From 5a5e7fb012b24155c52c610e14915cca24a3ce31 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 7 Jul 2024 10:53:23 -0400 Subject: [PATCH] Fixes for 6.1 Signed-off-by: Sasha Levin --- ...of-bounds-read-in-bond_option_arp_ip.patch | 79 ++++++ ...-s0ix-residency-on-corporate-systems.patch | 211 +++++++++++++++ ...-quirk-for-legacy-names-in-mediatek-.patch | 79 ++++++ ...-quirk-for-reset-line-for-marvell-nf.patch | 46 ++++ ...-quirk-for-reset-line-polarity-for-h.patch | 79 ++++++ ...ib-of-add-polarity-quirk-for-tsc2005.patch | 46 ++++ ...uirk-for-locating-reset-lines-with-l.patch | 62 +++++ ...lidate-simple-renames-into-a-single-.patch | 241 ++++++++++++++++++ ...r-out-code-overriding-gpio-line-pola.patch | 105 ++++++++ ...-of-fix-lookup-quirk-for-mips-lantiq.patch | 71 ++++++ ...en-selection-of-gpio-renaming-quirks.patch | 77 ++++++ ...lize-pad-field-in-struct-inet_diag_r.patch | 117 +++++++++ queue-6.1/kvm-s390-fix-lpswey-handling.patch | 130 ++++++++++ ...me-calculation-in-ieee802154_configu.patch | 62 +++++ ...ards-fix-double-memory-deallocation-.patch | 46 ++++ ...tagram_iter-to-be-called-from-any-co.patch | 60 +++++ ...witch-create-ingress-acl-when-needed.patch | 122 +++++++++ ...prio_rl-cleanup-and-free-in-mlx5e_pr.patch | 43 ++++ ...ove-ntb_netdev_rx_handler-to-call-ne.patch | 79 ++++++ ...les-unconditionally-flush-pending-wo.patch | 62 +++++ ...c-avoid-deadlock-in-kexec-crash-path.patch | 58 +++++ ...sts-fix-oom-in-msg_zerocopy-selftest.patch | 101 ++++++++ ...rder-checking-verbose-in-msg_zerocop.patch | 40 +++ queue-6.1/series | 26 ++ ..._metrics-validate-source-addr-length.patch | 38 +++ ...-dsack-undo-in-fast-recovery-to-call.patch | 70 +++++ ...000-fix-ies_len-type-in-connect-path.patch | 51 ++++ 27 files changed, 2201 insertions(+) create mode 100644 queue-6.1/bonding-fix-out-of-bounds-read-in-bond_option_arp_ip.patch create mode 100644 queue-6.1/e1000e-fix-s0ix-residency-on-corporate-systems.patch create mode 100644 queue-6.1/gpiolib-of-add-a-quirk-for-legacy-names-in-mediatek-.patch create mode 100644 queue-6.1/gpiolib-of-add-a-quirk-for-reset-line-for-marvell-nf.patch create mode 100644 queue-6.1/gpiolib-of-add-a-quirk-for-reset-line-polarity-for-h.patch create mode 100644 queue-6.1/gpiolib-of-add-polarity-quirk-for-tsc2005.patch create mode 100644 queue-6.1/gpiolib-of-add-quirk-for-locating-reset-lines-with-l.patch create mode 100644 queue-6.1/gpiolib-of-consolidate-simple-renames-into-a-single-.patch create mode 100644 queue-6.1/gpiolib-of-factor-out-code-overriding-gpio-line-pola.patch create mode 100644 queue-6.1/gpiolib-of-fix-lookup-quirk-for-mips-lantiq.patch create mode 100644 queue-6.1/gpiolib-of-tighten-selection-of-gpio-renaming-quirks.patch create mode 100644 queue-6.1/inet_diag-initialize-pad-field-in-struct-inet_diag_r.patch create mode 100644 queue-6.1/kvm-s390-fix-lpswey-handling.patch create mode 100644 queue-6.1/mac802154-fix-time-calculation-in-ieee802154_configu.patch create mode 100644 queue-6.1/mlxsw-core_linecards-fix-double-memory-deallocation-.patch create mode 100644 queue-6.1/net-allow-skb_datagram_iter-to-be-called-from-any-co.patch create mode 100644 queue-6.1/net-mlx5-e-switch-create-ingress-acl-when-needed.patch create mode 100644 queue-6.1/net-mlx5e-add-mqprio_rl-cleanup-and-free-in-mlx5e_pr.patch create mode 100644 queue-6.1/net-ntb_netdev-move-ntb_netdev_rx_handler-to-call-ne.patch create mode 100644 queue-6.1/netfilter-nf_tables-unconditionally-flush-pending-wo.patch create mode 100644 queue-6.1/riscv-kexec-avoid-deadlock-in-kexec-crash-path.patch create mode 100644 queue-6.1/selftests-fix-oom-in-msg_zerocopy-selftest.patch create mode 100644 queue-6.1/selftests-make-order-checking-verbose-in-msg_zerocop.patch create mode 100644 queue-6.1/tcp_metrics-validate-source-addr-length.patch create mode 100644 queue-6.1/upstream-tcp-fix-dsack-undo-in-fast-recovery-to-call.patch create mode 100644 queue-6.1/wifi-wilc1000-fix-ies_len-type-in-connect-path.patch diff --git a/queue-6.1/bonding-fix-out-of-bounds-read-in-bond_option_arp_ip.patch b/queue-6.1/bonding-fix-out-of-bounds-read-in-bond_option_arp_ip.patch new file mode 100644 index 00000000000..df97fe733a0 --- /dev/null +++ b/queue-6.1/bonding-fix-out-of-bounds-read-in-bond_option_arp_ip.patch @@ -0,0 +1,79 @@ +From 9243df51f391b1c359324651ce40c92270a10840 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 14:55:55 +0100 +Subject: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() + +From: Sam Sun + +[ Upstream commit e271ff53807e8f2c628758290f0e499dbe51cb3d ] + +In function bond_option_arp_ip_targets_set(), if newval->string is an +empty string, newval->string+1 will point to the byte after the +string, causing an out-of-bound read. + +BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 +Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 +CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:364 [inline] + print_report+0xc1/0x5e0 mm/kasan/report.c:475 + kasan_report+0xbe/0xf0 mm/kasan/report.c:588 + strlen+0x7d/0xa0 lib/string.c:418 + __fortify_strlen include/linux/fortify-string.h:210 [inline] + in4_pton+0xa3/0x3f0 net/core/utils.c:130 + bond_option_arp_ip_targets_set+0xc2/0x910 +drivers/net/bonding/bond_options.c:1201 + __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767 + __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792 + bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817 + bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156 + dev_attr_store+0x54/0x80 drivers/base/core.c:2366 + sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 + kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334 + call_write_iter include/linux/fs.h:2020 [inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x96a/0xd80 fs/read_write.c:584 + ksys_write+0x122/0x250 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b +---[ end trace ]--- + +Fix it by adding a check of string length before using it. + +Fixes: f9de11a16594 ("bonding: add ip checks when store ip target") +Signed-off-by: Yue Sun +Signed-off-by: Simon Horman +Acked-by: Jay Vosburgh +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20240702-bond-oob-v6-1-2dfdba195c19@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_options.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index 5bb2c098bf4df..685fb4703ee1f 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1210,9 +1210,9 @@ static int bond_option_arp_ip_targets_set(struct bonding *bond, + __be32 target; + + if (newval->string) { +- if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) { +- netdev_err(bond->dev, "invalid ARP target %pI4 specified\n", +- &target); ++ if (strlen(newval->string) < 1 || ++ !in4_pton(newval->string + 1, -1, (u8 *)&target, -1, NULL)) { ++ netdev_err(bond->dev, "invalid ARP target specified\n"); + return ret; + } + if (newval->string[0] == '+') +-- +2.43.0 + diff --git a/queue-6.1/e1000e-fix-s0ix-residency-on-corporate-systems.patch b/queue-6.1/e1000e-fix-s0ix-residency-on-corporate-systems.patch new file mode 100644 index 00000000000..038baf9a34f --- /dev/null +++ b/queue-6.1/e1000e-fix-s0ix-residency-on-corporate-systems.patch @@ -0,0 +1,211 @@ +From 2d33d1b6b1cb6d74eb8a99f5b353d109e208f616 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jun 2024 13:17:53 -0700 +Subject: e1000e: Fix S0ix residency on corporate systems + +From: Dima Ruinskiy + +[ Upstream commit c93a6f62cb1bd097aef2e4588648a420d175eee2 ] + +On vPro systems, the configuration of the I219-LM to achieve power +gating and S0ix residency is split between the driver and the CSME FW. +It was discovered that in some scenarios, where the network cable is +connected and then disconnected, S0ix residency is not always reached. +This was root-caused to a subset of I219-LM register writes that are not +performed by the CSME FW. Therefore, the driver should perform these +register writes on corporate setups, regardless of the CSME FW state. + +This was discovered on Meteor Lake systems; however it is likely to +appear on other platforms as well. + +Fixes: cc23f4f0b6b9 ("e1000e: Add support for Meteor Lake") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=218589 +Signed-off-by: Dima Ruinskiy +Signed-off-by: Vitaly Lifshits +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240628201754.2744221-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 132 ++++++++++----------- + 1 file changed, 66 insertions(+), 66 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index db8e06157da29..cbd8357c61edc 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -6369,49 +6369,49 @@ static void e1000e_s0ix_entry_flow(struct e1000_adapter *adapter) + mac_data |= E1000_EXTCNF_CTRL_GATE_PHY_CFG; + ew32(EXTCNF_CTRL, mac_data); + +- /* Enable the Dynamic Power Gating in the MAC */ +- mac_data = er32(FEXTNVM7); +- mac_data |= BIT(22); +- ew32(FEXTNVM7, mac_data); +- + /* Disable disconnected cable conditioning for Power Gating */ + mac_data = er32(DPGFR); + mac_data |= BIT(2); + ew32(DPGFR, mac_data); + +- /* Don't wake from dynamic Power Gating with clock request */ +- mac_data = er32(FEXTNVM12); +- mac_data |= BIT(12); +- ew32(FEXTNVM12, mac_data); +- +- /* Ungate PGCB clock */ +- mac_data = er32(FEXTNVM9); +- mac_data &= ~BIT(28); +- ew32(FEXTNVM9, mac_data); +- +- /* Enable K1 off to enable mPHY Power Gating */ +- mac_data = er32(FEXTNVM6); +- mac_data |= BIT(31); +- ew32(FEXTNVM6, mac_data); +- +- /* Enable mPHY power gating for any link and speed */ +- mac_data = er32(FEXTNVM8); +- mac_data |= BIT(9); +- ew32(FEXTNVM8, mac_data); +- + /* Enable the Dynamic Clock Gating in the DMA and MAC */ + mac_data = er32(CTRL_EXT); + mac_data |= E1000_CTRL_EXT_DMA_DYN_CLK_EN; + ew32(CTRL_EXT, mac_data); +- +- /* No MAC DPG gating SLP_S0 in modern standby +- * Switch the logic of the lanphypc to use PMC counter +- */ +- mac_data = er32(FEXTNVM5); +- mac_data |= BIT(7); +- ew32(FEXTNVM5, mac_data); + } + ++ /* Enable the Dynamic Power Gating in the MAC */ ++ mac_data = er32(FEXTNVM7); ++ mac_data |= BIT(22); ++ ew32(FEXTNVM7, mac_data); ++ ++ /* Don't wake from dynamic Power Gating with clock request */ ++ mac_data = er32(FEXTNVM12); ++ mac_data |= BIT(12); ++ ew32(FEXTNVM12, mac_data); ++ ++ /* Ungate PGCB clock */ ++ mac_data = er32(FEXTNVM9); ++ mac_data &= ~BIT(28); ++ ew32(FEXTNVM9, mac_data); ++ ++ /* Enable K1 off to enable mPHY Power Gating */ ++ mac_data = er32(FEXTNVM6); ++ mac_data |= BIT(31); ++ ew32(FEXTNVM6, mac_data); ++ ++ /* Enable mPHY power gating for any link and speed */ ++ mac_data = er32(FEXTNVM8); ++ mac_data |= BIT(9); ++ ew32(FEXTNVM8, mac_data); ++ ++ /* No MAC DPG gating SLP_S0 in modern standby ++ * Switch the logic of the lanphypc to use PMC counter ++ */ ++ mac_data = er32(FEXTNVM5); ++ mac_data |= BIT(7); ++ ew32(FEXTNVM5, mac_data); ++ + /* Disable the time synchronization clock */ + mac_data = er32(FEXTNVM7); + mac_data |= BIT(31); +@@ -6503,33 +6503,6 @@ static void e1000e_s0ix_exit_flow(struct e1000_adapter *adapter) + } else { + /* Request driver unconfigure the device from S0ix */ + +- /* Disable the Dynamic Power Gating in the MAC */ +- mac_data = er32(FEXTNVM7); +- mac_data &= 0xFFBFFFFF; +- ew32(FEXTNVM7, mac_data); +- +- /* Disable mPHY power gating for any link and speed */ +- mac_data = er32(FEXTNVM8); +- mac_data &= ~BIT(9); +- ew32(FEXTNVM8, mac_data); +- +- /* Disable K1 off */ +- mac_data = er32(FEXTNVM6); +- mac_data &= ~BIT(31); +- ew32(FEXTNVM6, mac_data); +- +- /* Disable Ungate PGCB clock */ +- mac_data = er32(FEXTNVM9); +- mac_data |= BIT(28); +- ew32(FEXTNVM9, mac_data); +- +- /* Cancel not waking from dynamic +- * Power Gating with clock request +- */ +- mac_data = er32(FEXTNVM12); +- mac_data &= ~BIT(12); +- ew32(FEXTNVM12, mac_data); +- + /* Cancel disable disconnected cable conditioning + * for Power Gating + */ +@@ -6542,13 +6515,6 @@ static void e1000e_s0ix_exit_flow(struct e1000_adapter *adapter) + mac_data &= 0xFFF7FFFF; + ew32(CTRL_EXT, mac_data); + +- /* Revert the lanphypc logic to use the internal Gbe counter +- * and not the PMC counter +- */ +- mac_data = er32(FEXTNVM5); +- mac_data &= 0xFFFFFF7F; +- ew32(FEXTNVM5, mac_data); +- + /* Enable the periodic inband message, + * Request PCIe clock in K1 page770_17[10:9] =01b + */ +@@ -6586,6 +6552,40 @@ static void e1000e_s0ix_exit_flow(struct e1000_adapter *adapter) + mac_data &= ~BIT(31); + mac_data |= BIT(0); + ew32(FEXTNVM7, mac_data); ++ ++ /* Disable the Dynamic Power Gating in the MAC */ ++ mac_data = er32(FEXTNVM7); ++ mac_data &= 0xFFBFFFFF; ++ ew32(FEXTNVM7, mac_data); ++ ++ /* Disable mPHY power gating for any link and speed */ ++ mac_data = er32(FEXTNVM8); ++ mac_data &= ~BIT(9); ++ ew32(FEXTNVM8, mac_data); ++ ++ /* Disable K1 off */ ++ mac_data = er32(FEXTNVM6); ++ mac_data &= ~BIT(31); ++ ew32(FEXTNVM6, mac_data); ++ ++ /* Disable Ungate PGCB clock */ ++ mac_data = er32(FEXTNVM9); ++ mac_data |= BIT(28); ++ ew32(FEXTNVM9, mac_data); ++ ++ /* Cancel not waking from dynamic ++ * Power Gating with clock request ++ */ ++ mac_data = er32(FEXTNVM12); ++ mac_data &= ~BIT(12); ++ ew32(FEXTNVM12, mac_data); ++ ++ /* Revert the lanphypc logic to use the internal Gbe counter ++ * and not the PMC counter ++ */ ++ mac_data = er32(FEXTNVM5); ++ mac_data &= 0xFFFFFF7F; ++ ew32(FEXTNVM5, mac_data); + } + + static int e1000e_pm_freeze(struct device *dev) +-- +2.43.0 + diff --git a/queue-6.1/gpiolib-of-add-a-quirk-for-legacy-names-in-mediatek-.patch b/queue-6.1/gpiolib-of-add-a-quirk-for-legacy-names-in-mediatek-.patch new file mode 100644 index 00000000000..ea72ac5a8e9 --- /dev/null +++ b/queue-6.1/gpiolib-of-add-a-quirk-for-legacy-names-in-mediatek-.patch @@ -0,0 +1,79 @@ +From c98cd1a155be79deff08d6d3cb364a6ad9a95a19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 22:41:02 -0700 +Subject: gpiolib: of: add a quirk for legacy names in Mediatek mt2701-cs42448 + +From: Dmitry Torokhov + +[ Upstream commit 326c3753a6358ffab607749ea0aa95d1d0ad79b0 ] + +The driver is using non-standard "i2s1-in-sel-gpio1" and +"i2s1-in-sel-gpio2" names to describe its gpios. In preparation to +converting to the standard naming (i2s1-in-sel-gpios) and switching the +driver to gpiod API add a quirk to gpiolib to keep compatibility with +existing DTSes. + +Reviewed-by: Daniel Thompson +Reviewed-by: Linus Walleij +Signed-off-by: Dmitry Torokhov +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: f8d76c2c313c ("gpiolib: of: add polarity quirk for TSC2005") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index 0e4e1291604d6..cef4f66341256 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -488,6 +488,38 @@ static struct gpio_desc *of_find_usb_gpio(struct device_node *np, + return of_get_named_gpiod_flags(np, con_id, idx, of_flags); + } + ++static struct gpio_desc *of_find_mt2701_gpio(struct device_node *np, ++ const char *con_id, ++ unsigned int idx, ++ enum of_gpio_flags *of_flags) ++{ ++ struct gpio_desc *desc; ++ const char *legacy_id; ++ ++ if (!IS_ENABLED(CONFIG_SND_SOC_MT2701_CS42448)) ++ return ERR_PTR(-ENOENT); ++ ++ if (!of_device_is_compatible(np, "mediatek,mt2701-cs42448-machine")) ++ return ERR_PTR(-ENOENT); ++ ++ if (!con_id || strcmp(con_id, "i2s1-in-sel")) ++ return ERR_PTR(-ENOENT); ++ ++ if (idx == 0) ++ legacy_id = "i2s1-in-sel-gpio1"; ++ else if (idx == 1) ++ legacy_id = "i2s1-in-sel-gpio2"; ++ else ++ return ERR_PTR(-ENOENT); ++ ++ desc = of_get_named_gpiod_flags(np, legacy_id, 0, of_flags); ++ if (!gpiod_not_found(desc)) ++ pr_info("%s is using legacy gpio name '%s' instead of '%s-gpios'\n", ++ of_node_full_name(np), legacy_id, con_id); ++ ++ return desc; ++} ++ + typedef struct gpio_desc *(*of_find_gpio_quirk)(struct device_node *np, + const char *con_id, + unsigned int idx, +@@ -498,6 +530,7 @@ static const of_find_gpio_quirk of_find_gpio_quirks[] = { + of_find_regulator_gpio, + of_find_arizona_gpio, + of_find_usb_gpio, ++ of_find_mt2701_gpio, + NULL + }; + +-- +2.43.0 + diff --git a/queue-6.1/gpiolib-of-add-a-quirk-for-reset-line-for-marvell-nf.patch b/queue-6.1/gpiolib-of-add-a-quirk-for-reset-line-for-marvell-nf.patch new file mode 100644 index 00000000000..17bc3651bab --- /dev/null +++ b/queue-6.1/gpiolib-of-add-a-quirk-for-reset-line-for-marvell-nf.patch @@ -0,0 +1,46 @@ +From 02a7a4499b8f000e166f7422115fc9d4a2d070a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 22:41:06 -0700 +Subject: gpiolib: of: add a quirk for reset line for Marvell NFC controller + +From: Dmitry Torokhov + +[ Upstream commit 9c2cc7171e08eef52110d272fdf2225d6dcd81b6 ] + +The controller is using non-standard "reset-n-io" name for its reset +gpio property, whereas gpiod API expects "-gpios". Add a quirk +so that gpiod API will still work on unmodified DTSes. + +Reviewed-by: Daniel Thompson +Signed-off-by: Dmitry Torokhov +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: f8d76c2c313c ("gpiolib: of: add polarity quirk for TSC2005") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index 2b5d1b3095c7b..a9cedc39a2459 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -390,6 +390,16 @@ static struct gpio_desc *of_find_gpio_rename(struct device_node *np, + #if IS_ENABLED(CONFIG_MFD_ARIZONA) + { "wlf,reset", NULL, NULL }, + #endif ++#if IS_ENABLED(CONFIG_NFC_MRVL_I2C) ++ { "reset", "reset-n-io", "marvell,nfc-i2c" }, ++#endif ++#if IS_ENABLED(CONFIG_NFC_MRVL_SPI) ++ { "reset", "reset-n-io", "marvell,nfc-spi" }, ++#endif ++#if IS_ENABLED(CONFIG_NFC_MRVL_UART) ++ { "reset", "reset-n-io", "marvell,nfc-uart" }, ++ { "reset", "reset-n-io", "mrvl,nfc-uart" }, ++#endif + #if !IS_ENABLED(CONFIG_PCI_LANTIQ) + /* MIPS Lantiq PCI */ + { "reset", "gpios-reset", "lantiq,pci-xway" }, +-- +2.43.0 + diff --git a/queue-6.1/gpiolib-of-add-a-quirk-for-reset-line-polarity-for-h.patch b/queue-6.1/gpiolib-of-add-a-quirk-for-reset-line-polarity-for-h.patch new file mode 100644 index 00000000000..e06e57b040d --- /dev/null +++ b/queue-6.1/gpiolib-of-add-a-quirk-for-reset-line-polarity-for-h.patch @@ -0,0 +1,79 @@ +From 0ab372f75b5473f08e306a1b64a6a7d5fc00a832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 22:41:11 -0700 +Subject: gpiolib: of: add a quirk for reset line polarity for Himax LCDs + +From: Dmitry Torokhov + +[ Upstream commit 99d18d42c942854a073191714a311dc2420ec7d3 ] + +Existing DTS that use legacy (non-standard) property name for the reset +line "gpios-reset" also specify incorrect polarity (0 which maps to +"active high"). Add a quirk to force polarity to "active low" so that +once driver is converted to gpiod API that pays attention to line +polarity it will work properly. + +Reviewed-by: Linus Walleij +Signed-off-by: Dmitry Torokhov +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: f8d76c2c313c ("gpiolib: of: add polarity quirk for TSC2005") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index 618d7781299d4..c76489dec6456 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -152,11 +152,47 @@ static void of_gpio_quirk_polarity(const struct device_node *np, + } + } + ++/* ++ * This quirk does static polarity overrides in cases where existing ++ * DTS specified incorrect polarity. ++ */ ++static void of_gpio_try_fixup_polarity(const struct device_node *np, ++ const char *propname, ++ enum of_gpio_flags *flags) ++{ ++ static const struct { ++ const char *compatible; ++ const char *propname; ++ bool active_high; ++ } gpios[] = { ++#if !IS_ENABLED(CONFIG_LCD_HX8357) ++ /* ++ * Himax LCD controllers used incorrectly named ++ * "gpios-reset" property and also specified wrong ++ * polarity. ++ */ ++ { "himax,hx8357", "gpios-reset", false }, ++ { "himax,hx8369", "gpios-reset", false }, ++#endif ++ }; ++ unsigned int i; ++ ++ for (i = 0; i < ARRAY_SIZE(gpios); i++) { ++ if (of_device_is_compatible(np, gpios[i].compatible) && ++ !strcmp(propname, gpios[i].propname)) { ++ of_gpio_quirk_polarity(np, gpios[i].active_high, flags); ++ break; ++ } ++ } ++} ++ + static void of_gpio_flags_quirks(const struct device_node *np, + const char *propname, + enum of_gpio_flags *flags, + int index) + { ++ of_gpio_try_fixup_polarity(np, propname, flags); ++ + /* + * Some GPIO fixed regulator quirks. + * Note that active low is the default. +-- +2.43.0 + diff --git a/queue-6.1/gpiolib-of-add-polarity-quirk-for-tsc2005.patch b/queue-6.1/gpiolib-of-add-polarity-quirk-for-tsc2005.patch new file mode 100644 index 00000000000..d107ebd89a2 --- /dev/null +++ b/queue-6.1/gpiolib-of-add-polarity-quirk-for-tsc2005.patch @@ -0,0 +1,46 @@ +From f5e962846e0715e9edec9e81929fbe6a6e767864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 11:26:09 -0700 +Subject: gpiolib: of: add polarity quirk for TSC2005 + +From: Dmitry Torokhov + +[ Upstream commit f8d76c2c313c56d5cb894a243dff4550f048278d ] + +DTS for Nokia N900 incorrectly specifies "active high" polarity for +the reset line, while the chip documentation actually specifies it as +"active low". In the past the driver fudged gpiod API and inverted +the logic internally, but it was changed in d0d89493bff8. + +Fixes: d0d89493bff8 ("Input: tsc2004/5 - switch to using generic device properties") +Signed-off-by: Dmitry Torokhov +Acked-by: Linus Walleij +Link: https://lore.kernel.org/r/ZoWXwYtwgJIxi-hD@google.