From 719b0787a061876880f2d382533079b1f231412c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 15 Jun 2024 22:37:25 -0400 Subject: [PATCH] Revert "Fixes for 5.15" This reverts commit 692674bc014318689a92d3717a38badcb7cab728. Signed-off-by: Sasha Levin --- ...-data-races-around-sk-sk_state-for-w.patch | 88 --- ...-data-race-of-net-unx.sysctl_max_dgr.patch | 38 -- ...-data-race-of-sk-sk_shutdown-in-sk_d.patch | 37 -- ...-data-race-of-sk-sk_state-in-unix_in.patch | 50 -- ...-data-race-of-sk-sk_state-in-unix_st.patch | 60 -- ...-race-of-sk-sk_state-in-unix_st.patch-5290 | 39 -- ...-data-races-around-sk-sk_state-in-se.patch | 72 -- ...-data-races-around-sk-sk_state-in-un.patch | 128 ---- ...-races-around-sk-sk_state-in-un.patch-6162 | 71 -- ...otate-lockless-accesses-to-sk-sk_err.patch | 66 -- .../af_unix-clean-up-some-sock_net-uses.patch | 140 ---- ...x_mkname-into-unix_find_-bsd-abstrac.patch | 202 ------ ...nix_validate_addr-out-of-unix_mkname.patch | 118 ---- ...e-unix_find_other-based-on-address-t.patch | 178 ----- ...ix-pass-struct-sock-to-unix_autobind.patch | 121 ---- ...n-error-as-a-pointer-in-unix_find_ot.patch | 127 ---- ...k_state-under-unix_state_lock-for-tr.patch | 90 --- ..._unix-use-offsetof-instead-of-sizeof.patch | 118 ---- ...queue_empty_lockless-in-unix_release.patch | 44 -- ...queue_len_lockless-in-sk_diag_show_r.patch | 41 -- ..._recvq_full_lockless-in-unix_stream_.patch | 72 -- .../bluetooth-btqca-add-wcn3988-support.patch | 124 ---- ...btqca-use-le32_to_cpu-for-ver.soc_id.patch | 40 -- ...a-mark-of-related-data-as-maybe-unus.patch | 82 --- ...luetooth-qca-add-support-for-qca2066.patch | 224 ------- ...x-info-leak-when-fetching-fw-build-i.patch | 93 --- ...se-switch-case-for-soc-type-behavior.patch | 616 ------------------ ...-context-for-rawtp-test_run-callback.patch | 52 -- ...f-qgroup-extent-records-after-transa.patch | 66 -- ...or-out-minimum-alignment-requirement.patch | 221 ------- ...clean-up-some-inconsistent-indenting.patch | 190 ------ ...drop-unnecessary-null-checks-in-debu.patch | 235 ------- ...y-fix-incorrect-dsc-instance-for-mst.patch | 166 ----- ...handle-y-carry-over-in-vcp-x.y-calcu.patch | 44 -- ...ble-use-after-free-issue-in-ftrace_l.patch | 175 ----- ...pi-unbind-mux-adapters-before-delete.patch | 158 ----- queue-5.15/i2c-add-fwnode-apis.patch | 290 --------- ...c4005-reset-chip-on-probe-and-resume.patch | 157 ----- ...ssible-race-in-__fib6_drop_pcpu_from.patch | 130 ---- ...-in-seg6_output_core-and-seg6_input_.patch | 95 --- ...misc-pvpanic-deduplicate-common-code.patch | 328 ---------- ...i-register-attributes-via-pci_driver.patch | 48 -- ...unnecessary-flush-on-change_huge_pmd.patch | 154 ----- ...rrect-alignment-check-in-cma_init_re.patch | 51 -- ...een-__split_huge_pmd_locked-and-gup-.patch | 242 ------- ...ot-flush-when-not-required-architect.patch | 251 ------- queue-5.15/mm-mprotect-use-mmu_gather.patch | 537 --------------- ...t-strip-remove-function-when-driver-.patch | 59 -- ...convert-to-platform-remove-callback-.patch | 67 -- ...pt-requirement-on-sock_prot_inuse_ad.patch | 258 -------- .../net-inline-sock_prot_inuse_add.patch | 76 --- ...e-multi-thread-manner-of-ncsi-driver.patch | 220 ------- ...si-simplify-kconfig-dts-control-flow.patch | 152 ----- ...ltiq-fix-possible-oob-write-in-multi.patch | 38 -- ...-always-validate-tca_taprio_attr_pri.patch | 63 -- ..._empty_dir-misjudgment-and-long-loop.patch | 51 -- .../nilfs2-remove-check-for-pageerror.patch | 35 - ...e-mapped-address-from-nilfs_get_page.patch | 146 ----- ...ays-allocate-pf-entries-from-low-pri.patch | 87 --- ...r-message-on-failed-pin-verification.patch | 42 -- ...nic-indentation-fixes-here-and-there.patch | 146 ----- ...nic-keep-single-style-across-modules.patch | 82 --- ...paction_test-fix-bogus-test-success-.patch | 109 ---- ...paction_test-fix-incorrect-write-of-.patch | 43 -- ...mm-conform-test-to-tap-format-output.patch | 229 ------- ...-a-consistent-test-name-for-check_co.patch | 124 ---- ...-fix-bug-in-sc16is7xx_set_baud-when-.patch | 96 --- ...-replace-hardcoded-divisor-value-wit.patch | 39 -- queue-5.15/series | 86 --- .../skbuff-introduce-skb_pull_data.patch | 83 --- ...e-wait-sockets-for-tcp_mib_currestab.patch | 71 -- ...fix-race-between-aio_cancel-and-aio-.patch | 95 --- ...f_fs-use-io_data-status-consistently.patch | 65 -- ...sion-when-dropping-packets-due-to-in.patch | 65 -- ...10k-fix-qcom_rproc_common-dependency.patch | 45 -- ...wifi-ath10k-fix-qcom_smem-dependency.patch | 47 -- ...e-wlan-firmware-version-in-smem-imag.patch | 123 ---- ...1-lock-wiphy-in-cfg80211_get_station.patch | 103 --- ...msr-use-correct-nla_get_ux-functions.patch | 85 --- ..._ini-move-iwl_dbg_tlv_free-outside-o.patch | 41 -- ...-check-n_ssids-before-accessing-the-.patch | 49 -- ...-don-t-read-past-the-mfuart-notifcat.patch | 55 -- ...mvm-revert-gen2-tx-a-mpdu-size-to-64.patch | 49 -- ...rrectly-parse-spatial-reuse-paramete.patch | 65 -- ...x-deadlock-in-ieee80211_sta_ps_deliv.patch | 109 ---- ...sh-fix-leak-of-mesh_preq_queue-objec.patch | 100 --- ...trace-search-for-__fentry__-location.patch | 218 ------- 87 files changed, 10385 deletions(-) delete mode 100644 queue-5.15/af_unix-annodate-data-races-around-sk-sk_state-for-w.patch delete mode 100644 queue-5.15/af_unix-annotate-data-race-of-net-unx.sysctl_max_dgr.patch delete mode 100644 queue-5.15/af_unix-annotate-data-race-of-sk-sk_shutdown-in-sk_d.patch delete mode 100644 queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_in.patch delete mode 100644 queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch delete mode 100644 queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch-5290 delete mode 100644 queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-se.patch delete mode 100644 queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch delete mode 100644 queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch-6162 delete mode 100644 queue-5.15/af_unix-annotate-lockless-accesses-to-sk-sk_err.patch delete mode 100644 queue-5.15/af_unix-clean-up-some-sock_net-uses.patch delete mode 100644 queue-5.15/af_unix-copy-unix_mkname-into-unix_find_-bsd-abstrac.patch delete mode 100644 queue-5.15/af_unix-cut-unix_validate_addr-out-of-unix_mkname.patch delete mode 100644 queue-5.15/af_unix-factorise-unix_find_other-based-on-address-t.patch delete mode 100644 queue-5.15/af_unix-pass-struct-sock-to-unix_autobind.patch delete mode 100644 queue-5.15/af_unix-return-an-error-as-a-pointer-in-unix_find_ot.patch delete mode 100644 queue-5.15/af_unix-set-sk-sk_state-under-unix_state_lock-for-tr.patch delete mode 100644 queue-5.15/af_unix-use-offsetof-instead-of-sizeof.patch delete mode 100644 queue-5.15/af_unix-use-skb_queue_empty_lockless-in-unix_release.patch delete mode 100644 queue-5.15/af_unix-use-skb_queue_len_lockless-in-sk_diag_show_r.patch delete mode 100644 queue-5.15/af_unix-use-unix_recvq_full_lockless-in-unix_stream_.patch delete mode 100644 queue-5.15/bluetooth-btqca-add-wcn3988-support.patch delete mode 100644 queue-5.15/bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch delete mode 100644 queue-5.15/bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch delete mode 100644 queue-5.15/bluetooth-qca-add-support-for-qca2066.patch delete mode 100644 queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-fw-build-i.patch delete mode 100644 queue-5.15/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch delete mode 100644 queue-5.15/bpf-set-run-context-for-rawtp-test_run-callback.patch delete mode 100644 queue-5.15/btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch delete mode 100644 queue-5.15/cma-factor-out-minimum-alignment-requirement.patch delete mode 100644 queue-5.15/drm-amd-display-clean-up-some-inconsistent-indenting.patch delete mode 100644 queue-5.15/drm-amd-display-drop-unnecessary-null-checks-in-debu.patch delete mode 100644 queue-5.15/drm-amd-display-fix-incorrect-dsc-instance-for-mst.patch delete mode 100644 queue-5.15/drm-amd-display-handle-y-carry-over-in-vcp-x.y-calcu.patch delete mode 100644 queue-5.15/ftrace-fix-possible-use-after-free-issue-in-ftrace_l.patch delete mode 100644 queue-5.15/i2c-acpi-unbind-mux-adapters-before-delete.patch delete mode 100644 queue-5.15/i2c-add-fwnode-apis.patch delete mode 100644 queue-5.15/iio-accel-mxc4005-reset-chip-on-probe-and-resume.patch delete mode 100644 queue-5.15/ipv6-fix-possible-race-in-__fib6_drop_pcpu_from.patch delete mode 100644 queue-5.15/ipv6-sr-block-bh-in-seg6_output_core-and-seg6_input_.patch delete mode 100644 queue-5.15/misc-pvpanic-deduplicate-common-code.patch delete mode 100644 queue-5.15/misc-pvpanic-pci-register-attributes-via-pci_driver.patch delete mode 100644 queue-5.15/mm-avoid-unnecessary-flush-on-change_huge_pmd.patch delete mode 100644 queue-5.15/mm-cma-drop-incorrect-alignment-check-in-cma_init_re.patch delete mode 100644 queue-5.15/mm-fix-race-between-__split_huge_pmd_locked-and-gup-.patch delete mode 100644 queue-5.15/mm-mprotect-do-not-flush-when-not-required-architect.patch delete mode 100644 queue-5.15/mm-mprotect-use-mmu_gather.patch delete mode 100644 queue-5.15/mmc-davinci-don-t-strip-remove-function-when-driver-.patch delete mode 100644 queue-5.15/mmc-davinci_mmc-convert-to-platform-remove-callback-.patch delete mode 100644 queue-5.15/net-drop-nopreempt-requirement-on-sock_prot_inuse_ad.patch delete mode 100644 queue-5.15/net-inline-sock_prot_inuse_add.patch delete mode 100644 queue-5.15/net-ncsi-fix-the-multi-thread-manner-of-ncsi-driver.patch delete mode 100644 queue-5.15/net-ncsi-simplify-kconfig-dts-control-flow.patch delete mode 100644 queue-5.15/net-sched-sch_multiq-fix-possible-oob-write-in-multi.patch delete mode 100644 queue-5.15/net-sched-taprio-always-validate-tca_taprio_attr_pri.patch delete mode 100644 queue-5.15/nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch delete mode 100644 queue-5.15/nilfs2-remove-check-for-pageerror.patch delete mode 100644 queue-5.15/nilfs2-return-the-mapped-address-from-nilfs_get_page.patch delete mode 100644 queue-5.15/octeontx2-af-always-allocate-pf-entries-from-low-pri.patch delete mode 100644 queue-5.15/ptp-fix-error-message-on-failed-pin-verification.patch delete mode 100644 queue-5.15/pvpanic-indentation-fixes-here-and-there.patch delete mode 100644 queue-5.15/pvpanic-keep-single-style-across-modules.patch delete mode 100644 queue-5.15/selftests-mm-compaction_test-fix-bogus-test-success-.patch delete mode 100644 queue-5.15/selftests-mm-compaction_test-fix-incorrect-write-of-.patch delete mode 100644 queue-5.15/selftests-mm-conform-test-to-tap-format-output.patch delete mode 100644 queue-5.15/selftests-mm-log-a-consistent-test-name-for-check_co.patch delete mode 100644 queue-5.15/serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-.patch delete mode 100644 queue-5.15/serial-sc16is7xx-replace-hardcoded-divisor-value-wit.patch delete mode 100644 queue-5.15/skbuff-introduce-skb_pull_data.patch delete mode 100644 queue-5.15/tcp-count-close-wait-sockets-for-tcp_mib_currestab.patch delete mode 100644 queue-5.15/usb-gadget-f_fs-fix-race-between-aio_cancel-and-aio-.patch delete mode 100644 queue-5.15/usb-gadget-f_fs-use-io_data-status-consistently.patch delete mode 100644 queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-in.patch delete mode 100644 queue-5.15/wifi-ath10k-fix-qcom_rproc_common-dependency.patch delete mode 100644 queue-5.15/wifi-ath10k-fix-qcom_smem-dependency.patch delete mode 100644 queue-5.15/wifi-ath10k-store-wlan-firmware-version-in-smem-imag.patch delete mode 100644 queue-5.15/wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch delete mode 100644 queue-5.15/wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch delete mode 100644 queue-5.15/wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch delete mode 100644 queue-5.15/wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch delete mode 100644 queue-5.15/wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch delete mode 100644 queue-5.15/wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch delete mode 100644 queue-5.15/wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch delete mode 100644 queue-5.15/wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch delete mode 100644 queue-5.15/wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch delete mode 100644 queue-5.15/x86-ibt-ftrace-search-for-__fentry__-location.patch diff --git a/queue-5.15/af_unix-annodate-data-races-around-sk-sk_state-for-w.patch b/queue-5.15/af_unix-annodate-data-races-around-sk-sk_state-for-w.patch deleted file mode 100644 index 11db5597b04..00000000000 --- a/queue-5.15/af_unix-annodate-data-races-around-sk-sk_state-for-w.