue-6.1/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch new file mode 100644 index 00000000000..f36ba3c0c5a --- /dev/null +++ b/queue-6.1/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch @@ -0,0 +1,37 @@ +From 4ab52e8cd2ee24cc7fb80a290dead98a38245919 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:07:27 -0700 +Subject: net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop() + +From: Florian Fainelli + +[ Upstream commit 93e0401e0fc0c54b0ac05b687cd135c2ac38187c ] + +The call to phy_stop() races with the later call to phy_disconnect(), +resulting in concurrent phy_suspend() calls being run from different +CPUs. The final call to phy_disconnect() ensures that the PHY is +stopped and suspended, too. + +Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index f679ed54b3ef2..9860fd66f3bca 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3460,7 +3460,6 @@ static void bcmgenet_netif_stop(struct net_device *dev) + /* Disable MAC transmit. TX DMA disabled must be done before this */ + umac_enable_set(priv, CMD_TX_EN, false); + +- phy_stop(dev->phydev); + bcmgenet_disable_rx_napi(priv); + bcmgenet_intr_disable(priv); + +-- +2.39.2 + diff --git a/queue-6.1/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch b/queue-6.1/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch new file mode 100644 index 00000000000..c01d00d1c61 --- /dev/null +++ b/queue-6.1/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch @@ -0,0 +1,71 @@ +From be4e6258350377f80161449c5354d3ce7bb5c430 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 19:56:07 -0700 +Subject: net: bcmgenet: Restore phy_stop() depending upon suspend/close + +From: Florian Fainelli + +[ Upstream commit 225c657945c4a6307741cb3cc89467eadcc26e9b ] + +Removing the phy_stop() from bcmgenet_netif_stop() ended up causing +warnings from the PHY library that phy_start() is called from the +RUNNING state since we are no longer stopping the PHY state machine +during bcmgenet_suspend(). + +Restore the call to phy_stop() but make it conditional on being called +from the close or suspend path. + +Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine") +Fixes: 93e0401e0fc0 ("net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()") +Signed-off-by: Florian Fainelli +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20230515025608.2587012-1-f.fainelli@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 9860fd66f3bca..4da2becfa950c 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3445,7 +3445,7 @@ static int bcmgenet_open(struct net_device *dev) + return ret; + } + +-static void bcmgenet_netif_stop(struct net_device *dev) ++static void bcmgenet_netif_stop(struct net_device *dev, bool stop_phy) + { + struct bcmgenet_priv *priv = netdev_priv(dev); + +@@ -3460,6 +3460,8 @@ static void bcmgenet_netif_stop(struct net_device *dev) + /* Disable MAC transmit. TX DMA disabled must be done before this */ + umac_enable_set(priv, CMD_TX_EN, false); + ++ if (stop_phy) ++ phy_stop(dev->phydev); + bcmgenet_disable_rx_napi(priv); + bcmgenet_intr_disable(priv); + +@@ -3480,7 +3482,7 @@ static int bcmgenet_close(struct net_device *dev) + + netif_dbg(priv, ifdown, dev, "bcmgenet_close\n"); + +- bcmgenet_netif_stop(dev); ++ bcmgenet_netif_stop(dev, false); + + /* Really kill the PHY state machine and disconnect from it */ + phy_disconnect(dev->phydev); +@@ -4298,7 +4300,7 @@ static int bcmgenet_suspend(struct device *d) + + netif_device_detach(dev); + +- bcmgenet_netif_stop(dev); ++ bcmgenet_netif_stop(dev, true); + + if (!device_may_wakeup(d)) + phy_suspend(dev->phydev); +-- +2.39.2 + diff --git a/queue-6.1/net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch b/queue-6.1/net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch new file mode 100644 index 00000000000..53e40f61f0d --- /dev/null +++ b/queue-6.1/net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch @@ -0,0 +1,37 @@ +From 5e116b41b020732d77f3db0ae8cd1f400b349c7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 09:38:54 +0200 +Subject: net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset + +From: Marco Migliore + +[ Upstream commit 1323e0c6e1d7e103d59384c3ac50f72b17a6936c ] + +According to datasheet, the command opcode must be specified +into bits [14:12] of the Extended Port Control register (EPC). + +Fixes: de776d0d316f ("net: dsa: mv88e6xxx: add support for mv88e6393x family") +Signed-off-by: Marco Migliore +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/port.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/port.h b/drivers/net/dsa/mv88e6xxx/port.h +index cb04243f37c1e..a91e22d9a6cb3 100644 +--- a/drivers/net/dsa/mv88e6xxx/port.h ++++ b/drivers/net/dsa/mv88e6xxx/port.h +@@ -276,7 +276,7 @@ + /* Offset 0x10: Extended Port Control Command */ + #define MV88E6393X_PORT_EPC_CMD 0x10 + #define MV88E6393X_PORT_EPC_CMD_BUSY 0x8000 +-#define MV88E6393X_PORT_EPC_CMD_WRITE 0x0300 ++#define MV88E6393X_PORT_EPC_CMD_WRITE 0x3000 + #define MV88E6393X_PORT_EPC_INDEX_PORT_ETYPE 0x02 + + /* Offset 0x11: Extended Port Control Data */ +-- +2.39.2 + diff --git a/queue-6.1/net-dsa-rzn1-a5psw-disable-learning-for-standalone-p.patch b/queue-6.1/net-dsa-rzn1-a5psw-disable-learning-for-standalone-p.patch new file mode 100644 index 00000000000..a1155823735 --- /dev/null +++ b/queue-6.1/net-dsa-rzn1-a5psw-disable-learning-for-standalone-p.patch @@ -0,0 +1,89 @@ +From 8165c715b61e7f7e09baa961c98969a786e9c2b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 09:27:12 +0200 +Subject: net: dsa: rzn1-a5psw: disable learning for standalone ports +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit ec52b69c046a6219011af780aca155a96719637b ] + +When ports are in standalone mode, they should have learning disabled to +avoid adding new entries in the MAC lookup table which might be used by +other bridge ports to forward packets. While adding that, also make sure +learning is enabled for CPU port. + +Fixes: 888cdb892b61 ("net: dsa: rzn1-a5psw: add Renesas RZ/N1 advanced 5 port switch driver") +Signed-off-by: Clément Léger +Signed-off-by: Alexis Lothoré +Reviewed-by: Piotr Raczynski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rzn1_a5psw.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/dsa/rzn1_a5psw.c b/drivers/net/dsa/rzn1_a5psw.c +index 2b0463263767c..790e177e2aef6 100644 +--- a/drivers/net/dsa/rzn1_a5psw.c ++++ b/drivers/net/dsa/rzn1_a5psw.c +@@ -340,6 +340,14 @@ static void a5psw_flooding_set_resolution(struct a5psw *a5psw, int port, + a5psw_reg_writel(a5psw, offsets[i], a5psw->bridged_ports); + } + ++static void a5psw_port_set_standalone(struct a5psw *a5psw, int port, ++ bool standalone) ++{ ++ a5psw_port_learning_set(a5psw, port, !standalone); ++ a5psw_flooding_set_resolution(a5psw, port, !standalone); ++ a5psw_port_mgmtfwd_set(a5psw, port, standalone); ++} ++ + static int a5psw_port_bridge_join(struct dsa_switch *ds, int port, + struct dsa_bridge bridge, + bool *tx_fwd_offload, +@@ -355,8 +363,7 @@ static int a5psw_port_bridge_join(struct dsa_switch *ds, int port, + } + + a5psw->br_dev = bridge.dev; +- a5psw_flooding_set_resolution(a5psw, port, true); +- a5psw_port_mgmtfwd_set(a5psw, port, false); ++ a5psw_port_set_standalone(a5psw, port, false); + + return 0; + } +@@ -366,8 +373,7 @@ static void a5psw_port_bridge_leave(struct dsa_switch *ds, int port, + { + struct a5psw *a5psw = ds->priv; + +- a5psw_flooding_set_resolution(a5psw, port, false); +- a5psw_port_mgmtfwd_set(a5psw, port, true); ++ a5psw_port_set_standalone(a5psw, port, true); + + /* No more ports bridged */ + if (a5psw->bridged_ports == BIT(A5PSW_CPU_PORT)) +@@ -761,13 +767,15 @@ static int a5psw_setup(struct dsa_switch *ds) + if (dsa_port_is_unused(dp)) + continue; + +- /* Enable egress flooding for CPU port */ +- if (dsa_port_is_cpu(dp)) ++ /* Enable egress flooding and learning for CPU port */ ++ if (dsa_port_is_cpu(dp)) { + a5psw_flooding_set_resolution(a5psw, port, true); ++ a5psw_port_learning_set(a5psw, port, true); ++ } + +- /* Enable management forward only for user ports */ ++ /* Enable standalone mode for user ports */ + if (dsa_port_is_user(dp)) +- a5psw_port_mgmtfwd_set(a5psw, port, true); ++ a5psw_port_set_standalone(a5psw, port, true); + } + + return 0; +-- +2.39.2 + diff --git a/queue-6.1/net-dsa-rzn1-a5psw-enable-management-frames-for-cpu-.patch b/queue-6.1/net-dsa-rzn1-a5psw-enable-management-frames-for-cpu-.patch new file mode 100644 index 00000000000..1af4bf4ae1b --- /dev/null +++ b/queue-6.1/net-dsa-rzn1-a5psw-enable-management-frames-for-cpu-.patch @@ -0,0 +1,57 @@ +From 057a8f5ddad891cced6acc76f66499fa89fc07f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 09:27:10 +0200 +Subject: net: dsa: rzn1-a5psw: enable management frames for CPU port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit 9e4b45f20c5aac786c728619e5ee746bffce1798 ] + +Currently, management frame were discarded before reaching the CPU port due +to a misconfiguration of the MGMT_CONFIG register. Enable them by setting +the correct value in this register in order to correctly receive management +frame and handle STP. + +Fixes: 888cdb892b61 ("net: dsa: rzn1-a5psw: add Renesas RZ/N1 advanced 5 port switch driver") +Signed-off-by: Clément Léger +Signed-off-by: Alexis Lothoré +Reviewed-by: Piotr Raczynski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rzn1_a5psw.c | 2 +- + drivers/net/dsa/rzn1_a5psw.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/rzn1_a5psw.c b/drivers/net/dsa/rzn1_a5psw.c +index ed413d555beca..92a3ac78ab1e5 100644 +--- a/drivers/net/dsa/rzn1_a5psw.c ++++ b/drivers/net/dsa/rzn1_a5psw.c +@@ -673,7 +673,7 @@ static int a5psw_setup(struct dsa_switch *ds) + } + + /* Configure management port */ +- reg = A5PSW_CPU_PORT | A5PSW_MGMT_CFG_DISCARD; ++ reg = A5PSW_CPU_PORT | A5PSW_MGMT_CFG_ENABLE; + a5psw_reg_writel(a5psw, A5PSW_MGMT_CFG, reg); + + /* Set pattern 0 to forward all frame to mgmt port */ +diff --git a/drivers/net/dsa/rzn1_a5psw.h b/drivers/net/dsa/rzn1_a5psw.h +index c67abd49c013d..b4fbf453ff741 100644 +--- a/drivers/net/dsa/rzn1_a5psw.h ++++ b/drivers/net/dsa/rzn1_a5psw.h +@@ -36,7 +36,7 @@ + #define A5PSW_INPUT_LEARN_BLOCK(p) BIT(p) + + #define A5PSW_MGMT_CFG 0x20 +-#define A5PSW_MGMT_CFG_DISCARD BIT(7) ++#define A5PSW_MGMT_CFG_ENABLE BIT(6) + + #define A5PSW_MODE_CFG 0x24 + #define A5PSW_MODE_STATS_RESET BIT(31) +-- +2.39.2 + diff --git a/queue-6.1/net-dsa-rzn1-a5psw-fix-stp-states-handling.patch b/queue-6.1/net-dsa-rzn1-a5psw-fix-stp-states-handling.patch new file mode 100644 index 00000000000..fde4000d0bc --- /dev/null +++ b/queue-6.1/net-dsa-rzn1-a5psw-fix-stp-states-handling.patch @@ -0,0 +1,142 @@ +From e82a291982dd2462504a76390651991c360689b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 09:27:11 +0200 +Subject: net: dsa: rzn1-a5psw: fix STP states handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexis Lothoré + +[ Upstream commit ebe9bc50952757b4b25eaf514da7c464196c9606 ] + +stp_set_state() should actually allow receiving BPDU while in LEARNING +mode which is not the case. Additionally, the BLOCKEN bit does not +actually forbid sending forwarded frames from that port. To fix this, add +a5psw_port_tx_enable() function which allows to disable TX. However, while +its name suggest that TX is totally disabled, it is not and can still +allow to send BPDUs even if disabled. This can be done by using forced +forwarding with the switch tagging mechanism but keeping "filtering" +disabled (which is already the case in the rzn1-a5sw tag driver). With +these fixes, STP support is now functional. + +Fixes: 888cdb892b61 ("net: dsa: rzn1-a5psw: add Renesas RZ/N1 advanced 5 port switch driver") +Signed-off-by: Clément Léger +Signed-off-by: Alexis Lothoré +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rzn1_a5psw.c | 57 ++++++++++++++++++++++++++++++------ + drivers/net/dsa/rzn1_a5psw.h | 1 + + 2 files changed, 49 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/dsa/rzn1_a5psw.c b/drivers/net/dsa/rzn1_a5psw.c +index 92a3ac78ab1e5..2b0463263767c 100644 +--- a/drivers/net/dsa/rzn1_a5psw.c ++++ b/drivers/net/dsa/rzn1_a5psw.c +@@ -120,6 +120,22 @@ static void a5psw_port_mgmtfwd_set(struct a5psw *a5psw, int port, bool enable) + a5psw_port_pattern_set(a5psw, port, A5PSW_PATTERN_MGMTFWD, enable); + } + ++static void a5psw_port_tx_enable(struct a5psw *a5psw, int port, bool enable) ++{ ++ u32 mask = A5PSW_PORT_ENA_TX(port); ++ u32 reg = enable ? mask : 0; ++ ++ /* Even though the port TX is disabled through TXENA bit in the ++ * PORT_ENA register, it can still send BPDUs. This depends on the tag ++ * configuration added when sending packets from the CPU port to the ++ * switch port. Indeed, when using forced forwarding without filtering, ++ * even disabled ports will be able to send packets that are tagged. ++ * This allows to implement STP support when ports are in a state where ++ * forwarding traffic should be stopped but BPDUs should still be sent. ++ */ ++ a5psw_reg_rmw(a5psw, A5PSW_PORT_ENA, mask, reg); ++} ++ + static void a5psw_port_enable_set(struct a5psw *a5psw, int port, bool enable) + { + u32 port_ena = 0; +@@ -292,6 +308,22 @@ static int a5psw_set_ageing_time(struct dsa_switch *ds, unsigned int msecs) + return 0; + } + ++static void a5psw_port_learning_set(struct a5psw *a5psw, int port, bool learn) ++{ ++ u32 mask = A5PSW_INPUT_LEARN_DIS(port); ++ u32 reg = !learn ? mask : 0; ++ ++ a5psw_reg_rmw(a5psw, A5PSW_INPUT_LEARN, mask, reg); ++} ++ ++static void a5psw_port_rx_block_set(struct a5psw *a5psw, int port, bool block) ++{ ++ u32 mask = A5PSW_INPUT_LEARN_BLOCK(port); ++ u32 reg = block ? mask : 0; ++ ++ a5psw_reg_rmw(a5psw, A5PSW_INPUT_LEARN, mask, reg); ++} ++ + static void a5psw_flooding_set_resolution(struct a5psw *a5psw, int port, + bool set) + { +@@ -344,28 +376,35 @@ static void a5psw_port_bridge_leave(struct dsa_switch *ds, int port, + + static void a5psw_port_stp_state_set(struct dsa_switch *ds, int port, u8 state) + { +- u32 mask = A5PSW_INPUT_LEARN_DIS(port) | A5PSW_INPUT_LEARN_BLOCK(port); ++ bool learning_enabled, rx_enabled, tx_enabled; + struct a5psw *a5psw = ds->priv; +- u32 reg = 0; + + switch (state) { + case BR_STATE_DISABLED: + case BR_STATE_BLOCKING: +- reg |= A5PSW_INPUT_LEARN_DIS(port); +- reg |= A5PSW_INPUT_LEARN_BLOCK(port); +- break; + case BR_STATE_LISTENING: +- reg |= A5PSW_INPUT_LEARN_DIS(port); ++ rx_enabled = false; ++ tx_enabled = false; ++ learning_enabled = false; + break; + case BR_STATE_LEARNING: +- reg |= A5PSW_INPUT_LEARN_BLOCK(port); ++ rx_enabled = false; ++ tx_enabled = false; ++ learning_enabled = true; + break; + case BR_STATE_FORWARDING: +- default: ++ rx_enabled = true; ++ tx_enabled = true; ++ learning_enabled = true; + break; ++ default: ++ dev_err(ds->dev, "invalid STP state: %d\n", state); ++ return; + } + +- a5psw_reg_rmw(a5psw, A5PSW_INPUT_LEARN, mask, reg); ++ a5psw_port_learning_set(a5psw, port, learning_enabled); ++ a5psw_port_rx_block_set(a5psw, port, !rx_enabled); ++ a5psw_port_tx_enable(a5psw, port, tx_enabled); + } + + static void a5psw_port_fast_age(struct dsa_switch *ds, int port) +diff --git a/drivers/net/dsa/rzn1_a5psw.h b/drivers/net/dsa/rzn1_a5psw.h +index b4fbf453ff741..b869192eef3f7 100644 +--- a/drivers/net/dsa/rzn1_a5psw.h ++++ b/drivers/net/dsa/rzn1_a5psw.h +@@ -19,6 +19,7 @@ + #define A5PSW_PORT_OFFSET(port) (0x400 * (port)) + + #define A5PSW_PORT_ENA 0x8 ++#define A5PSW_PORT_ENA_TX(port) BIT(port) + #define A5PSW_PORT_ENA_RX_SHIFT 16 + #define A5PSW_PORT_ENA_TX_RX(port) (BIT((port) + A5PSW_PORT_ENA_RX_SHIFT) | \ + BIT(port)) +-- +2.39.2 + diff --git a/queue-6.1/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch b/queue-6.1/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch new file mode 100644 index 00000000000..7c888617f2f --- /dev/null +++ b/queue-6.1/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch @@ -0,0 +1,67 @@ +From 3c5b3b13b4aa4ee7c98f6f00f8a6834f9ce65dae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 22:00:20 +0200 +Subject: net: fec: Better handle pm_runtime_get() failing in .remove() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit f816b9829b19394d318e01953aa3b2721bca040d ] + +In the (unlikely) event that pm_runtime_get() (disguised as +pm_runtime_resume_and_get()) fails, the remove callback returned an +error early. The problem with this is that the driver core ignores the +error value and continues removing the device. This results in a +resource leak. Worse the devm allocated resources are freed and so if a +callback of the driver is called later the register mapping is already +gone which probably results in a crash. + +Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match") +Signed-off-by: Uwe Kleine-König +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230510200020.1534610-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 6f914180f4797..33226a22d8a4a 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -4168,9 +4168,11 @@ fec_drv_remove(struct platform_device *pdev) + struct device_node *np = pdev->dev.of_node; + int ret; + +- ret = pm_runtime_resume_and_get(&pdev->dev); ++ ret = pm_runtime_get_sync(&pdev->dev); + if (ret < 0) +- return ret; ++ dev_err(&pdev->dev, ++ "Failed to resume device in remove callback (%pe)\n", ++ ERR_PTR(ret)); + + cancel_work_sync(&fep->tx_timeout_work); + fec_ptp_stop(pdev); +@@ -4183,8 +4185,13 @@ fec_drv_remove(struct platform_device *pdev) + of_phy_deregister_fixed_link(np); + of_node_put(fep->phy_node); + +- clk_disable_unprepare(fep->clk_ahb); +- clk_disable_unprepare(fep->clk_ipg); ++ /* After pm_runtime_get_sync() failed, the clks are still off, so skip ++ * disabling them again. ++ */ ++ if (ret >= 0) { ++ clk_disable_unprepare(fep->clk_ahb); ++ clk_disable_unprepare(fep->clk_ipg); ++ } + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); + +-- +2.39.2 + diff --git a/queue-6.1/net-hns3-fix-output-information-incomplete-for-dumpi.patch b/queue-6.1/net-hns3-fix-output-information-incomplete-for-dumpi.patch new file mode 100644 index 00000000000..7ef79527a69 --- /dev/null +++ b/queue-6.1/net-hns3-fix-output-information-incomplete-for-dumpi.patch @@ -0,0 +1,54 @@ +From 68de3588270d10a61e2e684f6e78c44dc6dee79f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:00:11 +0800 +Subject: net: hns3: fix output information incomplete for dumping tx queue + info with debugfs + +From: Jie Wang + +[ Upstream commit 89f6bfb071182f05d7188c255b0e7251c3806f16 ] + +In function hns3_dump_tx_queue_info, The print buffer is not enough when +the tx BD number is configured to 32760. As a result several BD +information wouldn't be displayed. + +So fix it by increasing the tx queue print buffer length. + +Fixes: 630a6738da82 ("net: hns3: adjust string spaces of some parameters of tx bd info in debugfs") +Signed-off-by: Jie Wang +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index 66feb23f7b7b6..bcccd82a2620f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -130,7 +130,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = { + .name = "tx_bd_queue", + .cmd = HNAE3_DBG_CMD_TX_BD, + .dentry = HNS3_DBG_DENTRY_TX_BD, +- .buf_len = HNS3_DBG_READ_LEN_4MB, ++ .buf_len = HNS3_DBG_READ_LEN_5MB, + .init = hns3_dbg_bd_file_init, + }, + { +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h +index 97578eabb7d8b..4a5ef8a90a104 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h +@@ -10,6 +10,7 @@ + #define HNS3_DBG_READ_LEN_128KB 0x20000 + #define HNS3_DBG_READ_LEN_1MB 0x100000 + #define HNS3_DBG_READ_LEN_4MB 0x400000 ++#define HNS3_DBG_READ_LEN_5MB 0x500000 + #define HNS3_DBG_WRITE_LEN 1024 + + #define HNS3_DBG_DATA_STR_LEN 32 +-- +2.39.2 + diff --git a/queue-6.1/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch b/queue-6.1/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch new file mode 100644 index 00000000000..ff1dff9a51e --- /dev/null +++ b/queue-6.1/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch @@ -0,0 +1,44 @@ +From 5b0420f4414d4edbe78c04673a502199b5d92bf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:00:13 +0800 +Subject: net: hns3: fix reset delay time to avoid configuration timeout + +From: Jie Wang + +[ Upstream commit 814d0c786068e858d889ada3153bff82f64223ad ] + +Currently the hns3 vf function reset delays 5000ms before vf rebuild +process. In product applications, this delay is too long for application +configurations and causes configuration timeout. + +According to the tests, 500ms delay is enough for reset process except PF +FLR. So this patch modifies delay to 500ms in these scenarios. + +Fixes: 6988eb2a9b77 ("net: hns3: Add support to reset the enet/ring mgmt layer") +Signed-off-by: Jie Wang +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index e84e5be8e59ed..b1b14850e958f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -1436,7 +1436,10 @@ static int hclgevf_reset_wait(struct hclgevf_dev *hdev) + * might happen in case reset assertion was made by PF. Yes, this also + * means we might end up waiting bit more even for VF reset. + */ +- msleep(5000); ++ if (hdev->reset_type == HNAE3_VF_FULL_RESET) ++ msleep(5000); ++ else ++ msleep(500); + + return 0; + } +-- +2.39.2 + diff --git a/queue-6.1/net-hns3-fix-reset-timeout-when-enable-full-vf.patch b/queue-6.1/net-hns3-fix-reset-timeout-when-enable-full-vf.patch new file mode 100644 index 00000000000..8c4fc1b29c1 --- /dev/null +++ b/queue-6.1/net-hns3-fix-reset-timeout-when-enable-full-vf.patch @@ -0,0 +1,111 @@ +From 0139ec0c3a41ace5d3eb7d7e682e8c8d4520f7b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:00:14 +0800 +Subject: net: hns3: fix reset timeout when enable full VF + +From: Jijie Shao + +[ Upstream commit 6b45d5ff8c2c61baddd67d7510075ae121c5e704 ] + +The timeout of the cmdq reset command has been increased to +resolve the reset timeout issue in the full VF scenario. +The timeout of other cmdq commands remains unchanged. + +Fixes: 8d307f8e8cf1 ("net: hns3: create new set of unified hclge_comm_cmd_send APIs") +Signed-off-by: Jijie Shao +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../hns3/hns3_common/hclge_comm_cmd.c | 25 ++++++++++++++++--- + .../hns3/hns3_common/hclge_comm_cmd.h | 8 +++++- + 2 files changed, 28 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c +index f671a63cecde4..c797d54f98caa 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c +@@ -330,9 +330,25 @@ static int hclge_comm_cmd_csq_done(struct hclge_comm_hw *hw) + return head == hw->cmq.csq.next_to_use; + } + +-static void hclge_comm_wait_for_resp(struct hclge_comm_hw *hw, ++static u32 hclge_get_cmdq_tx_timeout(u16 opcode, u32 tx_timeout) ++{ ++ static const struct hclge_cmdq_tx_timeout_map cmdq_tx_timeout_map[] = { ++ {HCLGE_OPC_CFG_RST_TRIGGER, HCLGE_COMM_CMDQ_TX_TIMEOUT_500MS}, ++ }; ++ u32 i; ++ ++ for (i = 0; i < ARRAY_SIZE(cmdq_tx_timeout_map); i++) ++ if (cmdq_tx_timeout_map[i].opcode == opcode) ++ return cmdq_tx_timeout_map[i].tx_timeout; ++ ++ return tx_timeout; ++} ++ ++static void hclge_comm_wait_for_resp(struct hclge_comm_hw *hw, u16 opcode, + bool *is_completed) + { ++ u32 cmdq_tx_timeout = hclge_get_cmdq_tx_timeout(opcode, ++ hw->cmq.tx_timeout); + u32 timeout = 0; + + do { +@@ -342,7 +358,7 @@ static void hclge_comm_wait_for_resp(struct hclge_comm_hw *hw, + } + udelay(1); + timeout++; +- } while (timeout < hw->cmq.tx_timeout); ++ } while (timeout < cmdq_tx_timeout); + } + + static int hclge_comm_cmd_convert_err_code(u16 desc_ret) +@@ -406,7 +422,8 @@ static int hclge_comm_cmd_check_result(struct hclge_comm_hw *hw, + * if multi descriptors to be sent, use the first one to check + */ + if (HCLGE_COMM_SEND_SYNC(le16_to_cpu(desc->flag))) +- hclge_comm_wait_for_resp(hw, &is_completed); ++ hclge_comm_wait_for_resp(hw, le16_to_cpu(desc->opcode), ++ &is_completed); + + if (!is_completed) + ret = -EBADE; +@@ -528,7 +545,7 @@ int hclge_comm_cmd_queue_init(struct pci_dev *pdev, struct hclge_comm_hw *hw) + cmdq->crq.desc_num = HCLGE_COMM_NIC_CMQ_DESC_NUM; + + /* Setup Tx write back timeout */ +- cmdq->tx_timeout = HCLGE_COMM_CMDQ_TX_TIMEOUT; ++ cmdq->tx_timeout = HCLGE_COMM_CMDQ_TX_TIMEOUT_DEFAULT; + + /* Setup queue rings */ + ret = hclge_comm_alloc_cmd_queue(hw, HCLGE_COMM_TYPE_CSQ); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h +index b1f9383b418f4..2b2928c6dccfc 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h +@@ -54,7 +54,8 @@ + #define HCLGE_COMM_NIC_SW_RST_RDY BIT(HCLGE_COMM_NIC_SW_RST_RDY_B) + #define HCLGE_COMM_NIC_CMQ_DESC_NUM_S 3 + #define HCLGE_COMM_NIC_CMQ_DESC_NUM 1024 +-#define HCLGE_COMM_CMDQ_TX_TIMEOUT 30000 ++#define HCLGE_COMM_CMDQ_TX_TIMEOUT_DEFAULT 30000 ++#define HCLGE_COMM_CMDQ_TX_TIMEOUT_500MS 500000 + + enum hclge_opcode_type { + /* Generic commands */ +@@ -357,6 +358,11 @@ struct hclge_comm_caps_bit_map { + u16 local_bit; + }; + ++struct hclge_cmdq_tx_timeout_map { ++ u32 opcode; ++ u32 tx_timeout; ++}; ++ + struct hclge_comm_firmware_compat_cmd { + __le32 compat; + u8 rsv[20]; +-- +2.39.2 + diff --git a/queue-6.1/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch b/queue-6.1/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch new file mode 100644 index 00000000000..0c2dbcf16c4 --- /dev/null +++ b/queue-6.1/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch @@ -0,0 +1,91 @@ +From 1a3fd2e6b1467ea75359e6da5b65c49287c48aa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:00:12 +0800 +Subject: net: hns3: fix sending pfc frames after reset issue + +From: Jijie Shao + +[ Upstream commit f14db07064727dd3bc0906c77a6d2759c1bbb395 ] + +To prevent the system from abnormally sending PFC frames after an +abnormal reset. The hns3 driver notifies the firmware to disable pfc +before reset. + +Fixes: 35d93a30040c ("net: hns3: adjust the process of PF reset") +Signed-off-by: Jijie Shao +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 15 +++++++++------ + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 4 ++-- + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h | 5 +++++ + 3 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 07ad5f35219e2..50e956d6c3b25 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -8053,12 +8053,15 @@ static void hclge_ae_stop(struct hnae3_handle *handle) + /* If it is not PF reset or FLR, the firmware will disable the MAC, + * so it only need to stop phy here. + */ +- if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) && +- hdev->reset_type != HNAE3_FUNC_RESET && +- hdev->reset_type != HNAE3_FLR_RESET) { +- hclge_mac_stop_phy(hdev); +- hclge_update_link_status(hdev); +- return; ++ if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state)) { ++ hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE, ++ HCLGE_PFC_DISABLE); ++ if (hdev->reset_type != HNAE3_FUNC_RESET && ++ hdev->reset_type != HNAE3_FLR_RESET) { ++ hclge_mac_stop_phy(hdev); ++ hclge_update_link_status(hdev); ++ return; ++ } + } + + hclge_reset_tqp(handle); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +index 4a33f65190e2b..922c0da3660c7 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +@@ -171,8 +171,8 @@ int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx) + return hclge_cmd_send(&hdev->hw, &desc, 1); + } + +-static int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, +- u8 pfc_bitmap) ++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, ++ u8 pfc_bitmap) + { + struct hclge_desc desc; + struct hclge_pfc_en_cmd *pfc = (struct hclge_pfc_en_cmd *)desc.data; +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +index 68f28a98e380b..dd6f1fd486cf2 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +@@ -164,6 +164,9 @@ struct hclge_bp_to_qs_map_cmd { + u32 rsvd1; + }; + ++#define HCLGE_PFC_DISABLE 0 ++#define HCLGE_PFC_TX_RX_DISABLE 0 ++ + struct hclge_pfc_en_cmd { + u8 tx_rx_en_bitmap; + u8 pri_en_bitmap; +@@ -235,6 +238,8 @@ void hclge_tm_schd_info_update(struct hclge_dev *hdev, u8 num_tc); + void hclge_tm_pfc_info_update(struct hclge_dev *hdev); + int hclge_tm_dwrr_cfg(struct hclge_dev *hdev); + int hclge_tm_init_hw(struct hclge_dev *hdev, bool init); ++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, ++ u8 pfc_bitmap); + int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx); + int hclge_pause_addr_cfg(struct hclge_dev *hdev, const u8 *mac_addr); + void hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats); +-- +2.39.2 + diff --git a/queue-6.1/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch b/queue-6.1/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch new file mode 100644 index 00000000000..2c403ce3c76 --- /dev/null +++ b/queue-6.1/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch @@ -0,0 +1,101 @@ +From d4a9fd553bfb0ee45bb1aca88ad536016a3898a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 20:54:40 +0800 +Subject: net: nsh: Use correct mac_offset to unwind gso skb in + nsh_gso_segment() + +From: Dong Chenchen + +[ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ] + +As the call trace shows, skb_panic was caused by wrong skb->mac_header +in nsh_gso_segment(): + +invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 +RIP: 0010:skb_panic+0xda/0xe0 +call Trace: + skb_push+0x91/0xa0 + nsh_gso_segment+0x4f3/0x570 + skb_mac_gso_segment+0x19e/0x270 + __skb_gso_segment+0x1e8/0x3c0 + validate_xmit_skb+0x452/0x890 + validate_xmit_skb_list+0x99/0xd0 + sch_direct_xmit+0x294/0x7c0 + __dev_queue_xmit+0x16f0/0x1d70 + packet_xmit+0x185/0x210 + packet_snd+0xc15/0x1170 + packet_sendmsg+0x7b/0xa0 + sock_sendmsg+0x14f/0x160 + +The root cause is: +nsh_gso_segment() use skb->network_header - nhoff to reset mac_header +in skb_gso_error_unwind() if inner-layer protocol gso fails. +However, skb->network_header may be reset by inner-layer protocol +gso function e.g. mpls_gso_segment. skb->mac_header reset by the +inaccurate network_header will be larger than skb headroom. + +nsh_gso_segment + nhoff = skb->network_header - skb->mac_header; + __skb_pull(skb,nsh_len) + skb_mac_gso_segment + mpls_gso_segment + skb_reset_network_header(skb);//skb->network_header+=nsh_len + return -EINVAL; + skb_gso_error_unwind + skb_push(skb, nsh_len); + skb->mac_header = skb->network_header - nhoff; + // skb->mac_header > skb->headroom, cause skb_push panic + +Use correct mac_offset to restore mac_header and get rid of nhoff. + +Fixes: c411ed854584 ("nsh: add GSO support") +Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com +Suggested-by: Eric Dumazet +Signed-off-by: Dong Chenchen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nsh/nsh.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c +index e9ca007718b7e..0f23e5e8e03eb 100644 +--- a/net/nsh/nsh.c ++++ b/net/nsh/nsh.c +@@ -77,13 +77,12 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, + netdev_features_t features) + { + struct sk_buff *segs = ERR_PTR(-EINVAL); ++ u16 mac_offset = skb->mac_header; + unsigned int nsh_len, mac_len; + __be16 proto; +- int nhoff; + + skb_reset_network_header(skb); + +- nhoff = skb->network_header - skb->mac_header; + mac_len = skb->mac_len; + + if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN))) +@@ -108,15 +107,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, + segs = skb_mac_gso_segment(skb, features); + if (IS_ERR_OR_NULL(segs)) { + skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len, +- skb->network_header - nhoff, +- mac_len); ++ mac_offset, mac_len); + goto out; + } + + for (skb = segs; skb; skb = skb->next) { + skb->protocol = htons(ETH_P_NSH); + __skb_push(skb, nsh_len); +- skb_set_mac_header(skb, -nhoff); ++ skb->mac_header = mac_offset; + skb->network_header = skb->mac_header + mac_len; + skb->mac_len = mac_len; + } +-- +2.39.2 + diff --git a/queue-6.1/net-pcs-xpcs-fix-c73-an-not-getting-enabled.patch b/queue-6.1/net-pcs-xpcs-fix-c73-an-not-getting-enabled.patch new file mode 100644 index 00000000000..e4bf7139700 --- /dev/null +++ b/queue-6.1/net-pcs-xpcs-fix-c73-an-not-getting-enabled.patch @@ -0,0 +1,46 @@ +From 7037274d507d6fd52cd99761ad2c94708f1029fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 18:44:10 +0300 +Subject: net: pcs: xpcs: fix C73 AN not getting enabled + +From: Vladimir Oltean + +[ Upstream commit c46e78ba9a7a09da4f192dc8df15c4e8a07fb9e0 ] + +The XPCS expects clause 73 (copper backplane) autoneg to follow the +ethtool autoneg bit. It actually did that until the blamed +commit inaptly replaced state->an_enabled (coming from ethtool) with +phylink_autoneg_inband() (coming from the device tree or struct +phylink_config), as part of an unrelated phylink_pcs API conversion. + +Russell King suggests that state->an_enabled from the original code was +just a proxy for the ethtool Autoneg bit, and that the correct way of +restoring the functionality is to check for this bit in the advertising +mask. + +Fixes: 11059740e616 ("net: pcs: xpcs: convert to phylink_pcs_ops") +Link: https://lore.kernel.org/netdev/ZGNt2MFeRolKGFck@shell.armlinux.org.uk/ +Suggested-by: Russell King (Oracle) +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/pcs/pcs-xpcs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/pcs/pcs-xpcs.c b/drivers/net/pcs/pcs-xpcs.c +index dd88624593c71..3f882bce37f42 100644 +--- a/drivers/net/pcs/pcs-xpcs.c ++++ b/drivers/net/pcs/pcs-xpcs.c +@@ -881,7 +881,7 @@ int xpcs_do_config(struct dw_xpcs *xpcs, phy_interface_t interface, + + switch (compat->an_mode) { + case DW_AN_C73: +- if (phylink_autoneg_inband(mode)) { ++ if (test_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, advertising)) { + ret = xpcs_config_aneg_c73(xpcs, compat); + if (ret) + return ret; +-- +2.39.2 + diff --git a/queue-6.1/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch b/queue-6.1/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch new file mode 100644 index 00000000000..13c9a1fa57a --- /dev/null +++ b/queue-6.1/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch @@ -0,0 +1,77 @@ +From 8649533f050e1d272f171bc0dcf76f6748ece389 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 18:21:39 +0530 +Subject: net: phy: dp83867: add w/a for packet errors seen with short cables + +From: Grygorii Strashko + +[ Upstream commit 0b01db274028f5acd207332686ffc92ac77491ac ] + +Introduce the W/A for packet errors seen with short cables (<1m) between +two DP83867 PHYs. + +The W/A recommended by DM requires FFE Equalizer Configuration tuning by +writing value 0x0E81 to DSP_FFE_CFG register (0x012C), surrounded by hard +and soft resets as follows: + +write_reg(0x001F, 0x8000); //hard reset +write_reg(DSP_FFE_CFG, 0x0E81); +write_reg(0x001F, 0x4000); //soft reset + +Since DP83867 PHY DM says "Changing this register to 0x0E81, will not +affect Long Cable performance.", enable the W/A by default. + +Fixes: 2a10154abcb7 ("net: phy: dp83867: Add TI dp83867 phy") +Signed-off-by: Grygorii Strashko +Signed-off-by: Siddharth Vadapalli +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83867.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c +index 7446d5c6c7146..14990f8462ae3 100644 +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -42,6 +42,7 @@ + #define DP83867_STRAP_STS1 0x006E + #define DP83867_STRAP_STS2 0x006f + #define DP83867_RGMIIDCTL 0x0086 ++#define DP83867_DSP_FFE_CFG 0x012c + #define DP83867_RXFCFG 0x0134 + #define DP83867_RXFPMD1 0x0136 + #define DP83867_RXFPMD2 0x0137 +@@ -910,8 +911,27 @@ static int dp83867_phy_reset(struct phy_device *phydev) + + usleep_range(10, 20); + +- return phy_modify(phydev, MII_DP83867_PHYCTRL, ++ err = phy_modify(phydev, MII_DP83867_PHYCTRL, + DP83867_PHYCR_FORCE_LINK_GOOD, 0); ++ if (err < 0) ++ return err; ++ ++ /* Configure the DSP Feedforward Equalizer Configuration register to ++ * improve short cable (< 1 meter) performance. This will not affect ++ * long cable performance. ++ */ ++ err = phy_write_mmd(phydev, DP83867_DEVADDR, DP83867_DSP_FFE_CFG, ++ 0x0e81); ++ if (err < 0) ++ return err; ++ ++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART); ++ if (err < 0) ++ return err; ++ ++ usleep_range(10, 20); ++ ++ return 0; + } + + static void dp83867_link_change_notify(struct phy_device *phydev) +-- +2.39.2 + diff --git a/queue-6.1/net-selftests-fix-optstring.patch b/queue-6.1/net-selftests-fix-optstring.patch new file mode 100644 index 00000000000..02bdcd0f4e7 --- /dev/null +++ b/queue-6.1/net-selftests-fix-optstring.patch @@ -0,0 +1,41 @@ +From 9172b293c26055df2c8693ce36334497ab4ad807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 14:49:24 -0400 +Subject: net: selftests: Fix optstring + +From: Benjamin Poirier + +[ Upstream commit 9ba9485b87ac97fd159abdb4cbd53099bc9f01c6 ] + +The cited commit added a stray colon to the 'v' option. That makes the +option work incorrectly. + +ex: +tools/testing/selftests/net# ./fib_nexthops.sh -v +(should enable verbose mode, instead it shows help text due to missing arg) + +Fixes: 5feba4727395 ("selftests: fib_nexthops: Make ping timeout configurable") +Reviewed-by: Ido Schimmel +Signed-off-by: Benjamin Poirier +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib_nexthops.