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index 12b30136df94b..3868909f3d368 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -183,6 +183,14 @@ static void of_gpio_try_fixup_polarity(const struct device_node *np, + * for the property. + */ + { "lantiq,pci-xway", "gpio-reset", false }, ++#endif ++#if IS_ENABLED(CONFIG_TOUCHSCREEN_TSC2005) ++ /* ++ * DTS for Nokia N900 incorrectly specified "active high" ++ * polarity for the reset line, while the chip actually ++ * treats it as "active low". ++ */ ++ { "ti,tsc2005", "reset-gpios", false }, + #endif + }; + unsigned int i; +-- +2.43.0 + diff --git a/queue-6.1/gpiolib-of-add-quirk-for-locating-reset-lines-with-l.patch b/queue-6.1/gpiolib-of-add-quirk-for-locating-reset-lines-with-l.patch new file mode 100644 index 00000000000..23124b1c28b --- /dev/null +++ b/queue-6.1/gpiolib-of-add-quirk-for-locating-reset-lines-with-l.patch @@ -0,0 +1,62 @@ +From 16cf310c2482fd22f75aac6c14f6c0712459fcd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 22:41:05 -0700 +Subject: gpiolib: of: add quirk for locating reset lines with legacy bindings + +From: Dmitry Torokhov + +[ Upstream commit fbbbcd177a27508a47c5136b31de5cf4c8d0ab1c ] + +Some legacy mappings used "gpio[s]-reset" instead of "reset-gpios", +add a quirk so that gpiod API will still work on unmodified DTSes. + +Reviewed-by: Daniel Thompson +Reviewed-by: Linus Walleij +Signed-off-by: Dmitry Torokhov +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: f8d76c2c313c ("gpiolib: of: add polarity quirk for TSC2005") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index 7d4bbf6484bc7..2b5d1b3095c7b 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -382,9 +382,18 @@ static struct gpio_desc *of_find_gpio_rename(struct device_node *np, + */ + const char *compatible; + } gpios[] = { ++#if !IS_ENABLED(CONFIG_LCD_HX8357) ++ /* Himax LCD controllers used "gpios-reset" */ ++ { "reset", "gpios-reset", "himax,hx8357" }, ++ { "reset", "gpios-reset", "himax,hx8369" }, ++#endif + #if IS_ENABLED(CONFIG_MFD_ARIZONA) + { "wlf,reset", NULL, NULL }, + #endif ++#if !IS_ENABLED(CONFIG_PCI_LANTIQ) ++ /* MIPS Lantiq PCI */ ++ { "reset", "gpios-reset", "lantiq,pci-xway" }, ++#endif + + /* + * Some regulator bindings happened before we managed to +@@ -399,6 +408,13 @@ static struct gpio_desc *of_find_gpio_rename(struct device_node *np, + { "wlf,ldo2ena", NULL, NULL }, /* WM8994 */ + #endif + ++#if IS_ENABLED(CONFIG_SND_SOC_TLV320AIC3X) ++ { "reset", "gpio-reset", "ti,tlv320aic3x" }, ++ { "reset", "gpio-reset", "ti,tlv320aic33" }, ++ { "reset", "gpio-reset", "ti,tlv320aic3007" }, ++ { "reset", "gpio-reset", "ti,tlv320aic3104" }, ++ { "reset", "gpio-reset", "ti,tlv320aic3106" }, ++#endif + #if IS_ENABLED(CONFIG_SPI_GPIO) + /* + * The SPI GPIO bindings happened before we managed to +-- +2.43.0 + diff --git a/queue-6.1/gpiolib-of-consolidate-simple-renames-into-a-single-.patch b/queue-6.1/gpiolib-of-consolidate-simple-renames-into-a-single-.patch new file mode 100644 index 00000000000..75de7a9ec0e --- /dev/null +++ b/queue-6.1/gpiolib-of-consolidate-simple-renames-into-a-single-.patch @@ -0,0 +1,241 @@ +From c2b9b11ef350f30614a772048eda7396230f109d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 22:41:03 -0700 +Subject: gpiolib: of: consolidate simple renames into a single quirk + +From: Dmitry Torokhov + +[ Upstream commit b311c5cba779a87e85525d351965bbd2c18111de ] + +This consolidates all quirks doing simple renames (either allowing +suffix-less names or trivial renames, when index changes are not +required) into a single quirk. + +Reviewed-by: Daniel Thompson +Reviewed-by: Linus Walleij +Signed-off-by: Dmitry Torokhov +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: f8d76c2c313c ("gpiolib: of: add polarity quirk for TSC2005") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 183 +++++++++++++++----------------------- + 1 file changed, 71 insertions(+), 112 deletions(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index cef4f66341256..63c6fa3086f3c 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -365,127 +365,90 @@ struct gpio_desc *gpiod_get_from_of_node(const struct device_node *node, + } + EXPORT_SYMBOL_GPL(gpiod_get_from_of_node); + +-/* +- * The SPI GPIO bindings happened before we managed to establish that GPIO +- * properties should be named "foo-gpios" so we have this special kludge for +- * them. +- */ +-static struct gpio_desc *of_find_spi_gpio(struct device_node *np, +- const char *con_id, +- unsigned int idx, +- enum of_gpio_flags *of_flags) +-{ +- char prop_name[32]; /* 32 is max size of property name */ +- +- /* +- * Hopefully the compiler stubs the rest of the function if this +- * is false. +- */ +- if (!IS_ENABLED(CONFIG_SPI_MASTER)) +- return ERR_PTR(-ENOENT); +- +- /* Allow this specifically for "spi-gpio" devices */ +- if (!of_device_is_compatible(np, "spi-gpio") || !con_id) +- return ERR_PTR(-ENOENT); +- +- /* Will be "gpio-sck", "gpio-mosi" or "gpio-miso" */ +- snprintf(prop_name, sizeof(prop_name), "%s-%s", "gpio", con_id); +- +- return of_get_named_gpiod_flags(np, prop_name, idx, of_flags); +-} +- +-/* +- * The old Freescale bindings use simply "gpios" as name for the chip select +- * lines rather than "cs-gpios" like all other SPI hardware. Account for this +- * with a special quirk. +- */ +-static struct gpio_desc *of_find_spi_cs_gpio(struct device_node *np, ++static struct gpio_desc *of_find_gpio_rename(struct device_node *np, + const char *con_id, + unsigned int idx, + enum of_gpio_flags *of_flags) + { +- if (!IS_ENABLED(CONFIG_SPI_MASTER)) +- return ERR_PTR(-ENOENT); +- +- /* Allow this specifically for Freescale and PPC devices */ +- if (!of_device_is_compatible(np, "fsl,spi") && +- !of_device_is_compatible(np, "aeroflexgaisler,spictrl") && +- !of_device_is_compatible(np, "ibm,ppc4xx-spi")) +- return ERR_PTR(-ENOENT); +- /* Allow only if asking for "cs-gpios" */ +- if (!con_id || strcmp(con_id, "cs")) +- return ERR_PTR(-ENOENT); ++ static const struct of_rename_gpio { ++ const char *con_id; ++ const char *legacy_id; /* NULL - same as con_id */ ++ /* ++ * Compatible string can be set to NULL in case where ++ * matching to a particular compatible is not practical, ++ * but it should only be done for gpio names that have ++ * vendor prefix to reduce risk of false positives. ++ * Addition of such entries is strongly discouraged. ++ */ ++ const char *compatible; ++ } gpios[] = { ++#if IS_ENABLED(CONFIG_MFD_ARIZONA) ++ { "wlf,reset", NULL, NULL }, ++#endif ++#if IS_ENABLED(CONFIG_REGULATOR) ++ /* ++ * Some regulator bindings happened before we managed to ++ * establish that GPIO properties should be named ++ * "foo-gpios" so we have this special kludge for them. ++ */ ++ { "wlf,ldoena", NULL, NULL }, /* Arizona */ ++ { "wlf,ldo1ena", NULL, NULL }, /* WM8994 */ ++ { "wlf,ldo2ena", NULL, NULL }, /* WM8994 */ ++#endif ++#if IS_ENABLED(CONFIG_SPI_MASTER) + +- /* +- * While all other SPI controllers use "cs-gpios" the Freescale +- * uses just "gpios" so translate to that when "cs-gpios" is +- * requested. +- */ +- return of_get_named_gpiod_flags(np, "gpios", idx, of_flags); +-} ++ /* ++ * The SPI GPIO bindings happened before we managed to ++ * establish that GPIO properties should be named ++ * "foo-gpios" so we have this special kludge for them. ++ */ ++ { "miso", "gpio-miso", "spi-gpio" }, ++ { "mosi", "gpio-mosi", "spi-gpio" }, ++ { "sck", "gpio-sck", "spi-gpio" }, + +-/* +- * Some regulator bindings happened before we managed to establish that GPIO +- * properties should be named "foo-gpios" so we have this special kludge for +- * them. +- */ +-static struct gpio_desc *of_find_regulator_gpio(struct device_node *np, +- const char *con_id, +- unsigned int idx, +- enum of_gpio_flags *of_flags) +-{ +- /* These are the connection IDs we accept as legacy GPIO phandles */ +- const char *whitelist[] = { +- "wlf,ldoena", /* Arizona */ +- "wlf,ldo1ena", /* WM8994 */ +- "wlf,ldo2ena", /* WM8994 */ ++ /* ++ * The old Freescale bindings use simply "gpios" as name ++ * for the chip select lines rather than "cs-gpios" like ++ * all other SPI hardware. Allow this specifically for ++ * Freescale and PPC devices. ++ */ ++ { "cs", "gpios", "fsl,spi" }, ++ { "cs", "gpios", "aeroflexgaisler,spictrl" }, ++ { "cs", "gpios", "ibm,ppc4xx-spi" }, ++#endif ++#if IS_ENABLED(CONFIG_TYPEC_FUSB302) ++ /* ++ * Fairchild FUSB302 host is using undocumented "fcs,int_n" ++ * property without the compulsory "-gpios" suffix. ++ */ ++ { "fcs,int_n", NULL, "fcs,fusb302" }, ++#endif + }; +- int i; +- +- if (!IS_ENABLED(CONFIG_REGULATOR)) +- return ERR_PTR(-ENOENT); ++ struct gpio_desc *desc; ++ const char *legacy_id; ++ unsigned int i; + + if (!con_id) + return ERR_PTR(-ENOENT); + +- i = match_string(whitelist, ARRAY_SIZE(whitelist), con_id); +- if (i < 0) +- return ERR_PTR(-ENOENT); +- +- return of_get_named_gpiod_flags(np, con_id, idx, of_flags); +-} +- +-static struct gpio_desc *of_find_arizona_gpio(struct device_node *np, +- const char *con_id, +- unsigned int idx, +- enum of_gpio_flags *of_flags) +-{ +- if (!IS_ENABLED(CONFIG_MFD_ARIZONA)) +- return ERR_PTR(-ENOENT); +- +- if (!con_id || strcmp(con_id, "wlf,reset")) +- return ERR_PTR(-ENOENT); +- +- return of_get_named_gpiod_flags(np, con_id, idx, of_flags); +-} ++ for (i = 0; i < ARRAY_SIZE(gpios); i++) { ++ if (strcmp(con_id, gpios[i].con_id)) ++ continue; + +-static struct gpio_desc *of_find_usb_gpio(struct device_node *np, +- const char *con_id, +- unsigned int idx, +- enum of_gpio_flags *of_flags) +-{ +- /* +- * Currently this USB quirk is only for the Fairchild FUSB302 host +- * which is using an undocumented DT GPIO line named "fcs,int_n" +- * without the compulsory "-gpios" suffix. +- */ +- if (!IS_ENABLED(CONFIG_TYPEC_FUSB302)) +- return ERR_PTR(-ENOENT); ++ if (gpios[i].compatible && ++ !of_device_is_compatible(np, gpios[i].compatible)) ++ continue; + +- if (!con_id || strcmp(con_id, "fcs,int_n")) +- return ERR_PTR(-ENOENT); ++ legacy_id = gpios[i].legacy_id ?: gpios[i].con_id; ++ desc = of_get_named_gpiod_flags(np, legacy_id, idx, of_flags); ++ if (!gpiod_not_found(desc)) { ++ pr_info("%s uses legacy gpio name '%s' instead of '%s-gpios'\n", ++ of_node_full_name(np), legacy_id, con_id); ++ return desc; ++ } ++ } + +- return of_get_named_gpiod_flags(np, con_id, idx, of_flags); ++ return ERR_PTR(-ENOENT); + } + + static struct gpio_desc *of_find_mt2701_gpio(struct device_node *np, +@@ -525,11 +488,7 @@ typedef struct gpio_desc *(*of_find_gpio_quirk)(struct device_node *np, + unsigned int idx, + enum of_gpio_flags *of_flags); + static const of_find_gpio_quirk of_find_gpio_quirks[] = { +- of_find_spi_gpio, +- of_find_spi_cs_gpio, +- of_find_regulator_gpio, +- of_find_arizona_gpio, +- of_find_usb_gpio, ++ of_find_gpio_rename, + of_find_mt2701_gpio, + NULL + }; +-- +2.43.0 + diff --git a/queue-6.1/gpiolib-of-factor-out-code-overriding-gpio-line-pola.patch b/queue-6.1/gpiolib-of-factor-out-code-overriding-gpio-line-pola.patch new file mode 100644 index 00000000000..382502b3ed3 --- /dev/null +++ b/queue-6.1/gpiolib-of-factor-out-code-overriding-gpio-line-pola.patch @@ -0,0 +1,105 @@ +From ed9d3b8645efdec55e7b60311e9b40533fa43f2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 22:41:09 -0700 +Subject: gpiolib: of: factor out code overriding gpio line polarity + +From: Dmitry Torokhov + +[ Upstream commit e3186e36925fc18384492491ebcf3da749780a30 ] + +There are several instances where we use a separate property to +override polarity specified in gpio property. Factor it out into +a separate function. + +Reviewed-by: Linus Walleij +Signed-off-by: Dmitry Torokhov +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: f8d76c2c313c ("gpiolib: of: add polarity quirk for TSC2005") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 48 +++++++++++++++++++++++---------------- + 1 file changed, 28 insertions(+), 20 deletions(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index a9cedc39a2459..618d7781299d4 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -130,6 +130,28 @@ bool of_gpio_need_valid_mask(const struct gpio_chip *gc) + return false; + } + ++/* ++ * Overrides stated polarity of a gpio line and warns when there is a ++ * discrepancy. ++ */ ++static void of_gpio_quirk_polarity(const struct device_node *np, ++ bool active_high, ++ enum of_gpio_flags *flags) ++{ ++ if (active_high) { ++ if (*flags & OF_GPIO_ACTIVE_LOW) { ++ pr_warn("%s GPIO handle specifies active low - ignored\n", ++ of_node_full_name(np)); ++ *flags &= ~OF_GPIO_ACTIVE_LOW; ++ } ++ } else { ++ if (!(*flags & OF_GPIO_ACTIVE_LOW)) ++ pr_info("%s enforce active low on GPIO handle\n", ++ of_node_full_name(np)); ++ *flags |= OF_GPIO_ACTIVE_LOW; ++ } ++} ++ + static void of_gpio_flags_quirks(const struct device_node *np, + const char *propname, + enum of_gpio_flags *flags, +@@ -145,7 +167,7 @@ static void of_gpio_flags_quirks(const struct device_node *np, + (!(strcmp(propname, "enable-gpio") && + strcmp(propname, "enable-gpios")) && + of_device_is_compatible(np, "regulator-gpio")))) { +- bool active_low = !of_property_read_bool(np, ++ bool active_high = of_property_read_bool(np, + "enable-active-high"); + /* + * The regulator GPIO handles are specified such that the +@@ -153,13 +175,7 @@ static void of_gpio_flags_quirks(const struct device_node *np, + * the polarity of the GPIO line. Any phandle flags must + * be actively ignored. + */ +- if ((*flags & OF_GPIO_ACTIVE_LOW) && !active_low) { +- pr_warn("%s GPIO handle specifies active low - ignored\n", +- of_node_full_name(np)); +- *flags &= ~OF_GPIO_ACTIVE_LOW; +- } +- if (active_low) +- *flags |= OF_GPIO_ACTIVE_LOW; ++ of_gpio_quirk_polarity(np, active_high, flags); + } + /* + * Legacy open drain handling for fixed voltage regulators. +@@ -200,18 +216,10 @@ static void of_gpio_flags_quirks(const struct device_node *np, + * conflict and the "spi-cs-high" flag will + * take precedence. + */ +- if (of_property_read_bool(child, "spi-cs-high")) { +- if (*flags & OF_GPIO_ACTIVE_LOW) { +- pr_warn("%s GPIO handle specifies active low - ignored\n", +- of_node_full_name(child)); +- *flags &= ~OF_GPIO_ACTIVE_LOW; +- } +- } else { +- if (!(*flags & OF_GPIO_ACTIVE_LOW)) +- pr_info("%s enforce active low on chipselect handle\n", +- of_node_full_name(child)); +- *flags |= OF_GPIO_ACTIVE_LOW; +- } ++ bool active_high = of_property_read_bool(child, ++ "spi-cs-high"); ++ of_gpio_quirk_polarity(child, active_high, ++ flags); + of_node_put(child); + break; + } +-- +2.43.0 + diff --git a/queue-6.1/gpiolib-of-fix-lookup-quirk-for-mips-lantiq.patch b/queue-6.1/gpiolib-of-fix-lookup-quirk-for-mips-lantiq.patch new file mode 100644 index 00000000000..7d1746a0928 --- /dev/null +++ b/queue-6.1/gpiolib-of-fix-lookup-quirk-for-mips-lantiq.patch @@ -0,0 +1,71 @@ +From 0c19b751bd6b1abe1d23e99ef833ea3c4a19e63c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 10:38:50 -0700 +Subject: gpiolib: of: fix lookup quirk for MIPS Lantiq + +From: Dmitry Torokhov + +[ Upstream commit 3645ffaf2b334abaf5f53e5ca0f47465d91e69d2 ] + +As it turns out, there is a large number of out-of-tree DTSes (in +OpenWrt project) that used to specify incorrect (active high) polarity +for the Lantiq reset GPIO, so to keep compatibility while they are +being updated a quirk for force the polarity low is needed. Luckily +these old DTSes used nonstandard name for the property ("gpio-reset" vs +"reset-gpios") so the quirk will not hurt if there are any new devices +that need inverted polarity as they can specify the right polarity in +their DTS when using the standard "reset-gpios" property. + +Additionally the condition to enable the transition from standard to +non-standard reset GPIO property name was inverted and the replacement +name for the property was not correct. Fix this as well. + +Fixes: fbbbcd177a27 ("gpiolib: of: add quirk for locating reset lines with legacy bindings") +Fixes: 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API") +Reported-by: Martin Schiller +Acked-by: Martin Schiller +Signed-off-by: Dmitry Torokhov +Link: https://lore.kernel.org/r/ZoLpqv1PN08xHioh@google.com +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: f8d76c2c313c ("gpiolib: of: add polarity quirk for TSC2005") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index c76489dec6456..12b30136df94b 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -173,6 +173,16 @@ static void of_gpio_try_fixup_polarity(const struct device_node *np, + */ + { "himax,hx8357", "gpios-reset", false }, + { "himax,hx8369", "gpios-reset", false }, ++#endif ++#if IS_ENABLED(CONFIG_PCI_LANTIQ) ++ /* ++ * According to the PCI specification, the RST# pin is an ++ * active-low signal. However, most of the device trees that ++ * have been widely used for a long time incorrectly describe ++ * reset GPIO as active-high, and were also using wrong name ++ * for the property. ++ */ ++ { "lantiq,pci-xway", "gpio-reset", false }, + #endif + }; + unsigned int i; +@@ -444,9 +454,9 @@ static struct gpio_desc *of_find_gpio_rename(struct device_node *np, + { "reset", "reset-n-io", "marvell,nfc-uart" }, + { "reset", "reset-n-io", "mrvl,nfc-uart" }, + #endif +-#if !IS_ENABLED(CONFIG_PCI_LANTIQ) ++#if IS_ENABLED(CONFIG_PCI_LANTIQ) + /* MIPS Lantiq PCI */ +- { "reset", "gpios-reset", "lantiq,pci-xway" }, ++ { "reset", "gpio-reset", "lantiq,pci-xway" }, + #endif + + /* +-- +2.43.0 + diff --git a/queue-6.1/gpiolib-of-tighten-selection-of-gpio-renaming-quirks.patch b/queue-6.1/gpiolib-of-tighten-selection-of-gpio-renaming-quirks.patch new file mode 100644 index 00000000000..9418566d397 --- /dev/null +++ b/queue-6.1/gpiolib-of-tighten-selection-of-gpio-renaming-quirks.patch @@ -0,0 +1,77 @@ +From 7f1ae24290c0e91b2f514a4c8bdd6c7c104f0b7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 22:41:04 -0700 +Subject: gpiolib: of: tighten selection of gpio renaming quirks + +From: Dmitry Torokhov + +[ Upstream commit 307c593ba5f915e308fd23a2daae7e9a5209b604 ] + +Tighten selection of legacy gpio renaming quirks so that they only +considered on more relevant configurations. + +Suggested-by: Daniel Thompson +Reviewed-by: Daniel Thompson +Reviewed-by: Linus Walleij +Signed-off-by: Dmitry Torokhov +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: f8d76c2c313c ("gpiolib: of: add polarity quirk for TSC2005") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index 63c6fa3086f3c..7d4bbf6484bc7 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -385,18 +385,21 @@ static struct gpio_desc *of_find_gpio_rename(struct device_node *np, + #if IS_ENABLED(CONFIG_MFD_ARIZONA) + { "wlf,reset", NULL, NULL }, + #endif +-#if IS_ENABLED(CONFIG_REGULATOR) ++ + /* + * Some regulator bindings happened before we managed to + * establish that GPIO properties should be named + * "foo-gpios" so we have this special kludge for them. + */ ++#if IS_ENABLED(CONFIG_REGULATOR_ARIZONA_LDO1) + { "wlf,ldoena", NULL, NULL }, /* Arizona */ ++#endif ++#if IS_ENABLED(CONFIG_REGULATOR_WM8994) + { "wlf,ldo1ena", NULL, NULL }, /* WM8994 */ + { "wlf,ldo2ena", NULL, NULL }, /* WM8994 */ + #endif +-#if IS_ENABLED(CONFIG_SPI_MASTER) + ++#if IS_ENABLED(CONFIG_SPI_GPIO) + /* + * The SPI GPIO bindings happened before we managed to + * establish that GPIO properties should be named +@@ -405,6 +408,7 @@ static struct gpio_desc *of_find_gpio_rename(struct device_node *np, + { "miso", "gpio-miso", "spi-gpio" }, + { "mosi", "gpio-mosi", "spi-gpio" }, + { "sck", "gpio-sck", "spi-gpio" }, ++#endif + + /* + * The old Freescale bindings use simply "gpios" as name +@@ -412,10 +416,14 @@ static struct gpio_desc *of_find_gpio_rename(struct device_node *np, + * all other SPI hardware. Allow this specifically for + * Freescale and PPC devices. + */ ++#if IS_ENABLED(CONFIG_SPI_FSL_SPI) + { "cs", "gpios", "fsl,spi" }, + { "cs", "gpios", "aeroflexgaisler,spictrl" }, ++#endif ++#if IS_ENABLED(CONFIG_SPI_PPC4xx) + { "cs", "gpios", "ibm,ppc4xx-spi" }, + #endif ++ + #if IS_ENABLED(CONFIG_TYPEC_FUSB302) + /* + * Fairchild FUSB302 host is using undocumented "fcs,int_n" +-- +2.43.0 + diff --git a/queue-6.1/inet_diag-initialize-pad-field-in-struct-inet_diag_r.patch b/queue-6.1/inet_diag-initialize-pad-field-in-struct-inet_diag_r.patch new file mode 100644 index 00000000000..8ac8b080211 --- /dev/null +++ b/queue-6.1/inet_diag-initialize-pad-field-in-struct-inet_diag_r.patch @@ -0,0 +1,117 @@ +From 198eedcaabf8bb2f346c0ffcadf92c466e7d1d5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 18:16:49 +0900 +Subject: inet_diag: Initialize pad field in struct inet_diag_req_v2 + +From: Shigeru Yoshida + +[ Upstream commit 61cf1c739f08190a4cbf047b9fbb192a94d87e3f ] + +KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw +sockets uses the pad field in struct inet_diag_req_v2 for the +underlying protocol. This field corresponds to the sdiag_raw_protocol +field in struct inet_diag_req_raw. + +inet_diag_get_exact_compat() converts inet_diag_req to +inet_diag_req_v2, but leaves the pad field uninitialized. So the issue +occurs when raw_lookup() accesses the sdiag_raw_protocol field. + +Fix this by initializing the pad field in +inet_diag_get_exact_compat(). Also, do the same fix in +inet_diag_dump_compat() to avoid the similar issue in the future. + +[1] +BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline] +BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71 + raw_lookup net/ipv4/raw_diag.c:49 [inline] + raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71 + raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99 + inet_diag_cmd_exact+0x7d9/0x980 + inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline] + inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426 + sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 + netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564 + sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297 + netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] + netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361 + netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x332/0x3d0 net/socket.c:745 + ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585 + ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639 + __sys_sendmsg net/socket.c:2668 [inline] + __do_sys_sendmsg net/socket.c:2677 [inline] + __se_sys_sendmsg net/socket.c:2675 [inline] + __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675 + x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was stored to memory at: + raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71 + raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99 + inet_diag_cmd_exact+0x7d9/0x980 + inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline] + inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426 + sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 + netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564 + sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297 + netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] + netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361 + netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x332/0x3d0 net/socket.c:745 + ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585 + ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639 + __sys_sendmsg net/socket.c:2668 [inline] + __do_sys_sendmsg net/socket.c:2677 [inline] + __se_sys_sendmsg net/socket.c:2675 [inline] + __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675 + x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Local variable req.i created at: + inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline] + inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426 + sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 + +CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 + +Fixes: 432490f9d455 ("net: ip, diag -- Add diag interface for raw sockets") +Reported-by: syzkaller +Signed-off-by: Shigeru Yoshida +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240703091649.111773-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_diag.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index 8f690a6e61baa..e4e1999d93f50 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -1281,6 +1281,7 @@ static int inet_diag_dump_compat(struct sk_buff *skb, + req.sdiag_family = AF_UNSPEC; /* compatibility */ + req.sdiag_protocol = inet_diag_type2proto(cb->nlh->nlmsg_type); + req.idiag_ext = rc->idiag_ext; ++ req.pad = 0; + req.idiag_states = rc->idiag_states; + req.id = rc->id; + +@@ -1296,6 +1297,7 @@ static int inet_diag_get_exact_compat(struct sk_buff *in_skb, + req.sdiag_family = rc->idiag_family; + req.sdiag_protocol = inet_diag_type2proto(nlh->nlmsg_type); + req.idiag_ext = rc->idiag_ext; ++ req.pad = 0; + req.idiag_states = rc->idiag_states; + req.id = rc->id; + +-- +2.43.0 + diff --git a/queue-6.1/kvm-s390-fix-lpswey-handling.patch b/queue-6.1/kvm-s390-fix-lpswey-handling.patch new file mode 100644 index 00000000000..8574e0218ac --- /dev/null +++ b/queue-6.1/kvm-s390-fix-lpswey-handling.patch @@ -0,0 +1,130 @@ +From d1457eae85ce1f86c63632db8a44b4ac219df4db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jun 2024 18:35:47 +0200 +Subject: KVM: s390: fix LPSWEY handling + +From: Christian Borntraeger + +[ Upstream commit 4c6abb7f7b349f00c0f7ed5045bf67759c012892 ] + +in rare cases, e.g. for injecting a machine check we do intercept all +load PSW instructions via ICTL_LPSW. With facility 193 a new variant +LPSWEY was added. KVM needs to handle that as well. + +Fixes: a3efa8429266 ("KVM: s390: gen_facilities: allow facilities 165, 193, 194 and 196") +Reported-by: Marc Hartmayer +Reviewed-by: Sven Schnelle +Reviewed-by: Claudio Imbrenda +Signed-off-by: Christian Borntraeger +Message-ID: <20240628163547.2314-1-borntraeger@linux.ibm.com> +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/kvm_host.h | 1 + + arch/s390/kvm/kvm-s390.c | 1 + + arch/s390/kvm/kvm-s390.h | 15 +++++++++++++++ + arch/s390/kvm/priv.c | 32 ++++++++++++++++++++++++++++++++ + 4 files changed, 49 insertions(+) + +diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h +index 09abf000359f8..0ef662fbade0d 100644 +--- a/arch/s390/include/asm/kvm_host.h ++++ b/arch/s390/include/asm/kvm_host.h +@@ -427,6 +427,7 @@ struct kvm_vcpu_stat { + u64 instruction_io_other; + u64 instruction_lpsw; + u64 instruction_lpswe; ++ u64 instruction_lpswey; + u64 instruction_pfmf; + u64 instruction_ptff; + u64 instruction_sck; +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index 348d49268a7ec..e6606ff91921a 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -132,6 +132,7 @@ const struct _kvm_stats_desc kvm_vcpu_stats_desc[] = { + STATS_DESC_COUNTER(VCPU, instruction_io_other), + STATS_DESC_COUNTER(VCPU, instruction_lpsw), + STATS_DESC_COUNTER(VCPU, instruction_lpswe), ++ STATS_DESC_COUNTER(VCPU, instruction_lpswey), + STATS_DESC_COUNTER(VCPU, instruction_pfmf), + STATS_DESC_COUNTER(VCPU, instruction_ptff), + STATS_DESC_COUNTER(VCPU, instruction_sck), +diff --git a/arch/s390/kvm/kvm-s390.h b/arch/s390/kvm/kvm-s390.h +index 4755492dfabc6..bb8d1a050b669 100644 +--- a/arch/s390/kvm/kvm-s390.h ++++ b/arch/s390/kvm/kvm-s390.h +@@ -119,6 +119,21 @@ static inline u64 kvm_s390_get_base_disp_s(struct kvm_vcpu *vcpu, u8 *ar) + return (base2 ? vcpu->run->s.regs.gprs[base2] : 0) + disp2; + } + ++static inline u64 kvm_s390_get_base_disp_siy(struct kvm_vcpu *vcpu, u8 *ar) ++{ ++ u32 base1 = vcpu->arch.sie_block->ipb >> 28; ++ s64 disp1; ++ ++ /* The displacement is a 20bit _SIGNED_ value */ ++ disp1 = sign_extend64(((vcpu->arch.sie_block->ipb & 0x0fff0000) >> 16) + ++ ((vcpu->arch.sie_block->ipb & 0xff00) << 4), 19); ++ ++ if (ar) ++ *ar = base1; ++ ++ return (base1 ? vcpu->run->s.regs.gprs[base1] : 0) + disp1; ++} ++ + static inline void kvm_s390_get_base_disp_sse(struct kvm_vcpu *vcpu, + u64 *address1, u64 *address2, + u8 *ar_b1, u8 *ar_b2) +diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c +index 3335fa09b6f1d..9af826d093efc 100644 +--- a/arch/s390/kvm/priv.c ++++ b/arch/s390/kvm/priv.c +@@ -794,6 +794,36 @@ static int handle_lpswe(struct kvm_vcpu *vcpu) + return 0; + } + ++static int handle_lpswey(struct kvm_vcpu *vcpu) ++{ ++ psw_t new_psw; ++ u64 addr; ++ int rc; ++ u8 ar; ++ ++ vcpu->stat.instruction_lpswey++; ++ ++ if (!test_kvm_facility(vcpu->kvm, 193)) ++ return kvm_s390_inject_program_int(vcpu, PGM_OPERATION); ++ ++ if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE) ++ return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP); ++ ++ addr = kvm_s390_get_base_disp_siy(vcpu, &ar); ++ if (addr & 7) ++ return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION); ++ ++ rc = read_guest(vcpu, addr, ar, &new_psw, sizeof(new_psw)); ++ if (rc) ++ return kvm_s390_inject_prog_cond(vcpu, rc); ++ ++ vcpu->arch.sie_block->gpsw = new_psw; ++ if (!is_valid_psw(&vcpu->arch.sie_block->gpsw)) ++ return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION); ++ ++ return 0; ++} ++ + static int handle_stidp(struct kvm_vcpu *vcpu) + { + u64 stidp_data = vcpu->kvm->arch.model.cpuid; +@@ -1460,6 +1490,8 @@ int kvm_s390_handle_eb(struct kvm_vcpu *vcpu) + case 0x61: + case 0x62: + return handle_ri(vcpu); ++ case 0x71: ++ return handle_lpswey(vcpu); + default: + return -EOPNOTSUPP; + } +-- +2.43.0 + diff --git a/queue-6.1/mac802154-fix-time-calculation-in-ieee802154_configu.patch b/queue-6.1/mac802154-fix-time-calculation-in-ieee802154_configu.patch new file mode 100644 index 00000000000..d3e632cbaad --- /dev/null +++ b/queue-6.1/mac802154-fix-time-calculation-in-ieee802154_configu.patch @@ -0,0 +1,62 @@ +From e20f8816a33e6c94c67b5d847bd355e3050c9de0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 14:40:10 +0300 +Subject: mac802154: fix time calculation in ieee802154_configure_durations() + +From: Dmitry Antipov + +[ Upstream commit 07aa33988ad92fef79056f5ec30b9a0e4364b616 ] + +Since 'symbol_duration' of 'struct wpan_phy' is in nanoseconds but +'lifs_period' and 'sifs_period' are both in microseconds, fix time +calculation in 'ieee802154_configure_durations()' and use convenient +'NSEC_PER_USEC' in 'ieee802154_setup_wpan_phy_pib()' as well. +Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 781830c800dd ("net: mac802154: Set durations automatically") +Signed-off-by: Dmitry Antipov +Acked-by: Miquel Raynal +Message-ID: <20240508114010.219527-1-dmantipov@yandex.ru> +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/mac802154/main.