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 4e7817c3190175d02a107405205be715d8ddebbd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:28 -0700 -Subject: af_unix: Annodate data-races around sk->sk_state for writers. - -From: Kuniyuki Iwashima - -[ Upstream commit 942238f9735a4a4ebf8274b218d9a910158941d1 ] - -sk->sk_state is changed under unix_state_lock(), but it's read locklessly -in many places. - -This patch adds WRITE_ONCE() on the writer side. - -We will add READ_ONCE() to the lockless readers in the following patches. - -Fixes: 83301b5367a9 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too") -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 914e40697f00a..616d6c34d6102 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -542,7 +542,7 @@ static void unix_release_sock(struct sock *sk, int embrion) - u->path.dentry = NULL; - u->path.mnt = NULL; - state = sk->sk_state; -- sk->sk_state = TCP_CLOSE; -+ WRITE_ONCE(sk->sk_state, TCP_CLOSE); - - skpair = unix_peer(sk); - unix_peer(sk) = NULL; -@@ -664,7 +664,8 @@ static int unix_listen(struct socket *sock, int backlog) - if (backlog > sk->sk_max_ack_backlog) - wake_up_interruptible_all(&u->peer_wait); - sk->sk_max_ack_backlog = backlog; -- sk->sk_state = TCP_LISTEN; -+ WRITE_ONCE(sk->sk_state, TCP_LISTEN); -+ - /* set credentials so connect can copy them */ - init_peercred(sk); - err = 0; -@@ -1254,7 +1255,8 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - if (err) - goto out_unlock; - -- sk->sk_state = other->sk_state = TCP_ESTABLISHED; -+ WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED); -+ WRITE_ONCE(other->sk_state, TCP_ESTABLISHED); - } else { - /* - * 1003.1g breaking connected state with AF_UNSPEC -@@ -1271,7 +1273,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - - unix_peer(sk) = other; - if (!other) -- sk->sk_state = TCP_CLOSE; -+ WRITE_ONCE(sk->sk_state, TCP_CLOSE); - unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer); - - unix_state_double_unlock(sk, other); -@@ -1484,7 +1486,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - copy_peercred(sk, other); - - sock->state = SS_CONNECTED; -- sk->sk_state = TCP_ESTABLISHED; -+ WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED); - sock_hold(newsk); - - smp_mb__after_atomic(); /* sock_hold() does an atomic_inc() */ -@@ -1880,7 +1882,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, - unix_peer(sk) = NULL; - unix_dgram_peer_wake_disconnect_wakeup(sk, other); - -- sk->sk_state = TCP_CLOSE; -+ WRITE_ONCE(sk->sk_state, TCP_CLOSE); - unix_state_unlock(sk); - - unix_dgram_disconnected(sk, other); --- -2.43.0 - diff --git a/queue-5.15/af_unix-annotate-data-race-of-net-unx.sysctl_max_dgr.patch b/queue-5.15/af_unix-annotate-data-race-of-net-unx.sysctl_max_dgr.patch deleted file mode 100644 index 43066025588..00000000000 --- a/queue-5.15/af_unix-annotate-data-race-of-net-unx.sysctl_max_dgr.patch +++ /dev/null @@ -1,38 +0,0 @@ -From d0211af6e254986091d952cd861d1ec9517ca5cf Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:37 -0700 -Subject: af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. - -From: Kuniyuki Iwashima - -[ Upstream commit bd9f2d05731f6a112d0c7391a0d537bfc588dbe6 ] - -net->unx.sysctl_max_dgram_qlen is exposed as a sysctl knob and can be -changed concurrently. - -Let's use READ_ONCE() in unix_create1(). - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index c6d3a19956004..5c4318f64d253 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -888,7 +888,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern, - - sk->sk_allocation = GFP_KERNEL_ACCOUNT; - sk->sk_write_space = unix_write_space; -- sk->sk_max_ack_backlog = net->unx.sysctl_max_dgram_qlen; -+ sk->sk_max_ack_backlog = READ_ONCE(net->unx.sysctl_max_dgram_qlen); - sk->sk_destruct = unix_sock_destructor; - u = unix_sk(sk); - u->inflight = 0; --- -2.43.0 - diff --git a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_shutdown-in-sk_d.patch b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_shutdown-in-sk_d.patch deleted file mode 100644 index fd132f653bc..00000000000 --- a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_shutdown-in-sk_d.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 94dccc65b7d84333cead9dfbd69fd322a517704d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:41 -0700 -Subject: af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). - -From: Kuniyuki Iwashima - -[ Upstream commit efaf24e30ec39ebbea9112227485805a48b0ceb1 ] - -While dumping sockets via UNIX_DIAG, we do not hold unix_state_lock(). - -Let's use READ_ONCE() to read sk->sk_shutdown. - -Fixes: e4e541a84863 ("sock-diag: Report shutdown for inet and unix sockets (v2)") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/diag.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/unix/diag.c b/net/unix/diag.c -index 63a0040e9fb45..86b3401dcc000 100644 ---- a/net/unix/diag.c -+++ b/net/unix/diag.c -@@ -165,7 +165,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r - sock_diag_put_meminfo(sk, skb, UNIX_DIAG_MEMINFO)) - goto out_nlmsg_trim; - -- if (nla_put_u8(skb, UNIX_DIAG_SHUTDOWN, sk->sk_shutdown)) -+ if (nla_put_u8(skb, UNIX_DIAG_SHUTDOWN, READ_ONCE(sk->sk_shutdown))) - goto out_nlmsg_trim; - - if ((req->udiag_show & UDIAG_SHOW_UID) && --- -2.43.0 - diff --git a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_in.patch b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_in.patch deleted file mode 100644 index dd88ae17726..00000000000 --- a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_in.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 606ac2707f4c4f563be7f791560647cbac5c339c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:29 -0700 -Subject: af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). - -From: Kuniyuki Iwashima - -[ Upstream commit 3a0f38eb285c8c2eead4b3230c7ac2983707599d ] - -ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first -and returns -EINVAL if it's TCP_LISTEN. - -Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of -bytes in recvq. - -However, unix_inq_len() does not hold unix_state_lock(), and the -concurrent listen() might change the state after checking sk->sk_state. - -If the race occurs, 0 is returned for the listener, instead of -EINVAL, -because the length of skb with embryo is 0. - -We could hold unix_state_lock() in unix_inq_len(), but it's overkill -given the result is true for pre-listen() TCP_CLOSE state. - -So, let's use READ_ONCE() for sk->sk_state in unix_inq_len(). - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 616d6c34d6102..18e2dea699720 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -2957,7 +2957,7 @@ long unix_inq_len(struct sock *sk) - struct sk_buff *skb; - long amount = 0; - -- if (sk->sk_state == TCP_LISTEN) -+ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) - return -EINVAL; - - spin_lock(&sk->sk_receive_queue.lock); --- -2.43.0 - diff --git a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch deleted file mode 100644 index ebb773cf4bf..00000000000 --- a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch +++ /dev/null @@ -1,60 +0,0 @@ -From aeec58466a73081c275584e95c683b252b99a215 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:31 -0700 -Subject: af_unix: Annotate data-race of sk->sk_state in unix_stream_connect(). - -From: Kuniyuki Iwashima - -[ Upstream commit a9bf9c7dc6a5899c01cb8f6e773a66315a5cd4b7 ] - -As small optimisation, unix_stream_connect() prefetches the client's -sk->sk_state without unix_state_lock() and checks if it's TCP_CLOSE. - -Later, sk->sk_state is checked again under unix_state_lock(). - -Let's use READ_ONCE() for the first check and TCP_CLOSE directly for -the second check. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 9800d255a8bc7..628b3fcc74227 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1371,7 +1371,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - struct sk_buff *skb = NULL; - long timeo; - int err; -- int st; - - err = unix_validate_addr(sunaddr, addr_len); - if (err) -@@ -1455,9 +1454,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - - Well, and we have to recheck the state after socket locked. - */ -- st = sk->sk_state; -- -- switch (st) { -+ switch (READ_ONCE(sk->sk_state)) { - case TCP_CLOSE: - /* This is ok... continue with connect */ - break; -@@ -1472,7 +1469,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - - unix_state_lock_nested(sk, U_LOCK_SECOND); - -- if (sk->sk_state != st) { -+ if (sk->sk_state != TCP_CLOSE) { - unix_state_unlock(sk); - unix_state_unlock(other); - sock_put(other); --- -2.43.0 - diff --git a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch-5290 b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch-5290 deleted file mode 100644 index ed338c1a425..00000000000 --- a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch-5290 +++ /dev/null @@ -1,39 +0,0 @@ -From 342e27acc53fd2f8a50a957f7c82bf1445299273 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:34 -0700 -Subject: af_unix: Annotate data-race of sk->sk_state in - unix_stream_read_skb(). - -From: Kuniyuki Iwashima - -[ Upstream commit af4c733b6b1aded4dc808fafece7dfe6e9d2ebb3 ] - -unix_stream_read_skb() is called from sk->sk_data_ready() context -where unix_state_lock() is not held. - -Let's use READ_ONCE() there. - -Fixes: 77462de14a43 ("af_unix: Add read_sock for stream socket types") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index d00d781f777be..c6d3a19956004 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -2642,7 +2642,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk, - static int unix_stream_read_sock(struct sock *sk, read_descriptor_t *desc, - sk_read_actor_t recv_actor) - { -- if (unlikely(sk->sk_state != TCP_ESTABLISHED)) -+ if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) - return -ENOTCONN; - - return unix_read_sock(sk, desc, recv_actor); --- -2.43.0 - diff --git a/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-se.patch b/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-se.patch deleted file mode 100644 index a51461faab3..00000000000 --- a/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-se.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 00d7a1aca3c596b90e6bd71e005335419ed7f4fb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:33 -0700 -Subject: af_unix: Annotate data-races around sk->sk_state in sendmsg() and - recvmsg(). - -From: Kuniyuki Iwashima - -[ Upstream commit 8a34d4e8d9742a24f74998f45a6a98edd923319b ] - -The following functions read sk->sk_state locklessly and proceed only if -the state is TCP_ESTABLISHED. - - * unix_stream_sendmsg - * unix_stream_read_generic - * unix_seqpacket_sendmsg - * unix_seqpacket_recvmsg - -Let's use READ_ONCE() there. - -Fixes: a05d2ad1c1f3 ("af_unix: Only allow recv on connected seqpacket sockets.") -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 628b3fcc74227..d00d781f777be 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -2093,7 +2093,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, - } - - if (msg->msg_namelen) { -- err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP; -+ err = READ_ONCE(sk->sk_state) == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP; - goto out_err; - } else { - err = -ENOTCONN; -@@ -2305,7 +2305,7 @@ static int unix_seqpacket_sendmsg(struct socket *sock, struct msghdr *msg, - if (err) - return err; - -- if (sk->sk_state != TCP_ESTABLISHED) -+ if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED) - return -ENOTCONN; - - if (msg->msg_namelen) -@@ -2319,7 +2319,7 @@ static int unix_seqpacket_recvmsg(struct socket *sock, struct msghdr *msg, - { - struct sock *sk = sock->sk; - -- if (sk->sk_state != TCP_ESTABLISHED) -+ if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED) - return -ENOTCONN; - - return unix_dgram_recvmsg(sock, msg, size, flags); -@@ -2666,7 +2666,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, - size_t size = state->size; - unsigned int last_len; - -- if (unlikely(sk->sk_state != TCP_ESTABLISHED)) { -+ if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) { - err = -EINVAL; - goto out; - } --- -2.43.0 - diff --git a/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch b/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch deleted file mode 100644 index 616b02b702f..00000000000 --- a/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch +++ /dev/null @@ -1,128 +0,0 @@ -From b2efe08af840020f292ef96693445bd9feffa196 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:30 -0700 -Subject: af_unix: Annotate data-races around sk->sk_state in - unix_write_space() and poll(). - -From: Kuniyuki Iwashima - -[ Upstream commit eb0718fb3e97ad0d6f4529b810103451c90adf94 ] - -unix_poll() and unix_dgram_poll() read sk->sk_state locklessly and -calls unix_writable() which also reads sk->sk_state without holding -unix_state_lock(). - -Let's use READ_ONCE() in unix_poll() and unix_dgram_poll() and pass -it to unix_writable(). - -While at it, we remove TCP_SYN_SENT check in unix_dgram_poll() as -that state does not exist for AF_UNIX socket since the code was added. - -Fixes: 1586a5877db9 ("af_unix: do not report POLLOUT on listeners") -Fixes: 3c73419c09a5 ("af_unix: fix 'poll for write'/ connected DGRAM sockets") -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 25 ++++++++++++------------- - 1 file changed, 12 insertions(+), 13 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 18e2dea699720..73b287b7a1154 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -455,9 +455,9 @@ static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) - return 0; - } - --static int unix_writable(const struct sock *sk) -+static int unix_writable(const struct sock *sk, unsigned char state) - { -- return sk->sk_state != TCP_LISTEN && -+ return state != TCP_LISTEN && - (refcount_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; - } - -@@ -466,7 +466,7 @@ static void unix_write_space(struct sock *sk) - struct socket_wq *wq; - - rcu_read_lock(); -- if (unix_writable(sk)) { -+ if (unix_writable(sk, READ_ONCE(sk->sk_state))) { - wq = rcu_dereference(sk->sk_wq); - if (skwq_has_sleeper(wq)) - wake_up_interruptible_sync_poll(&wq->wait, -@@ -3069,12 +3069,14 @@ static int unix_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned lon - static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wait) - { - struct sock *sk = sock->sk; -+ unsigned char state; - __poll_t mask; - u8 shutdown; - - sock_poll_wait(file, sock, wait); - mask = 0; - shutdown = READ_ONCE(sk->sk_shutdown); -+ state = READ_ONCE(sk->sk_state); - - /* exceptional events? */ - if (sk->sk_err) -@@ -3096,14 +3098,14 @@ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wa - - /* Connection-based need to check for termination and startup */ - if ((sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) && -- sk->sk_state == TCP_CLOSE) -+ state == TCP_CLOSE) - mask |= EPOLLHUP; - - /* - * we set writable also when the other side has shut down the - * connection. This prevents stuck sockets. - */ -- if (unix_writable(sk)) -+ if (unix_writable(sk, state)) - mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND; - - return mask; -@@ -3114,12 +3116,14 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock, - { - struct sock *sk = sock->sk, *other; - unsigned int writable; -+ unsigned char state; - __poll_t mask; - u8 shutdown; - - sock_poll_wait(file, sock, wait); - mask = 0; - shutdown = READ_ONCE(sk->sk_shutdown); -+ state = READ_ONCE(sk->sk_state); - - /* exceptional events? */ - if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) -@@ -3138,19 +3142,14 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock, - mask |= EPOLLIN | EPOLLRDNORM; - - /* Connection-based need to check for termination and startup */ -- if (sk->sk_type == SOCK_SEQPACKET) { -- if (sk->sk_state == TCP_CLOSE) -- mask |= EPOLLHUP; -- /* connection hasn't started yet? */ -- if (sk->sk_state == TCP_SYN_SENT) -- return mask; -- } -+ if (sk->sk_type == SOCK_SEQPACKET && state == TCP_CLOSE) -+ mask |= EPOLLHUP; - - /* No write status requested, avoid expensive OUT tests. */ - if (!