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/fib_nexthops.sh b/tools/testing/selftests/net/fib_nexthops.sh +index a47b26ab48f23..0f5e88c8f4ffe 100755 +--- a/tools/testing/selftests/net/fib_nexthops.sh ++++ b/tools/testing/selftests/net/fib_nexthops.sh +@@ -2283,7 +2283,7 @@ EOF + ################################################################################ + # main + +-while getopts :t:pP46hv:w: o ++while getopts :t:pP46hvw: o + do + case $o in + t) TESTS=$OPTARG;; +-- +2.39.2 + diff --git a/queue-6.1/net-tun-rebuild-error-handling-in-tun_get_user.patch b/queue-6.1/net-tun-rebuild-error-handling-in-tun_get_user.patch new file mode 100644 index 00000000000..81cb70d37bd --- /dev/null +++ b/queue-6.1/net-tun-rebuild-error-handling-in-tun_get_user.patch @@ -0,0 +1,147 @@ +From e4871b1aa22c4a77b63a8cbef593964ff8b530de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 15:31:25 +0800 +Subject: net: tun: rebuild error handling in tun_get_user + +From: Chuang Wang + +[ Upstream commit ab00af85d2f886a8e4ace1342d9cc2b232eab6a8 ] + +The error handling in tun_get_user is very scattered. +This patch unifies error handling, reduces duplication of code, and +makes the logic clearer. + +Signed-off-by: Chuang Wang +Signed-off-by: David S. Miller +Stable-dep-of: 82b2bc279467 ("tun: Fix memory leak for detached NAPI queue.") +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 65 +++++++++++++++++++++-------------------------- + 1 file changed, 29 insertions(+), 36 deletions(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 91d198aff2f9a..65706824eb828 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1748,7 +1748,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + u32 rxhash = 0; + int skb_xdp = 1; + bool frags = tun_napi_frags_enabled(tfile); +- enum skb_drop_reason drop_reason; ++ enum skb_drop_reason drop_reason = SKB_DROP_REASON_NOT_SPECIFIED; + + if (!(tun->flags & IFF_NO_PI)) { + if (len < sizeof(pi)) +@@ -1809,10 +1809,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + * skb was created with generic XDP routine. + */ + skb = tun_build_skb(tun, tfile, from, &gso, len, &skb_xdp); +- if (IS_ERR(skb)) { +- dev_core_stats_rx_dropped_inc(tun->dev); +- return PTR_ERR(skb); +- } ++ err = PTR_ERR_OR_ZERO(skb); ++ if (err) ++ goto drop; + if (!skb) + return total_len; + } else { +@@ -1837,13 +1836,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + noblock); + } + +- if (IS_ERR(skb)) { +- if (PTR_ERR(skb) != -EAGAIN) +- dev_core_stats_rx_dropped_inc(tun->dev); +- if (frags) +- mutex_unlock(&tfile->napi_mutex); +- return PTR_ERR(skb); +- } ++ err = PTR_ERR_OR_ZERO(skb); ++ if (err) ++ goto drop; + + if (zerocopy) + err = zerocopy_sg_from_iter(skb, from); +@@ -1853,27 +1848,14 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + if (err) { + err = -EFAULT; + drop_reason = SKB_DROP_REASON_SKB_UCOPY_FAULT; +-drop: +- dev_core_stats_rx_dropped_inc(tun->dev); +- kfree_skb_reason(skb, drop_reason); +- if (frags) { +- tfile->napi.skb = NULL; +- mutex_unlock(&tfile->napi_mutex); +- } +- +- return err; ++ goto drop; + } + } + + if (virtio_net_hdr_to_skb(skb, &gso, tun_is_little_endian(tun))) { + atomic_long_inc(&tun->rx_frame_errors); +- kfree_skb(skb); +- if (frags) { +- tfile->napi.skb = NULL; +- mutex_unlock(&tfile->napi_mutex); +- } +- +- return -EINVAL; ++ err = -EINVAL; ++ goto free_skb; + } + + switch (tun->flags & TUN_TYPE_MASK) { +@@ -1889,9 +1871,8 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + pi.proto = htons(ETH_P_IPV6); + break; + default: +- dev_core_stats_rx_dropped_inc(tun->dev); +- kfree_skb(skb); +- return -EINVAL; ++ err = -EINVAL; ++ goto drop; + } + } + +@@ -1933,11 +1914,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + if (ret != XDP_PASS) { + rcu_read_unlock(); + local_bh_enable(); +- if (frags) { +- tfile->napi.skb = NULL; +- mutex_unlock(&tfile->napi_mutex); +- } +- return total_len; ++ goto unlock_frags; + } + } + rcu_read_unlock(); +@@ -2017,6 +1994,22 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + tun_flow_update(tun, rxhash, tfile); + + return total_len; ++ ++drop: ++ if (err != -EAGAIN) ++ dev_core_stats_rx_dropped_inc(tun->dev); ++ ++free_skb: ++ if (!IS_ERR_OR_NULL(skb)) ++ kfree_skb_reason(skb, drop_reason); ++ ++unlock_frags: ++ if (frags) { ++ tfile->napi.skb = NULL; ++ mutex_unlock(&tfile->napi_mutex); ++ } ++ ++ return err ?: total_len; + } + + static ssize_t tun_chr_write_iter(struct kiocb *iocb, struct iov_iter *from) +-- +2.39.2 + diff --git a/queue-6.1/net-wwan-iosm-fix-null-pointer-dereference-when-remo.patch b/queue-6.1/net-wwan-iosm-fix-null-pointer-dereference-when-remo.patch new file mode 100644 index 00000000000..20daa1e5c21 --- /dev/null +++ b/queue-6.1/net-wwan-iosm-fix-null-pointer-dereference-when-remo.patch @@ -0,0 +1,154 @@ +From 8eba731456e3baa3001e651a95333434cdc0f732 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 21:09:46 +0530 +Subject: net: wwan: iosm: fix NULL pointer dereference when removing device + +From: M Chetan Kumar + +[ Upstream commit 60829145f1e2650b31ebe6a0ec70a9725b38fa2c ] + +In suspend and resume cycle, the removal and rescan of device ends +up in NULL pointer dereference. + +During driver initialization, if the ipc_imem_wwan_channel_init() +fails to get the valid device capabilities it returns an error and +further no resource (wwan struct) will be allocated. Now in this +situation if driver removal procedure is initiated it would result +in NULL pointer exception since unallocated wwan struct is dereferenced +inside ipc_wwan_deinit(). + +ipc_imem_run_state_worker() to handle the called functions return value +and to release the resource in failure case. It also reports the link +down event in failure cases. The user space application can handle this +event to do a device reset for restoring the device communication. + +Fixes: 3670970dd8c6 ("net: iosm: shared memory IPC interface") +Reported-by: Samuel Wein PhD +Closes: https://lore.kernel.org/netdev/20230427140819.1310f4bd@kernel.org/T/ +Signed-off-by: M Chetan Kumar +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_imem.c | 27 ++++++++++++++++++----- + drivers/net/wwan/iosm/iosm_ipc_imem_ops.c | 12 ++++++---- + drivers/net/wwan/iosm/iosm_ipc_imem_ops.h | 6 +++-- + 3 files changed, 33 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem.c b/drivers/net/wwan/iosm/iosm_ipc_imem.c +index 1e6a479766429..8ccd4d26b9060 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_imem.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_imem.c +@@ -565,24 +565,32 @@ static void ipc_imem_run_state_worker(struct work_struct *instance) + struct ipc_mux_config mux_cfg; + struct iosm_imem *ipc_imem; + u8 ctrl_chl_idx = 0; ++ int ret; + + ipc_imem = container_of(instance, struct iosm_imem, run_state_worker); + + if (ipc_imem->phase != IPC_P_RUN) { + dev_err(ipc_imem->dev, + "Modem link down. Exit run state worker."); +- return; ++ goto err_out; + } + + if (test_and_clear_bit(IOSM_DEVLINK_INIT, &ipc_imem->flag)) + ipc_devlink_deinit(ipc_imem->ipc_devlink); + +- if (!ipc_imem_setup_cp_mux_cap_init(ipc_imem, &mux_cfg)) +- ipc_imem->mux = ipc_mux_init(&mux_cfg, ipc_imem); ++ ret = ipc_imem_setup_cp_mux_cap_init(ipc_imem, &mux_cfg); ++ if (ret < 0) ++ goto err_out; ++ ++ ipc_imem->mux = ipc_mux_init(&mux_cfg, ipc_imem); ++ if (!ipc_imem->mux) ++ goto err_out; ++ ++ ret = ipc_imem_wwan_channel_init(ipc_imem, mux_cfg.protocol); ++ if (ret < 0) ++ goto err_ipc_mux_deinit; + +- ipc_imem_wwan_channel_init(ipc_imem, mux_cfg.protocol); +- if (ipc_imem->mux) +- ipc_imem->mux->wwan = ipc_imem->wwan; ++ ipc_imem->mux->wwan = ipc_imem->wwan; + + while (ctrl_chl_idx < IPC_MEM_MAX_CHANNELS) { + if (!ipc_chnl_cfg_get(&chnl_cfg_port, ctrl_chl_idx)) { +@@ -615,6 +623,13 @@ static void ipc_imem_run_state_worker(struct work_struct *instance) + + /* Complete all memory stores after setting bit */ + smp_mb__after_atomic(); ++ ++ return; ++ ++err_ipc_mux_deinit: ++ ipc_mux_deinit(ipc_imem->mux); ++err_out: ++ ipc_uevent_send(ipc_imem->dev, UEVENT_CD_READY_LINK_DOWN); + } + + static void ipc_imem_handle_irq(struct iosm_imem *ipc_imem, int irq) +diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c +index 66b90cc4c3460..109cf89304888 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c +@@ -77,8 +77,8 @@ int ipc_imem_sys_wwan_transmit(struct iosm_imem *ipc_imem, + } + + /* Initialize wwan channel */ +-void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, +- enum ipc_mux_protocol mux_type) ++int ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, ++ enum ipc_mux_protocol mux_type) + { + struct ipc_chnl_cfg chnl_cfg = { 0 }; + +@@ -87,7 +87,7 @@ void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, + /* If modem version is invalid (0xffffffff), do not initialize WWAN. */ + if (ipc_imem->cp_version == -1) { + dev_err(ipc_imem->dev, "invalid CP version"); +- return; ++ return -EIO; + } + + ipc_chnl_cfg_get(&chnl_cfg, ipc_imem->nr_of_channels); +@@ -104,9 +104,13 @@ void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, + + /* WWAN registration. */ + ipc_imem->wwan = ipc_wwan_init(ipc_imem, ipc_imem->dev); +- if (!ipc_imem->wwan) ++ if (!ipc_imem->wwan) { + dev_err(ipc_imem->dev, + "failed to register the ipc_wwan interfaces"); ++ return -ENOMEM; ++ } ++ ++ return 0; + } + + /* Map SKB to DMA for transfer */ +diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h +index f8afb217d9e2f..026c5bd0f9992 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h ++++ b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h +@@ -91,9 +91,11 @@ int ipc_imem_sys_wwan_transmit(struct iosm_imem *ipc_imem, int if_id, + * MUX. + * @ipc_imem: Pointer to iosm_imem struct. + * @mux_type: Type of mux protocol. ++ * ++ * Return: 0 on success and failure value on error + */ +-void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, +- enum ipc_mux_protocol mux_type); ++int ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, ++ enum ipc_mux_protocol mux_type); + + /** + * ipc_imem_sys_devlink_open - Open a Flash/CD Channel link to CP +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-fix-nft_trans-type-confusion.patch b/queue-6.1/netfilter-nf_tables-fix-nft_trans-type-confusion.patch new file mode 100644 index 00000000000..869d3d15131 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-fix-nft_trans-type-confusion.patch @@ -0,0 +1,43 @@ +From 8513422591ec102ba5e342578669176313472947 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 14:15:15 +0200 +Subject: netfilter: nf_tables: fix nft_trans type confusion + +From: Florian Westphal + +[ Upstream commit e3c361b8acd636f5fe80c02849ca175201edf10c ] + +nft_trans_FOO objects all share a common nft_trans base structure, but +trailing fields depend on the real object size. Access is only safe after +trans->msg_type check. + +Check for rule type first. Found by code inspection. + +Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index f663262df6987..31775d54f4b40 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3692,12 +3692,10 @@ static struct nft_rule *nft_rule_lookup_byid(const struct net *net, + struct nft_trans *trans; + + list_for_each_entry(trans, &nft_net->commit_list, list) { +- struct nft_rule *rule = nft_trans_rule(trans); +- + if (trans->msg_type == NFT_MSG_NEWRULE && + trans->ctx.chain == chain && + id == nft_trans_rule_id(trans)) +- return rule; ++ return nft_trans_rule(trans); + } + return ERR_PTR(-ENOENT); + } +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch b/queue-6.1/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch new file mode 100644 index 00000000000..08cefd2e696 --- /dev/null +++ b/queue-6.1/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch @@ -0,0 +1,88 @@ +From 6bd90060d25698663978d16c5d4456d7989e3e99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 22:39:30 +0200 +Subject: netfilter: nft_set_rbtree: fix null deref on element insertion + +From: Florian Westphal + +[ Upstream commit 61ae320a29b0540c16931816299eb86bf2b66c08 ] + +There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem(): + +general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + nft_add_set_elem+0x14b0/0x2990 + nf_tables_newsetelem+0x528/0xb30 + +Furthermore, there is a possible use-after-free while iterating, +'node' can be free'd so we need to cache the next value to use. + +Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_rbtree.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 19ea4d3c35535..2f114aa10f1a7 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -221,7 +221,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set, + { + struct nft_set *set = (struct nft_set *)__set; + struct rb_node *prev = rb_prev(&rbe->node); +- struct nft_rbtree_elem *rbe_prev; ++ struct nft_rbtree_elem *rbe_prev = NULL; + struct nft_set_gc_batch *gcb; + + gcb = nft_set_gc_batch_check(set, NULL, GFP_ATOMIC); +@@ -229,17 +229,21 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set, + return -ENOMEM; + + /* search for expired end interval coming before this element. */ +- do { ++ while (prev) { + rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node); + if (nft_rbtree_interval_end(rbe_prev)) + break; + + prev = rb_prev(prev); +- } while (prev != NULL); ++ } ++ ++ if (rbe_prev) { ++ rb_erase(&rbe_prev->node, &priv->root); ++ atomic_dec(&set->nelems); ++ } + +- rb_erase(&rbe_prev->node, &priv->root); + rb_erase(&rbe->node, &priv->root); +- atomic_sub(2, &set->nelems); ++ atomic_dec(&set->nelems); + + nft_set_gc_batch_add(gcb, rbe); + nft_set_gc_batch_complete(gcb); +@@ -268,7 +272,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, + struct nft_set_ext **ext) + { + struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL; +- struct rb_node *node, *parent, **p, *first = NULL; ++ struct rb_node *node, *next, *parent, **p, *first = NULL; + struct nft_rbtree *priv = nft_set_priv(set); + u8 genmask = nft_genmask_next(net); + int d, err; +@@ -307,7 +311,9 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, + * Values stored in the tree are in reversed order, starting from + * highest to lowest value. + */ +- for (node = first; node != NULL; node = rb_next(node)) { ++ for (node = first; node != NULL; node = next) { ++ next = rb_next(node); ++ + rbe = rb_entry(node, struct nft_rbtree_elem, node); + + if (!nft_set_elem_active(&rbe->ext, genmask)) +-- +2.39.2 + diff --git a/queue-6.1/platform-provide-a-remove-callback-that-returns-no-v.patch b/queue-6.1/platform-provide-a-remove-callback-that-returns-no-v.patch new file mode 100644 index 00000000000..84319661c4e --- /dev/null +++ b/queue-6.1/platform-provide-a-remove-callback-that-returns-no-v.patch @@ -0,0 +1,86 @@ +From dcd137a257beffcdffe45bd40a68393820fe261c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 16:09:14 +0100 +Subject: platform: Provide a remove callback that returns no value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 5c5a7680e67ba6fbbb5f4d79fa41485450c1985c ] + +struct platform_driver::remove returning an integer made driver authors +expect that returning an error code was proper error handling. However +the driver core ignores the error and continues to remove the device +because there is nothing the core could do anyhow and reentering the +remove callback again is only calling for trouble. + +So this is an source for errors typically yielding resource leaks in the +error path. + +As there are too many platform drivers to neatly convert them all to +return void in a single go, do it in several steps after this patch: + + a) Convert all drivers to implement .remove_new() returning void instead + of .remove() returning int; + b) Change struct platform_driver::remove() to return void and so make + it identical to .remove_new(); + c) Change all drivers back to .remove() now with the better prototype; + d) drop struct platform_driver::remove_new(). + +While this touches all drivers eventually twice, steps a) and c) can be +done one driver after another and so reduces coordination efforts +immensely and simplifies review. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20221209150914.3557650-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 17955aba7877 ("ASoC: fsl_micfil: Fix error handler with pm_runtime_enable") +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 4 +++- + include/linux/platform_device.h | 11 +++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index 51bb2289865c7..3a06c214ca1c6 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -1416,7 +1416,9 @@ static void platform_remove(struct device *_dev) + struct platform_driver *drv = to_platform_driver(_dev->driver); + struct platform_device *dev = to_platform_device(_dev); + +- if (drv->remove) { ++ if (drv->remove_new) { ++ drv->remove_new(dev); ++ } else if (drv->remove) { + int ret = drv->remove(dev); + + if (ret) +diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h +index b0d5a253156ec..b845fd83f429b 100644 +--- a/include/linux/platform_device.h ++++ b/include/linux/platform_device.h +@@ -207,7 +207,18 @@ extern void platform_device_put(struct platform_device *pdev); + + struct platform_driver { + int (*probe)(struct platform_device *); ++ ++ /* ++ * Traditionally the remove callback returned an int which however is ++ * ignored by the driver core. This led to wrong expectations by driver ++ * authors who thought returning an error code was a valid error ++ * handling strategy. To convert to a callback returning void, new ++ * drivers should implement .remove_new() until the conversion it done ++ * that eventually makes .remove() return void. ++ */ + int (*remove)(struct platform_device *); ++ void (*remove_new)(struct platform_device *); ++ + void (*shutdown)(struct platform_device *); + int (*suspend)(struct platform_device *, pm_message_t state); + int (*resume)(struct platform_device *); +-- +2.39.2 + diff --git a/queue-6.1/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch b/queue-6.1/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch new file mode 100644 index 00000000000..71839e77846 --- /dev/null +++ b/queue-6.1/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch @@ -0,0 +1,125 @@ +From 1b45b843365f885e0a1f95e87c6cc6f5abf11430 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 09:46:18 +0200 +Subject: Revert "Fix XFRM-I support for nested ESP tunnels" + +From: Martin Willi + +[ Upstream commit 5fc46f94219d1d103ffb5f0832be9da674d85a73 ] + +This reverts commit b0355dbbf13c0052931dd14c38c789efed64d3de. + +The reverted commit clears the secpath on packets received via xfrm interfaces +to support nested IPsec tunnels. This breaks Netfilter policy matching using +xt_policy in the FORWARD chain, as the secpath is missing during forwarding. +Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode. + +Fix this regression by reverting the commit until we have a better approach +for nested IPsec tunnels. + +Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels") +Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/ +Signed-off-by: Martin Willi +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_interface.c | 54 +++------------------------------------ + net/xfrm/xfrm_policy.c | 3 --- + 2 files changed, 4 insertions(+), 53 deletions(-) + +diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c +index 94a3609548b11..5a67b120c4dbd 100644 +--- a/net/xfrm/xfrm_interface.c ++++ b/net/xfrm/xfrm_interface.c +@@ -310,52 +310,6 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet) + skb->mark = 0; + } + +-static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi, +- int encap_type, unsigned short family) +-{ +- struct sec_path *sp; +- +- sp = skb_sec_path(skb); +- if (sp && (sp->len || sp->olen) && +- !