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/mac802154/main.c b/net/mac802154/main.c +index bd7bdb1219dd8..356e86c3c9b15 100644 +--- a/net/mac802154/main.c ++++ b/net/mac802154/main.c +@@ -152,8 +152,10 @@ void ieee802154_configure_durations(struct wpan_phy *phy) + } + + phy->symbol_duration = duration; +- phy->lifs_period = (IEEE802154_LIFS_PERIOD * phy->symbol_duration) / NSEC_PER_SEC; +- phy->sifs_period = (IEEE802154_SIFS_PERIOD * phy->symbol_duration) / NSEC_PER_SEC; ++ phy->lifs_period = ++ (IEEE802154_LIFS_PERIOD * phy->symbol_duration) / NSEC_PER_USEC; ++ phy->sifs_period = ++ (IEEE802154_SIFS_PERIOD * phy->symbol_duration) / NSEC_PER_USEC; + } + EXPORT_SYMBOL(ieee802154_configure_durations); + +@@ -175,10 +177,10 @@ static void ieee802154_setup_wpan_phy_pib(struct wpan_phy *wpan_phy) + * Should be done when all drivers sets this value. + */ + +- wpan_phy->lifs_period = +- (IEEE802154_LIFS_PERIOD * wpan_phy->symbol_duration) / 1000; +- wpan_phy->sifs_period = +- (IEEE802154_SIFS_PERIOD * wpan_phy->symbol_duration) / 1000; ++ wpan_phy->lifs_period = (IEEE802154_LIFS_PERIOD * ++ wpan_phy->symbol_duration) / NSEC_PER_USEC; ++ wpan_phy->sifs_period = (IEEE802154_SIFS_PERIOD * ++ wpan_phy->symbol_duration) / NSEC_PER_USEC; + } + + int ieee802154_register_hw(struct ieee802154_hw *hw) +-- +2.43.0 + diff --git a/queue-6.1/mlxsw-core_linecards-fix-double-memory-deallocation-.patch b/queue-6.1/mlxsw-core_linecards-fix-double-memory-deallocation-.patch new file mode 100644 index 00000000000..b4a6f807cfb --- /dev/null +++ b/queue-6.1/mlxsw-core_linecards-fix-double-memory-deallocation-.patch @@ -0,0 +1,46 @@ +From 0bc656bb072b4d116677b1a1b53ee99a3da60152 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 23:32:51 +0300 +Subject: mlxsw: core_linecards: Fix double memory deallocation in case of + invalid INI file + +From: Aleksandr Mishin + +[ Upstream commit 8ce34dccbe8fa7d2ef86f2d8e7db2a9b67cabfc3 ] + +In case of invalid INI file mlxsw_linecard_types_init() deallocates memory +but doesn't reset pointer to NULL and returns 0. In case of any error +occurred after mlxsw_linecard_types_init() call, mlxsw_linecards_init() +calls mlxsw_linecard_types_fini() which performs memory deallocation again. + +Add pointer reset to NULL. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: b217127e5e4e ("mlxsw: core_linecards: Add line card objects and implement provisioning") +Signed-off-by: Aleksandr Mishin +Reviewed-by: Przemek Kitszel +Reviewed-by: Ido Schimmel +Reviewed-by: Michal Kubiak +Link: https://patch.msgid.link/20240703203251.8871-1-amishin@t-argos.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +index 83d2dc91ba2c8..99196333d1324 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +@@ -1484,6 +1484,7 @@ static int mlxsw_linecard_types_init(struct mlxsw_core *mlxsw_core, + vfree(types_info->data); + err_data_alloc: + kfree(types_info); ++ linecards->types_info = NULL; + return err; + } + +-- +2.43.0 + diff --git a/queue-6.1/net-allow-skb_datagram_iter-to-be-called-from-any-co.patch b/queue-6.1/net-allow-skb_datagram_iter-to-be-called-from-any-co.patch new file mode 100644 index 00000000000..8ee0d7899bd --- /dev/null +++ b/queue-6.1/net-allow-skb_datagram_iter-to-be-called-from-any-co.patch @@ -0,0 +1,60 @@ +From 80c9a63592547fb6727a52b3976ca6c7ba5be3f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 13:00:08 +0300 +Subject: net: allow skb_datagram_iter to be called from any context + +From: Sagi Grimberg + +[ Upstream commit d2d30a376d9cc94c6fb730c58b3e5b7426ecb6de ] + +We only use the mapping in a single context, so kmap_local is sufficient +and cheaper. Make sure to use skb_frag_foreach_page as skb frags may +contain compound pages and we need to map page by page. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202406161539.b5ff7b20-oliver.sang@intel.com +Fixes: 950fcaecd5cc ("datagram: consolidate datagram copy to iter helpers") +Signed-off-by: Sagi Grimberg +Link: https://patch.msgid.link/20240626100008.831849-1-sagi@grimberg.me +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/datagram.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/net/core/datagram.c b/net/core/datagram.c +index 8dabb9a74cb17..cdd65ca3124a4 100644 +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -434,15 +434,22 @@ static int __skb_datagram_iter(const struct sk_buff *skb, int offset, + + end = start + skb_frag_size(frag); + if ((copy = end - offset) > 0) { +- struct page *page = skb_frag_page(frag); +- u8 *vaddr = kmap(page); ++ u32 p_off, p_len, copied; ++ struct page *p; ++ u8 *vaddr; + + if (copy > len) + copy = len; +- n = INDIRECT_CALL_1(cb, simple_copy_to_iter, +- vaddr + skb_frag_off(frag) + offset - start, +- copy, data, to); +- kunmap(page); ++ ++ skb_frag_foreach_page(frag, ++ skb_frag_off(frag) + offset - start, ++ copy, p, p_off, p_len, copied) { ++ vaddr = kmap_local_page(p); ++ n = INDIRECT_CALL_1(cb, simple_copy_to_iter, ++ vaddr + p_off, p_len, data, to); ++ kunmap_local(vaddr); ++ } ++ + offset += n; + if (n != copy) + goto short_copy; +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5-e-switch-create-ingress-acl-when-needed.patch b/queue-6.1/net-mlx5-e-switch-create-ingress-acl-when-needed.patch new file mode 100644 index 00000000000..d9d2c3b407a --- /dev/null +++ b/queue-6.1/net-mlx5-e-switch-create-ingress-acl-when-needed.patch @@ -0,0 +1,122 @@ +From 221d51378893a5b95508b94de0825e8001ddfc0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 21:02:37 +0300 +Subject: net/mlx5: E-switch, Create ingress ACL when needed + +From: Chris Mi + +[ Upstream commit b20c2fb45470d0c7a603613c9cfa5d45720e17f2 ] + +Currently, ingress acl is used for three features. It is created only +when vport metadata match and prio tag are enabled. But active-backup +lag mode also uses it. It is independent of vport metadata match and +prio tag. And vport metadata match can be disabled using the +following devlink command: + + # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \ + value false cmode runtime + +If ingress acl is not created, will hit panic when creating drop rule +for active-backup lag mode. If always create it, there will be about +5% performance degradation. + +Fix it by creating ingress acl when needed. If esw_port_metadata is +true, ingress acl exists, then create drop rule using existing +ingress acl. If esw_port_metadata is false, create ingress acl and +then create drop rule. + +Fixes: 1749c4c51c16 ("net/mlx5: E-switch, add drop rule support to ingress ACL") +Signed-off-by: Chris Mi +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/esw/acl/ingress_ofld.c | 37 +++++++++++++++---- + 1 file changed, 29 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c +index db578a7e7008a..59fb31201c35e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c +@@ -6,6 +6,9 @@ + #include "helper.h" + #include "ofld.h" + ++static int ++acl_ingress_ofld_setup(struct mlx5_eswitch *esw, struct mlx5_vport *vport); ++ + static bool + esw_acl_ingress_prio_tag_enabled(struct mlx5_eswitch *esw, + const struct mlx5_vport *vport) +@@ -123,18 +126,31 @@ static int esw_acl_ingress_src_port_drop_create(struct mlx5_eswitch *esw, + { + struct mlx5_flow_act flow_act = {}; + struct mlx5_flow_handle *flow_rule; ++ bool created = false; + int err = 0; + ++ if (!vport->ingress.acl) { ++ err = acl_ingress_ofld_setup(esw, vport); ++ if (err) ++ return err; ++ created = true; ++ } ++ + flow_act.action = MLX5_FLOW_CONTEXT_ACTION_DROP; + flow_act.fg = vport->ingress.offloads.drop_grp; + flow_rule = mlx5_add_flow_rules(vport->ingress.acl, NULL, &flow_act, NULL, 0); + if (IS_ERR(flow_rule)) { + err = PTR_ERR(flow_rule); +- goto out; ++ goto err_out; + } + + vport->ingress.offloads.drop_rule = flow_rule; +-out: ++ ++ return 0; ++err_out: ++ /* Only destroy ingress acl created in this function. */ ++ if (created) ++ esw_acl_ingress_ofld_cleanup(esw, vport); + return err; + } + +@@ -299,16 +315,12 @@ static void esw_acl_ingress_ofld_groups_destroy(struct mlx5_vport *vport) + } + } + +-int esw_acl_ingress_ofld_setup(struct mlx5_eswitch *esw, +- struct mlx5_vport *vport) ++static int ++acl_ingress_ofld_setup(struct mlx5_eswitch *esw, struct mlx5_vport *vport) + { + int num_ftes = 0; + int err; + +- if (!mlx5_eswitch_vport_match_metadata_enabled(esw) && +- !esw_acl_ingress_prio_tag_enabled(esw, vport)) +- return 0; +- + esw_acl_ingress_allow_rule_destroy(vport); + + if (mlx5_eswitch_vport_match_metadata_enabled(esw)) +@@ -347,6 +359,15 @@ int esw_acl_ingress_ofld_setup(struct mlx5_eswitch *esw, + return err; + } + ++int esw_acl_ingress_ofld_setup(struct mlx5_eswitch *esw, struct mlx5_vport *vport) ++{ ++ if (!mlx5_eswitch_vport_match_metadata_enabled(esw) && ++ !esw_acl_ingress_prio_tag_enabled(esw, vport)) ++ return 0; ++ ++ return acl_ingress_ofld_setup(esw, vport); ++} ++ + void esw_acl_ingress_ofld_cleanup(struct mlx5_eswitch *esw, + struct mlx5_vport *vport) + { +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5e-add-mqprio_rl-cleanup-and-free-in-mlx5e_pr.patch b/queue-6.1/net-mlx5e-add-mqprio_rl-cleanup-and-free-in-mlx5e_pr.patch new file mode 100644 index 00000000000..a24550c9d3c --- /dev/null +++ b/queue-6.1/net-mlx5e-add-mqprio_rl-cleanup-and-free-in-mlx5e_pr.patch @@ -0,0 +1,43 @@ +From 67154173a192c4e5831e4b7d9b2a0ed140e5ba40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 21:02:38 +0300 +Subject: net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup() + +From: Jianbo Liu + +[ Upstream commit 1da839eab6dbc26b95bfcd1ed1a4d1aaa5c144a3 ] + +In the cited commit, mqprio_rl cleanup and free are mistakenly removed +in mlx5e_priv_cleanup(), and it causes the leakage of host memory and +firmware SCHEDULING_ELEMENT objects while changing eswitch mode. So, +add them back. + +Fixes: 0bb7228f7096 ("net/mlx5e: Fix mqprio_rl handling on devlink reload") +Signed-off-by: Jianbo Liu +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 4c0eac83546de..385904502a6be 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5584,6 +5584,11 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv) + kfree(priv->htb_qos_sq_stats[i]); + kvfree(priv->htb_qos_sq_stats); + ++ if (priv->mqprio_rl) { ++ mlx5e_mqprio_rl_cleanup(priv->mqprio_rl); ++ mlx5e_mqprio_rl_free(priv->mqprio_rl); ++ } ++ + memset(priv, 0, sizeof(*priv)); + } + +-- +2.43.0 + diff --git a/queue-6.1/net-ntb_netdev-move-ntb_netdev_rx_handler-to-call-ne.patch b/queue-6.1/net-ntb_netdev-move-ntb_netdev_rx_handler-to-call-ne.patch new file mode 100644 index 00000000000..4efbd40cf1d --- /dev/null +++ b/queue-6.1/net-ntb_netdev-move-ntb_netdev_rx_handler-to-call-ne.patch @@ -0,0 +1,79 @@ +From fd03b67b5cb016154b31c362c4403590e5f079ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 11:15:38 -0700 +Subject: net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from + __netif_rx() + +From: Dave Jiang + +[ Upstream commit e15a5d821e5192a3769d846079bc9aa380139baf ] + +The following is emitted when using idxd (DSA) dmanegine as the data +mover for ntb_transport that ntb_netdev uses. + +[74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526 +[74412.556784] caller is netif_rx_internal+0x42/0x130 +[74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5 +[74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024 +[74412.581699] Call Trace: +[74412.584514] +[74412.586933] dump_stack_lvl+0x55/0x70 +[74412.591129] check_preemption_disabled+0xc8/0xf0 +[74412.596374] netif_rx_internal+0x42/0x130 +[74412.600957] __netif_rx+0x20/0xd0 +[74412.604743] ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev] +[74412.610985] ntb_complete_rxc+0xed/0x140 [ntb_transport] +[74412.617010] ntb_rx_copy_callback+0x53/0x80 [ntb_transport] +[74412.623332] idxd_dma_complete_txd+0xe3/0x160 [idxd] +[74412.628963] idxd_wq_thread+0x1a6/0x2b0 [idxd] +[74412.634046] irq_thread_fn+0x21/0x60 +[74412.638134] ? irq_thread+0xa8/0x290 +[74412.642218] irq_thread+0x1a0/0x290 +[74412.646212] ? __pfx_irq_thread_fn+0x10/0x10 +[74412.651071] ? __pfx_irq_thread_dtor+0x10/0x10 +[74412.656117] ? __pfx_irq_thread+0x10/0x10 +[74412.660686] kthread+0x100/0x130 +[74412.664384] ? __pfx_kthread+0x10/0x10 +[74412.668639] ret_from_fork+0x31/0x50 +[74412.672716] ? __pfx_kthread+0x10/0x10 +[74412.676978] ret_from_fork_asm+0x1a/0x30 +[74412.681457] + +The cause is due to the idxd driver interrupt completion handler uses +threaded interrupt and the threaded handler is not hard or soft interrupt +context. However __netif_rx() can only be called from interrupt context. +Change the call to netif_rx() in order to allow completion via normal +context for dmaengine drivers that utilize threaded irq handling. + +While the following commit changed from netif_rx() to __netif_rx(), +baebdf48c360 ("net: dev: Makes sure netif_rx() can be invoked in any context."), +the change should've been a noop instead. However, the code precedes this +fix should've been using netif_rx_ni() or netif_rx_any_context(). + +Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device") +Reported-by: Jerry Dai +Tested-by: Jerry Dai +Signed-off-by: Dave Jiang +Link: https://patch.msgid.link/20240701181538.3799546-1-dave.jiang@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ntb_netdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c +index 85dbe7f73e319..535dc5b2901fc 100644 +--- a/drivers/net/ntb_netdev.c ++++ b/drivers/net/ntb_netdev.c +@@ -119,7 +119,7 @@ static void ntb_netdev_rx_handler(struct ntb_transport_qp *qp, void *qp_data, + skb->protocol = eth_type_trans(skb, ndev); + skb->ip_summed = CHECKSUM_NONE; + +- if (__netif_rx(skb) == NET_RX_DROP) { ++ if (netif_rx(skb) == NET_RX_DROP) { + ndev->stats.rx_errors++; + ndev->stats.rx_dropped++; + } else { +-- +2.43.0 + diff --git a/queue-6.1/netfilter-nf_tables-unconditionally-flush-pending-wo.patch b/queue-6.1/netfilter-nf_tables-unconditionally-flush-pending-wo.patch new file mode 100644 index 00000000000..b0d2f0e1822 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-unconditionally-flush-pending-wo.patch @@ -0,0 +1,62 @@ +From e2facd957dcd7617bc2289ee65c9def3bd590caa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 16:08:14 +0200 +Subject: netfilter: nf_tables: unconditionally flush pending work before + notifier + +From: Florian Westphal + +[ Upstream commit 9f6958ba2e902f9820c594869bd710ba74b7c4c0 ] + +syzbot reports: + +KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831 +KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530 +KASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597 +Read of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45 +[..] +Workqueue: events nf_tables_trans_destroy_work +Call Trace: + nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline] + nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline] + nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597 + +Problem is that the notifier does a conditional flush, but its possible +that the table-to-be-removed is still referenced by transactions being +processed by the worker, so we need to flush unconditionally. + +We could make the flush_work depend on whether we found a table to delete +in nf-next to avoid the flush for most cases. + +AFAICS this problem is only exposed in nf-next, with +commit e169285f8c56 ("netfilter: nf_tables: do not store nft_ctx in transaction objects"), +with this commit applied there is an unconditional fetch of +table->family which is whats triggering the above splat. + +Fixes: 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier") +Reported-and-tested-by: syzbot+4fd66a69358fc15ae2ad@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=4fd66a69358fc15ae2ad +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 97ea72d31bd35..d18b698139caf 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -10858,8 +10858,7 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, + + gc_seq = nft_gc_seq_begin(nft_net); + +- if (!list_empty(&nf_tables_destroy_list)) +- nf_tables_trans_destroy_flush_work(); ++ nf_tables_trans_destroy_flush_work(); + again: + list_for_each_entry(table, &nft_net->tables, list) { + if (nft_table_has_owner(table) && +-- +2.43.0 + diff --git a/queue-6.1/riscv-kexec-avoid-deadlock-in-kexec-crash-path.patch b/queue-6.1/riscv-kexec-avoid-deadlock-in-kexec-crash-path.patch new file mode 100644 index 00000000000..f4f1c2431e1 --- /dev/null +++ b/queue-6.1/riscv-kexec-avoid-deadlock-in-kexec-crash-path.patch @@ -0,0 +1,58 @@ +From cea3b6027dc01bccbb94fcdc15617d90aa39aa75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 10:33:16 +0800 +Subject: riscv: kexec: Avoid deadlock in kexec crash path + +From: Song Shuai + +[ Upstream commit c562ba719df570c986caf0941fea2449150bcbc4 ] + +If the kexec crash code is called in the interrupt context, the +machine_kexec_mask_interrupts() function will trigger a deadlock while +trying to acquire the irqdesc spinlock and then deactivate irqchip in +irq_set_irqchip_state() function. + +Unlike arm64, riscv only requires irq_eoi handler to complete EOI and +keeping irq_set_irqchip_state() will only leave this possible deadlock +without any use. So we simply remove it. + +Link: https://lore.kernel.org/linux-riscv/20231208111015.173237-1-songshuaishuai@tinylab.org/ +Fixes: b17d19a5314a ("riscv: kexec: Fixup irq controller broken in kexec crash path") +Signed-off-by: Song Shuai +Reviewed-by: Ryo Takakura +Link: https://lore.kernel.org/r/20240626023316.539971-1-songshuaishuai@tinylab.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/machine_kexec.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c +index 2d139b724bc84..ccb0c5d5c63c4 100644 +--- a/arch/riscv/kernel/machine_kexec.c ++++ b/arch/riscv/kernel/machine_kexec.c +@@ -147,20 +147,12 @@ static void machine_kexec_mask_interrupts(void) + + for_each_irq_desc(i, desc) { + struct irq_chip *chip; +- int ret; + + chip = irq_desc_get_chip(desc); + if (!chip) + continue; + +- /* +- * First try to remove the active state. If this +- * fails, try to EOI the interrupt. +- */ +- ret = irq_set_irqchip_state(i, IRQCHIP_STATE_ACTIVE, false); +- +- if (ret && irqd_irq_inprogress(&desc->irq_data) && +- chip->irq_eoi) ++ if (chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data)) + chip->irq_eoi(&desc->irq_data); + + if (chip->irq_mask) +-- +2.43.0 + diff --git a/queue-6.1/selftests-fix-oom-in-msg_zerocopy-selftest.patch b/queue-6.1/selftests-fix-oom-in-msg_zerocopy-selftest.patch new file mode 100644 index 00000000000..c90f485de15 --- /dev/null +++ b/queue-6.1/selftests-fix-oom-in-msg_zerocopy-selftest.patch @@ -0,0 +1,101 @@ +From d0f7b1930f5a054824f39e4c64d4f3136b5506a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 22:53:48 +0000 +Subject: selftests: fix OOM in msg_zerocopy selftest + +From: Zijian Zhang + +[ Upstream commit af2b7e5b741aaae9ffbba2c660def434e07aa241 ] + +In selftests/net/msg_zerocopy.c, it has a while loop keeps calling sendmsg +on a socket with MSG_ZEROCOPY flag, and it will recv the notifications +until the socket is not writable. Typically, it will start the receiving +process after around 30+ sendmsgs. However, as the introduction of commit +dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale"), the sender is +always writable and does not get any chance to run recv notifications. +The selftest always exits with OUT_OF_MEMORY because the memory used by +opt_skb exceeds the net.core.optmem_max. Meanwhile, it could be set to a +different value to trigger OOM on older kernels too. + +Thus, we introduce "cfg_notification_limit" to force sender to receive +notifications after some number of sendmsgs. + +Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") +Signed-off-by: Zijian Zhang +Signed-off-by: Xiaochun Lu +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20240701225349.3395580-2-zijianzhang@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/msg_zerocopy.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c +index bdc03a2097e85..926556febc83c 100644 +--- a/tools/testing/selftests/net/msg_zerocopy.c ++++ b/tools/testing/selftests/net/msg_zerocopy.c +@@ -85,6 +85,7 @@ static bool cfg_rx; + static int cfg_runtime_ms = 4200; + static int cfg_verbose; + static int cfg_waittime_ms = 500; ++static int cfg_notification_limit = 32; + static bool cfg_zerocopy; + + static socklen_t cfg_alen; +@@ -95,6 +96,7 @@ static char payload[IP_MAXPACKET]; + static long packets, bytes, completions, expected_completions; + static int zerocopied = -1; + static uint32_t next_completion; ++static uint32_t sends_since_notify; + + static unsigned long gettimeofday_ms(void) + { +@@ -208,6 +210,7 @@ static bool do_sendmsg(int fd, struct msghdr *msg, bool do_zerocopy, int domain) + error(1, errno, "send"); + if (cfg_verbose && ret != len) + fprintf(stderr, "send: ret=%u != %u\n", ret, len); ++ sends_since_notify++; + + if (len) { + packets++; +@@ -460,6 +463,7 @@ static bool do_recv_completion(int fd, int domain) + static void do_recv_completions(int fd, int domain) + { + while (do_recv_completion(fd, domain)) {} ++ sends_since_notify = 0; + } + + /* Wait for all remaining completions on the errqueue */ +@@ -549,6 +553,9 @@ static void do_tx(int domain, int type, int protocol) + else + do_sendmsg(fd, &msg, cfg_zerocopy, domain); + ++ if (cfg_zerocopy && sends_since_notify >= cfg_notification_limit) ++ do_recv_completions(fd, domain); ++ + while (!do_poll(fd, POLLOUT)) { + if (cfg_zerocopy) + do_recv_completions(fd, domain); +@@ -708,7 +715,7 @@ static void parse_opts(int argc, char **argv) + + cfg_payload_len = max_payload_len; + +- while ((c = getopt(argc, argv, "46c:C:D:i:mp:rs:S:t:vz")) != -1) { ++ while ((c = getopt(argc, argv, "46c:C:D:i:l:mp:rs:S:t:vz")) != -1) { + switch (c) { + case '4': + if (cfg_family != PF_UNSPEC) +@@ -736,6 +743,9 @@ static void parse_opts(int argc, char **argv) + if (cfg_ifindex == 0) + error(1, errno, "invalid iface: %s", optarg); + break; ++ case 'l': ++ cfg_notification_limit = strtoul(optarg, NULL, 0); ++ break; + case 'm': + cfg_cork_mixed = true; + break; +-- +2.43.0 + diff --git a/queue-6.1/selftests-make-order-checking-verbose-in-msg_zerocop.patch b/queue-6.1/selftests-make-order-checking-verbose-in-msg_zerocop.patch new file mode 100644 index 00000000000..bc2adde783f --- /dev/null +++ b/queue-6.1/selftests-make-order-checking-verbose-in-msg_zerocop.patch @@ -0,0 +1,40 @@ +From 7bfa69fa32dc4462d95ced1db8ae817ce6a765d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 22:53:49 +0000 +Subject: selftests: make order checking verbose in msg_zerocopy selftest + +From: Zijian Zhang + +[ Upstream commit 7d6d8f0c8b700c9493f2839abccb6d29028b4219 ] + +We find that when lock debugging is on, notifications may not come in +order. Thus, we have order checking outputs managed by cfg_verbose, to +avoid too many outputs in this case. + +Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") +Signed-off-by: Zijian Zhang +Signed-off-by: Xiaochun Lu +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20240701225349.3395580-3-zijianzhang@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/msg_zerocopy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c +index 926556febc83c..7ea5fb28c93db 100644 +--- a/tools/testing/selftests/net/msg_zerocopy.c ++++ b/tools/testing/selftests/net/msg_zerocopy.c +@@ -438,7 +438,7 @@ static bool do_recv_completion(int fd, int domain) + /* Detect notification gaps. These should not happen often, if at all. + * Gaps can occur due to drops, reordering and retransmissions. + */ +- if (lo != next_completion) ++ if (cfg_verbose && lo != next_completion) + fprintf(stderr, "gap: %u..%u does not append to %u\n", + lo, hi, next_completion); + next_completion = hi + 1; +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index bd90b4fc4ea..4b45fd2eaf1 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -42,3 +42,29 @@ s390-pkey-wipe-sensitive-data-on-failure.patch btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch cdrom-rearrange-last_media_change-check-to-avoid-uni.patch tools-power-turbostat-remember-global-max_die_id.patch +mac802154-fix-time-calculation-in-ieee802154_configu.patch +upstream-tcp-fix-dsack-undo-in-fast-recovery-to-call.patch +net-mlx5-e-switch-create-ingress-acl-when-needed.patch +net-mlx5e-add-mqprio_rl-cleanup-and-free-in-mlx5e_pr.patch +tcp_metrics-validate-source-addr-length.patch +kvm-s390-fix-lpswey-handling.patch +e1000e-fix-s0ix-residency-on-corporate-systems.patch +net-allow-skb_datagram_iter-to-be-called-from-any-co.patch +net-ntb_netdev-move-ntb_netdev_rx_handler-to-call-ne.patch +wifi-wilc1000-fix-ies_len-type-in-connect-path.patch +riscv-kexec-avoid-deadlock-in-kexec-crash-path.patch +netfilter-nf_tables-unconditionally-flush-pending-wo.patch +bonding-fix-out-of-bounds-read-in-bond_option_arp_ip.patch +selftests-fix-oom-in-msg_zerocopy-selftest.patch +selftests-make-order-checking-verbose-in-msg_zerocop.patch +inet_diag-initialize-pad-field-in-struct-inet_diag_r.patch +mlxsw-core_linecards-fix-double-memory-deallocation-.patch +gpiolib-of-add-a-quirk-for-legacy-names-in-mediatek-.patch +gpiolib-of-consolidate-simple-renames-into-a-single-.patch +gpiolib-of-tighten-selection-of-gpio-renaming-quirks.patch +gpiolib-of-add-quirk-for-locating-reset-lines-with-l.patch +gpiolib-of-add-a-quirk-for-reset-line-for-marvell-nf.patch +gpiolib-of-factor-out-code-overriding-gpio-line-pola.patch +gpiolib-of-add-a-quirk-for-reset-line-polarity-for-h.patch +gpiolib-of-fix-lookup-quirk-for-mips-lantiq.patch +gpiolib-of-add-polarity-quirk-for-tsc2005.patch diff --git a/queue-6.1/tcp_metrics-validate-source-addr-length.patch b/queue-6.1/tcp_metrics-validate-source-addr-length.patch new file mode 100644 index 00000000000..00bb3c57fd8 --- /dev/null +++ b/queue-6.1/tcp_metrics-validate-source-addr-length.patch @@ -0,0 +1,38 @@ +From e765bf460872032d31355953df5e462543b492fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 14:25:00 -0700 +Subject: tcp_metrics: validate source addr length + +From: Jakub Kicinski + +[ Upstream commit 66be40e622e177316ae81717aa30057ba9e61dff ] + +I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 +is at least 4 bytes long, and the policy doesn't have an entry +for this attribute at all (neither does it for IPv6 but v6 is +manually validated). + +Reviewed-by: Eric Dumazet +Fixes: 3e7013ddf55a ("tcp: metrics: Allow selective get/del of tcp-metrics based on src IP") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index a7364ff8b558d..a4e03a7a2c030 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -619,6 +619,7 @@ static const struct nla_policy tcp_metrics_nl_policy[TCP_METRICS_ATTR_MAX + 1] = + [TCP_METRICS_ATTR_ADDR_IPV4] = { .type = NLA_U32, }, + [TCP_METRICS_ATTR_ADDR_IPV6] = { .type = NLA_BINARY, + .len = sizeof(struct in6_addr), }, ++ [TCP_METRICS_ATTR_SADDR_IPV4] = { .type = NLA_U32, }, + /* Following attributes are not received for GET/DEL, + * we keep them for reference + */ +-- +2.43.0 + diff --git a/queue-6.1/upstream-tcp-fix-dsack-undo-in-fast-recovery-to-call.patch b/queue-6.1/upstream-tcp-fix-dsack-undo-in-fast-recovery-to-call.patch new file mode 100644 index 00000000000..ea5d3e458d0 --- /dev/null +++ b/queue-6.1/upstream-tcp-fix-dsack-undo-in-fast-recovery-to-call.patch @@ -0,0 +1,70 @@ +From 293a445082ea335012148cf7b425cc41cf9c829b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 22:42:27 -0400 +Subject: UPSTREAM: tcp: fix DSACK undo in fast recovery to call + tcp_try_to_open() + +From: Neal Cardwell + +[ Upstream commit a6458ab7fd4f427d4f6f54380453ad255b7fde83 ] + +In some production workloads we noticed that connections could +sometimes close extremely prematurely with ETIMEDOUT after +transmitting only 1 TLP and RTO retransmission (when we would normally +expect roughly tcp_retries2 = TCP_RETR2 = 15 RTOs before a connection +closes with ETIMEDOUT). + +From tracing we determined that these workloads can suffer from a +scenario where in fast recovery, after some retransmits, a DSACK undo +can happen at a point where the scoreboard is totally clear (we have +retrans_out == sacked_out == lost_out == 0). In such cases, calling +tcp_try_keep_open() means that we do not execute any code path that +clears tp->retrans_stamp to 0. That means that tp->retrans_stamp can +remain erroneously set to the start time of the undone fast recovery, +even after the fast recovery is undone. If minutes or hours elapse, +and then a TLP/RTO/RTO sequence occurs, then the start_ts value in +retransmits_timed_out() (which is from tp->retrans_stamp) will be +erroneously ancient (left over from the fast recovery undone via +DSACKs). Thus this ancient tp->retrans_stamp value can cause the +connection to die very prematurely with ETIMEDOUT via +tcp_write_err(). + +The fix: we change DSACK undo in fast recovery (TCP_CA_Recovery) to +call tcp_try_to_open() instead of tcp_try_keep_open(). This ensures +that if no retransmits are in flight at the time of DSACK undo in fast +recovery then we properly zero retrans_stamp. Note that calling +tcp_try_to_open() is more consistent with other loss recovery +behavior, since normal fast recovery (CA_Recovery) and RTO recovery +(CA_Loss) both normally end when tp->snd_una meets or exceeds +tp->high_seq and then in tcp_fastretrans_alert() the "default" switch +case executes tcp_try_to_open(). Also note that by inspection this +change to call tcp_try_to_open() implies at least one other nice bug +fix, where now an ECE-marked DSACK that causes an undo will properly +invoke tcp_enter_cwr() rather than ignoring the ECE mark. + +Fixes: c7d9d6a185a7 ("tcp: undo on DSACK during recovery") +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 2146299016eda..317cb90d77102 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3041,7 +3041,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una, + return; + + if (tcp_try_undo_dsack(sk)) +- tcp_try_keep_open(sk); ++ tcp_try_to_open(sk, flag); + + tcp_identify_packet_loss(sk, ack_flag); + if (icsk->icsk_ca_state != TCP_CA_Recovery) { +-- +2.43.0 + diff --git a/queue-6.1/wifi-wilc1000-fix-ies_len-type-in-connect-path.patch b/queue-6.1/wifi-wilc1000-fix-ies_len-type-in-connect-path.patch new file mode 100644 index 00000000000..1ccf42e551d --- /dev/null +++ b/queue-6.1/wifi-wilc1000-fix-ies_len-type-in-connect-path.patch @@ -0,0 +1,51 @@ +From d6cb5c73da9b600efce84306e5c1a9e5b84137f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 18:23:20 +0200 +Subject: wifi: wilc1000: fix ies_len type in connect path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jozef Hopko + +[ Upstream commit 39ab8fff623053a50951b659e5f6b72343d7d78c ] + +Commit 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path") +made sure that the IEs data was manipulated under the relevant RCU section. +Unfortunately, while doing so, the commit brought a faulty implicit cast +from int to u8 on the ies_len variable, making the parsing fail to be +performed correctly if the IEs block is larger than 255 bytes. This failure +can be observed with Access Points appending a lot of IEs TLVs in their +beacon frames (reproduced with a Pixel phone acting as an Access Point, +which brough 273 bytes of IE data in my testing environment). + +Fix IEs parsing by removing this undesired implicit cast. + +Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path") +Signed-off-by: Jozef Hopko +Signed-off-by: Alexis Lothoré +Acked-by: Ajay Singh +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240701-wilc_fix_ies_data-v1-1-7486cbacf98a@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/microchip/wilc1000/hif.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c +index 5eb02902e875a..13853fda3e047 100644 +--- a/drivers/net/wireless/microchip/wilc1000/hif.c ++++ b/drivers/net/wireless/microchip/wilc1000/hif.c +@@ -379,7 +379,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, + struct ieee80211_p2p_noa_attr noa_attr; + const struct cfg80211_bss_ies *ies; + struct wilc_join_bss_param *param; +- u8 rates_len = 0, ies_len; ++ u8 rates_len = 0; ++ int ies_len; + int ret; + + param = kzalloc(sizeof(*param), GFP_KERNEL); +-- +2.43.0 + -- 2.47.3