(poll_requested_events(wait) & (EPOLLWRBAND|EPOLLWRNORM|EPOLLOUT))) - return mask; - -- writable = unix_writable(sk); -+ writable = unix_writable(sk, state); - if (writable) { - unix_state_lock(sk); - --- -2.43.0 - diff --git a/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch-6162 b/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch-6162 deleted file mode 100644 index 2c9a559faf5..00000000000 --- a/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch-6162 +++ /dev/null @@ -1,71 +0,0 @@ -From 3e7745374f5d333d3c29dd950a845f1990da2cb9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:35 -0700 -Subject: af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. - -From: Kuniyuki Iwashima - -[ Upstream commit 0aa3be7b3e1f8f997312cc4705f8165e02806f8f ] - -While dumping AF_UNIX sockets via UNIX_DIAG, sk->sk_state is read -locklessly. - -Let's use READ_ONCE() there. - -Note that the result could be inconsistent if the socket is dumped -during the state change. This is common for other SOCK_DIAG and -similar interfaces. - -Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report") -Fixes: 2aac7a2cb0d9 ("unix_diag: Pending connections IDs NLA") -Fixes: 45a96b9be6ec ("unix_diag: Dumping all sockets core") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/diag.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/unix/diag.c b/net/unix/diag.c -index 15aaeabb1363b..94c8f509261d0 100644 ---- a/net/unix/diag.c -+++ b/net/unix/diag.c -@@ -65,7 +65,7 @@ static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb) - u32 *buf; - int i; - -- if (sk->sk_state == TCP_LISTEN) { -+ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) { - spin_lock(&sk->sk_receive_queue.lock); - - attr = nla_reserve(nlskb, UNIX_DIAG_ICONS, -@@ -103,7 +103,7 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb) - { - struct unix_diag_rqlen rql; - -- if (sk->sk_state == TCP_LISTEN) { -+ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) { - rql.udiag_rqueue = sk->sk_receive_queue.qlen; - rql.udiag_wqueue = sk->sk_max_ack_backlog; - } else { -@@ -136,7 +136,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r - rep = nlmsg_data(nlh); - rep->udiag_family = AF_UNIX; - rep->udiag_type = sk->sk_type; -- rep->udiag_state = sk->sk_state; -+ rep->udiag_state = READ_ONCE(sk->sk_state); - rep->pad = 0; - rep->udiag_ino = sk_ino; - sock_diag_save_cookie(sk, rep->udiag_cookie); -@@ -219,7 +219,7 @@ static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) - continue; - if (num < s_num) - goto next; -- if (!(req->udiag_states & (1 << sk->sk_state))) -+ if (!(req->udiag_states & (1 << READ_ONCE(sk->sk_state)))) - goto next; - if (sk_diag_dump(sk, skb, req, sk_user_ns(skb->sk), - NETLINK_CB(cb->skb).portid, --- -2.43.0 - diff --git a/queue-5.15/af_unix-annotate-lockless-accesses-to-sk-sk_err.patch b/queue-5.15/af_unix-annotate-lockless-accesses-to-sk-sk_err.patch deleted file mode 100644 index 86118b37394..00000000000 --- a/queue-5.15/af_unix-annotate-lockless-accesses-to-sk-sk_err.patch +++ /dev/null @@ -1,66 +0,0 @@ -From d67e0043413caa1b66c8d9bb708330ddeebf7fa3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Mar 2023 20:57:46 +0000 -Subject: af_unix: annotate lockless accesses to sk->sk_err - -From: Eric Dumazet - -[ Upstream commit cc04410af7de348234ac36a5f50c4ce416efdb4b ] - -unix_poll() and unix_dgram_poll() read sk->sk_err -without any lock held. - -Add relevant READ_ONCE()/WRITE_ONCE() annotations. - -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller -Stable-dep-of: 83690b82d228 ("af_unix: Use skb_queue_empty_lockless() in unix_release_sock().") -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 3fa86d70467c2..85b1c0d7c287a 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -500,7 +500,7 @@ static void unix_dgram_disconnected(struct sock *sk, struct sock *other) - * when peer was not connected to us. - */ - if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) == sk) { -- other->sk_err = ECONNRESET; -+ WRITE_ONCE(other->sk_err, ECONNRESET); - sk_error_report(other); - } - } -@@ -571,7 +571,7 @@ static void unix_release_sock(struct sock *sk, int embrion) - /* No more writes */ - WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK); - if (!skb_queue_empty(&sk->sk_receive_queue) || embrion) -- skpair->sk_err = ECONNRESET; -+ WRITE_ONCE(skpair->sk_err, ECONNRESET); - unix_state_unlock(skpair); - skpair->sk_state_change(skpair); - sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP); -@@ -3108,7 +3108,7 @@ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wa - state = READ_ONCE(sk->sk_state); - - /* exceptional events? */ -- if (sk->sk_err) -+ if (READ_ONCE(sk->sk_err)) - mask |= EPOLLERR; - if (shutdown == SHUTDOWN_MASK) - mask |= EPOLLHUP; -@@ -3155,7 +3155,8 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock, - state = READ_ONCE(sk->sk_state); - - /* exceptional events? */ -- if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) -+ if (READ_ONCE(sk->sk_err) || -+ !skb_queue_empty_lockless(&sk->sk_error_queue)) - mask |= EPOLLERR | - (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0); - --- -2.43.0 - diff --git a/queue-5.15/af_unix-clean-up-some-sock_net-uses.patch b/queue-5.15/af_unix-clean-up-some-sock_net-uses.patch deleted file mode 100644 index 10c1f50e5d3..00000000000 --- a/queue-5.15/af_unix-clean-up-some-sock_net-uses.patch +++ /dev/null @@ -1,140 +0,0 @@ -From 871f1d52052c897d94a9ed0573e073d4fe7ff7e0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 21 Jun 2022 10:19:08 -0700 -Subject: af_unix: Clean up some sock_net() uses. - -From: Kuniyuki Iwashima - -[ Upstream commit 340c3d337119ea177a98338be2e3bc62ee87ac80 ] - -Some functions define a net pointer only for one-shot use. Others call -sock_net() redundantly even when a net pointer is available. Let's fix -these and make the code simpler. - -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 33 ++++++++++++++------------------- - net/unix/diag.c | 3 +-- - 2 files changed, 15 insertions(+), 21 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index a848e777e448c..9800d255a8bc7 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -903,7 +903,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern, - memset(&u->scm_stat, 0, sizeof(struct scm_stat)); - unix_insert_socket(unix_sockets_unbound(sk), sk); - -- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); -+ sock_prot_inuse_add(net, sk->sk_prot, 1); - - return sk; - -@@ -1247,9 +1247,8 @@ static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2) - static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - int alen, int flags) - { -- struct sock *sk = sock->sk; -- struct net *net = sock_net(sk); - struct sockaddr_un *sunaddr = (struct sockaddr_un *)addr; -+ struct sock *sk = sock->sk; - struct sock *other; - int err; - -@@ -1270,7 +1269,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - } - - restart: -- other = unix_find_other(net, sunaddr, alen, sock->type); -+ other = unix_find_other(sock_net(sk), sunaddr, alen, sock->type); - if (IS_ERR(other)) { - err = PTR_ERR(other); - goto out; -@@ -1366,15 +1365,13 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - int addr_len, int flags) - { - struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr; -- struct sock *sk = sock->sk; -- struct net *net = sock_net(sk); -+ struct sock *sk = sock->sk, *newsk = NULL, *other = NULL; - struct unix_sock *u = unix_sk(sk), *newu, *otheru; -- struct sock *newsk = NULL; -- struct sock *other = NULL; -+ struct net *net = sock_net(sk); - struct sk_buff *skb = NULL; -- int st; -- int err; - long timeo; -+ int err; -+ int st; - - err = unix_validate_addr(sunaddr, addr_len); - if (err) -@@ -1394,7 +1391,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - */ - - /* create new sock for complete connection */ -- newsk = unix_create1(sock_net(sk), NULL, 0, sock->type); -+ newsk = unix_create1(net, NULL, 0, sock->type); - if (IS_ERR(newsk)) { - err = PTR_ERR(newsk); - newsk = NULL; -@@ -1803,17 +1800,15 @@ static void scm_stat_del(struct sock *sk, struct sk_buff *skb) - static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, - size_t len) - { -- struct sock *sk = sock->sk; -- struct net *net = sock_net(sk); -- struct unix_sock *u = unix_sk(sk); - DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name); -- struct sock *other = NULL; -- int err; -- struct sk_buff *skb; -- long timeo; -+ struct sock *sk = sock->sk, *other = NULL; -+ struct unix_sock *u = unix_sk(sk); - struct scm_cookie scm; -+ struct sk_buff *skb; - int data_len = 0; - int sk_locked; -+ long timeo; -+ int err; - - wait_for_unix_gc(); - err = scm_send(sock, msg, &scm, false); -@@ -1880,7 +1875,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, - if (sunaddr == NULL) - goto out_free; - -- other = unix_find_other(net, sunaddr, msg->msg_namelen, -+ other = unix_find_other(sock_net(sk), sunaddr, msg->msg_namelen, - sk->sk_type); - if (IS_ERR(other)) { - err = PTR_ERR(other); -diff --git a/net/unix/diag.c b/net/unix/diag.c -index 006438e2e07a2..15aaeabb1363b 100644 ---- a/net/unix/diag.c -+++ b/net/unix/diag.c -@@ -312,7 +312,6 @@ static int unix_diag_get_exact(struct sk_buff *in_skb, - static int unix_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h) - { - int hdrlen = sizeof(struct unix_diag_req); -- struct net *net = sock_net(skb->sk); - - if (nlmsg_len(h) < hdrlen) - return -EINVAL; -@@ -321,7 +320,7 @@ static int unix_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h) - struct netlink_dump_control c = { - .dump = unix_diag_dump, - }; -- return netlink_dump_start(net->diag_nlsk, skb, h, &c); -+ return netlink_dump_start(sock_net(skb->sk)->diag_nlsk, skb, h, &c); - } else - return unix_diag_get_exact(skb, h, nlmsg_data(h)); - } --- -2.43.0 - diff --git a/queue-5.15/af_unix-copy-unix_mkname-into-unix_find_-bsd-abstrac.patch b/queue-5.15/af_unix-copy-unix_mkname-into-unix_find_-bsd-abstrac.patch deleted file mode 100644 index bd03dfbd025..00000000000 --- a/queue-5.15/af_unix-copy-unix_mkname-into-unix_find_-bsd-abstrac.patch +++ /dev/null @@ -1,202 +0,0 @@ -From a521bba7af6be404371346310d94ccd7c1e8c224 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 24 Nov 2021 11:14:24 +0900 -Subject: af_unix: Copy unix_mkname() into unix_find_(bsd|abstract)(). - -From: Kuniyuki Iwashima - -[ Upstream commit d2d8c9fddb1c11ccfa73bf0ad2b1e6b4ea7afdaf ] - -We should not call unix_mkname() before unix_find_other() and instead do -the same thing where necessary based on the address type: - - - terminating the address with '\0' in unix_find_bsd() - - calculating the hash in unix_find_abstract(). - -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Jakub Kicinski -Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 63 ++++++++++++++++++---------------------------- - 1 file changed, 25 insertions(+), 38 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 8aeafe66e6115..a848e777e448c 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -239,19 +239,25 @@ static int unix_validate_addr(struct sockaddr_un *sunaddr, int addr_len) - return 0; - } - -+static void unix_mkname_bsd(struct sockaddr_un *sunaddr, int addr_len) -+{ -+ /* This may look like an off by one error but it is a bit more -+ * subtle. 108 is the longest valid AF_UNIX path for a binding. -+ * sun_path[108] doesn't as such exist. However in kernel space -+ * we are guaranteed that it is a valid memory location in our -+ * kernel address buffer because syscall functions always pass -+ * a pointer of struct sockaddr_storage which has a bigger buffer -+ * than 108. -+ */ -+ ((char *)sunaddr)[addr_len] = 0; -+} -+ - static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp) - { - *hashp = 0; - - if (sunaddr->sun_path[0]) { -- /* -- * This may look like an off by one error but it is a bit more -- * subtle. 108 is the longest valid AF_UNIX path for a binding. -- * sun_path[108] doesn't as such exist. However in kernel space -- * we are guaranteed that it is a valid memory location in our -- * kernel address buffer. -- */ -- ((char *)sunaddr)[len] = 0; -+ unix_mkname_bsd(sunaddr, len); - len = strlen(sunaddr->sun_path) + - offsetof(struct sockaddr_un, sun_path) + 1; - return len; -@@ -959,13 +965,14 @@ static int unix_release(struct socket *sock) - } - - static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr, -- int type) -+ int addr_len, int type) - { - struct inode *inode; - struct path path; - struct sock *sk; - int err; - -+ unix_mkname_bsd(sunaddr, addr_len); - err = kern_path(sunaddr->sun_path, LOOKUP_FOLLOW, &path); - if (err) - goto fail; -@@ -1003,9 +1010,9 @@ static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr, - - static struct sock *unix_find_abstract(struct net *net, - struct sockaddr_un *sunaddr, -- int addr_len, int type, -- unsigned int hash) -+ int addr_len, int type) - { -+ unsigned int hash = unix_hash_fold(csum_partial(sunaddr, addr_len, 0)); - struct dentry *dentry; - struct sock *sk; - -@@ -1022,15 +1029,14 @@ static struct sock *unix_find_abstract(struct net *net, - - static struct sock *unix_find_other(struct net *net, - struct sockaddr_un *sunaddr, -- int addr_len, int type, -- unsigned int hash) -+ int addr_len, int type) - { - struct sock *sk; - - if (sunaddr->sun_path[0]) -- sk = unix_find_bsd(net, sunaddr, type); -+ sk = unix_find_bsd(net, sunaddr, addr_len, type); - else -- sk = unix_find_abstract(net, sunaddr, addr_len, type, hash); -+ sk = unix_find_abstract(net, sunaddr, addr_len, type); - - return sk; - } -@@ -1245,7 +1251,6 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - struct net *net = sock_net(sk); - struct sockaddr_un *sunaddr = (struct sockaddr_un *)addr; - struct sock *other; -- unsigned int hash; - int err; - - err = -EINVAL; -@@ -1257,11 +1262,6 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - if (err) - goto out; - -- err = unix_mkname(sunaddr, alen, &hash); -- if (err < 0) -- goto out; -- alen = err; -- - if (test_bit(SOCK_PASSCRED, &sock->flags) && - !unix_sk(sk)->addr) { - err = unix_autobind(sk); -@@ -1270,7 +1270,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - } - - restart: -- other = unix_find_other(net, sunaddr, alen, sock->type, hash); -+ other = unix_find_other(net, sunaddr, alen, sock->type); - if (IS_ERR(other)) { - err = PTR_ERR(other); - goto out; -@@ -1372,7 +1372,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - struct sock *newsk = NULL; - struct sock *other = NULL; - struct sk_buff *skb = NULL; -- unsigned int hash; - int st; - int err; - long timeo; -@@ -1381,11 +1380,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - if (err) - goto out; - -- err = unix_mkname(sunaddr, addr_len, &hash); -- if (err < 0) -- goto out; -- addr_len = err; -- - if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) { - err = unix_autobind(sk); - if (err) -@@ -1416,7 +1410,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - - restart: - /* Find listening sock. */ -- other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash); -+ other = unix_find_other(net, sunaddr, addr_len, sk->sk_type); - if (IS_ERR(other)) { - err = PTR_ERR(other); - other = NULL; -@@ -1814,9 +1808,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, - struct unix_sock *u = unix_sk(sk); - DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name); - struct sock *other = NULL; -- int namelen = 0; /* fake GCC */ - int err; -- unsigned int hash; - struct sk_buff *skb; - long timeo; - struct scm_cookie scm; -@@ -1836,11 +1828,6 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, - err = unix_validate_addr(sunaddr, msg->msg_namelen); - if (err) - goto out; -- -- err = unix_mkname(sunaddr, msg->msg_namelen, &hash); -- if (err < 0) -- goto out; -- namelen = err; - } else { - sunaddr = NULL; - err = -ENOTCONN; -@@ -1893,8 +1880,8 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, - if (sunaddr == NULL) - goto out_free; - -- other = unix_find_other(net, sunaddr, namelen, sk->sk_type, -- hash); -+ other = unix_find_other(net, sunaddr, msg->msg_namelen, -+ sk->sk_type); - if (IS_ERR(other)) { - err = PTR_ERR(other); - other = NULL; --- -2.43.0 - diff --git a/queue-5.15/af_unix-cut-unix_validate_addr-out-of-unix_mkname.patch b/queue-5.15/af_unix-cut-unix_validate_addr-out-of-unix_mkname.patch deleted file mode 100644 index 872d4056a1d..00000000000 --- a/queue-5.15/af_unix-cut-unix_validate_addr-out-of-unix_mkname.