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family)) +- goto discard; +- +- XFRM_SPI_SKB_CB(skb)->family = family; +- if (family == AF_INET) { +- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); +- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; +- } else { +- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr); +- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL; +- } +- +- return xfrm_input(skb, nexthdr, spi, encap_type); +-discard: +- kfree_skb(skb); +- return 0; +-} +- +-static int xfrmi4_rcv(struct sk_buff *skb) +-{ +- return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET); +-} +- +-static int xfrmi6_rcv(struct sk_buff *skb) +-{ +- return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff], +- 0, 0, AF_INET6); +-} +- +-static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) +-{ +- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET); +-} +- +-static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) +-{ +- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6); +-} +- + static int xfrmi_rcv_cb(struct sk_buff *skb, int err) + { + const struct xfrm_mode *inner_mode; +@@ -983,8 +937,8 @@ static struct pernet_operations xfrmi_net_ops = { + }; + + static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = { +- .handler = xfrmi6_rcv, +- .input_handler = xfrmi6_input, ++ .handler = xfrm6_rcv, ++ .input_handler = xfrm_input, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi6_err, + .priority = 10, +@@ -1034,8 +988,8 @@ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = { + #endif + + static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = { +- .handler = xfrmi4_rcv, +- .input_handler = xfrmi4_input, ++ .handler = xfrm4_rcv, ++ .input_handler = xfrm_input, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi4_err, + .priority = 10, +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index bea48a73a7313..bc04cb83215f9 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3664,9 +3664,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + goto reject; + } + +- if (if_id) +- secpath_reset(skb); +- + xfrm_pols_put(pols, npols); + return 1; + } +-- +2.39.2 + diff --git a/queue-6.1/s390-cio-include-subchannels-without-devices-also-fo.patch b/queue-6.1/s390-cio-include-subchannels-without-devices-also-fo.patch new file mode 100644 index 00000000000..f39375d3dcc --- /dev/null +++ b/queue-6.1/s390-cio-include-subchannels-without-devices-also-fo.patch @@ -0,0 +1,44 @@ +From e8cf3dad8e8176bbbd4fcdaae4007142b706bd58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 May 2023 11:12:42 +0200 +Subject: s390/cio: include subchannels without devices also for evaluation + +From: Vineeth Vijayan + +[ Upstream commit b1b0d5aec1cf9f9a900a14964f869c68688d923e ] + +Currently when the new channel-path is enabled, we do evaluation only +on the subchannels with a device connected on it. This is because, +in the past, if the device in the subchannel is not working or not +available, we used to unregister the subchannels. But, from the 'commit +2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")' +we allow subchannels with or without an active device connected +on it. So, when we do the io_subchannel_verify, make sure that, +we are evaluating the subchannels without any device too. + +Fixes: 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers") +Reported-by: Boris Fiuczynski +Signed-off-by: Vineeth Vijayan +Reviewed-by: Peter Oberparleiter +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/device.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c +index 3b1cd0c96a74b..ba4c69226c337 100644 +--- a/drivers/s390/cio/device.c ++++ b/drivers/s390/cio/device.c +@@ -1102,6 +1102,8 @@ static void io_subchannel_verify(struct subchannel *sch) + cdev = sch_get_cdev(sch); + if (cdev) + dev_fsm_event(cdev, DEV_EVENT_VERIFY); ++ else ++ css_schedule_eval(sch->schid); + } + + static void io_subchannel_terminate_path(struct subchannel *sch, u8 mask) +-- +2.39.2 + diff --git a/queue-6.1/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch b/queue-6.1/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch new file mode 100644 index 00000000000..bf3e2b702f5 --- /dev/null +++ b/queue-6.1/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch @@ -0,0 +1,65 @@ +From 66c17b18edb7213498699afd13a896105aff35c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 10:20:41 -0700 +Subject: scsi: storvsc: Don't pass unused PFNs to Hyper-V host + +From: Michael Kelley + +[ Upstream commit 4e81a6cba517cb33584308a331f14f5e3fec369b ] + +In a SCSI request, storvsc pre-allocates space for up to +MAX_PAGE_BUFFER_COUNT physical frame numbers to be passed to Hyper-V. If +the size of the I/O request requires more PFNs, a separate memory area of +exactly the correct size is dynamically allocated. + +But when the pre-allocated area is used, current code always passes +MAX_PAGE_BUFFER_COUNT PFNs to Hyper-V, even if fewer are needed. While +this doesn't break anything because the additional PFNs are always zero, +more bytes than necessary are copied into the VMBus channel ring buffer. +This takes CPU cycles and wastes space in the ring buffer. For a typical 4 +Kbyte I/O that requires only a single PFN, 248 unnecessary bytes are +copied. + +Fix this by setting the payload_sz based on the actual number of PFNs +required, not the size of the pre-allocated space. + +Reported-by: John Starks +Fixes: 8f43710543ef ("scsi: storvsc: Support PAGE_SIZE larger than 4K") +Signed-off-by: Michael Kelley +Link: https://lore.kernel.org/r/1684171241-16209-1-git-send-email-mikelley@microsoft.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/storvsc_drv.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index a0665bca54b99..5284f9a0b826e 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1780,7 +1780,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd) + + length = scsi_bufflen(scmnd); + payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb; +- payload_sz = sizeof(cmd_request->mpb); ++ payload_sz = 0; + + if (scsi_sg_count(scmnd)) { + unsigned long offset_in_hvpg = offset_in_hvpage(sgl->offset); +@@ -1789,10 +1789,10 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd) + unsigned long hvpfn, hvpfns_to_add; + int j, i = 0, sg_count; + +- if (hvpg_count > MAX_PAGE_BUFFER_COUNT) { ++ payload_sz = (hvpg_count * sizeof(u64) + ++ sizeof(struct vmbus_packet_mpb_array)); + +- payload_sz = (hvpg_count * sizeof(u64) + +- sizeof(struct vmbus_packet_mpb_array)); ++ if (hvpg_count > MAX_PAGE_BUFFER_COUNT) { + payload = kzalloc(payload_sz, GFP_ATOMIC); + if (!payload) + return SCSI_MLQUEUE_DEVICE_BUSY; +-- +2.39.2 + diff --git a/queue-6.1/selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch b/queue-6.1/selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch new file mode 100644 index 00000000000..2910162ca05 --- /dev/null +++ b/queue-6.1/selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch @@ -0,0 +1,56 @@ +From 0f2a089c4a734162475dbb02de35933c8fd50db8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 13:16:37 +0200 +Subject: selftests: seg6: disable DAD on IPv6 router cfg for + srv6_end_dt4_l3vpn_test + +From: Andrea Mayer + +[ Upstream commit 21a933c79a33add3612808f3be4ad65dd4dc026b ] + +The srv6_end_dt4_l3vpn_test instantiates a virtual network consisting of +several routers (rt-1, rt-2) and hosts. +When the IPv6 addresses of rt-{1,2} routers are configured, the Deduplicate +Address Detection (DAD) kicks in when enabled in the Linux distros running +the selftests. DAD is used to check whether an IPv6 address is already +assigned in a network. Such a mechanism consists of sending an ICMPv6 Echo +Request and waiting for a reply. +As the DAD process could take too long to complete, it may cause the +failing of some tests carried out by the srv6_end_dt4_l3vpn_test script. + +To make the srv6_end_dt4_l3vpn_test more robust, we disable DAD on routers +since we configure the virtual network manually and do not need any address +deduplication mechanism at all. + +Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior") +Signed-off-by: Andrea Mayer +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh +index 1003119773e5d..37f08d582d2fe 100755 +--- a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh ++++ b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh +@@ -232,10 +232,14 @@ setup_rt_networking() + local nsname=rt-${rt} + + ip netns add ${nsname} ++ ++ ip netns exec ${nsname} sysctl -wq net.ipv6.conf.all.accept_dad=0 ++ ip netns exec ${nsname} sysctl -wq net.ipv6.conf.default.accept_dad=0 ++ + ip link set veth-rt-${rt} netns ${nsname} + ip -netns ${nsname} link set veth-rt-${rt} name veth0 + +- ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0 ++ ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0 nodad + ip -netns ${nsname} link set veth0 up + ip -netns ${nsname} link set lo up + +-- +2.39.2 + diff --git a/queue-6.1/selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch b/queue-6.1/selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch new file mode 100644 index 00000000000..148e368498e --- /dev/null +++ b/queue-6.1/selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch @@ -0,0 +1,63 @@ +From 72a6f7778f7a6fd5aa90cf545e901689863cf5f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 13:16:38 +0200 +Subject: selftets: seg6: disable rp_filter by default in + srv6_end_dt4_l3vpn_test + +From: Andrea Mayer + +[ Upstream commit f97b8401e0deb46ad1e4245c21f651f64f55aaa6 ] + +On some distributions, the rp_filter is automatically set (=1) by +default on a netdev basis (also on VRFs). +In an SRv6 End.DT4 behavior, decapsulated IPv4 packets are routed using +the table associated with the VRF bound to that tunnel. During lookup +operations, the rp_filter can lead to packet loss when activated on the +VRF. +Therefore, we chose to make this selftest more robust by explicitly +disabling the rp_filter during tests (as it is automatically set by some +Linux distributions). + +Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior") +Reported-by: Hangbin Liu +Signed-off-by: Andrea Mayer +Tested-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/srv6_end_dt4_l3vpn_test.sh | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh +index 37f08d582d2fe..f962823628119 100755 +--- a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh ++++ b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh +@@ -258,6 +258,12 @@ setup_hs() + + # set the networking for the host + ip netns add ${hsname} ++ ++ # disable the rp_filter otherwise the kernel gets confused about how ++ # to route decap ipv4 packets. ++ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.all.rp_filter=0 ++ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.default.rp_filter=0 ++ + ip -netns ${hsname} link add veth0 type veth peer name ${rtveth} + ip -netns ${hsname} link set ${rtveth} netns ${rtname} + ip -netns ${hsname} addr add ${IPv4_HS_NETWORK}.${hs}/24 dev veth0 +@@ -276,11 +282,6 @@ setup_hs() + + ip netns exec ${rtname} sysctl -wq net.ipv4.conf.${rtveth}.proxy_arp=1 + +- # disable the rp_filter otherwise the kernel gets confused about how +- # to route decap ipv4 packets. +- ip netns exec ${rtname} sysctl -wq net.ipv4.conf.all.rp_filter=0 +- ip netns exec ${rtname} sysctl -wq net.ipv4.conf.${rtveth}.rp_filter=0 +- + ip netns exec ${rtname} sh -c "echo 1 > /proc/sys/net/vrf/strict_mode" + } + +-- +2.39.2 + diff --git a/queue-6.1/serial-8250_bcm7271-balance-clk_enable-calls.patch b/queue-6.1/serial-8250_bcm7271-balance-clk_enable-calls.patch new file mode 100644 index 00000000000..7f18998f7de --- /dev/null +++ b/queue-6.1/serial-8250_bcm7271-balance-clk_enable-calls.patch @@ -0,0 +1,58 @@ +From f364e02966e254b8bd8605860488af813dafa92f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 11:19:15 -0700 +Subject: serial: 8250_bcm7271: balance clk_enable calls + +From: Doug Berger + +[ Upstream commit 8a3b5477256a54ae4a470dcebbcf8cdc18e4696d ] + +The sw_baud clock must be disabled when the device driver is not +connected to the device. This now occurs when probe fails and +upon remove. + +Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver") +Reported-by: XuDong Liu +Link: https://lore.kernel.org/lkml/20230424125100.4783-1-m202071377@hust.edu.cn/ +Signed-off-by: Doug Berger +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230427181916.2983697-2-opendmb@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_bcm7271.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c +index 36e31b96ef4a5..1f0095cf57a7e 100644 +--- a/drivers/tty/serial/8250/8250_bcm7271.c ++++ b/drivers/tty/serial/8250/8250_bcm7271.c +@@ -1034,7 +1034,7 @@ static int brcmuart_probe(struct platform_device *pdev) + if (clk_rate == 0) { + dev_err(dev, "clock-frequency or clk not defined\n"); + ret = -EINVAL; +- goto release_dma; ++ goto err_clk_disable; + } + + dev_dbg(dev, "DMA is %senabled\n", priv->dma_enabled ? "" : "not "); +@@ -1121,6 +1121,8 @@ static int brcmuart_probe(struct platform_device *pdev) + serial8250_unregister_port(priv->line); + err: + brcmuart_free_bufs(dev, priv); ++err_clk_disable: ++ clk_disable_unprepare(baud_mux_clk); + release_dma: + if (priv->dma_enabled) + brcmuart_arbitration(priv, 0); +@@ -1135,6 +1137,7 @@ static int brcmuart_remove(struct platform_device *pdev) + hrtimer_cancel(&priv->hrt); + serial8250_unregister_port(priv->line); + brcmuart_free_bufs(&pdev->dev, priv); ++ clk_disable_unprepare(priv->baud_mux_clk); + if (priv->dma_enabled) + brcmuart_arbitration(priv, 0); + return 0; +-- +2.39.2 + diff --git a/queue-6.1/serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch b/queue-6.1/serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch new file mode 100644 index 00000000000..231d8bd3179 --- /dev/null +++ b/queue-6.1/serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch @@ -0,0 +1,43 @@ +From 40e8b7e1174091416ff6c8a7ddbd626d01b39fb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 11:19:16 -0700 +Subject: serial: 8250_bcm7271: fix leak in `brcmuart_probe` + +From: Doug Berger + +[ Upstream commit f264f2f6f4788dc031cef60a0cf2881902736709 ] + +Smatch reports: +drivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn: +'baud_mux_clk' from clk_prepare_enable() not released on lines: 1032. + +The issue is fixed by using a managed clock. + +Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver") +Reported-by: XuDong Liu +Link: https://lore.kernel.org/lkml/20230424125100.4783-1-m202071377@hust.edu.cn/ +Signed-off-by: Doug Berger +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230427181916.2983697-3-opendmb@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_bcm7271.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c +index 1f0095cf57a7e..ffc7f67e27e35 100644 +--- a/drivers/tty/serial/8250/8250_bcm7271.c ++++ b/drivers/tty/serial/8250/8250_bcm7271.c +@@ -1014,7 +1014,7 @@ static int brcmuart_probe(struct platform_device *pdev) + of_property_read_u32(np, "clock-frequency", &clk_rate); + + /* See if a Baud clock has been specified */ +- baud_mux_clk = of_clk_get_by_name(np, "sw_baud"); ++ baud_mux_clk = devm_clk_get(dev, "sw_baud"); + if (IS_ERR(baud_mux_clk)) { + if (PTR_ERR(baud_mux_clk) == -EPROBE_DEFER) { + ret = -EPROBE_DEFER; +-- +2.39.2 + diff --git a/queue-6.1/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch b/queue-6.1/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch new file mode 100644 index 00000000000..008d4e1468a --- /dev/null +++ b/queue-6.1/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch @@ -0,0 +1,51 @@ +From 0237fbc56189c178be4e315e6d8c5b8d8e5b8205 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Apr 2023 11:16:36 +0800 +Subject: serial: arc_uart: fix of_iomap leak in `arc_serial_probe` + +From: Ke Zhang + +[ Upstream commit 8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd ] + +Smatch reports: + +drivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn: +'port->membase' from of_iomap() not released on lines: 631. + +In arc_serial_probe(), if uart_add_one_port() fails, +port->membase is not released, which would cause a resource leak. + +To fix this, I replace of_iomap with devm_platform_ioremap_resource. + +Fixes: 8dbe1d5e09a7 ("serial/arc: inline the probe helper") +Signed-off-by: Ke Zhang +Reviewed-by: Dongliang Mu +Link: https://lore.kernel.org/r/20230428031636.44642-1-m202171830@hust.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/arc_uart.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c +index 2a65ea2660e10..f3ccc59d8c1f3 100644 +--- a/drivers/tty/serial/arc_uart.c ++++ b/drivers/tty/serial/arc_uart.c +@@ -607,10 +607,11 @@ static int arc_serial_probe(struct platform_device *pdev) + } + uart->baud = val; + +- port->membase = of_iomap(np, 0); +- if (!port->membase) ++ port->membase = devm_platform_ioremap_resource(pdev, 0); ++ if (IS_ERR(port->membase)) { + /* No point of dev_err since UART itself is hosed here */ +- return -ENXIO; ++ return PTR_ERR(port->membase); ++ } + + port->irq = irq_of_parse_and_map(np, 0); + +-- +2.39.2 + diff --git a/queue-6.1/series b/queue-6.1/series index 2520695106c..0c75ca8ca58 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -148,3 +148,78 @@ parisc-replace-regular-spinlock-with-spin_trylock-on.patch platform-x86-move-existing-hp-drivers-to-a-new-hp-su.patch platform-x86-hp-wmi-add-micmute-to-hp_wmi_keymap-str.patch drm-amdgpu-drop-gfx_v11_0_cp_ecc_error_irq_funcs.patch +xfrm-don-t-check-the-default-policy-if-the-policy-al.patch +revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch +drm-msm-dp-unregister-audio-driver-during-unbind.patch +drm-msm-dpu-assign-missing-writeback-log_mask.patch +drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch +drm-msm-dpu-remove-duplicate-register-defines-from-i.patch +dt-bindings-display-msm-dsi-controller-main-document.patch +platform-provide-a-remove-callback-that-returns-no-v.patch +asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch +cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch +xfrm-reject-optional-tunnel-beet-mode-templates-in-o.patch +af_key-reject-optional-tunnel-beet-mode-templates-in.patch +drm-msm-fix-submit-error-path-leaks.patch +selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch +selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch +net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch +net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch +alsa-firewire-digi00x-prevent-potential-use-after-fr.patch +wifi-mt76-connac-fix-stats-tx_bytes-calculation.patch +alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch +sfc-disable-rxfcs-and-rxall-features-by-default.patch +vsock-avoid-to-close-connected-socket-after-the-time.patch +tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch +serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch +serial-8250_bcm7271-balance-clk_enable-calls.patch +serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch +erspan-get-the-proto-with-the-md-version-for-collect.patch +net-dsa-rzn1-a5psw-enable-management-frames-for-cpu-.patch +net-dsa-rzn1-a5psw-fix-stp-states-handling.patch +net-dsa-rzn1-a5psw-disable-learning-for-standalone-p.patch +net-hns3-fix-output-information-incomplete-for-dumpi.patch +net-hns3-fix-sending-pfc-frames-after-reset-issue.patch +net-hns3-fix-reset-delay-time-to-avoid-configuration.patch +net-hns3-fix-reset-timeout-when-enable-full-vf.patch +media-netup_unidvb-fix-use-after-free-at-del_timer.patch +sunrpc-double-free-xprt_ctxt-while-still-in-use.patch +sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch +sunrpc-fix-trace_svc_register-call-site.patch +asoc-mediatek-mt8186-fix-use-after-free-in-driver-re.patch +asoc-sof-topology-fix-logic-for-copying-tuples.patch +drm-exynos-fix-g2d_open-close-helper-function-defini.patch +net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch +virtio-net-maintain-reverse-cleanup-order.patch +virtio_net-fix-error-unwinding-of-xdp-initialization.patch +tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch +tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch +tipc-check-the-bearer-min-mtu-properly-when-setting-.patch +s390-cio-include-subchannels-without-devices-also-fo.patch +can-dev-fix-missing-can-xl-support-in-can_put_echo_s.patch +net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch +net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch +ice-introduce-clear_reset_state-operation.patch +ice-fix-ice-vf-reset-during-iavf-initialization.patch +wifi-cfg80211-drop-entries-with-invalid-bssids-in-rn.patch +wifi-mac80211-fortify-the-spinlock-against-deadlock-.patch +wifi-mac80211-fix-min-center-freq-offset-tracing.patch +wifi-mac80211-abort-running-color-change-when-stoppi.patch +wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch +wifi-iwlwifi-fw-fix-dbgi-dump.patch +wifi-iwlwifi-fix-oem-s-name-in-the-ppag-approved-lis.patch +wifi-iwlwifi-mvm-fix-oem-s-name-in-the-tas-approved-.patch +wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch +scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch +net-tun-rebuild-error-handling-in-tun_get_user.patch +tun-fix-memory-leak-for-detached-napi-queue.patch +cassini-fix-a-memory-leak-in-the-error-handling-path.patch +net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch +igb-fix-bit_shift-to-be-in-1.8-range.patch +vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch +net-wwan-iosm-fix-null-pointer-dereference-when-remo.patch +net-pcs-xpcs-fix-c73-an-not-getting-enabled.patch +net-selftests-fix-optstring.patch +netfilter-nf_tables-fix-nft_trans-type-confusion.patch +netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch +bridge-always-declare-tunnel-functions.patch diff --git a/queue-6.1/sfc-disable-rxfcs-and-rxall-features-by-default.patch b/queue-6.1/sfc-disable-rxfcs-and-rxall-features-by-default.patch new file mode 100644 index 00000000000..a7188411752 --- /dev/null +++ b/queue-6.1/sfc-disable-rxfcs-and-rxall-features-by-default.patch @@ -0,0 +1,43 @@ +From 613928b94b9b5aa4f8869d69b38036d308bcf802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 10:43:33 +0100 +Subject: sfc: disable RXFCS and RXALL features by default + +From: Pieter Jansen van Vuuren + +[ Upstream commit 134120b066044399ef59564ff3ba66ab344cfc5b ] + +By default we would not want RXFCS and RXALL features enabled as they are +mainly intended for debugging purposes. This does not stop users from +enabling them later on as needed. + +Fixes: 8e57daf70671 ("sfc_ef100: RX path for EF100") +Signed-off-by: Pieter Jansen van Vuuren +Co-developed-by: Edward Cree +Signed-off-by: Edward Cree +Reviewed-by: Martin Habets +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef100_netdev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/ef100_netdev.c b/drivers/net/ethernet/sfc/ef100_netdev.c +index ddcc325ed5701..c6b9ba6803c8d 100644 +--- a/drivers/net/ethernet/sfc/ef100_netdev.c ++++ b/drivers/net/ethernet/sfc/ef100_netdev.c +@@ -372,7 +372,9 @@ int ef100_probe_netdev(struct efx_probe_data *probe_data) + efx->net_dev = net_dev; + SET_NETDEV_DEV(net_dev, &efx->pci_dev->dev); + +- net_dev->features |= efx->type->offload_features; ++ /* enable all supported features except rx-fcs and rx-all */ ++ net_dev->features |= efx->type->offload_features & ++ ~(NETIF_F_RXFCS | NETIF_F_RXALL); + net_dev->hw_features |= efx->type->offload_features; + net_dev->hw_enc_features |= efx->type->offload_features; + net_dev->vlan_features |= NETIF_F_HW_CSUM | NETIF_F_SG | +-- +2.39.2 + diff --git a/queue-6.1/sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch b/queue-6.1/sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch new file mode 100644 index 00000000000..d5837f55e3e --- /dev/null +++ b/queue-6.1/sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch @@ -0,0 +1,267 @@ +From cc8da785a3965f55b52346dae919e6489e4eae5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 09:42:47 +1000 +Subject: SUNRPC: always free ctxt when freeing deferred request + +From: NeilBrown + +[ Upstream commit 948f072ada23e0a504c5e4d7d71d4c83bd0785ec ] + +Since the ->xprt_ctxt pointer was added to svc_deferred_req, it has not +been sufficient to use kfree() to free a deferred request. We may need +to free the ctxt as well. + +As freeing the ctxt is all that ->xpo_release_rqst() does, we repurpose +it to explicit do that even when the ctxt is not stored in an rqst. +So we now have ->xpo_release_ctxt() which is given an xprt and a ctxt, +which may have been taken either from an rqst or from a dreq. The +caller is now responsible for clearing that pointer after the call to +->xpo_release_ctxt. + +We also clear dr->xprt_ctxt when the ctxt is moved into a new rqst when +revisiting a deferred request. This ensures there is only one pointer +to the ctxt, so the risk of double freeing in future is reduced. The +new code in svc_xprt_release which releases both the ctxt and any +rq_deferred depends on this. + +Fixes: 773f91b2cf3f ("SUNRPC: Fix NFSD's request deferral on RDMA transports") +Signed-off-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/svc_rdma.h | 2 +- + include/linux/sunrpc/svc_xprt.h | 2 +- + net/sunrpc/svc_xprt.c | 23 +++++++++++++----- + net/sunrpc/svcsock.c | 30 +++++++++++++----------- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 11 ++++----- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 2 +- + 6 files changed, 41 insertions(+), 29 deletions(-) + +diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h +index 24aa159d29a7f..fbc4bd423b355 100644 +--- a/include/linux/sunrpc/svc_rdma.h ++++ b/include/linux/sunrpc/svc_rdma.h +@@ -176,7 +176,7 @@ extern struct svc_rdma_recv_ctxt * + extern void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma, + struct svc_rdma_recv_ctxt *ctxt); + extern void svc_rdma_flush_recv_queues(struct svcxprt_rdma *rdma); +-extern void svc_rdma_release_rqst(struct svc_rqst *rqstp); ++extern void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *ctxt); + extern int svc_rdma_recvfrom(struct svc_rqst *); + + /* svc_rdma_rw.c */ +diff --git a/include/linux/sunrpc/svc_xprt.h b/include/linux/sunrpc/svc_xprt.h +index d42a75b3be102..e882fe16a5008 100644 +--- a/include/linux/sunrpc/svc_xprt.h ++++ b/include/linux/sunrpc/svc_xprt.h +@@ -23,7 +23,7 @@ struct svc_xprt_ops { + int (*xpo_sendto)(struct svc_rqst *); + int (*xpo_result_payload)(struct svc_rqst *, unsigned int, + unsigned int); +- void (*xpo_release_rqst)(struct svc_rqst *); ++ void (*xpo_release_ctxt)(struct svc_xprt *xprt, void *ctxt); + void (*xpo_detach)(struct svc_xprt *); + void (*xpo_free)(struct svc_xprt *); + void (*xpo_secure_port)(struct svc_rqst *rqstp); +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index b4306cf1b458c..8117d0e08d5a2 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -534,13 +534,23 @@ void svc_reserve(struct svc_rqst *rqstp, int space) + } + EXPORT_SYMBOL_GPL(svc_reserve); + ++static void free_deferred(struct svc_xprt *xprt, struct svc_deferred_req *dr) ++{ ++ if (!dr) ++ return; ++ ++ xprt->xpt_ops->xpo_release_ctxt(xprt, dr->xprt_ctxt); ++ kfree(dr); ++} ++ + static void svc_xprt_release(struct svc_rqst *rqstp) + { + struct svc_xprt *xprt = rqstp->rq_xprt; + +- xprt->xpt_ops->xpo_release_rqst(rqstp); ++ xprt->xpt_ops->xpo_release_ctxt(xprt, rqstp->rq_xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + +- kfree(rqstp->rq_deferred); ++ free_deferred(xprt, rqstp->rq_deferred); + rqstp->rq_deferred = NULL; + + pagevec_release(&rqstp->rq_pvec); +@@ -1059,7 +1069,7 @@ static void svc_delete_xprt(struct svc_xprt *xprt) + spin_unlock_bh(&serv->sv_lock); + + while ((dr = svc_deferred_dequeue(xprt)) != NULL) +- kfree(dr); ++ free_deferred(xprt, dr); + + call_xpt_users(xprt); + svc_xprt_put(xprt); +@@ -1181,8 +1191,8 @@ static void svc_revisit(struct cache_deferred_req *dreq, int too_many) + if (too_many || test_bit(XPT_DEAD, &xprt->xpt_flags)) { + spin_unlock(&xprt->xpt_lock); + trace_svc_defer_drop(dr); ++ free_deferred(xprt, dr); + svc_xprt_put(xprt); +- kfree(dr); + return; + } + dr->xprt = NULL; +@@ -1227,14 +1237,13 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req) + dr->addrlen = rqstp->rq_addrlen; + dr->daddr = rqstp->rq_daddr; + dr->argslen = rqstp->rq_arg.len >> 2; +- dr->xprt_ctxt = rqstp->rq_xprt_ctxt; + + /* back up head to the start of the buffer and copy */ + skip = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len; + memcpy(dr->args, rqstp->rq_arg.head[0].iov_base - skip, + dr->argslen << 2); + } +- WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt); ++ dr->xprt_ctxt = rqstp->rq_xprt_ctxt; + rqstp->rq_xprt_ctxt = NULL; + trace_svc_defer(rqstp); + svc_xprt_get(rqstp->rq_xprt); +@@ -1268,6 +1277,8 @@ static noinline int svc_deferred_recv(struct svc_rqst *rqstp) + rqstp->rq_daddr = dr->daddr; + rqstp->rq_respages = rqstp->rq_pages; + rqstp->rq_xprt_ctxt = dr->xprt_ctxt; ++ ++ dr->xprt_ctxt = NULL; + svc_xprt_received(rqstp->rq_xprt); + return dr->argslen << 2; + } +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c +index 815baf308236a..7107fbcbff343 100644 +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -111,27 +111,27 @@ static void svc_reclassify_socket(struct socket *sock) + #endif + + /** +- * svc_tcp_release_rqst - Release transport-related resources +- * @rqstp: request structure with resources to be released ++ * svc_tcp_release_ctxt - Release transport-related resources ++ * @xprt: the transport which owned the context ++ * @ctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt + * + */ +-static void svc_tcp_release_rqst(struct svc_rqst *rqstp) ++static void svc_tcp_release_ctxt(struct svc_xprt *xprt, void *ctxt) + { + } + + /** +- * svc_udp_release_rqst - Release transport-related resources +- * @rqstp: request structure with resources to be released ++ * svc_udp_release_ctxt - Release transport-related resources ++ * @xprt: the transport which owned the context ++ * @ctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt + * + */ +-static void svc_udp_release_rqst(struct svc_rqst *rqstp) ++static void svc_udp_release_ctxt(struct svc_xprt *xprt, void *ctxt) + { +- struct sk_buff *skb = rqstp->rq_xprt_ctxt; ++ struct sk_buff *skb = ctxt; + +- if (skb) { +- rqstp->rq_xprt_ctxt = NULL; ++ if (skb) + consume_skb(skb); +- } + } + + union svc_pktinfo_u { +@@ -559,7 +559,8 @@ static int svc_udp_sendto(struct svc_rqst *rqstp) + unsigned int sent; + int err; + +- svc_udp_release_rqst(rqstp); ++ svc_udp_release_ctxt(xprt, rqstp->rq_xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + + svc_set_cmsg_data(rqstp, cmh); + +@@ -631,7 +632,7 @@ static const struct svc_xprt_ops svc_udp_ops = { + .xpo_recvfrom = svc_udp_recvfrom, + .xpo_sendto = svc_udp_sendto, + .xpo_result_payload = svc_sock_result_payload, +- .xpo_release_rqst = svc_udp_release_rqst, ++ .xpo_release_ctxt = svc_udp_release_ctxt, + .xpo_detach = svc_sock_detach, + .xpo_free = svc_sock_free, + .xpo_has_wspace = svc_udp_has_wspace, +@@ -1159,7 +1160,8 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp) + unsigned int sent; + int err; + +- svc_tcp_release_rqst(rqstp); ++ svc_tcp_release_ctxt(xprt, rqstp->rq_xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + + atomic_inc(&svsk->sk_sendqlen); + mutex_lock(&xprt->xpt_mutex); +@@ -1204,7 +1206,7 @@ static const struct svc_xprt_ops svc_tcp_ops = { + .xpo_recvfrom = svc_tcp_recvfrom, + .xpo_sendto = svc_tcp_sendto, + .xpo_result_payload = svc_sock_result_payload, +- .xpo_release_rqst = svc_tcp_release_rqst, ++ .xpo_release_ctxt = svc_tcp_release_ctxt, + .xpo_detach = svc_tcp_sock_detach, + .xpo_free = svc_sock_free, + .xpo_has_wspace = svc_tcp_has_wspace, +diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +index 5242ad121450b..53a7cb2f6c07d 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +@@ -239,21 +239,20 @@ void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma, + } + + /** +- * svc_rdma_release_rqst - Release transport-specific per-rqst resources +- * @rqstp: svc_rqst being released ++ * svc_rdma_release_ctxt - Release transport-specific per-rqst resources ++ * @xprt: the transport which owned the context ++ * @vctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt + * + * Ensure that the recv_ctxt is released whether or not a Reply + * was sent. For example, the client could close the connection, + * or svc_process could drop an RPC, before the Reply is sent. + */ +-void svc_rdma_release_rqst(struct svc_rqst *rqstp) ++void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *vctxt) + { +- struct svc_rdma_recv_ctxt *ctxt = rqstp->rq_xprt_ctxt; +- struct svc_xprt *xprt = rqstp->rq_xprt; ++ struct svc_rdma_recv_ctxt *ctxt = vctxt; + struct svcxprt_rdma *rdma = + container_of(xprt, struct svcxprt_rdma, sc_xprt); + +- rqstp->rq_xprt_ctxt = NULL; + if (ctxt) + svc_rdma_recv_ctxt_put(rdma, ctxt); + } +diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c +index 94b20fb471356..f776f0cb471f0 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c +@@ -81,7 +81,7 @@ static const struct svc_xprt_ops svc_rdma_ops = { + .xpo_recvfrom = svc_rdma_recvfrom, + .xpo_sendto = svc_rdma_sendto, + .xpo_result_payload = svc_rdma_result_payload, +- .xpo_release_rqst = svc_rdma_release_rqst, ++ .xpo_release_ctxt = svc_rdma_release_ctxt, + .xpo_detach = svc_rdma_detach, + .xpo_free = svc_rdma_free, + .xpo_has_wspace = svc_rdma_has_wspace, +-- +2.39.2 + diff --git a/queue-6.1/sunrpc-double-free-xprt_ctxt-while-still-in-use.patch b/queue-6.1/sunrpc-double-free-xprt_ctxt-while-still-in-use.patch new file mode 100644 index 00000000000..2f94569fdd6 --- /dev/null +++ b/queue-6.1/sunrpc-double-free-xprt_ctxt-while-still-in-use.patch @@ -0,0 +1,58 @@ +From 5ec7e3ff7e0314d0441331e0f11d27e3cd3acbab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 09:41:49 +1000 +Subject: SUNRPC: double free xprt_ctxt while still in use + +From: NeilBrown + +[ Upstream commit eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1 ] + +When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out +of the svc_rqst into the svc_deferred_req. +When the deferred request is revisited, the pointer is copied into +the new svc_rqst - and also remains in the svc_deferred_req. + +In the (rare?) case that the request is deferred a second time, the old +svc_deferred_req is reused - it still has all the correct content. +However in that case the rq_xprt_ctxt pointer is NOT cleared so that +when xpo_release_xprt is called, the ctxt is freed (UDP) or possible +added to a free list (RDMA). +When the deferred request is revisited for a second time, it will +reference this ctxt which may be invalid, and the free the object a +second time which is likely to oops. + +So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that +the value is now stored in the svc_deferred_req. + +Fixes: 773f91b2cf3f ("SUNRPC: Fix NFSD's request deferral on RDMA transports") +Signed-off-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc_xprt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index c2ce125380080..b4306cf1b458c 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -1228,13 +1228,14 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req) + dr->daddr = rqstp->rq_daddr; + dr->argslen = rqstp->rq_arg.len >> 2; + dr->xprt_ctxt = rqstp->rq_xprt_ctxt; +- rqstp->rq_xprt_ctxt = NULL; + + /* back up head to the start of the buffer and copy */ + skip = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len; + memcpy(dr->args, rqstp->rq_arg.head[0].iov_base - skip, + dr->argslen << 2); + } ++ WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + trace_svc_defer(rqstp); + svc_xprt_get(rqstp->rq_xprt); + dr->xprt = rqstp->rq_xprt; +-- +2.39.2 + diff --git a/queue-6.1/sunrpc-fix-trace_svc_register-call-site.patch b/queue-6.1/sunrpc-fix-trace_svc_register-call-site.patch new file mode 100644 index 00000000000..cd7dc826ea7 --- /dev/null +++ b/queue-6.1/sunrpc-fix-trace_svc_register-call-site.patch @@ -0,0 +1,35 @@ +From 2646d32f968bf74cbaa7b25b1b2a892569eeded3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:51:48 -0400 +Subject: SUNRPC: Fix trace_svc_register() call site + +From: Chuck Lever + +[ Upstream commit 07a27305938559fb35f7a46fb90a5e37728bdee6 ] + +The trace event recorded incorrect values for the registered family, +protocol, and port because the arguments are in the wrong order. + +Fixes: b4af59328c25 ("SUNRPC: Trace server-side rpcbind registration events") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c +index 9ee32e06f877e..9b0b21cccca9a 100644 +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -1007,7 +1007,7 @@ static int __svc_register(struct net *net, const char *progname, + #endif + } + +- trace_svc_register(progname, version, protocol, port, family, error); ++ trace_svc_register(progname, version, family, protocol, port, error); + return error; + } + +-- +2.39.2 + diff --git a/queue-6.1/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch b/queue-6.1/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch new file mode 100644 index 00000000000..77313f3c637 --- /dev/null +++ b/queue-6.1/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch @@ -0,0 +1,62 @@ +From 34a8100f0a89286badb5bb8e7ebd32ec63700638 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 11:47:49 +0000 +Subject: tcp: fix possible sk_priority leak in tcp_v4_send_reset() + +From: Eric Dumazet + +[ Upstream commit 1e306ec49a1f206fd2cc89a42fac6e6f592a8cc1 ] + +When tcp_v4_send_reset() is called with @sk == NULL, +we do not change ctl_sk->sk_priority, which