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 66094a2eae821c3437f6bee8337b83adbd0663a4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 24 Nov 2021 11:14:23 +0900 -Subject: af_unix: Cut unix_validate_addr() out of unix_mkname(). - -From: Kuniyuki Iwashima - -[ Upstream commit b8a58aa6fccc5b2940f0da18c7f02e8a1deb693a ] - -unix_mkname() tests socket address length and family and does some -processing based on the address type. It is called in the early stage, -and therefore some instructions are redundant and can end up in vain. - -The address length/family tests are done twice in unix_bind(). Also, the -address type is rechecked later in unix_bind() and unix_find_other(), where -we can do the same processing. Moreover, in the BSD address case, the hash -is set to 0 but never used and confusing. - -This patch moves the address tests out of unix_mkname(), and the following -patches move the other part into appropriate places and remove -unix_mkname() finally. - -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Jakub Kicinski -Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 40 ++++++++++++++++++++++++++++++---------- - 1 file changed, 30 insertions(+), 10 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 0a1258b417a9d..8aeafe66e6115 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -227,15 +227,22 @@ static inline void unix_release_addr(struct unix_address *addr) - * - if started by zero, it is abstract name. - */ - -+static int unix_validate_addr(struct sockaddr_un *sunaddr, int addr_len) -+{ -+ if (addr_len <= offsetof(struct sockaddr_un, sun_path) || -+ addr_len > sizeof(*sunaddr)) -+ return -EINVAL; -+ -+ if (sunaddr->sun_family != AF_UNIX) -+ return -EINVAL; -+ -+ return 0; -+} -+ - static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp) - { - *hashp = 0; - -- if (len <= offsetof(struct sockaddr_un, sun_path) || -- len > sizeof(*sunaddr)) -- return -EINVAL; -- if (!sunaddr || sunaddr->sun_family != AF_UNIX) -- return -EINVAL; - if (sunaddr->sun_path[0]) { - /* - * This may look like an off by one error but it is a bit more -@@ -1178,13 +1185,14 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - unsigned int hash; - struct unix_address *addr; - -- if (addr_len < offsetofend(struct sockaddr_un, sun_family) || -- sunaddr->sun_family != AF_UNIX) -- return -EINVAL; -- -- if (addr_len == offsetof(struct sockaddr_un, sun_path)) -+ if (addr_len == offsetof(struct sockaddr_un, sun_path) && -+ sunaddr->sun_family == AF_UNIX) - return unix_autobind(sk); - -+ err = unix_validate_addr(sunaddr, addr_len); -+ if (err) -+ return err; -+ - err = unix_mkname(sunaddr, addr_len, &hash); - if (err < 0) - return err; -@@ -1245,6 +1253,10 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - goto out; - - if (addr->sa_family != AF_UNSPEC) { -+ err = unix_validate_addr(sunaddr, alen); -+ if (err) -+ goto out; -+ - err = unix_mkname(sunaddr, alen, &hash); - if (err < 0) - goto out; -@@ -1365,6 +1377,10 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - int err; - long timeo; - -+ err = unix_validate_addr(sunaddr, addr_len); -+ if (err) -+ goto out; -+ - err = unix_mkname(sunaddr, addr_len, &hash); - if (err < 0) - goto out; -@@ -1817,6 +1833,10 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, - goto out; - - if (msg->msg_namelen) { -+ err = unix_validate_addr(sunaddr, msg->msg_namelen); -+ if (err) -+ goto out; -+ - err = unix_mkname(sunaddr, msg->msg_namelen, &hash); - if (err < 0) - goto out; --- -2.43.0 - diff --git a/queue-5.15/af_unix-factorise-unix_find_other-based-on-address-t.patch b/queue-5.15/af_unix-factorise-unix_find_other-based-on-address-t.patch deleted file mode 100644 index 3446a6d77e7..00000000000 --- a/queue-5.15/af_unix-factorise-unix_find_other-based-on-address-t.patch +++ /dev/null @@ -1,178 +0,0 @@ -From 37f21e3bf98191271a970d44f8437110434cf447 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 24 Nov 2021 11:14:21 +0900 -Subject: af_unix: Factorise unix_find_other() based on address types. - -From: Kuniyuki Iwashima - -[ Upstream commit fa39ef0e472961baef49ddb0e6f7b8ebb555bd8f ] - -As done in the commit fa42d910a38e ("unix_bind(): take BSD and abstract -address cases into new helpers"), this patch moves BSD and abstract address -cases from unix_find_other() into unix_find_bsd() and unix_find_abstract(). - -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Jakub Kicinski -Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 136 +++++++++++++++++++++++++++------------------ - 1 file changed, 81 insertions(+), 55 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 1fc3022510093..20a7be3effe83 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -951,6 +951,87 @@ static int unix_release(struct socket *sock) - return 0; - } - -+static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr, -+ int type, int *error) -+{ -+ struct inode *inode; -+ struct path path; -+ struct sock *sk; -+ int err; -+ -+ err = kern_path(sunaddr->sun_path, LOOKUP_FOLLOW, &path); -+ if (err) -+ goto fail; -+ -+ err = path_permission(&path, MAY_WRITE); -+ if (err) -+ goto path_put; -+ -+ err = -ECONNREFUSED; -+ inode = d_backing_inode(path.dentry); -+ if (!S_ISSOCK(inode->i_mode)) -+ goto path_put; -+ -+ sk = unix_find_socket_byinode(inode); -+ if (!sk) -+ goto path_put; -+ -+ err = -EPROTOTYPE; -+ if (sk->sk_type == type) -+ touch_atime(&path); -+ else -+ goto sock_put; -+ -+ path_put(&path); -+ -+ return sk; -+ -+sock_put: -+ sock_put(sk); -+path_put: -+ path_put(&path); -+fail: -+ *error = err; -+ return NULL; -+} -+ -+static struct sock *unix_find_abstract(struct net *net, -+ struct sockaddr_un *sunaddr, -+ int addr_len, int type, -+ unsigned int hash, int *error) -+{ -+ struct dentry *dentry; -+ struct sock *sk; -+ -+ sk = unix_find_socket_byname(net, sunaddr, addr_len, type ^ hash); -+ if (!sk) { -+ *error = -ECONNREFUSED; -+ return NULL; -+ } -+ -+ dentry = unix_sk(sk)->path.dentry; -+ if (dentry) -+ touch_atime(&unix_sk(sk)->path); -+ -+ return sk; -+} -+ -+static struct sock *unix_find_other(struct net *net, -+ struct sockaddr_un *sunaddr, -+ int addr_len, int type, -+ unsigned int hash, int *error) -+{ -+ struct sock *sk; -+ -+ if (sunaddr->sun_path[0]) -+ sk = unix_find_bsd(net, sunaddr, type, error); -+ else -+ sk = unix_find_abstract(net, sunaddr, addr_len, type, hash, -+ error); -+ -+ return sk; -+} -+ - static int unix_autobind(struct sock *sk) - { - struct unix_sock *u = unix_sk(sk); -@@ -1009,61 +1090,6 @@ out: mutex_unlock(&u->bindlock); - return err; - } - --static struct sock *unix_find_other(struct net *net, -- struct sockaddr_un *sunname, int len, -- int type, unsigned int hash, int *error) --{ -- struct sock *u; -- struct path path; -- int err = 0; -- -- if (sunname->sun_path[0]) { -- struct inode *inode; -- err = kern_path(sunname->sun_path, LOOKUP_FOLLOW, &path); -- if (err) -- goto fail; -- inode = d_backing_inode(path.dentry); -- err = path_permission(&path, MAY_WRITE); -- if (err) -- goto put_fail; -- -- err = -ECONNREFUSED; -- if (!S_ISSOCK(inode->i_mode)) -- goto put_fail; -- u = unix_find_socket_byinode(inode); -- if (!u) -- goto put_fail; -- -- if (u->sk_type == type) -- touch_atime(&path); -- -- path_put(&path); -- -- err = -EPROTOTYPE; -- if (u->sk_type != type) { -- sock_put(u); -- goto fail; -- } -- } else { -- err = -ECONNREFUSED; -- u = unix_find_socket_byname(net, sunname, len, type ^ hash); -- if (u) { -- struct dentry *dentry; -- dentry = unix_sk(u)->path.dentry; -- if (dentry) -- touch_atime(&unix_sk(u)->path); -- } else -- goto fail; -- } -- return u; -- --put_fail: -- path_put(&path); --fail: -- *error = err; -- return NULL; --} -- - static int unix_bind_bsd(struct sock *sk, struct unix_address *addr) - { - struct unix_sock *u = unix_sk(sk); --- -2.43.0 - diff --git a/queue-5.15/af_unix-pass-struct-sock-to-unix_autobind.patch b/queue-5.15/af_unix-pass-struct-sock-to-unix_autobind.patch deleted file mode 100644 index 592137c26f3..00000000000 --- a/queue-5.15/af_unix-pass-struct-sock-to-unix_autobind.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 6e28b0638dc4a6110a6b56646b3b62d9619a0076 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 24 Nov 2021 11:14:20 +0900 -Subject: af_unix: Pass struct sock to unix_autobind(). - -From: Kuniyuki Iwashima - -[ Upstream commit f7ed31f4615f4e1d97c0e4325c5b8a240e10073c ] - -We do not use struct socket in unix_autobind() and pass struct sock to -unix_bind_bsd() and unix_bind_abstract(). Let's pass it to unix_autobind() -as well. - -Also, this patch fixes these errors by checkpatch.pl. - - ERROR: do not use assignment in if condition - #1795: FILE: net/unix/af_unix.c:1795: - + if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr - - CHECK: Logical continuations should be on the previous line - #1796: FILE: net/unix/af_unix.c:1796: - + if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr - + && (err = unix_autobind(sock)) != 0) - -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Jakub Kicinski -Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 36 +++++++++++++++++++++--------------- - 1 file changed, 21 insertions(+), 15 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 7d58067ffd3f8..1fc3022510093 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -951,15 +951,13 @@ static int unix_release(struct socket *sock) - return 0; - } - --static int unix_autobind(struct socket *sock) -+static int unix_autobind(struct sock *sk) - { -- struct sock *sk = sock->sk; -- struct net *net = sock_net(sk); - struct unix_sock *u = unix_sk(sk); -- static u32 ordernum = 1; - struct unix_address *addr; -- int err; - unsigned int retries = 0; -+ static u32 ordernum = 1; -+ int err; - - err = mutex_lock_interruptible(&u->bindlock); - if (err) -@@ -986,7 +984,8 @@ static int unix_autobind(struct socket *sock) - spin_lock(&unix_table_lock); - ordernum = (ordernum+1)&0xFFFFF; - -- if (__unix_find_socket_byname(net, addr->name, addr->len, addr->hash)) { -+ if (__unix_find_socket_byname(sock_net(sk), addr->name, addr->len, -+ addr->hash)) { - spin_unlock(&unix_table_lock); - /* - * __unix_find_socket_byname() may take long time if many names -@@ -1162,7 +1161,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - return -EINVAL; - - if (addr_len == offsetof(struct sockaddr_un, sun_path)) -- return unix_autobind(sock); -+ return unix_autobind(sk); - - err = unix_mkname(sunaddr, addr_len, &hash); - if (err < 0) -@@ -1230,8 +1229,11 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - alen = err; - - if (test_bit(SOCK_PASSCRED, &sock->flags) && -- !unix_sk(sk)->addr && (err = unix_autobind(sock)) != 0) -- goto out; -+ !unix_sk(sk)->addr) { -+ err = unix_autobind(sk); -+ if (err) -+ goto out; -+ } - - restart: - other = unix_find_other(net, sunaddr, alen, sock->type, hash, &err); -@@ -1344,9 +1346,11 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - goto out; - addr_len = err; - -- if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr && -- (err = unix_autobind(sock)) != 0) -- goto out; -+ if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) { -+ err = unix_autobind(sk); -+ if (err) -+ goto out; -+ } - - timeo = sock_sndtimeo(sk, flags & O_NONBLOCK); - -@@ -1798,9 +1802,11 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, - goto out; - } - -- if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr -- && (err = unix_autobind(sock)) != 0) -- goto out; -+ if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) { -+ err = unix_autobind(sk); -+ if (err) -+ goto out; -+ } - - err = -EMSGSIZE; - if (len > sk->sk_sndbuf - 32) --- -2.43.0 - diff --git a/queue-5.15/af_unix-return-an-error-as-a-pointer-in-unix_find_ot.patch b/queue-5.15/af_unix-return-an-error-as-a-pointer-in-unix_find_ot.patch deleted file mode 100644 index 5970bdcbd28..00000000000 --- a/queue-5.15/af_unix-return-an-error-as-a-pointer-in-unix_find_ot.patch +++ /dev/null @@ -1,127 +0,0 @@ -From 8d66d269fbdf2e746bb696f4723f626698608dee Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 24 Nov 2021 11:14:22 +0900 -Subject: af_unix: Return an error as a pointer in unix_find_other(). - -From: Kuniyuki Iwashima - -[ Upstream commit aed26f557bbc94f0c778f63d7dfe86af99208f68 ] - -We can return an error as a pointer and need not pass an additional -argument to unix_find_other(). - -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Jakub Kicinski -Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 40 ++++++++++++++++++++++------------------ - 1 file changed, 22 insertions(+), 18 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 20a7be3effe83..0a1258b417a9d 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -952,7 +952,7 @@ static int unix_release(struct socket *sock) - } - - static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr, -- int type, int *error) -+ int type) - { - struct inode *inode; - struct path path; -@@ -991,23 +991,20 @@ static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr, - path_put: - path_put(&path); - fail: -- *error = err; -- return NULL; -+ return ERR_PTR(err); - } - - static struct sock *unix_find_abstract(struct net *net, - struct sockaddr_un *sunaddr, - int addr_len, int type, -- unsigned int hash, int *error) -+ unsigned int hash) - { - struct dentry *dentry; - struct sock *sk; - - sk = unix_find_socket_byname(net, sunaddr, addr_len, type ^ hash); -- if (!sk) { -- *error = -ECONNREFUSED; -- return NULL; -- } -+ if (!sk) -+ return ERR_PTR(-ECONNREFUSED); - - dentry = unix_sk(sk)->path.dentry; - if (dentry) -@@ -1019,15 +1016,14 @@ static struct sock *unix_find_abstract(struct net *net, - static struct sock *unix_find_other(struct net *net, - struct sockaddr_un *sunaddr, - int addr_len, int type, -- unsigned int hash, int *error) -+ unsigned int hash) - { - struct sock *sk; - - if (sunaddr->sun_path[0]) -- sk = unix_find_bsd(net, sunaddr, type, error); -+ sk = unix_find_bsd(net, sunaddr, type); - else -- sk = unix_find_abstract(net, sunaddr, addr_len, type, hash, -- error); -+ sk = unix_find_abstract(net, sunaddr, addr_len, type, hash); - - return sk; - } -@@ -1262,9 +1258,11 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - } - - restart: -- other = unix_find_other(net, sunaddr, alen, sock->type, hash, &err); -- if (!other) -+ other = unix_find_other(net, sunaddr, alen, sock->type, hash); -+ if (IS_ERR(other)) { -+ err = PTR_ERR(other); - goto out; -+ } - - unix_state_double_lock(sk, other); - -@@ -1402,9 +1400,12 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - - restart: - /* Find listening sock. */ -- other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash, &err); -- if (!other) -+ other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash); -+ if (IS_ERR(other)) { -+ err = PTR_ERR(other); -+ other = NULL; - goto out; -+ } - - /* Latch state of peer */ - unix_state_lock(other); -@@ -1873,9 +1874,12 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, - goto out_free; - - other = unix_find_other(net, sunaddr, namelen, sk->sk_type, -- hash, &err); -- if (other == NULL) -+ hash); -+ if (IS_ERR(other)) { -+ err = PTR_ERR(other); -+ other = NULL; - goto out_free; -+ } - } - - if (sk_filter(other, skb) < 0) { --- -2.43.0 - diff --git a/queue-5.15/af_unix-set-sk-sk_state-under-unix_state_lock-for-tr.patch b/queue-5.15/af_unix-set-sk-sk_state-under-unix_state_lock-for-tr.patch deleted file mode 100644 index db3a224f99a..00000000000 --- a/queue-5.15/af_unix-set-sk-sk_state-under-unix_state_lock-for-tr.patch +++ /dev/null @@ -1,90 +0,0 @@ -From afe6f203c22c6b2ebb197c34f902211d748b58f3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:27 -0700 -Subject: af_unix: Set sk->sk_state under unix_state_lock() for truly - disconencted peer. - -From: Kuniyuki Iwashima - -[ Upstream commit 26bfb8b57063f52b867f9b6c8d1742fcb5bd656c ] - -When a SOCK_DGRAM socket connect()s to another socket, the both sockets' -sk->sk_state are changed to TCP_ESTABLISHED so that we can register them -to BPF SOCKMAP. - -When the socket disconnects from the peer by connect(AF_UNSPEC), the state -is set back to TCP_CLOSE. - -Then, the peer's state is also set to TCP_CLOSE, but the update is done -locklessly and unconditionally. - -Let's say socket A connect()ed to B, B connect()ed to C, and A disconnects -from B. - -After the first two connect()s, all three sockets' sk->sk_state are -TCP_ESTABLISHED: - - $ ss -xa - Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess - u_dgr ESTAB 0 0 @A 641 * 642 - u_dgr ESTAB 0 0 @B 642 * 643 - u_dgr ESTAB 0 0 @C 643 * 0 - -And after the disconnect, B's state is TCP_CLOSE even though it's still -connected to C and C's state is TCP_ESTABLISHED. - - $ ss -xa - Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess - u_dgr UNCONN 0 0 @A 641 * 0 - u_dgr UNCONN 0 0 @B 642 * 643 - u_dgr ESTAB 0 0 @C 643 * 0 - -In this case, we cannot register B to SOCKMAP. - -So, when a socket disconnects from the peer, we should not set TCP_CLOSE to -the peer if the peer is connected to yet another socket, and this must be -done under unix_state_lock(). - -Note that we use WRITE_ONCE() for sk->sk_state as there are many lockless -readers. These data-races will be fixed in the following patches. - -Fixes: 83301b5367a9 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 80f91b5ab4012..914e40697f00a 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -495,7 +495,6 @@ static void unix_dgram_disconnected(struct sock *sk, struct sock *other) - sk_error_report(other); - } - } -- other->sk_state = TCP_CLOSE; - } - - static void unix_sock_destructor(struct sock *sk) -@@ -1277,8 +1276,15 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - - unix_state_double_unlock(sk, other); - -- if (other != old_peer) -+ if (other != old_peer) { - unix_dgram_disconnected(sk, old_peer); -+ -+ unix_state_lock(old_peer); -+ if (!unix_peer(old_peer)) -+ WRITE_ONCE(old_peer->sk_state, TCP_CLOSE); -+ unix_state_unlock(old_peer); -+ } -+ - sock_put(old_peer); - } else { - unix_peer(sk) = other; --- -2.43.0 - diff --git a/queue-5.15/af_unix-use-offsetof-instead-of-sizeof.patch b/queue-5.15/af_unix-use-offsetof-instead-of-sizeof.patch deleted file mode 100644 index 5f4b03f3ab0..00000000000 --- a/queue-5.15/af_unix-use-offsetof-instead-of-sizeof.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 9f19d9848e020c6dd48d37bfff3428f2376e72dc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 24 Nov 2021 11:14:19 +0900 -Subject: af_unix: Use offsetof() instead of sizeof(). - -From: Kuniyuki Iwashima - -[ Upstream commit 755662ce78d14c1a9118df921c528b1f992ded2e ] - -The length of the AF_UNIX socket address contains an offset to the member -sun_path of struct sockaddr_un. - -Currently, the preceding member is just sun_family, and its type is -sa_family_t and resolved to short. Therefore, the offset is represented by -sizeof(short). However, it is not clear and fragile to changes in struct -sockaddr_storage or sockaddr_un. - -This commit makes it clear and robust by rewriting sizeof() with -offsetof(). - -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Jakub Kicinski -Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 19 ++++++++++++------- - net/unix/diag.c | 3 ++- - 2 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 262aeaea9861c..7d58067ffd3f8 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -231,7 +231,8 @@ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp - { - *hashp = 0; - -- if (len <= sizeof(short) || len > sizeof(*sunaddr)) -+ if (len <= offsetof(struct sockaddr_un, sun_path) || -+ len > sizeof(*sunaddr)) - return -EINVAL; - if (!sunaddr || sunaddr->sun_family != AF_UNIX) - return -EINVAL; -@@ -244,7 +245,8 @@ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp - * kernel address buffer. - */ - ((char *)sunaddr)[len] = 0; -- len = strlen(sunaddr->sun_path)+1+sizeof(short); -+ len = strlen(sunaddr->sun_path) + -+ offsetof(struct sockaddr_un, sun_path) + 1; - return len; - } - -@@ -967,7 +969,8 @@ static int unix_autobind(struct socket *sock) - goto out; - - err = -ENOMEM; -- addr = kzalloc(sizeof(*addr) + sizeof(short) + 16, GFP_KERNEL); -+ addr = kzalloc(sizeof(*addr) + -+ offsetof(struct sockaddr_un, sun_path) + 16, GFP_KERNEL); - if (!addr) - goto out; - -@@ -975,7 +978,8 @@ static int unix_autobind(struct socket *sock) - refcount_set(&addr->refcnt, 1); - - retry: -- addr->len = sprintf(addr->name->sun_path+1, "%05x", ordernum) + 1 + sizeof(short); -+ addr->len = sprintf(addr->name->sun_path + 1, "%05x", ordernum) + -+ offsetof(struct sockaddr_un, sun_path) + 1; - addr->hash = unix_hash_fold(csum_partial(addr->name, addr->len, 0)); - addr->hash ^= sk->sk_type; - -@@ -1157,7 +1161,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - sunaddr->sun_family != AF_UNIX) - return -EINVAL; - -- if (addr_len == sizeof(short)) -+ if (addr_len == offsetof(struct sockaddr_un, sun_path)) - return unix_autobind(sock); - - err = unix_mkname(sunaddr, addr_len, &hash); -@@ -1607,7 +1611,7 @@ static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int peer) - if (!addr) { - sunaddr->sun_family = AF_UNIX; - sunaddr->sun_path[0] = 0; -- err = sizeof(short); -+ err = offsetof(struct sockaddr_un, sun_path); - } else { - err = addr->len; - memcpy(sunaddr, addr->name, addr->len); -@@ -3271,7 +3275,8 @@ static int unix_seq_show(struct seq_file *seq, void *v) - seq_putc(seq, ' '); - - i = 0; -- len = u->addr->len - sizeof(short); -+ len = u->addr->len - -+ offsetof(struct sockaddr_un, sun_path); - if (!UNIX_ABSTRACT(s)) - len--; - else { -diff --git a/net/unix/diag.c b/net/unix/diag.c -index daef19932f780..006438e2e07a2 100644 ---- a/net/unix/diag.c -+++ b/net/unix/diag.c -@@ -19,7 +19,8 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) - if (!addr) - return 0; - -- return nla_put(nlskb, UNIX_DIAG_NAME, addr->len - sizeof(short), -+ return nla_put(nlskb, UNIX_DIAG_NAME, -+ addr->len - offsetof(struct sockaddr_un, sun_path), - addr->name->sun_path); - } - --- -2.43.0 - diff --git a/queue-5.15/af_unix-use-skb_queue_empty_lockless-in-unix_release.patch b/queue-5.15/af_unix-use-skb_queue_empty_lockless-in-unix_release.patch deleted file mode 100644 index 6be1803b8e5..00000000000 --- a/queue-5.15/af_unix-use-skb_queue_empty_lockless-in-unix_release.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 0d596d22aae72b7ca666d21a079b8f63449f0407 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:39 -0700 -Subject: af_unix: Use skb_queue_empty_lockless() in unix_release_sock(). - -From: Kuniyuki Iwashima - -[ Upstream commit 83690b82d228b3570565ebd0b41873933238b97f ] - -If the socket type is SOCK_STREAM or SOCK_SEQPACKET, unix_release_sock() -checks the length of the peer socket's recvq under unix_state_lock(). - -However, unix_stream_read_generic() calls skb_unlink() after releasing -the lock. Also, for SOCK_SEQPACKET, __skb_try_recv_datagram() unlinks -skb without unix_state_lock(). - -Thues, unix_state_lock() does not protect qlen. - -Let's use skb_queue_empty_lockless() in unix_release_sock(). - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 85b1c0d7c287a..12099b06d7e88 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -570,7 +570,7 @@ static void unix_release_sock(struct sock *sk, int embrion) - unix_state_lock(skpair); - /* No more writes */ - WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK); -- if (!skb_queue_empty(&sk->sk_receive_queue) || embrion) -+ if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || embrion) - WRITE_ONCE(skpair->sk_err, ECONNRESET); - unix_state_unlock(skpair); - skpair->sk_state_change(skpair); --- -2.43.0 - diff --git a/queue-5.15/af_unix-use-skb_queue_len_lockless-in-sk_diag_show_r.patch b/queue-5.15/af_unix-use-skb_queue_len_lockless-in-sk_diag_show_r.patch deleted file mode 100644 index 5a7e0e1672c..00000000000 --- a/queue-5.15/af_unix-use-skb_queue_len_lockless-in-sk_diag_show_r.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 27be04be4ebc9fca755aeeec004c4367ae4dc3eb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:40 -0700 -Subject: af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). - -From: Kuniyuki Iwashima - -[ Upstream commit 5d915e584d8408211d4567c22685aae8820bfc55 ] - -We can dump the socket queue length via UNIX_DIAG by specifying -UDIAG_SHOW_RQLEN. - -If sk->sk_state is TCP_LISTEN, we return the recv queue length, -but here we do not hold recvq lock. - -Let's use skb_queue_len_lockless() in sk_diag_show_rqlen(). - -Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/diag.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/unix/diag.c b/net/unix/diag.c -index 94c8f509261d0..63a0040e9fb45 100644 ---- a/net/unix/diag.c -+++ b/net/unix/diag.c -@@ -104,7 +104,7 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb) - struct unix_diag_rqlen rql; - - if (READ_ONCE(sk->sk_state) == TCP_LISTEN) { -- rql.udiag_rqueue = sk->sk_receive_queue.qlen; -+ rql.udiag_rqueue = skb_queue_len_lockless(&sk->sk_receive_queue); - rql.udiag_wqueue = sk->sk_max_ack_backlog; - } else { - rql.udiag_rqueue = (u32) unix_inq_len(sk); --- -2.43.0 - diff --git a/queue-5.15/af_unix-use-unix_recvq_full_lockless-in-unix_stream_.patch b/queue-5.15/af_unix-use-unix_recvq_full_lockless-in-unix_stream_.patch deleted file mode 100644 index 4fe7349b324..00000000000 --- a/queue-5.15/af_unix-use-unix_recvq_full_lockless-in-unix_stream_.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 17eb75b26b34dcf7b81ff17b71e88f908abe9198 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 09:52:38 -0700 -Subject: af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). - -From: Kuniyuki Iwashima - -[ Upstream commit 45d872f0e65593176d880ec148f41ad7c02e40a7 ] - -Once sk->sk_state is changed to TCP_LISTEN, it never changes. - -unix_accept() takes advantage of this characteristics; it does not -hold the listener's unix_state_lock() and only acquires recvq lock -to pop one skb. - -It means unix_state_lock() does not prevent the queue length from -changing in unix_stream_connect(). - -Thus, we need to use unix_recvq_full_lockless() to avoid data-race. - -Now we remove unix_recvq_full() as no one uses it. - -Note that we can remove READ_ONCE() for sk->sk_max_ack_backlog in -unix_recvq_full_lockless() because of the following reasons: - - (1) For SOCK_DGRAM, it is a written-once field in unix_create1() - - (2) For SOCK_STREAM and SOCK_SEQPACKET, it is changed under the - listener's unix_state_lock() in unix_listen(), and we hold - the lock in unix_stream_connect() - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/unix/af_unix.c | 10 ++-------- - 1 file changed, 2 insertions(+), 8 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 5c4318f64d253..3fa86d70467c2 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -190,15 +190,9 @@ static inline int unix_may_send(struct sock *sk, struct sock *osk) - return unix_peer(osk) == NULL || unix_our_peer(sk, osk); - } - --static inline int unix_recvq_full(const struct sock *sk) --{ -- return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog; --} -- - static inline int unix_recvq_full_lockless(const struct sock *sk) - { -- return skb_queue_len_lockless(&sk->sk_receive_queue) > -- READ_ONCE(sk->sk_max_ack_backlog); -+ return skb_queue_len_lockless(&sk->sk_receive_queue) > sk->sk_max_ack_backlog; - } - - struct sock *unix_peer_get(struct sock *s) -@@ -1429,7 +1423,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, - if (other->sk_shutdown & RCV_SHUTDOWN) - goto out_unlock; - -- if (unix_recvq_full(other)) { -+ if (unix_recvq_full_lockless(other)) { - err = -EAGAIN; - if (!timeo) - goto out_unlock; --- -2.43.0 - diff --git a/queue-5.15/bluetooth-btqca-add-wcn3988-support.patch b/queue-5.15/bluetooth-btqca-add-wcn3988-support.patch deleted file mode 100644 index d989cb56c9f..00000000000 --- a/queue-5.15/bluetooth-btqca-add-wcn3988-support.