could have been +set from a prior invocation. + +Change tcp_v4_send_reset() to set sk_priority and sk_mark +fields before calling ip_send_unicast_reply(). + +This means tcp_v4_send_reset() and tcp_v4_send_ack() +no longer have to clear ctl_sk->sk_mark after +their call to ip_send_unicast_reply(). + +Fixes: f6c0f5d209fa ("tcp: honor SO_PRIORITY in TIME_WAIT state") +Signed-off-by: Eric Dumazet +Cc: Antoine Tenart +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index ad0a5f185a694..b37c1bcb15097 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -829,6 +829,9 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + inet_twsk(sk)->tw_priority : sk->sk_priority; + transmit_time = tcp_transmit_time(sk); + xfrm_sk_clone_policy(ctl_sk, sk); ++ } else { ++ ctl_sk->sk_mark = 0; ++ ctl_sk->sk_priority = 0; + } + ip_send_unicast_reply(ctl_sk, + skb, &TCP_SKB_CB(skb)->header.h4.opt, +@@ -836,7 +839,6 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + &arg, arg.iov[0].iov_len, + transmit_time); + +- ctl_sk->sk_mark = 0; + xfrm_sk_free_policy(ctl_sk); + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); +@@ -935,7 +937,6 @@ static void tcp_v4_send_ack(const struct sock *sk, + &arg, arg.iov[0].iov_len, + transmit_time); + +- ctl_sk->sk_mark = 0; + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); + local_bh_enable(); +-- +2.39.2 + diff --git a/queue-6.1/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch b/queue-6.1/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch new file mode 100644 index 00000000000..2ab67494dbb --- /dev/null +++ b/queue-6.1/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch @@ -0,0 +1,105 @@ +From 6403db14e5ea15de4435c3dbf748b52baf84e376 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:52:27 -0400 +Subject: tipc: add tipc_bearer_min_mtu to calculate min mtu + +From: Xin Long + +[ Upstream commit 3ae6d66b605be604644d4bb5708a7ffd9cf1abe8 ] + +As different media may requires different min mtu, and even the +same media with different net family requires different min mtu, +add tipc_bearer_min_mtu() to calculate min mtu accordingly. + +This API will be used to check the new mtu when doing the link +mtu negotiation in the next patch. + +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Stable-dep-of: 56077b56cd3f ("tipc: do not update mtu if msg_max is too small in mtu negotiation") +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 13 +++++++++++++ + net/tipc/bearer.h | 3 +++ + net/tipc/udp_media.c | 5 +++-- + 3 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 35cac7733fd3a..0e9a29e1536b7 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -541,6 +541,19 @@ int tipc_bearer_mtu(struct net *net, u32 bearer_id) + return mtu; + } + ++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id) ++{ ++ int mtu = TIPC_MIN_BEARER_MTU; ++ struct tipc_bearer *b; ++ ++ rcu_read_lock(); ++ b = bearer_get(net, bearer_id); ++ if (b) ++ mtu += b->encap_hlen; ++ rcu_read_unlock(); ++ return mtu; ++} ++ + /* tipc_bearer_xmit_skb - sends buffer to destination over bearer + */ + void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id, +diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h +index 490ad6e5f7a3c..bd0cc5c287ef8 100644 +--- a/net/tipc/bearer.h ++++ b/net/tipc/bearer.h +@@ -146,6 +146,7 @@ struct tipc_media { + * @identity: array index of this bearer within TIPC bearer array + * @disc: ptr to link setup request + * @net_plane: network plane ('A' through 'H') currently associated with bearer ++ * @encap_hlen: encap headers length + * @up: bearer up flag (bit 0) + * @refcnt: tipc_bearer reference counter + * +@@ -170,6 +171,7 @@ struct tipc_bearer { + u32 identity; + struct tipc_discoverer *disc; + char net_plane; ++ u16 encap_hlen; + unsigned long up; + refcount_t refcnt; + }; +@@ -232,6 +234,7 @@ int tipc_bearer_setup(void); + void tipc_bearer_cleanup(void); + void tipc_bearer_stop(struct net *net); + int tipc_bearer_mtu(struct net *net, u32 bearer_id); ++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id); + bool tipc_bearer_bcast_support(struct net *net, u32 bearer_id); + void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id, + struct sk_buff *skb, +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index c2bb818704c8f..0a85244fd6188 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -738,8 +738,8 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b, + udp_conf.local_ip.s_addr = local.ipv4.s_addr; + udp_conf.use_udp_checksums = false; + ub->ifindex = dev->ifindex; +- if (tipc_mtu_bad(dev, sizeof(struct iphdr) + +- sizeof(struct udphdr))) { ++ b->encap_hlen = sizeof(struct iphdr) + sizeof(struct udphdr); ++ if (tipc_mtu_bad(dev, b->encap_hlen)) { + err = -EINVAL; + goto err; + } +@@ -760,6 +760,7 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b, + else + udp_conf.local_ip6 = local.ipv6; + ub->ifindex = dev->ifindex; ++ b->encap_hlen = sizeof(struct ipv6hdr) + sizeof(struct udphdr); + b->mtu = 1280; + #endif + } else { +-- +2.39.2 + diff --git a/queue-6.1/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch b/queue-6.1/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch new file mode 100644 index 00000000000..72b9121ff7c --- /dev/null +++ b/queue-6.1/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch @@ -0,0 +1,45 @@ +From 38faf4c273062ef6ce8902a0ab5227cfbe56228c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:52:29 -0400 +Subject: tipc: check the bearer min mtu properly when setting it by netlink + +From: Xin Long + +[ Upstream commit 35a089b5d793d2bfd2cc7cfa6104545184de2ce7 ] + +Checking the bearer min mtu with tipc_udp_mtu_bad() only works for +IPv4 UDP bearer, and IPv6 UDP bearer has a different value for the +min mtu. This patch checks with encap_hlen + TIPC_MIN_BEARER_MTU +for min mtu, which works for both IPv4 and IPv6 UDP bearer. + +Note that tipc_udp_mtu_bad() is still used to check media min mtu +in __tipc_nl_media_set(), as m->mtu currently is only used by the +IPv4 UDP bearer as its default mtu value. + +Fixes: 682cd3cf946b ("tipc: confgiure and apply UDP bearer MTU on running links") +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 0e9a29e1536b7..53881406e2006 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -1151,8 +1151,8 @@ int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info) + return -EINVAL; + } + #ifdef CONFIG_TIPC_MEDIA_UDP +- if (tipc_udp_mtu_bad(nla_get_u32 +- (props[TIPC_NLA_PROP_MTU]))) { ++ if (nla_get_u32(props[TIPC_NLA_PROP_MTU]) < ++ b->encap_hlen + TIPC_MIN_BEARER_MTU) { + NL_SET_ERR_MSG(info->extack, + "MTU value is out-of-range"); + return -EINVAL; +-- +2.39.2 + diff --git a/queue-6.1/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch b/queue-6.1/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch new file mode 100644 index 00000000000..88d2cbab10c --- /dev/null +++ b/queue-6.1/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch @@ -0,0 +1,92 @@ +From 397d3b5904f21e1a1c407036157d3df6254e57ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:52:28 -0400 +Subject: tipc: do not update mtu if msg_max is too small in mtu negotiation + +From: Xin Long + +[ Upstream commit 56077b56cd3fb78e1c8619e29581ba25a5c55e86 ] + +When doing link mtu negotiation, a malicious peer may send Activate msg +with a very small mtu, e.g. 4 in Shuang's testing, without checking for +the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then +n->links[bearer_id].mtu is set to 4294967228, which is a overflow of +'4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss(). + +With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning: + + tipc: Too large msg, purging xmit list 1 5 0 40 4! + tipc: Too large msg, purging xmit list 1 15 0 60 4! + +And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in +named_distribute(), and when purging it in tipc_link_xmit(), a crash +was even caused: + + general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI + CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19 + RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0 + Call Trace: + + skb_release_data+0xf9/0x1d0 + kfree_skb_reason+0x40/0x100 + tipc_link_xmit+0x57a/0x740 [tipc] + tipc_node_xmit+0x16c/0x5c0 [tipc] + tipc_named_node_up+0x27f/0x2c0 [tipc] + tipc_node_write_unlock+0x149/0x170 [tipc] + tipc_rcv+0x608/0x740 [tipc] + tipc_udp_recv+0xdc/0x1f0 [tipc] + udp_queue_rcv_one_skb+0x33e/0x620 + udp_unicast_rcv_skb.isra.72+0x75/0x90 + __udp4_lib_rcv+0x56d/0xc20 + ip_protocol_deliver_rcu+0x100/0x2d0 + +This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(), +and not updating mtu if it is too small. + +Fixes: ed193ece2649 ("tipc: simplify link mtu negotiation") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/link.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/tipc/link.c b/net/tipc/link.c +index b3ce24823f503..2eff1c7949cbc 100644 +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -2200,7 +2200,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + struct tipc_msg *hdr = buf_msg(skb); + struct tipc_gap_ack_blks *ga = NULL; + bool reply = msg_probe(hdr), retransmitted = false; +- u32 dlen = msg_data_sz(hdr), glen = 0; ++ u32 dlen = msg_data_sz(hdr), glen = 0, msg_max; + u16 peers_snd_nxt = msg_next_sent(hdr); + u16 peers_tol = msg_link_tolerance(hdr); + u16 peers_prio = msg_linkprio(hdr); +@@ -2239,6 +2239,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + switch (mtyp) { + case RESET_MSG: + case ACTIVATE_MSG: ++ msg_max = msg_max_pkt(hdr); ++ if (msg_max < tipc_bearer_min_mtu(l->net, l->bearer_id)) ++ break; + /* Complete own link name with peer's interface name */ + if_name = strrchr(l->name, ':') + 1; + if (sizeof(l->name) - (if_name - l->name) <= TIPC_MAX_IF_NAME) +@@ -2283,8 +2286,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + l->peer_session = msg_session(hdr); + l->in_session = true; + l->peer_bearer_id = msg_bearer_id(hdr); +- if (l->mtu > msg_max_pkt(hdr)) +- l->mtu = msg_max_pkt(hdr); ++ if (l->mtu > msg_max) ++ l->mtu = msg_max; + break; + + case STATE_MSG: +-- +2.39.2 + diff --git a/queue-6.1/tun-fix-memory-leak-for-detached-napi-queue.patch b/queue-6.1/tun-fix-memory-leak-for-detached-napi-queue.patch new file mode 100644 index 00000000000..a32a6d78799 --- /dev/null +++ b/queue-6.1/tun-fix-memory-leak-for-detached-napi-queue.patch @@ -0,0 +1,144 @@ +From 99b4676b4b1220e0aac5a9426df7b26d97398a7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 11:42:04 -0700 +Subject: tun: Fix memory leak for detached NAPI queue. + +From: Kuniyuki Iwashima + +[ Upstream commit 82b2bc279467c875ec36f8ef820f00997c2a4e8e ] + +syzkaller reported [0] memory leaks of sk and skb related to the TUN +device with no repro, but we can reproduce it easily with: + + struct ifreq ifr = {} + int fd_tun, fd_tmp; + char buf[4] = {}; + + fd_tun = openat(AT_FDCWD, "/dev/net/tun", O_WRONLY, 0); + ifr.ifr_flags = IFF_TUN | IFF_NAPI | IFF_MULTI_QUEUE; + ioctl(fd_tun, TUNSETIFF, &ifr); + + ifr.ifr_flags = IFF_DETACH_QUEUE; + ioctl(fd_tun, TUNSETQUEUE, &ifr); + + fd_tmp = socket(AF_PACKET, SOCK_PACKET, 0); + ifr.ifr_flags = IFF_UP; + ioctl(fd_tmp, SIOCSIFFLAGS, &ifr); + + write(fd_tun, buf, sizeof(buf)); + close(fd_tun); + +If we enable NAPI and multi-queue on a TUN device, we can put skb into +tfile->sk.sk_write_queue after the queue is detached. We should prevent +it by checking tfile->detached before queuing skb. + +Note this must be done under tfile->sk.sk_write_queue.lock because write() +and ioctl(IFF_DETACH_QUEUE) can run concurrently. Otherwise, there would +be a small race window: + + write() ioctl(IFF_DETACH_QUEUE) + `- tun_get_user `- __tun_detach + |- if (tfile->detached) |- tun_disable_queue + | `-> false | `- tfile->detached = tun + | `- tun_queue_purge + |- spin_lock_bh(&queue->lock) + `- __skb_queue_tail(queue, skb) + +Another solution is to call tun_queue_purge() when closing and +reattaching the detached queue, but it could paper over another +problems. Also, we do the same kind of test for IFF_NAPI_FRAGS. + +[0]: +unreferenced object 0xffff88801edbc800 (size 2048): + comm "syz-executor.1", pid 33269, jiffies 4295743834 (age 18.756s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ + backtrace: + [<000000008c16ea3d>] __do_kmalloc_node mm/slab_common.c:965 [inline] + [<000000008c16ea3d>] __kmalloc+0x4a/0x130 mm/slab_common.c:979 + [<000000003addde56>] kmalloc include/linux/slab.h:563 [inline] + [<000000003addde56>] sk_prot_alloc+0xef/0x1b0 net/core/sock.c:2035 + [<000000003e20621f>] sk_alloc+0x36/0x2f0 net/core/sock.c:2088 + [<0000000028e43843>] tun_chr_open+0x3d/0x190 drivers/net/tun.c:3438 + [<000000001b0f1f28>] misc_open+0x1a6/0x1f0 drivers/char/misc.c:165 + [<000000004376f706>] chrdev_open+0x111/0x300 fs/char_dev.c:414 + [<00000000614d379f>] do_dentry_open+0x2f9/0x750 fs/open.c:920 + [<000000008eb24774>] do_open fs/namei.c:3636 [inline] + [<000000008eb24774>] path_openat+0x143f/0x1a30 fs/namei.c:3791 + [<00000000955077b5>] do_filp_open+0xce/0x1c0 fs/namei.c:3818 + [<00000000b78973b0>] do_sys_openat2+0xf0/0x260 fs/open.c:1356 + [<00000000057be699>] do_sys_open fs/open.c:1372 [inline] + [<00000000057be699>] __do_sys_openat fs/open.c:1388 [inline] + [<00000000057be699>] __se_sys_openat fs/open.c:1383 [inline] + [<00000000057be699>] __x64_sys_openat+0x83/0xf0 fs/open.c:1383 + [<00000000a7d2182d>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [<00000000a7d2182d>] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80 + [<000000004cc4e8c4>] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +unreferenced object 0xffff88802f671700 (size 240): + comm "syz-executor.1", pid 33269, jiffies 4295743854 (age 18.736s) + hex dump (first 32 bytes): + 68 c9 db 1e 80 88 ff ff 68 c9 db 1e 80 88 ff ff h.......h....... + 00 c0 7b 2f 80 88 ff ff 00 c8 db 1e 80 88 ff ff ..{/............ + backtrace: + [<00000000e9d9fdb6>] __alloc_skb+0x223/0x250 net/core/skbuff.c:644 + [<000000002c3e4e0b>] alloc_skb include/linux/skbuff.h:1288 [inline] + [<000000002c3e4e0b>] alloc_skb_with_frags+0x6f/0x350 net/core/skbuff.c:6378 + [<00000000825f98d7>] sock_alloc_send_pskb+0x3ac/0x3e0 net/core/sock.c:2729 + [<00000000e9eb3df3>] tun_alloc_skb drivers/net/tun.c:1529 [inline] + [<00000000e9eb3df3>] tun_get_user+0x5e1/0x1f90 drivers/net/tun.c:1841 + [<0000000053096912>] tun_chr_write_iter+0xac/0x120 drivers/net/tun.c:2035 + [<00000000b9282ae0>] call_write_iter include/linux/fs.h:1868 [inline] + [<00000000b9282ae0>] new_sync_write fs/read_write.c:491 [inline] + [<00000000b9282ae0>] vfs_write+0x40f/0x530 fs/read_write.c:584 + [<00000000524566e4>] ksys_write+0xa1/0x170 fs/read_write.c:637 + [<00000000a7d2182d>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [<00000000a7d2182d>] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80 + [<000000004cc4e8c4>] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Fixes: cde8b15f1aab ("tuntap: add ioctl to attach or detach a file form tuntap device") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 65706824eb828..7c8db8f6f661e 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1971,6 +1971,14 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + int queue_len; + + spin_lock_bh(&queue->lock); ++ ++ if (unlikely(tfile->detached)) { ++ spin_unlock_bh(&queue->lock); ++ rcu_read_unlock(); ++ err = -EBUSY; ++ goto free_skb; ++ } ++ + __skb_queue_tail(queue, skb); + queue_len = skb_queue_len(queue); + spin_unlock(&queue->lock); +@@ -2506,6 +2514,13 @@ static int tun_xdp_one(struct tun_struct *tun, + if (tfile->napi_enabled) { + queue = &tfile->sk.sk_write_queue; + spin_lock(&queue->lock); ++ ++ if (unlikely(tfile->detached)) { ++ spin_unlock(&queue->lock); ++ kfree_skb(skb); ++ return -EBUSY; ++ } ++ + __skb_queue_tail(queue, skb); + spin_unlock(&queue->lock); + ret = 1; +-- +2.39.2 + diff --git a/queue-6.1/virtio-net-maintain-reverse-cleanup-order.patch b/queue-6.1/virtio-net-maintain-reverse-cleanup-order.patch new file mode 100644 index 00000000000..b63678d0f7c --- /dev/null +++ b/queue-6.1/virtio-net-maintain-reverse-cleanup-order.patch @@ -0,0 +1,40 @@ +From fca81ada14156a939ee86296bfe12a728c147e9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Feb 2023 15:37:38 +0200 +Subject: virtio-net: Maintain reverse cleanup order + +From: Parav Pandit + +[ Upstream commit 27369c9c2b722617063d6b80c758ab153f1d95d4 ] + +To easily audit the code, better to keep the device stop() +sequence to be mirror of the device open() sequence. + +Acked-by: Michael S. Tsirkin +Reviewed-by: Jiri Pirko +Signed-off-by: Parav Pandit +Signed-off-by: David S. Miller +Stable-dep-of: 5306623a9826 ("virtio_net: Fix error unwinding of XDP initialization") +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 9a612b13b4e46..08a23ba3d68a2 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -2158,9 +2158,9 @@ static int virtnet_close(struct net_device *dev) + cancel_delayed_work_sync(&vi->refill); + + for (i = 0; i < vi->max_queue_pairs; i++) { ++ virtnet_napi_tx_disable(&vi->sq[i].napi); + napi_disable(&vi->rq[i].napi); + xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); +- virtnet_napi_tx_disable(&vi->sq[i].napi); + } + + return 0; +-- +2.39.2 + diff --git a/queue-6.1/virtio_net-fix-error-unwinding-of-xdp-initialization.patch b/queue-6.1/virtio_net-fix-error-unwinding-of-xdp-initialization.patch new file mode 100644 index 00000000000..8c7f944ed6c --- /dev/null +++ b/queue-6.1/virtio_net-fix-error-unwinding-of-xdp-initialization.patch @@ -0,0 +1,126 @@ +From b9f8f1c7ec488ae95452c85edbc1a6caa88e8670 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 11:18:12 -0400 +Subject: virtio_net: Fix error unwinding of XDP initialization + +From: Feng Liu + +[ Upstream commit 5306623a9826aa7d63b32c6a3803c798a765474d ] + +When initializing XDP in virtnet_open(), some rq xdp initialization +may hit an error causing net device open failed. However, previous +rqs have already initialized XDP and enabled NAPI, which is not the +expected behavior. Need to roll back the previous rq initialization +to avoid leaks in error unwinding of init code. + +Also extract helper functions of disable and enable queue pairs. +Use newly introduced disable helper function in error unwinding and +virtnet_close. Use enable helper function in virtnet_open. + +Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info") +Signed-off-by: Feng Liu +Reviewed-by: Jiri Pirko +Reviewed-by: William Tu +Acked-by: Michael S. Tsirkin +Acked-by: Jason Wang +Reviewed-by: Xuan Zhuo +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 61 +++++++++++++++++++++++++++++----------- + 1 file changed, 44 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 08a23ba3d68a2..47788f0935514 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1697,6 +1697,38 @@ static int virtnet_poll(struct napi_struct *napi, int budget) + return received; + } + ++static void virtnet_disable_queue_pair(struct virtnet_info *vi, int qp_index) ++{ ++ virtnet_napi_tx_disable(&vi->sq[qp_index].napi); ++ napi_disable(&vi->rq[qp_index].napi); ++ xdp_rxq_info_unreg(&vi->rq[qp_index].xdp_rxq); ++} ++ ++static int virtnet_enable_queue_pair(struct virtnet_info *vi, int qp_index) ++{ ++ struct net_device *dev = vi->dev; ++ int err; ++ ++ err = xdp_rxq_info_reg(&vi->rq[qp_index].xdp_rxq, dev, qp_index, ++ vi->rq[qp_index].napi.napi_id); ++ if (err < 0) ++ return err; ++ ++ err = xdp_rxq_info_reg_mem_model(&vi->rq[qp_index].xdp_rxq, ++ MEM_TYPE_PAGE_SHARED, NULL); ++ if (err < 0) ++ goto err_xdp_reg_mem_model; ++ ++ virtnet_napi_enable(vi->rq[qp_index].vq, &vi->rq[qp_index].napi); ++ virtnet_napi_tx_enable(vi, vi->sq[qp_index].vq, &vi->sq[qp_index].napi); ++ ++ return 0; ++ ++err_xdp_reg_mem_model: ++ xdp_rxq_info_unreg(&vi->rq[qp_index].xdp_rxq); ++ return err; ++} ++ + static int virtnet_open(struct net_device *dev) + { + struct virtnet_info *vi = netdev_priv(dev); +@@ -1710,22 +1742,20 @@ static int virtnet_open(struct net_device *dev) + if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL)) + schedule_delayed_work(&vi->refill, 0); + +- err = xdp_rxq_info_reg(&vi->rq[i].xdp_rxq, dev, i, vi->rq[i].napi.napi_id); ++ err = virtnet_enable_queue_pair(vi, i); + if (err < 0) +- return err; +- +- err = xdp_rxq_info_reg_mem_model(&vi->rq[i].xdp_rxq, +- MEM_TYPE_PAGE_SHARED, NULL); +- if (err < 0) { +- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); +- return err; +- } +- +- virtnet_napi_enable(vi->rq[i].vq, &vi->rq[i].napi); +- virtnet_napi_tx_enable(vi, vi->sq[i].vq, &vi->sq[i].napi); ++ goto err_enable_qp; + } + + return 0; ++ ++err_enable_qp: ++ disable_delayed_refill(vi); ++ cancel_delayed_work_sync(&vi->refill); ++ ++ for (i--; i >= 0; i--) ++ virtnet_disable_queue_pair(vi, i); ++ return err; + } + + static int virtnet_poll_tx(struct napi_struct *napi, int budget) +@@ -2157,11 +2187,8 @@ static int virtnet_close(struct net_device *dev) + /* Make sure refill_work doesn't re-enable napi! */ + cancel_delayed_work_sync(&vi->refill); + +- for (i = 0; i < vi->max_queue_pairs; i++) { +- virtnet_napi_tx_disable(&vi->sq[i].napi); +- napi_disable(&vi->rq[i].napi); +- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); +- } ++ for (i = 0; i < vi->max_queue_pairs; i++) ++ virtnet_disable_queue_pair(vi, i); + + return 0; + } +-- +2.39.2 + diff --git a/queue-6.1/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch b/queue-6.1/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch new file mode 100644 index 00000000000..ac7e3efc3e2 --- /dev/null +++ b/queue-6.1/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch @@ -0,0 +1,93 @@ +From aa2554f43397c7d4e797bf845082609e43909ffd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 14:23:42 +0000 +Subject: vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() + +From: Eric Dumazet + +[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ] + +syzbot triggered the following splat [1], sending an empty message +through pppoe_sendmsg(). + +When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header() +does not push extra bytes for the VLAN header, because vlan is offloaded. + +Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto +before testing (vlan->flags & VLAN_FLAG_REORDER_HDR). + +We need to swap the two conditions. + +[1] +BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111 +vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111 +__netdev_start_xmit include/linux/netdevice.h:4883 [inline] +netdev_start_xmit include/linux/netdevice.h:4897 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596 +__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3053 [inline] +pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 +___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 +__sys_sendmmsg+0x411/0xa50 net/socket.c:2641 +__do_sys_sendmmsg net/socket.c:2670 [inline] +__se_sys_sendmmsg net/socket.c:2667 [inline] +__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: +slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774 +slab_alloc_node mm/slub.c:3452 [inline] +kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497 +kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520 +__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606 +alloc_skb include/linux/skbuff.h:1277 [inline] +sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583 +pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 +___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 +__sys_sendmmsg+0x411/0xa50 net/socket.c:2641 +__do_sys_sendmmsg net/socket.c:2670 [inline] +__se_sys_sendmmsg net/socket.c:2667 [inline] +__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/8021q/vlan_dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index 07e86d03d4bae..d3e511e1eba8a 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -108,8 +108,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb, + * NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING + * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs... + */ +- if (veth->h_vlan_proto != vlan->vlan_proto || +- vlan->flags & VLAN_FLAG_REORDER_HDR) { ++ if (vlan->flags & VLAN_FLAG_REORDER_HDR || ++ veth->h_vlan_proto != vlan->vlan_proto) { + u16 vlan_tci; + vlan_tci = vlan->vlan_id; + vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority); +-- +2.39.2 + diff --git a/queue-6.1/vsock-avoid-to-close-connected-socket-after-the-time.patch b/queue-6.1/vsock-avoid-to-close-connected-socket-after-the-time.patch new file mode 100644 index 00000000000..05f465846ab --- /dev/null +++ b/queue-6.1/vsock-avoid-to-close-connected-socket-after-the-time.patch @@ -0,0 +1,54 @@ +From 3ef6bbe9016c6c2a91360934ee711c0ab842e03c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 19:34:30 +0800 +Subject: vsock: avoid to close connected socket after the timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhuang Shengen + +[ Upstream commit 6d4486efe9c69626cab423456169e250a5cd3af5 ] + +When client and server establish a connection through vsock, +the client send a request to the server to initiate the connection, +then start a timer to wait for the server's response. When the server's +RESPONSE message arrives, the timer also times out and exits. The +server's RESPONSE message is processed first, and the connection is +established. However, the client's timer also times out, the original +processing logic of the client is to directly set the state of this vsock +to CLOSE and return ETIMEDOUT. It will not notify the server when the port +is released, causing the server port remain. +when client's vsock_connect timeout,it should check sk state is +ESTABLISHED or not. if sk state is ESTABLISHED, it means the connection +is established, the client should not set the sk state to CLOSE + +Note: I encountered this issue on kernel-4.18, which can be fixed by +this patch. Then I checked the latest code in the community +and found similar issue. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Zhuang Shengen +Reviewed-by: Stefano Garzarella +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 884eca7f6743a..8360c790a8a01 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1427,7 +1427,7 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + vsock_transport_cancel_pkt(vsk); + vsock_remove_connected(vsk); + goto out_wait; +- } else if (timeout == 0) { ++ } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { + err = -ETIMEDOUT; + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; +-- +2.39.2 + diff --git a/queue-6.1/wifi-cfg80211-drop-entries-with-invalid-bssids-in-rn.patch b/queue-6.1/wifi-cfg80211-drop-entries-with-invalid-bssids-in-rn.patch new file mode 100644 index 00000000000..1e2437d7d74 --- /dev/null +++ b/queue-6.1/wifi-cfg80211-drop-entries-with-invalid-bssids-in-rn.patch @@ -0,0 +1,49 @@ +From b0a9bef2401fed790a6cb0bfedf7cd1291cf1089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 10:32:24 +0300 +Subject: wifi: cfg80211: Drop entries with invalid BSSIDs in RNR + +From: Ilan Peer + +[ Upstream commit 1b6b4ed01493b7ea2205ab83c49198f7d13ca9d2 ] + +Ignore AP information for entries that include an invalid +BSSID in the TBTT information field, e.g., all zeros BSSIDs. + +Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning") +Signed-off-by: Ilan Peer +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230424103224.5e65d04d1448.Ic10c8577ae4a85272c407106c9d0a2ecb5372743@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 3d86482e83f51..6c2b73c0d36e8 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -5,7 +5,7 @@ + * Copyright 2008 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright 2016 Intel Deutschland GmbH +- * Copyright (C) 2018-2022 Intel Corporation ++ * Copyright (C) 2018-2023 Intel Corporation + */ + #include + #include +@@ -543,6 +543,10 @@ static int cfg80211_parse_ap_info(struct cfg80211_colocated_ap *entry, + /* skip the TBTT offset */ + pos++; + ++ /* ignore entries with invalid BSSID */ ++ if (!is_valid_ether_addr(pos)) ++ return -EINVAL; ++ + memcpy(entry->bssid, pos, ETH_ALEN); + pos += ETH_ALEN; + +-- +2.39.2 + diff --git a/queue-6.1/wifi-iwlwifi-fix-oem-s-name-in-the-ppag-approved-lis.patch b/queue-6.1/wifi-iwlwifi-fix-oem-s-name-in-the-ppag-approved-lis.patch new file mode 100644 index 00000000000..d9ead7c3c6c --- /dev/null +++ b/queue-6.1/wifi-iwlwifi-fix-oem-s-name-in-the-ppag-approved-lis.patch @@ -0,0 +1,37 @@ +From 3f9b1862fb2a86a762ca86684203344684849463 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 12:15:51 +0300 +Subject: wifi: iwlwifi: fix OEM's name in the ppag approved list + +From: Alon Giladi + +[ Upstream commit eca7296d9a671e9961834d2ace9cc0ce21fc15b3 ] + +Fix a spelling mistake. + +Fixes: e8e10a37c51c ("iwlwifi: acpi: move ppag code from mvm to fw/acpi") +Signed-off-by: Alon Giladi +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.fdd07f36a8bf.I223e5fb16ab5c95d504c3fdaffd0bd70affad1c2@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c +index a02e5a67b7066..585e8cd2d332d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c +@@ -38,7 +38,7 @@ static const struct dmi_system_id dmi_ppag_approved_list[] = { + }, + { .ident = "ASUS", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTek COMPUTER INC."), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + }, + }, + {} +-- +2.39.2 + diff --git a/queue-6.1/wifi-iwlwifi-fw-fix-dbgi-dump.patch b/queue-6.1/wifi-iwlwifi-fw-fix-dbgi-dump.patch new file mode 100644 index 00000000000..6e72ec99a83 --- /dev/null +++ b/queue-6.1/wifi-iwlwifi-fw-fix-dbgi-dump.patch @@ -0,0 +1,90 @@ +From 270f4a3b3fd3496814d86ce8f24dd7c5f45076e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 12:15:48 +0300 +Subject: wifi: iwlwifi: fw: fix DBGI dump + +From: Johannes Berg + +[ Upstream commit d3ae69180bbd74bcbc03a2b6d10ed7eccbe98c23 ] + +The DBGI dump is (unsurprisingly) of type DBGI, not SRAM. +This leads to bad register accesses because the union is +built differently, there's no allocation ID, and thus the +allocation ID ends up being 0x8000. + +Note that this was already wrong for DRAM vs. SMEM since +they use different parts of the union, but the allocation +ID is at the same place, so it worked. + +Fix all of this but set the allocation ID in a way that +the offset calculation ends up without any offset. + +Fixes: 34bc27783a31 ("iwlwifi: yoyo: fix DBGI_SRAM ini dump header.") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.19a302ae4c65.I12272599f7c1930666157b9d5e7f81fe9ec4c421@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +index 027360e63b926..3ef0b776b7727 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -1664,14 +1664,10 @@ static __le32 iwl_get_mon_reg(struct iwl_fw_runtime *fwrt, u32 alloc_id, + } + + static void * +-iwl_dump_ini_mon_fill_header(struct iwl_fw_runtime *fwrt, +- struct iwl_dump_ini_region_data *reg_data, ++iwl_dump_ini_mon_fill_header(struct iwl_fw_runtime *fwrt, u32 alloc_id, + struct iwl_fw_ini_monitor_dump *data, + const struct iwl_fw_mon_regs *addrs) + { +- struct iwl_fw_ini_region_tlv *reg = (void *)reg_data->reg_tlv->data; +- u32 alloc_id = le32_to_cpu(reg->dram_alloc_id); +- + if (!iwl_trans_grab_nic_access(fwrt->trans)) { + IWL_ERR(fwrt, "Failed to get monitor header\n"); + return NULL; +@@ -1702,8 +1698,10 @@ iwl_dump_ini_mon_dram_fill_header(struct iwl_fw_runtime *fwrt, + void *data, u32 data_len) + { + struct iwl_fw_ini_monitor_dump *mon_dump = (void *)data; ++ struct iwl_fw_ini_region_tlv *reg = (void *)reg_data->reg_tlv->data; ++ u32 alloc_id = le32_to_cpu(reg->dram_alloc_id); + +- return iwl_dump_ini_mon_fill_header(fwrt, reg_data, mon_dump, ++ return iwl_dump_ini_mon_fill_header(fwrt, alloc_id, mon_dump, + &fwrt->trans->cfg->mon_dram_regs); + } + +@@ -1713,8 +1711,10 @@ iwl_dump_ini_mon_smem_fill_header(struct iwl_fw_runtime *fwrt, + void *data, u32 data_len) + { + struct iwl_fw_ini_monitor_dump *mon_dump = (void *)data; ++ struct iwl_fw_ini_region_tlv *reg = (void *)reg_data->reg_tlv->data; ++ u32 alloc_id = le32_to_cpu(reg->internal_buffer.alloc_id); + +- return iwl_dump_ini_mon_fill_header(fwrt, reg_data, mon_dump, ++ return iwl_dump_ini_mon_fill_header(fwrt, alloc_id, mon_dump, + &fwrt->trans->cfg->mon_smem_regs); + } + +@@ -1725,7 +1725,10 @@ iwl_dump_ini_mon_dbgi_fill_header(struct iwl_fw_runtime *fwrt, + { + struct iwl_fw_ini_monitor_dump *mon_dump = (void *)data; + +- return iwl_dump_ini_mon_fill_header(fwrt, reg_data, mon_dump, ++ return iwl_dump_ini_mon_fill_header(fwrt, ++ /* no offset calculation later */ ++ IWL_FW_INI_ALLOCATION_ID_DBGC1, ++ mon_dump, + &fwrt->trans->cfg->mon_dbgi_regs); + } + +-- +2.39.2 + diff --git a/queue-6.1/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch b/queue-6.1/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch new file mode 100644 index 00000000000..9319ef9a2a5 --- /dev/null +++ b/queue-6.1/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch @@ -0,0 +1,60 @@ +From ec84705413211a1fa6a9269c614e3824c02eddb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 12:15:53 +0300 +Subject: wifi: iwlwifi: mvm: don't trust firmware n_channels + +From: Johannes Berg + +[ Upstream commit 682b6dc29d98e857e6ca4bbc077c7dc2899b7473 ] + +If the firmware sends us a corrupted MCC response with +n_channels much larger than the command response can be, +we might copy far too much (uninitialized) memory and +even crash if the n_channels is large enough to make it +run out of the one page allocated for the FW response. + +Fix that by checking the lengths. Doing a < comparison +would be sufficient, but the firmware should be doing +it correctly, so check more strictly. + +Fixes: dcaf9f5ecb6f ("iwlwifi: mvm: add MCC update FW API") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.d7b233139eb4.I51fd319df8e9d41881fc8450e83d78049518a79a@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +index 6d18a1fd649b9..fdf60afb0f3f2 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +@@ -445,6 +445,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2, + struct iwl_mcc_update_resp *mcc_resp = (void *)pkt->data; + + n_channels = __le32_to_cpu(mcc_resp->n_channels); ++ if (iwl_rx_packet_payload_len(pkt) != ++ struct_size(mcc_resp, channels, n_channels)) { ++ resp_cp = ERR_PTR(-EINVAL); ++ goto exit; ++ } + resp_len = sizeof(struct iwl_mcc_update_resp) + + n_channels * sizeof(__le32); + resp_cp = kmemdup(mcc_resp, resp_len, GFP_KERNEL); +@@ -456,6 +461,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2, + struct iwl_mcc_update_resp_v3 *mcc_resp_v3 = (void *)pkt->data; + + n_channels = __le32_to_cpu(mcc_resp_v3->n_channels); ++ if (iwl_rx_packet_payload_len(pkt) != ++ struct_size(mcc_resp_v3, channels, n_channels)) { ++ resp_cp = ERR_PTR(-EINVAL); ++ goto exit; ++ } + resp_len = sizeof(struct iwl_mcc_update_resp) + + n_channels * sizeof(__le32); + resp_cp = kzalloc(resp_len, GFP_KERNEL); +-- +2.39.2 + diff --git a/queue-6.1/wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch b/queue-6.1/wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch new file mode 100644 index 00000000000..446997cda06 --- /dev/null +++ b/queue-6.1/wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch @@ -0,0 +1,44 @@ +From 8485e024529552121d2a4b0bc55e95272a7eef62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 12:15:46 +0300 +Subject: wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock + +From: Johannes Berg + +[ Upstream commit c2d8b7f257b2398f2d866205365895e038beca12 ] + +Lockdep points out that we can deadlock here by calling +cancel_delayed_work_sync() because that might be already +running and gotten interrupted by the NAPI soft-IRQ. +Even just calling something that can sleep is wrong in +this context though. + +Luckily, it doesn't even really matter since the things +we need to do are idempotent, so just drop the _sync(). + +Fixes: e5d153ec54f0 ("iwlwifi: mvm: fix CSA AP side") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.b1813c823b4d.I9d20cc06d24fa40b6774d3dd95ea5e2bf8dd015b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +index 091225894037c..02c2a06301076 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -1975,7 +1975,7 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi, + RCU_INIT_POINTER(mvm->csa_tx_blocked_vif, NULL); + /* Unblock BCAST / MCAST station */ + iwl_mvm_modify_all_sta_disable_tx(mvm, mvmvif, false); +- cancel_delayed_work_sync(&mvm->cs_tx_unblock_dwork); ++ cancel_delayed_work(&mvm->cs_tx_unblock_dwork); + } + } + +-- +2.39.2 + diff --git a/queue-6.1/wifi-iwlwifi-mvm-fix-oem-s-name-in-the-tas-approved-.patch b/queue-6.1/wifi-iwlwifi-mvm-fix-oem-s-name-in-the-tas-approved-.patch new file mode 100644 index 00000000000..2c8740ea120 --- /dev/null +++ b/queue-6.1/wifi-iwlwifi-mvm-fix-oem-s-name-in-the-tas-approved-.patch @@ -0,0 +1,37 @@ +From a05cf5998135324af872d72908acc990d1f172ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 12:15:52 +0300 +Subject: wifi: iwlwifi: mvm: fix OEM's name in the tas approved list + +From: Alon Giladi + +[ Upstream commit d0246a0e49efee0f8649d0e4f2350614cdfe6565 ] + +Fix a spelling mistake. + +Fixes: 2856f623ce48 ("iwlwifi: mvm: Add list of OEMs allowed to use TAS") +Signed-off-by: Alon Giladi +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.4090de6d1878.If9391ef6da78f1b2cc5eb6cb8f6965816bb7a7f5@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +index 5de34edc51fe9..887d0789c96c3 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -1055,7 +1055,7 @@ static const struct dmi_system_id dmi_tas_approved_list[] = { + }, + { .ident = "LENOVO", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Lenovo"), ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + }, + }, + { .ident = "DELL", +-- +2.39.2 + diff --git a/queue-6.1/wifi-mac80211-abort-running-color-change-when-stoppi.patch b/queue-6.1/wifi-mac80211-abort-running-color-change-when-stoppi.patch new file mode 100644 index 00000000000..749b1f185b5 --- /dev/null +++ b/queue-6.1/wifi-mac80211-abort-running-color-change-when-stoppi.patch @@ -0,0 +1,41 @@ +From 0a34a8f148df9c43bd080e7b06ea623ac2d73ad0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:04:41 +0800 +Subject: wifi: mac80211: Abort running color change when stopping the AP + +From: Michael Lee + +[ Upstream commit a23d7f5b2fbda114de60c4b53311e052281d7533 ] + +When stopping the AP, there might be a color change in progress. It +should be deactivated here, or the driver might later finalize a color +change on a stopped AP. + +Fixes: 5f9404abdf2a (mac80211: add support for BSS color change) +Signed-off-by: Michael Lee +Link: https://lore.kernel.org/r/20230504080441.22958-1-michael-cy.lee@mediatek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index e8beec0a0ae1c..06b9df2fbcd77 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1477,9 +1477,10 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev, + sdata_dereference(link->u.ap.unsol_bcast_probe_resp, + sdata); + +- /* abort any running channel switch */ ++ /* abort any running channel switch or color change */ + mutex_lock(&local->mtx); + link_conf->csa_active = false; ++ link_conf->color_change_active = false; + if (link->csa_block_tx) { + ieee80211_wake_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +-- +2.39.2 + diff --git a/queue-6.1/wifi-mac80211-fix-min-center-freq-offset-tracing.patch b/queue-6.1/wifi-mac80211-fix-min-center-freq-offset-tracing.patch new file mode 100644 index 00000000000..bdbf1667645 --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-min-center-freq-offset-tracing.patch @@ -0,0 +1,39 @@ +From 4b654a6522073dbfa84dd45597aba55c174e0f46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:45:01 +0300 +Subject: wifi: mac80211: fix min center freq offset tracing + +From: Johannes Berg + +[ Upstream commit 248e4776514bf70236e6b1a54c65aa5324c8b1eb ] + +We need to set the correct trace variable, otherwise we're +overwriting something else instead and the right one that +we print later is not initialized. + +Fixes: b6011960f392 ("mac80211: handle channel frequency offset") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230504134511.828474-2-gregory.greenman@intel.