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 98c19c5237cadc9efec6b16923140e860e0ce0dd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 2 Aug 2023 08:56:29 +0200 -Subject: Bluetooth: btqca: Add WCN3988 support - -From: Luca Weiss - -[ Upstream commit f904feefe60c28b6852d5625adc4a2c39426a2d9 ] - -Add support for the Bluetooth chip codenamed APACHE which is part of -WCN3988. - -The firmware for this chip has a slightly different naming scheme -compared to most others. For ROM Version 0x0200 we need to use -apbtfw10.tlv + apnv10.bin and for ROM version 0x201 apbtfw11.tlv + -apnv11.bin - -Signed-off-by: Luca Weiss -Signed-off-by: Luiz Augusto von Dentz -Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") -Signed-off-by: Sasha Levin ---- - drivers/bluetooth/btqca.c | 13 +++++++++++-- - drivers/bluetooth/btqca.h | 12 ++++++++++-- - drivers/bluetooth/hci_qca.c | 12 ++++++++++++ - 3 files changed, 33 insertions(+), 4 deletions(-) - -diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c -index b850b5de9f862..6ae806b9e77f2 100644 ---- a/drivers/bluetooth/btqca.c -+++ b/drivers/bluetooth/btqca.c -@@ -595,11 +595,17 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - /* Firmware files to download are based on ROM version. - * ROM version is derived from last two bytes of soc_ver. - */ -- rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); -+ if (soc_type == QCA_WCN3988) -+ rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f); -+ else -+ rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); - - /* Download rampatch file */ - config.type = TLV_TYPE_PATCH; -- if (qca_is_wcn399x(soc_type)) { -+ if (soc_type == QCA_WCN3988) { -+ snprintf(config.fwname, sizeof(config.fwname), -+ "qca/apbtfw%02x.tlv", rom_ver); -+ } else if (qca_is_wcn399x(soc_type)) { - snprintf(config.fwname, sizeof(config.fwname), - "qca/crbtfw%02x.tlv", rom_ver); - } else if (soc_type == QCA_QCA6390) { -@@ -634,6 +640,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - if (firmware_name) - snprintf(config.fwname, sizeof(config.fwname), - "qca/%s", firmware_name); -+ else if (soc_type == QCA_WCN3988) -+ snprintf(config.fwname, sizeof(config.fwname), -+ "qca/apnv%02x.bin", rom_ver); - else if (qca_is_wcn399x(soc_type)) { - if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { - snprintf(config.fwname, sizeof(config.fwname), -diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h -index b83bf202ea604..104bb12c88adf 100644 ---- a/drivers/bluetooth/btqca.h -+++ b/drivers/bluetooth/btqca.h -@@ -140,6 +140,7 @@ enum qca_btsoc_type { - QCA_INVALID = -1, - QCA_AR3002, - QCA_ROME, -+ QCA_WCN3988, - QCA_WCN3990, - QCA_WCN3998, - QCA_WCN3991, -@@ -160,8 +161,15 @@ int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr); - int qca_send_pre_shutdown_cmd(struct hci_dev *hdev); - static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type) - { -- return soc_type == QCA_WCN3990 || soc_type == QCA_WCN3991 || -- soc_type == QCA_WCN3998; -+ switch (soc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ return true; -+ default: -+ return false; -+ } - } - static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type) - { -diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c -index 1c2bd292ecb7c..3e67e07161969 100644 ---- a/drivers/bluetooth/hci_qca.c -+++ b/drivers/bluetooth/hci_qca.c -@@ -1834,6 +1834,17 @@ static const struct hci_uart_proto qca_proto = { - .dequeue = qca_dequeue, - }; - -+static const struct qca_device_data qca_soc_data_wcn3988 __maybe_unused = { -+ .soc_type = QCA_WCN3988, -+ .vregs = (struct qca_vreg []) { -+ { "vddio", 15000 }, -+ { "vddxo", 80000 }, -+ { "vddrf", 300000 }, -+ { "vddch0", 450000 }, -+ }, -+ .num_vregs = 4, -+}; -+ - static const struct qca_device_data qca_soc_data_wcn3990 __maybe_unused = { - .soc_type = QCA_WCN3990, - .vregs = (struct qca_vreg []) { -@@ -2359,6 +2370,7 @@ static const struct of_device_id qca_bluetooth_of_match[] = { - { .compatible = "qcom,qca6174-bt" }, - { .compatible = "qcom,qca6390-bt", .data = &qca_soc_data_qca6390}, - { .compatible = "qcom,qca9377-bt" }, -+ { .compatible = "qcom,wcn3988-bt", .data = &qca_soc_data_wcn3988}, - { .compatible = "qcom,wcn3990-bt", .data = &qca_soc_data_wcn3990}, - { .compatible = "qcom,wcn3991-bt", .data = &qca_soc_data_wcn3991}, - { .compatible = "qcom,wcn3998-bt", .data = &qca_soc_data_wcn3998}, --- -2.43.0 - diff --git a/queue-5.15/bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch b/queue-5.15/bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch deleted file mode 100644 index 1885635e8a0..00000000000 --- a/queue-5.15/bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 3323f172de3ed2953633009e6517363a8d748667 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 19 May 2023 18:43:23 +0800 -Subject: Bluetooth: btqca: use le32_to_cpu for ver.soc_id - -From: Min-Hua Chen - -[ Upstream commit 8153b738bc547878a017889d2b1cf8dd2de0e0c6 ] - -Use le32_to_cpu for ver.soc_id to fix the following -sparse warning. - -drivers/bluetooth/btqca.c:640:24: sparse: warning: restricted -__le32 degrades to integer - -Signed-off-by: Min-Hua Chen -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Jakub Kicinski -Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") -Signed-off-by: Sasha Levin ---- - drivers/bluetooth/btqca.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c -index d4ae33a5f805e..b850b5de9f862 100644 ---- a/drivers/bluetooth/btqca.c -+++ b/drivers/bluetooth/btqca.c -@@ -635,7 +635,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - snprintf(config.fwname, sizeof(config.fwname), - "qca/%s", firmware_name); - else if (qca_is_wcn399x(soc_type)) { -- if (ver.soc_id == QCA_WCN3991_SOC_ID) { -+ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { - snprintf(config.fwname, sizeof(config.fwname), - "qca/crnv%02xu.bin", rom_ver); - } else { --- -2.43.0 - diff --git a/queue-5.15/bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch b/queue-5.15/bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch deleted file mode 100644 index 089497e2da6..00000000000 --- a/queue-5.15/bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 391192635689b4cde600c4d5be334134929a0e79 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 11 Mar 2023 12:13:53 +0100 -Subject: Bluetooth: hci_qca: mark OF related data as maybe unused -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Krzysztof Kozlowski - -[ Upstream commit 44fac8a2fd2f72ee98ee41e6bc9ecc7765b5d3cc ] - -The driver can be compile tested with !CONFIG_OF making certain data -unused: - - drivers/bluetooth/hci_qca.c:1869:37: error: ‘qca_soc_data_wcn6750’ - defined but not used [-Werror=unused-const-variable=] - drivers/bluetooth/hci_qca.c:1853:37: error: ‘qca_soc_data_wcn3998’ - defined but not used [-Werror=unused-const-variable=] - drivers/bluetooth/hci_qca.c:1841:37: error: ‘qca_soc_data_wcn3991’ - defined but not used [-Werror=unused-const-variable=] - drivers/bluetooth/hci_qca.c:1830:37: error: ‘qca_soc_data_wcn3990’ - defined but not used [-Werror=unused-const-variable=] - -Signed-off-by: Krzysztof Kozlowski -Signed-off-by: Luiz Augusto von Dentz -Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") -Signed-off-by: Sasha Levin ---- - drivers/bluetooth/hci_qca.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c -index fb71caa31daa7..1c2bd292ecb7c 100644 ---- a/drivers/bluetooth/hci_qca.c -+++ b/drivers/bluetooth/hci_qca.c -@@ -1834,7 +1834,7 @@ static const struct hci_uart_proto qca_proto = { - .dequeue = qca_dequeue, - }; - --static const struct qca_device_data qca_soc_data_wcn3990 = { -+static const struct qca_device_data qca_soc_data_wcn3990 __maybe_unused = { - .soc_type = QCA_WCN3990, - .vregs = (struct qca_vreg []) { - { "vddio", 15000 }, -@@ -1845,7 +1845,7 @@ static const struct qca_device_data qca_soc_data_wcn3990 = { - .num_vregs = 4, - }; - --static const struct qca_device_data qca_soc_data_wcn3991 = { -+static const struct qca_device_data qca_soc_data_wcn3991 __maybe_unused = { - .soc_type = QCA_WCN3991, - .vregs = (struct qca_vreg []) { - { "vddio", 15000 }, -@@ -1857,7 +1857,7 @@ static const struct qca_device_data qca_soc_data_wcn3991 = { - .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, - }; - --static const struct qca_device_data qca_soc_data_wcn3998 = { -+static const struct qca_device_data qca_soc_data_wcn3998 __maybe_unused = { - .soc_type = QCA_WCN3998, - .vregs = (struct qca_vreg []) { - { "vddio", 10000 }, -@@ -1868,13 +1868,13 @@ static const struct qca_device_data qca_soc_data_wcn3998 = { - .num_vregs = 4, - }; - --static const struct qca_device_data qca_soc_data_qca6390 = { -+static const struct qca_device_data qca_soc_data_qca6390 __maybe_unused = { - .soc_type = QCA_QCA6390, - .num_vregs = 0, - .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, - }; - --static const struct qca_device_data qca_soc_data_wcn6750 = { -+static const struct qca_device_data qca_soc_data_wcn6750 __maybe_unused = { - .soc_type = QCA_WCN6750, - .vregs = (struct qca_vreg []) { - { "vddio", 5000 }, --- -2.43.0 - diff --git a/queue-5.15/bluetooth-qca-add-support-for-qca2066.patch b/queue-5.15/bluetooth-qca-add-support-for-qca2066.patch deleted file mode 100644 index 15fef7f658c..00000000000 --- a/queue-5.15/bluetooth-qca-add-support-for-qca2066.patch +++ /dev/null @@ -1,224 +0,0 @@ -From 2bb103505fb2d3ef1afb539e814575d11df48336 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Sep 2023 17:39:57 +0800 -Subject: Bluetooth: qca: add support for QCA2066 - -From: Tim Jiang - -[ Upstream commit a7f8dedb4be2cc930a29af24427b885405ecd15d ] - -This patch adds support for QCA2066 firmware patch and NVM downloading. -as the RF performance of QCA2066 SOC chip from different foundries may -vary. Therefore we use different NVM to configure them based on board ID. - -Changes in v2 - - optimize the function qca_generate_hsp_nvm_name - - remove redundant debug code for function qca_read_fw_board_id - -Signed-off-by: Tim Jiang -Signed-off-by: Luiz Augusto von Dentz -Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") -Signed-off-by: Sasha Levin ---- - drivers/bluetooth/btqca.c | 68 +++++++++++++++++++++++++++++++++++++ - drivers/bluetooth/btqca.h | 5 ++- - drivers/bluetooth/hci_qca.c | 11 ++++++ - 3 files changed, 83 insertions(+), 1 deletion(-) - -diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c -index b14201b7bcd04..abd621d224667 100644 ---- a/drivers/bluetooth/btqca.c -+++ b/drivers/bluetooth/btqca.c -@@ -160,6 +160,44 @@ static int qca_send_reset(struct hci_dev *hdev) - return 0; - } - -+static int qca_read_fw_board_id(struct hci_dev *hdev, u16 *bid) -+{ -+ u8 cmd; -+ struct sk_buff *skb; -+ struct edl_event_hdr *edl; -+ int err = 0; -+ -+ cmd = EDL_GET_BID_REQ_CMD; -+ skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN, -+ &cmd, 0, HCI_INIT_TIMEOUT); -+ if (IS_ERR(skb)) { -+ err = PTR_ERR(skb); -+ bt_dev_err(hdev, "Reading QCA board ID failed (%d)", err); -+ return err; -+ } -+ -+ edl = skb_pull_data(skb, sizeof(*edl)); -+ if (!edl) { -+ bt_dev_err(hdev, "QCA read board ID with no header"); -+ err = -EILSEQ; -+ goto out; -+ } -+ -+ if (edl->cresp != EDL_CMD_REQ_RES_EVT || -+ edl->rtype != EDL_GET_BID_REQ_CMD) { -+ bt_dev_err(hdev, "QCA Wrong packet: %d %d", edl->cresp, edl->rtype); -+ err = -EIO; -+ goto out; -+ } -+ -+ *bid = (edl->data[1] << 8) + edl->data[2]; -+ bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid); -+ -+out: -+ kfree_skb(skb); -+ return err; -+} -+ - int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) - { - struct sk_buff *skb; -@@ -575,6 +613,23 @@ int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr) - } - EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome); - -+static void qca_generate_hsp_nvm_name(char *fwname, size_t max_size, -+ struct qca_btsoc_version ver, u8 rom_ver, u16 bid) -+{ -+ const char *variant; -+ -+ /* hsp gf chip */ -+ if ((le32_to_cpu(ver.soc_id) & QCA_HSP_GF_SOC_MASK) == QCA_HSP_GF_SOC_ID) -+ variant = "g"; -+ else -+ variant = ""; -+ -+ if (bid == 0x0) -+ snprintf(fwname, max_size, "qca/hpnv%02x%s.bin", rom_ver, variant); -+ else -+ snprintf(fwname, max_size, "qca/hpnv%02x%s.