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h +index 9f4377566c425..c85367a4757a9 100644 +--- a/net/mac80211/trace.h ++++ b/net/mac80211/trace.h +@@ -67,7 +67,7 @@ + __entry->min_freq_offset = (c)->chan ? (c)->chan->freq_offset : 0; \ + __entry->min_chan_width = (c)->width; \ + __entry->min_center_freq1 = (c)->center_freq1; \ +- __entry->freq1_offset = (c)->freq1_offset; \ ++ __entry->min_freq1_offset = (c)->freq1_offset; \ + __entry->min_center_freq2 = (c)->center_freq2; + #define MIN_CHANDEF_PR_FMT " min_control:%d.%03d MHz min_width:%d min_center: %d.%03d/%d MHz" + #define MIN_CHANDEF_PR_ARG __entry->min_control_freq, __entry->min_freq_offset, \ +-- +2.39.2 + diff --git a/queue-6.1/wifi-mac80211-fortify-the-spinlock-against-deadlock-.patch b/queue-6.1/wifi-mac80211-fortify-the-spinlock-against-deadlock-.patch new file mode 100644 index 00000000000..d59882bc8d9 --- /dev/null +++ b/queue-6.1/wifi-mac80211-fortify-the-spinlock-against-deadlock-.patch @@ -0,0 +1,221 @@ +From 75d3cb21c9bc10054247c3006c15da03f1e4e47c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 18:40:08 +0200 +Subject: wifi: mac80211: fortify the spinlock against deadlock by interrupt + +From: Mirsad Goran Todorovac + +[ Upstream commit ef6e1997da63ad0ac3fe33153fec9524c9ae56c9 ] + +In the function ieee80211_tx_dequeue() there is a particular locking +sequence: + +begin: + spin_lock(&local->queue_stop_reason_lock); + q_stopped = local->queue_stop_reasons[q]; + spin_unlock(&local->queue_stop_reason_lock); + +However small the chance (increased by ftracetest), an asynchronous +interrupt can occur in between of spin_lock() and spin_unlock(), +and the interrupt routine will attempt to lock the same +&local->queue_stop_reason_lock again. + +This will cause a costly reset of the CPU and the wifi device or an +altogether hang in the single CPU and single core scenario. + +The only remaining spin_lock(&local->queue_stop_reason_lock) that +did not disable interrupts was patched, which should prevent any +deadlocks on the same CPU/core and the same wifi device. + +This is the probable trace of the deadlock: + +kernel: ================================ +kernel: WARNING: inconsistent lock state +kernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G W +kernel: -------------------------------- +kernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. +kernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes: +kernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40 +kernel: {IN-SOFTIRQ-W} state was registered at: +kernel: lock_acquire+0xc7/0x2d0 +kernel: _raw_spin_lock+0x36/0x50 +kernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211] +kernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm] +kernel: iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm] +kernel: ieee80211_queue_skb+0x450/0x730 [mac80211] +kernel: __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211] +kernel: __ieee80211_subif_start_xmit+0x217/0x530 [mac80211] +kernel: ieee80211_subif_start_xmit+0x60/0x580 [mac80211] +kernel: dev_hard_start_xmit+0xb5/0x260 +kernel: __dev_queue_xmit+0xdbe/0x1200 +kernel: neigh_resolve_output+0x166/0x260 +kernel: ip_finish_output2+0x216/0xb80 +kernel: __ip_finish_output+0x2a4/0x4d0 +kernel: ip_finish_output+0x2d/0xd0 +kernel: ip_output+0x82/0x2b0 +kernel: ip_local_out+0xec/0x110 +kernel: igmpv3_sendpack+0x5c/0x90 +kernel: igmp_ifc_timer_expire+0x26e/0x4e0 +kernel: call_timer_fn+0xa5/0x230 +kernel: run_timer_softirq+0x27f/0x550 +kernel: __do_softirq+0xb4/0x3a4 +kernel: irq_exit_rcu+0x9b/0xc0 +kernel: sysvec_apic_timer_interrupt+0x80/0xa0 +kernel: asm_sysvec_apic_timer_interrupt+0x1f/0x30 +kernel: _raw_spin_unlock_irqrestore+0x3f/0x70 +kernel: free_to_partial_list+0x3d6/0x590 +kernel: __slab_free+0x1b7/0x310 +kernel: kmem_cache_free+0x52d/0x550 +kernel: putname+0x5d/0x70 +kernel: do_sys_openat2+0x1d7/0x310 +kernel: do_sys_open+0x51/0x80 +kernel: __x64_sys_openat+0x24/0x30 +kernel: do_syscall_64+0x5c/0x90 +kernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc +kernel: irq event stamp: 5120729 +kernel: hardirqs last enabled at (5120729): [] trace_graph_return+0xd6/0x120 +kernel: hardirqs last disabled at (5120728): [] trace_graph_return+0xf0/0x120 +kernel: softirqs last enabled at (5069900): [] return_to_handler+0x0/0x40 +kernel: softirqs last disabled at (5067555): [] return_to_handler+0x0/0x40 +kernel: + other info that might help us debug this: +kernel: Possible unsafe locking scenario: +kernel: CPU0 +kernel: ---- +kernel: lock(&local->queue_stop_reason_lock); +kernel: +kernel: lock(&local->queue_stop_reason_lock); +kernel: + *** DEADLOCK *** +kernel: 8 locks held by kworker/5:0/25656: +kernel: #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530 +kernel: #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530 +kernel: #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 +kernel: #3: ffff9d6190778728 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 +kernel: #4: ffff9d619077b480 (&mvm->mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 +kernel: #5: ffff9d61907bacd8 (&trans_pcie->mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 +kernel: #6: ffffffff9ef9cda0 (rcu_read_lock){....}-{1:2}, at: iwl_mvm_queue_state_change+0x59/0x3a0 [iwlmvm] +kernel: #7: ffffffff9ef9cda0 (rcu_read_lock){....}-{1:2}, at: iwl_mvm_mac_itxq_xmit+0x42/0x210 [iwlmvm] +kernel: + stack backtrace: +kernel: CPU: 5 PID: 25656 Comm: kworker/5:0 Tainted: G W 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 +kernel: Hardware name: LENOVO 82H8/LNVNB161216, BIOS GGCN51WW 11/16/2022 +kernel: Workqueue: events_freezable ieee80211_restart_work [mac80211] +kernel: Call Trace: +kernel: +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: dump_stack_lvl+0x5f/0xa0 +kernel: dump_stack+0x14/0x20 +kernel: print_usage_bug.part.46+0x208/0x2a0 +kernel: mark_lock.part.47+0x605/0x630 +kernel: ? sched_clock+0xd/0x20 +kernel: ? trace_clock_local+0x14/0x30 +kernel: ? __rb_reserve_next+0x5f/0x490 +kernel: ? _raw_spin_lock+0x1b/0x50 +kernel: __lock_acquire+0x464/0x1990 +kernel: ? mark_held_locks+0x4e/0x80 +kernel: lock_acquire+0xc7/0x2d0 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: ? ftrace_return_to_handler+0x8b/0x100 +kernel: ? preempt_count_add+0x4/0x70 +kernel: _raw_spin_lock+0x36/0x50 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211] +kernel: ? prepare_ftrace_return+0xc5/0x190 +kernel: ? ftrace_graph_func+0x16/0x20 +kernel: ? 0xffffffffc02ab0b1 +kernel: ? lock_acquire+0xc7/0x2d0 +kernel: ? iwl_mvm_mac_itxq_xmit+0x42/0x210 [iwlmvm] +kernel: ? ieee80211_tx_dequeue+0x9/0x1330 [mac80211] +kernel: ? __rcu_read_lock+0x4/0x40 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_mvm_queue_state_change+0x311/0x3a0 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_mvm_wake_sw_queue+0x17/0x20 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_txq_gen2_unmap+0x1c9/0x1f0 [iwlwifi] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_txq_gen2_free+0x55/0x130 [iwlwifi] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_txq_gen2_tx_free+0x63/0x80 [iwlwifi] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: _iwl_trans_pcie_gen2_stop_device+0x3f3/0x5b0 [iwlwifi] +kernel: ? _iwl_trans_pcie_gen2_stop_device+0x9/0x5b0 [iwlwifi] +kernel: ? mutex_lock_nested+0x4/0x30 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_trans_pcie_gen2_stop_device+0x5f/0x90 [iwlwifi] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_mvm_stop_device+0x78/0xd0 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: __iwl_mvm_mac_start+0x114/0x210 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_mvm_mac_start+0x76/0x150 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: drv_start+0x79/0x180 [mac80211] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: ieee80211_reconfig+0x1523/0x1ce0 [mac80211] +kernel: ? synchronize_net+0x4/0x50 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: ieee80211_restart_work+0x108/0x170 [mac80211] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: process_one_work+0x250/0x530 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: worker_thread+0x48/0x3a0 +kernel: ? __pfx_worker_thread+0x10/0x10 +kernel: kthread+0x10f/0x140 +kernel: ? __pfx_kthread+0x10/0x10 +kernel: ret_from_fork+0x29/0x50 +kernel: + +Fixes: 4444bc2116ae ("wifi: mac80211: Proper mark iTXQs for resumption") +Link: https://lore.kernel.org/all/1f58a0d1-d2b9-d851-73c3-93fcc607501c@alu.unizg.hr/ +Reported-by: Mirsad Goran Todorovac +Cc: Gregory Greenman +Cc: Johannes Berg +Link: https://lore.kernel.org/all/cdc80531-f25f-6f9d-b15f-25e16130b53a@alu.unizg.hr/ +Cc: David S. Miller +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Leon Romanovsky +Cc: Alexander Wetzel +Signed-off-by: Mirsad Goran Todorovac +Reviewed-by: Leon Romanovsky +Reviewed-by: tag, or it goes automatically? +Link: https://lore.kernel.org/r/20230425164005.25272-1-mirsad.todorovac@alu.unizg.hr +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 6a1708db652f2..763cefd0cc268 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3718,6 +3718,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, + ieee80211_tx_result r; + struct ieee80211_vif *vif = txq->vif; + int q = vif->hw_queue[txq->ac]; ++ unsigned long flags; + bool q_stopped; + + WARN_ON_ONCE(softirq_count() == 0); +@@ -3726,9 +3727,9 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, + return NULL; + + begin: +- spin_lock(&local->queue_stop_reason_lock); ++ spin_lock_irqsave(&local->queue_stop_reason_lock, flags); + q_stopped = local->queue_stop_reasons[q]; +- spin_unlock(&local->queue_stop_reason_lock); ++ spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags); + + if (unlikely(q_stopped)) { + /* mark for waking later */ +-- +2.39.2 + diff --git a/queue-6.1/wifi-mt76-connac-fix-stats-tx_bytes-calculation.patch b/queue-6.1/wifi-mt76-connac-fix-stats-tx_bytes-calculation.patch new file mode 100644 index 00000000000..49e29a4da83 --- /dev/null +++ b/queue-6.1/wifi-mt76-connac-fix-stats-tx_bytes-calculation.patch @@ -0,0 +1,51 @@ +From b17bae30bde06f1d9415da37bc18b871da344cd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 05:39:06 +0800 +Subject: wifi: mt76: connac: fix stats->tx_bytes calculation + +From: Ryder Lee + +[ Upstream commit c7ab7a29ef5c0779574120d922256ce4651555d3 ] + +The stats->tx_bytes shall subtract retry byte from tx byte. + +Fixes: 43eaa3689507 ("wifi: mt76: add PPDU based TxS support for WED device") +Signed-off-by: Ryder Lee +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/b3cd45596943cf5a06b2e08e2fe732ab0b51311b.1682285873.git.ryder.lee@mediatek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h | 2 +- + drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h b/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h +index f33171bcd3432..c3b692eac6f65 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h +@@ -163,7 +163,7 @@ enum { + #define MT_TXS5_MPDU_TX_CNT GENMASK(31, 23) + + #define MT_TXS6_MPDU_FAIL_CNT GENMASK(31, 23) +- ++#define MT_TXS7_MPDU_RETRY_BYTE GENMASK(22, 0) + #define MT_TXS7_MPDU_RETRY_CNT GENMASK(31, 23) + + /* RXD DW1 */ +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c +index 19f02b632a204..68511597599e3 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c +@@ -570,7 +570,8 @@ bool mt76_connac2_mac_fill_txs(struct mt76_dev *dev, struct mt76_wcid *wcid, + /* PPDU based reporting */ + if (FIELD_GET(MT_TXS0_TXS_FORMAT, txs) > 1) { + stats->tx_bytes += +- le32_get_bits(txs_data[5], MT_TXS5_MPDU_TX_BYTE); ++ le32_get_bits(txs_data[5], MT_TXS5_MPDU_TX_BYTE) - ++ le32_get_bits(txs_data[7], MT_TXS7_MPDU_RETRY_BYTE); + stats->tx_packets += + le32_get_bits(txs_data[5], MT_TXS5_MPDU_TX_CNT); + stats->tx_failed += +-- +2.39.2 + diff --git a/queue-6.1/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch b/queue-6.1/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch new file mode 100644 index 00000000000..367e6e6bc97 --- /dev/null +++ b/queue-6.1/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch @@ -0,0 +1,49 @@ +From ff5b5fe28ef60949e32abd21647f6feca12e4602 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 15:12:16 +0200 +Subject: xfrm: don't check the default policy if the policy allows the packet + +From: Sabrina Dubroca + +[ Upstream commit 430cac487400494c19a8b85299e979bb07b4671f ] + +The current code doesn't let a simple "allow" policy counteract a +default policy blocking all incoming packets: + + ip x p setdefault in block + ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow + +At this stage, we have an allow policy (with or without transforms) +for this packet. It doesn't matter what the default policy says, since +the policy we looked up lets the packet through. The case of a +blocking policy is already handled separately, so we can remove this +check. + +Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 7f49dab3b6b59..bea48a73a7313 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3637,12 +3637,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + } + xfrm_nr = ti; + +- if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK && +- !xfrm_nr) { +- XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES); +- goto reject; +- } +- + if (npols > 1) { + xfrm_tmpl_sort(stp, tpp, xfrm_nr, family); + tpp = stp; +-- +2.39.2 + diff --git a/queue-6.1/xfrm-reject-optional-tunnel-beet-mode-templates-in-o.patch b/queue-6.1/xfrm-reject-optional-tunnel-beet-mode-templates-in-o.patch new file mode 100644 index 00000000000..945861eb2cd --- /dev/null +++ b/queue-6.1/xfrm-reject-optional-tunnel-beet-mode-templates-in-o.patch @@ -0,0 +1,92 @@ +From 88dd7115dea15f2f9e629eb55b8016e09421833a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 10:59:58 +0200 +Subject: xfrm: Reject optional tunnel/BEET mode templates in outbound policies + +From: Tobias Brunner + +[ Upstream commit 3d776e31c841ba2f69895d2255a49320bec7cea6 ] + +xfrm_state_find() uses `encap_family` of the current template with +the passed local and remote addresses to find a matching state. +If an optional tunnel or BEET mode template is skipped in a mixed-family +scenario, there could be a mismatch causing an out-of-bounds read as +the addresses were not replaced to match the family of the next template. + +While there are theoretical use cases for optional templates in outbound +policies, the only practical one is to skip IPComp states in inbound +policies if uncompressed packets are received that are handled by an +implicitly created IPIP state instead. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tobias Brunner +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 83f35ecacf24f..2d68a173b2273 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1743,7 +1743,7 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, + } + + static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family, +- struct netlink_ext_ack *extack) ++ int dir, struct netlink_ext_ack *extack) + { + u16 prev_family; + int i; +@@ -1769,6 +1769,10 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family, + switch (ut[i].mode) { + case XFRM_MODE_TUNNEL: + case XFRM_MODE_BEET: ++ if (ut[i].optional && dir == XFRM_POLICY_OUT) { ++ NL_SET_ERR_MSG(extack, "Mode in optional template not allowed in outbound policy"); ++ return -EINVAL; ++ } + break; + default: + if (ut[i].family != prev_family) { +@@ -1806,7 +1810,7 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family, + } + + static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs, +- struct netlink_ext_ack *extack) ++ int dir, struct netlink_ext_ack *extack) + { + struct nlattr *rt = attrs[XFRMA_TMPL]; + +@@ -1817,7 +1821,7 @@ static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs, + int nr = nla_len(rt) / sizeof(*utmpl); + int err; + +- err = validate_tmpl(nr, utmpl, pol->family, extack); ++ err = validate_tmpl(nr, utmpl, pol->family, dir, extack); + if (err) + return err; + +@@ -1894,7 +1898,7 @@ static struct xfrm_policy *xfrm_policy_construct(struct net *net, + if (err) + goto error; + +- if (!(err = copy_from_user_tmpl(xp, attrs, extack))) ++ if (!(err = copy_from_user_tmpl(xp, attrs, p->dir, extack))) + err = copy_from_user_sec_ctx(xp, attrs); + if (err) + goto error; +@@ -3443,7 +3447,7 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, + return NULL; + + nr = ((len - sizeof(*p)) / sizeof(*ut)); +- if (validate_tmpl(nr, ut, p->sel.family, NULL)) ++ if (validate_tmpl(nr, ut, p->sel.family, p->dir, NULL)) + return NULL; + + if (p->dir > XFRM_POLICY_OUT) +-- +2.39.2 + -- 2.47.3