%x", rom_ver, variant, bid); -+} -+ - int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - enum qca_btsoc_type soc_type, struct qca_btsoc_version ver, - const char *firmware_name) -@@ -583,6 +638,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - int err; - u8 rom_ver = 0; - u32 soc_ver; -+ u16 boardid = 0; - - bt_dev_dbg(hdev, "QCA setup on UART"); - -@@ -613,6 +669,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - snprintf(config.fwname, sizeof(config.fwname), - "qca/apbtfw%02x.tlv", rom_ver); - break; -+ case QCA_QCA2066: -+ snprintf(config.fwname, sizeof(config.fwname), -+ "qca/hpbtfw%02x.tlv", rom_ver); -+ break; - case QCA_QCA6390: - snprintf(config.fwname, sizeof(config.fwname), - "qca/htbtfw%02x.tlv", rom_ver); -@@ -643,6 +703,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - /* Give the controller some time to get ready to receive the NVM */ - msleep(10); - -+ if (soc_type == QCA_QCA2066) -+ qca_read_fw_board_id(hdev, &boardid); -+ - /* Download NVM configuration */ - config.type = TLV_TYPE_NVM; - if (firmware_name) { -@@ -665,6 +728,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - snprintf(config.fwname, sizeof(config.fwname), - "qca/apnv%02x.bin", rom_ver); - break; -+ case QCA_QCA2066: -+ qca_generate_hsp_nvm_name(config.fwname, -+ sizeof(config.fwname), ver, rom_ver, boardid); -+ break; - case QCA_QCA6390: - snprintf(config.fwname, sizeof(config.fwname), - "qca/htnv%02x.bin", rom_ver); -@@ -692,6 +759,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - - switch (soc_type) { - case QCA_WCN3991: -+ case QCA_QCA2066: - case QCA_QCA6390: - case QCA_WCN6750: - case QCA_WCN6855: -diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h -index fa77c07daecf5..d69ecfdef2a20 100644 ---- a/drivers/bluetooth/btqca.h -+++ b/drivers/bluetooth/btqca.h -@@ -12,6 +12,7 @@ - #define EDL_PATCH_VER_REQ_CMD (0x19) - #define EDL_PATCH_TLV_REQ_CMD (0x1E) - #define EDL_GET_BUILD_INFO_CMD (0x20) -+#define EDL_GET_BID_REQ_CMD (0x23) - #define EDL_NVM_ACCESS_SET_REQ_CMD (0x01) - #define MAX_SIZE_PER_TLV_SEGMENT (243) - #define QCA_PRE_SHUTDOWN_CMD (0xFC08) -@@ -45,7 +46,8 @@ - ((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver))) - - #define QCA_FW_BUILD_VER_LEN 255 -- -+#define QCA_HSP_GF_SOC_ID 0x1200 -+#define QCA_HSP_GF_SOC_MASK 0x0000ff00 - - enum qca_baudrate { - QCA_BAUDRATE_115200 = 0, -@@ -144,6 +146,7 @@ enum qca_btsoc_type { - QCA_WCN3990, - QCA_WCN3998, - QCA_WCN3991, -+ QCA_QCA2066, - QCA_QCA6390, - QCA_WCN6750, - QCA_WCN6855, -diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c -index 62491e7610384..0800f6e62b7f0 100644 ---- a/drivers/bluetooth/hci_qca.c -+++ b/drivers/bluetooth/hci_qca.c -@@ -1801,6 +1801,10 @@ static int qca_setup(struct hci_uart *hu) - set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); - - switch (soc_type) { -+ case QCA_QCA2066: -+ soc_name = "qca2066"; -+ break; -+ - case QCA_WCN3988: - case QCA_WCN3990: - case QCA_WCN3991: -@@ -1981,6 +1985,11 @@ static const struct qca_device_data qca_soc_data_wcn3998 __maybe_unused = { - .num_vregs = 4, - }; - -+static const struct qca_device_data qca_soc_data_qca2066 __maybe_unused = { -+ .soc_type = QCA_QCA2066, -+ .num_vregs = 0, -+}; -+ - static const struct qca_device_data qca_soc_data_qca6390 __maybe_unused = { - .soc_type = QCA_QCA6390, - .num_vregs = 0, -@@ -2492,6 +2501,7 @@ static SIMPLE_DEV_PM_OPS(qca_pm_ops, qca_suspend, qca_resume); - - #ifdef CONFIG_OF - static const struct of_device_id qca_bluetooth_of_match[] = { -+ { .compatible = "qcom,qca2066-bt", .data = &qca_soc_data_qca2066}, - { .compatible = "qcom,qca6174-bt" }, - { .compatible = "qcom,qca6390-bt", .data = &qca_soc_data_qca6390}, - { .compatible = "qcom,qca9377-bt" }, -@@ -2508,6 +2518,7 @@ MODULE_DEVICE_TABLE(of, qca_bluetooth_of_match); - - #ifdef CONFIG_ACPI - static const struct acpi_device_id qca_bluetooth_acpi_match[] = { -+ { "QCOM2066", (kernel_ulong_t)&qca_soc_data_qca2066 }, - { "QCOM6390", (kernel_ulong_t)&qca_soc_data_qca6390 }, - { "DLA16390", (kernel_ulong_t)&qca_soc_data_qca6390 }, - { "DLB16390", (kernel_ulong_t)&qca_soc_data_qca6390 }, --- -2.43.0 - diff --git a/queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-fw-build-i.patch b/queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-fw-build-i.patch deleted file mode 100644 index 20d7bb1586a..00000000000 --- a/queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-fw-build-i.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 9a92c309f6ebee38d42f674015c7ad8270d8d690 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 1 May 2024 14:34:52 +0200 -Subject: Bluetooth: qca: fix info leak when fetching fw build id - -From: Johan Hovold - -[ Upstream commit cda0d6a198e2a7ec6f176c36173a57bdd8af7af2 ] - -Add the missing sanity checks and move the 255-byte build-id buffer off -the stack to avoid leaking stack data through debugfs in case the -build-info reply is malformed. - -Fixes: c0187b0bd3e9 ("Bluetooth: btqca: Add support to read FW build version for WCN3991 BTSoC") -Cc: stable@vger.kernel.org # 5.12 -Signed-off-by: Johan Hovold -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - drivers/bluetooth/btqca.c | 25 +++++++++++++++++++++---- - drivers/bluetooth/btqca.h | 1 - - 2 files changed, 21 insertions(+), 5 deletions(-) - -diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c -index abd621d224667..7011151420e48 100644 ---- a/drivers/bluetooth/btqca.c -+++ b/drivers/bluetooth/btqca.c -@@ -98,7 +98,8 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) - { - struct sk_buff *skb; - struct edl_event_hdr *edl; -- char cmd, build_label[QCA_FW_BUILD_VER_LEN]; -+ char *build_label; -+ char cmd; - int build_lbl_len, err = 0; - - bt_dev_dbg(hdev, "QCA read fw build info"); -@@ -113,6 +114,11 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) - return err; - } - -+ if (skb->len < sizeof(*edl)) { -+ err = -EILSEQ; -+ goto out; -+ } -+ - edl = (struct edl_event_hdr *)(skb->data); - if (!edl) { - bt_dev_err(hdev, "QCA read fw build info with no header"); -@@ -128,14 +134,25 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) - goto out; - } - -+ if (skb->len < sizeof(*edl) + 1) { -+ err = -EILSEQ; -+ goto out; -+ } -+ - build_lbl_len = edl->data[0]; -- if (build_lbl_len <= QCA_FW_BUILD_VER_LEN - 1) { -- memcpy(build_label, edl->data + 1, build_lbl_len); -- *(build_label + build_lbl_len) = '\0'; -+ -+ if (skb->len < sizeof(*edl) + 1 + build_lbl_len) { -+ err = -EILSEQ; -+ goto out; - } - -+ build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL); -+ if (!build_label) -+ goto out; -+ - hci_set_fw_info(hdev, "%s", build_label); - -+ kfree(build_label); - out: - kfree_skb(skb); - return err; -diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h -index d69ecfdef2a20..6a6a286bc8547 100644 ---- a/drivers/bluetooth/btqca.h -+++ b/drivers/bluetooth/btqca.h -@@ -45,7 +45,6 @@ - #define get_soc_ver(soc_id, rom_ver) \ - ((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver))) - --#define QCA_FW_BUILD_VER_LEN 255 - #define QCA_HSP_GF_SOC_ID 0x1200 - #define QCA_HSP_GF_SOC_MASK 0x0000ff00 - --- -2.43.0 - diff --git a/queue-5.15/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch b/queue-5.15/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch deleted file mode 100644 index 9888c79f466..00000000000 --- a/queue-5.15/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch +++ /dev/null @@ -1,616 +0,0 @@ -From ff36c600c800a4cbeb2ae58251e1465104807b29 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 16 Aug 2023 10:06:47 +0200 -Subject: Bluetooth: qca: use switch case for soc type behavior - -From: Neil Armstrong - -[ Upstream commit 691d54d0f7cb14baac1ff4af210d13c0e4897e27 ] - -Use switch/case to handle soc type specific behaviour, -the permit dropping the qca_is_xxx() inline functions -and make the code clearer and easier to update for new -SoCs. - -Suggested-by: Konrad Dybcio -Suggested-by: Luiz Augusto von Dentz -Signed-off-by: Neil Armstrong -Signed-off-by: Luiz Augusto von Dentz -Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") -Signed-off-by: Sasha Levin ---- - drivers/bluetooth/btqca.c | 87 +++++++++----- - drivers/bluetooth/btqca.h | 36 ------ - drivers/bluetooth/hci_qca.c | 233 +++++++++++++++++++++++++++--------- - 3 files changed, 236 insertions(+), 120 deletions(-) - -diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c -index 6ae806b9e77f2..b14201b7bcd04 100644 ---- a/drivers/bluetooth/btqca.c -+++ b/drivers/bluetooth/btqca.c -@@ -602,26 +602,34 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - - /* Download rampatch file */ - config.type = TLV_TYPE_PATCH; -- if (soc_type == QCA_WCN3988) { -- snprintf(config.fwname, sizeof(config.fwname), -- "qca/apbtfw%02x.tlv", rom_ver); -- } else if (qca_is_wcn399x(soc_type)) { -+ switch (soc_type) { -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: - snprintf(config.fwname, sizeof(config.fwname), - "qca/crbtfw%02x.tlv", rom_ver); -- } else if (soc_type == QCA_QCA6390) { -+ break; -+ case QCA_WCN3988: -+ snprintf(config.fwname, sizeof(config.fwname), -+ "qca/apbtfw%02x.tlv", rom_ver); -+ break; -+ case QCA_QCA6390: - snprintf(config.fwname, sizeof(config.fwname), - "qca/htbtfw%02x.tlv", rom_ver); -- } else if (soc_type == QCA_WCN6750) { -+ break; -+ case QCA_WCN6750: - /* Choose mbn file by default.If mbn file is not found - * then choose tlv file - */ - config.type = ELF_TYPE_PATCH; - snprintf(config.fwname, sizeof(config.fwname), - "qca/msbtfw%02x.mbn", rom_ver); -- } else if (soc_type == QCA_WCN6855) { -+ break; -+ case QCA_WCN6855: - snprintf(config.fwname, sizeof(config.fwname), - "qca/hpbtfw%02x.tlv", rom_ver); -- } else { -+ break; -+ default: - snprintf(config.fwname, sizeof(config.fwname), - "qca/rampatch_%08x.bin", soc_ver); - } -@@ -637,33 +645,44 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - - /* Download NVM configuration */ - config.type = TLV_TYPE_NVM; -- if (firmware_name) -+ if (firmware_name) { - snprintf(config.fwname, sizeof(config.fwname), - "qca/%s", firmware_name); -- else if (soc_type == QCA_WCN3988) -- snprintf(config.fwname, sizeof(config.fwname), -- "qca/apnv%02x.bin", rom_ver); -- else if (qca_is_wcn399x(soc_type)) { -- if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { -+ } else { -+ switch (soc_type) { -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { -+ snprintf(config.fwname, sizeof(config.fwname), -+ "qca/crnv%02xu.bin", rom_ver); -+ } else { -+ snprintf(config.fwname, sizeof(config.fwname), -+ "qca/crnv%02x.bin", rom_ver); -+ } -+ break; -+ case QCA_WCN3988: - snprintf(config.fwname, sizeof(config.fwname), -- "qca/crnv%02xu.bin", rom_ver); -- } else { -+ "qca/apnv%02x.bin", rom_ver); -+ break; -+ case QCA_QCA6390: -+ snprintf(config.fwname, sizeof(config.fwname), -+ "qca/htnv%02x.bin", rom_ver); -+ break; -+ case QCA_WCN6750: - snprintf(config.fwname, sizeof(config.fwname), -- "qca/crnv%02x.bin", rom_ver); -+ "qca/msnv%02x.bin", rom_ver); -+ break; -+ case QCA_WCN6855: -+ snprintf(config.fwname, sizeof(config.fwname), -+ "qca/hpnv%02x.bin", rom_ver); -+ break; -+ -+ default: -+ snprintf(config.fwname, sizeof(config.fwname), -+ "qca/nvm_%08x.bin", soc_ver); - } - } -- else if (soc_type == QCA_QCA6390) -- snprintf(config.fwname, sizeof(config.fwname), -- "qca/htnv%02x.bin", rom_ver); -- else if (soc_type == QCA_WCN6750) -- snprintf(config.fwname, sizeof(config.fwname), -- "qca/msnv%02x.bin", rom_ver); -- else if (soc_type == QCA_WCN6855) -- snprintf(config.fwname, sizeof(config.fwname), -- "qca/hpnv%02x.bin", rom_ver); -- else -- snprintf(config.fwname, sizeof(config.fwname), -- "qca/nvm_%08x.bin", soc_ver); - - err = qca_download_firmware(hdev, &config, soc_type, rom_ver); - if (err < 0) { -@@ -671,16 +690,24 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, - return err; - } - -- if (soc_type >= QCA_WCN3991) { -+ switch (soc_type) { -+ case QCA_WCN3991: -+ case QCA_QCA6390: -+ case QCA_WCN6750: -+ case QCA_WCN6855: - err = qca_disable_soc_logging(hdev); - if (err < 0) - return err; -+ break; -+ default: -+ break; - } - - /* WCN399x and WCN6750 supports the Microsoft vendor extension with 0xFD70 as the - * VsMsftOpCode. - */ - switch (soc_type) { -+ case QCA_WCN3988: - case QCA_WCN3990: - case QCA_WCN3991: - case QCA_WCN3998: -diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h -index 104bb12c88adf..fa77c07daecf5 100644 ---- a/drivers/bluetooth/btqca.h -+++ b/drivers/bluetooth/btqca.h -@@ -159,27 +159,6 @@ int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver, - enum qca_btsoc_type); - int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr); - int qca_send_pre_shutdown_cmd(struct hci_dev *hdev); --static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type) --{ -- switch (soc_type) { -- case QCA_WCN3988: -- case QCA_WCN3990: -- case QCA_WCN3991: -- case QCA_WCN3998: -- return true; -- default: -- return false; -- } --} --static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type) --{ -- return soc_type == QCA_WCN6750; --} --static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type) --{ -- return soc_type == QCA_WCN6855; --} -- - #else - - static inline int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr) -@@ -207,21 +186,6 @@ static inline int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) - return -EOPNOTSUPP; - } - --static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type) --{ -- return false; --} -- --static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type) --{ -- return false; --} -- --static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type) --{ -- return false; --} -- - static inline int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) - { - return -EOPNOTSUPP; -diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c -index 3e67e07161969..62491e7610384 100644 ---- a/drivers/bluetooth/hci_qca.c -+++ b/drivers/bluetooth/hci_qca.c -@@ -606,9 +606,18 @@ static int qca_open(struct hci_uart *hu) - if (hu->serdev) { - qcadev = serdev_device_get_drvdata(hu->serdev); - -- if (qca_is_wcn399x(qcadev->btsoc_type) || -- qca_is_wcn6750(qcadev->btsoc_type)) -+ switch (qcadev->btsoc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ case QCA_WCN6750: - hu->init_speed = qcadev->init_speed; -+ break; -+ -+ default: -+ break; -+ } - - if (qcadev->oper_speed) - hu->oper_speed = qcadev->oper_speed; -@@ -1314,12 +1323,19 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate) - msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS)); - - /* Give the controller time to process the request */ -- if (qca_is_wcn399x(qca_soc_type(hu)) || -- qca_is_wcn6750(qca_soc_type(hu)) || -- qca_is_wcn6855(qca_soc_type(hu))) -+ switch (qca_soc_type(hu)) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ case QCA_WCN6750: -+ case QCA_WCN6855: - usleep_range(1000, 10000); -- else -+ break; -+ -+ default: - msleep(300); -+ } - - return 0; - } -@@ -1392,13 +1408,19 @@ static unsigned int qca_get_speed(struct hci_uart *hu, - - static int qca_check_speeds(struct hci_uart *hu) - { -- if (qca_is_wcn399x(qca_soc_type(hu)) || -- qca_is_wcn6750(qca_soc_type(hu)) || -- qca_is_wcn6855(qca_soc_type(hu))) { -+ switch (qca_soc_type(hu)) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ case QCA_WCN6750: -+ case QCA_WCN6855: - if (!qca_get_speed(hu, QCA_INIT_SPEED) && - !qca_get_speed(hu, QCA_OPER_SPEED)) - return -EINVAL; -- } else { -+ break; -+ -+ default: - if (!qca_get_speed(hu, QCA_INIT_SPEED) || - !qca_get_speed(hu, QCA_OPER_SPEED)) - return -EINVAL; -@@ -1427,14 +1449,28 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) - /* Disable flow control for wcn3990 to deassert RTS while - * changing the baudrate of chip and host. - */ -- if (qca_is_wcn399x(soc_type) || -- qca_is_wcn6750(soc_type) || -- qca_is_wcn6855(soc_type)) -+ switch (soc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ case QCA_WCN6750: -+ case QCA_WCN6855: - hci_uart_set_flow_control(hu, true); -+ break; - -- if (soc_type == QCA_WCN3990) { -+ default: -+ break; -+ } -+ -+ switch (soc_type) { -+ case QCA_WCN3990: - reinit_completion(&qca->drop_ev_comp); - set_bit(QCA_DROP_VENDOR_EVENT, &qca->flags); -+ break; -+ -+ default: -+ break; - } - - qca_baudrate = qca_get_baudrate_value(speed); -@@ -1446,12 +1482,22 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) - host_set_baudrate(hu, speed); - - error: -- if (qca_is_wcn399x(soc_type) || -- qca_is_wcn6750(soc_type) || -- qca_is_wcn6855(soc_type)) -+ switch (soc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ case QCA_WCN6750: -+ case QCA_WCN6855: - hci_uart_set_flow_control(hu, false); -+ break; - -- if (soc_type == QCA_WCN3990) { -+ default: -+ break; -+ } -+ -+ switch (soc_type) { -+ case QCA_WCN3990: - /* Wait for the controller to send the vendor event - * for the baudrate change command. - */ -@@ -1463,6 +1509,10 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) - } - - clear_bit(QCA_DROP_VENDOR_EVENT, &qca->flags); -+ break; -+ -+ default: -+ break; - } - } - -@@ -1627,12 +1677,20 @@ static int qca_regulator_init(struct hci_uart *hu) - } - } - -- if (qca_is_wcn399x(soc_type)) { -+ switch (soc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: - /* Forcefully enable wcn399x to enter in to boot mode. */ - host_set_baudrate(hu, 2400); - ret = qca_send_power_pulse(hu, false); - if (ret) - return ret; -+ break; -+ -+ default: -+ break; - } - - /* For wcn6750 need to enable gpio bt_en */ -@@ -1649,10 +1707,18 @@ static int qca_regulator_init(struct hci_uart *hu) - - qca_set_speed(hu, QCA_INIT_SPEED); - -- if (qca_is_wcn399x(soc_type)) { -+ switch (soc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: - ret = qca_send_power_pulse(hu, true); - if (ret) - return ret; -+ break; -+ -+ default: -+ break; - } - - /* Now the device is in ready state to communicate with host. -@@ -1686,11 +1752,17 @@ static int qca_power_on(struct hci_dev *hdev) - if (!hu->serdev) - return 0; - -- if (qca_is_wcn399x(soc_type) || -- qca_is_wcn6750(soc_type) || -- qca_is_wcn6855(soc_type)) { -+ switch (soc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ case QCA_WCN6750: -+ case QCA_WCN6855: - ret = qca_regulator_init(hu); -- } else { -+ break; -+ -+ default: - qcadev = serdev_device_get_drvdata(hu->serdev); - if (qcadev->bt_en) { - gpiod_set_value_cansleep(qcadev->bt_en, 1); -@@ -1713,6 +1785,7 @@ static int qca_setup(struct hci_uart *hu) - const char *firmware_name = qca_get_firmware_name(hu); - int ret; - struct qca_btsoc_version ver; -+ const char *soc_name; - - ret = qca_check_speeds(hu); - if (ret) -@@ -1727,10 +1800,26 @@ static int qca_setup(struct hci_uart *hu) - */ - set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); - -- bt_dev_info(hdev, "setting up %s", -- qca_is_wcn399x(soc_type) ? "wcn399x" : -- (soc_type == QCA_WCN6750) ? "wcn6750" : -- (soc_type == QCA_WCN6855) ? "wcn6855" : "ROME/QCA6390"); -+ switch (soc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ soc_name = "wcn399x"; -+ break; -+ -+ case QCA_WCN6750: -+ soc_name = "wcn6750"; -+ break; -+ -+ case QCA_WCN6855: -+ soc_name = "wcn6855"; -+ break; -+ -+ default: -+ soc_name = "ROME/QCA6390"; -+ } -+ bt_dev_info(hdev, "setting up %s", soc_name); - - qca->memdump_state = QCA_MEMDUMP_IDLE; - -@@ -1741,15 +1830,21 @@ static int qca_setup(struct hci_uart *hu) - - clear_bit(QCA_SSR_TRIGGERED, &qca->flags); - -- if (qca_is_wcn399x(soc_type) || -- qca_is_wcn6750(soc_type) || -- qca_is_wcn6855(soc_type)) { -+ switch (soc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ case QCA_WCN6750: -+ case QCA_WCN6855: - set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); - - ret = qca_read_soc_version(hdev, &ver, soc_type); - if (ret) - goto out; -- } else { -+ break; -+ -+ default: - qca_set_speed(hu, QCA_INIT_SPEED); - } - -@@ -1763,9 +1858,16 @@ static int qca_setup(struct hci_uart *hu) - qca_baudrate = qca_get_baudrate_value(speed); - } - -- if (!(qca_is_wcn399x(soc_type) || -- qca_is_wcn6750(soc_type) || -- qca_is_wcn6855(soc_type))) { -+ switch (soc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ case QCA_WCN6750: -+ case QCA_WCN6855: -+ break; -+ -+ default: - /* Get QCA version information */ - ret = qca_read_soc_version(hdev, &ver, soc_type); - if (ret) -@@ -1941,11 +2043,18 @@ static void qca_power_shutdown(struct hci_uart *hu) - - qcadev = serdev_device_get_drvdata(hu->serdev); - -- if (qca_is_wcn399x(soc_type)) { -+ switch (soc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: - host_set_baudrate(hu, 2400); - qca_send_power_pulse(hu, false); - qca_regulator_disable(qcadev); -- } else if (soc_type == QCA_WCN6750 || soc_type == QCA_WCN6855) { -+ break; -+ -+ case QCA_WCN6750: -+ case QCA_WCN6855: - gpiod_set_value_cansleep(qcadev->bt_en, 0); - msleep(100); - qca_regulator_disable(qcadev); -@@ -1953,7 +2062,9 @@ static void qca_power_shutdown(struct hci_uart *hu) - sw_ctrl_state = gpiod_get_value_cansleep(qcadev->sw_ctrl); - bt_dev_dbg(hu->hdev, "SW_CTRL is %d", sw_ctrl_state); - } -- } else if (qcadev->bt_en) { -+ break; -+ -+ default: - gpiod_set_value_cansleep(qcadev->bt_en, 0); - } - -@@ -2078,11 +2189,18 @@ static int qca_serdev_probe(struct serdev_device *serdev) - if (!qcadev->oper_speed) - BT_DBG("UART will pick default operating speed"); - -- if (data && -- (qca_is_wcn399x(data->soc_type) || -- qca_is_wcn6750(data->soc_type) || -- qca_is_wcn6855(data->soc_type))) { -+ if (data) - qcadev->btsoc_type = data->soc_type; -+ else -+ qcadev->btsoc_type = QCA_ROME; -+ -+ switch (qcadev->btsoc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ case QCA_WCN6750: -+ case QCA_WCN6855: - qcadev->bt_power = devm_kzalloc(&serdev->dev, - sizeof(struct qca_power), - GFP_KERNEL); -@@ -2126,12 +2244,9 @@ static int qca_serdev_probe(struct serdev_device *serdev) - BT_ERR("wcn3990 serdev registration failed"); - return err; - } -- } else { -- if (data) -- qcadev->btsoc_type = data->soc_type; -- else -- qcadev->btsoc_type = QCA_ROME; -+ break; - -+ default: - qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable", - GPIOD_OUT_LOW); - if (IS_ERR(qcadev->bt_en)) { -@@ -2187,13 +2302,23 @@ static void qca_serdev_remove(struct serdev_device *serdev) - struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev); - struct qca_power *power = qcadev->bt_power; - -- if ((qca_is_wcn399x(qcadev->btsoc_type) || -- qca_is_wcn6750(qcadev->btsoc_type) || -- qca_is_wcn6855(qcadev->btsoc_type)) && -- power->vregs_on) -- qca_power_shutdown(&qcadev->serdev_hu); -- else if (qcadev->susclk) -- clk_disable_unprepare(qcadev->susclk); -+ switch (qcadev->btsoc_type) { -+ case QCA_WCN3988: -+ case QCA_WCN3990: -+ case QCA_WCN3991: -+ case QCA_WCN3998: -+ case QCA_WCN6750: -+ case QCA_WCN6855: -+ if (power->vregs_on) { -+ qca_power_shutdown(&qcadev->serdev_hu); -+ break; -+ } -+ fallthrough; -+ -+ default: -+ if (qcadev->susclk) -+ clk_disable_unprepare(qcadev->susclk); -+ } - - hci_uart_unregister_device(&qcadev->serdev_hu); - } --- -2.43.0 - diff --git a/queue-5.15/bpf-set-run-context-for-rawtp-test_run-callback.patch b/queue-5.15/bpf-set-run-context-for-rawtp-test_run-callback.patch deleted file mode 100644 index 6d42c063d5b..00000000000 --- a/queue-5.15/bpf-set-run-context-for-rawtp-test_run-callback.patch +++ /dev/null @@ -1,52 +0,0 @@ -From ee021c76a34f6d96be17d94e197d8b14a4d4b5d1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 17:00:24 +0200 -Subject: bpf: Set run context for rawtp test_run callback - -From: Jiri Olsa - -[ Upstream commit d0d1df8ba18abc57f28fb3bc053b2bf319367f2c ] - -syzbot reported crash when rawtp program executed through the -test_run interface calls bpf_get_attach_cookie helper or any -other helper that touches task->bpf_ctx pointer. - -Setting the run context (task->bpf_ctx pointer) for test_run -callback. - -Fixes: 7adfc6c9b315 ("bpf: Add bpf_get_attach_cookie() BPF helper to access bpf_cookie value") -Reported-by: syzbot+3ab78ff125b7979e45f9@syzkaller.appspotmail.com -Signed-off-by: Jiri Olsa -Signed-off-by: Andrii Nakryiko -Signed-off-by: Daniel Borkmann -Closes: https://syzkaller.appspot.com/bug?extid=3ab78ff125b7979e45f9 -Link: https://lore.kernel.org/bpf/20240604150024.359247-1-jolsa@kernel.org -Signed-off-by: Sasha Levin ---- - net/bpf/test_run.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c -index 11d254ce3581c..a0d75c33b5d6a 100644 ---- a/net/bpf/test_run.c -+++ b/net/bpf/test_run.c -@@ -326,10 +326,16 @@ static void - __bpf_prog_test_run_raw_tp(void *data) - { - struct bpf_raw_tp_test_run_info *info = data; -+ struct bpf_trace_run_ctx run_ctx = {}; -+ struct bpf_run_ctx *old_run_ctx; -+ -+ old_run_ctx = bpf_set_run_ctx(&run_ctx.run_ctx); - - rcu_read_lock(); - info->retval = bpf_prog_run(info->prog, info->ctx); - rcu_read_unlock(); -+ -+ bpf_reset_run_ctx(old_run_ctx); - } - - int bpf_prog_test_run_raw_tp(struct bpf_prog *prog, --- -2.43.0 - diff --git a/queue-5.15/btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch b/queue-5.15/btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch deleted file mode 100644 index 82a2c386ba0..00000000000 --- a/queue-5.15/btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch +++ /dev/null @@ -1,66 +0,0 @@ -From e889b0b319a8f077d83a493209c9a0ff93c16830 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 3 Jun 2024 12:49:08 +0100 -Subject: btrfs: fix leak of qgroup extent records after transaction abort - -From: Filipe Manana - -[ Upstream commit fb33eb2ef0d88e75564983ef057b44c5b7e4fded ] - -Qgroup extent records are created when delayed ref heads are created and -then released after accounting extents at btrfs_qgroup_account_extents(), -called during the transaction commit path. - -If a transaction is aborted we free the qgroup records by calling -btrfs_qgroup_destroy_extent_records() at btrfs_destroy_delayed_refs(), -unless we don't have delayed references. We are incorrectly assuming -that no delayed references means we don't have qgroup extents records. - -We can currently have no delayed references because we ran them all -during a transaction commit and the transaction was aborted after that -due to some error in the commit path. - -So fix this by ensuring we btrfs_qgroup_destroy_extent_records() at -btrfs_destroy_delayed_refs() even if we don't have any delayed references. - -Reported-by: syzbot+0fecc032fa134afd49df@syzkaller.appspotmail.com -Link: https://lore.kernel.org/linux-btrfs/0000000000004e7f980619f91835@google.com/ -Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort") -CC: stable@vger.kernel.org # 6.1+ -Reviewed-by: Josef Bacik -Reviewed-by: Qu Wenruo -Signed-off-by: Filipe Manana -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/disk-io.c | 10 +--------- - 1 file changed, 1 insertion(+), 9 deletions(-) - -diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index c1dfde886b1e3..092ebed754b0c 100644 ---- a/fs/btrfs/disk-io.c -+++ b/fs/btrfs/disk-io.c -@@ -4707,19 +4707,11 @@ static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans, - struct btrfs_fs_info *fs_info) - { - struct rb_node *node; -- struct btrfs_delayed_ref_root *delayed_refs; -+ struct btrfs_delayed_ref_root *delayed_refs = &trans->delayed_refs; - struct btrfs_delayed_ref_node *ref; - int ret = 0; - -- delayed_refs = &trans->delayed_refs; -- - spin_lock(&delayed_refs->lock); -- if (atomic_read(&delayed_refs->num_entries) == 0) { -- spin_unlock(&delayed_refs->lock); -- btrfs_debug(fs_info, "delayed_refs has NO entry"); -- return ret; -- } -- - while ((node = rb_first_cached(&delayed_refs->href_root)) != NULL) { - struct btrfs_delayed_ref_head *head; - struct rb_node *n; --- -2.43.0 - diff --git a/queue-5.15/cma-factor-out-minimum-alignment-requirement.patch b/queue-5.15/cma-factor-out-minimum-alignment-requirement.patch deleted file mode 100644 index 2184a2e2ddf..00000000000 --- a/queue-5.15/cma-factor-out-minimum-alignment-requirement.patch +++ /dev/null @@ -1,221 +0,0 @@ -From ad9e4137a36db6cf7391c2f51b2fe9cd6ab0911a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 22 Mar 2022 14:43:17 -0700 -Subject: cma: factor out minimum alignment requirement - -From: David Hildenbrand - -[ Upstream commit e16faf26780fc0c8dd693ea9ee8420a7706cb2f5 ] - -Patch series "mm: enforce pageblock_order < MAX_ORDER". - -Having pageblock_order >= MAX_ORDER seems to be able to happen in corner -cases and some parts of the kernel are not prepared for it. - -For example, Aneesh has shown [1] that such kernels can be compiled on -ppc64 with 64k base pages by setting FORCE_MAX_ZONEORDER=8, which will -run into a WARN_ON_ONCE(order >= MAX_ORDER) in comapction code right -during boot. - -We can get pageblock_order >= MAX_ORDER when the default hugetlb size is -bigger than the maximum allocation granularity of the buddy, in which -case we are no longer talking about huge pages but instead gigantic -pages. - -Having pageblock_order >= MAX_ORDER can only make alloc_contig_range() -of such gigantic pages more likely to succeed. - -Reliable use of gigantic pages either requires boot time allcoation or -CMA, no need to overcomplicate some places in the kernel to optimize for -corner cases that are broken in other areas of the kernel. - -This patch (of 2): - -Let's enforce pageblock_order < MAX_ORDER and simplify. - -Especially patch #1 can be regarded a cleanup before: - [PATCH v5 0/6] Use pageblock_order for cma and alloc_contig_range - alignment. [2] - -[1] https://lkml.kernel.org/r/87r189a2ks.fsf@linux.ibm.com -[2] https://lkml.kernel.org/r/20220211164135.1803616-1-zi.yan@sent.com - -Link: https://lkml.kernel.org/r/20220214174132.219303-2-david@redhat.com -Signed-off-by: David Hildenbrand -Reviewed-by: Zi Yan -Acked-by: Rob Herring -Cc: Aneesh Kumar K.V -Cc: Michael Ellerman -Cc: Benjamin Herrenschmidt -Cc: Paul Mackerras -Cc: Frank Rowand -Cc: Michael S. Tsirkin -Cc: Christoph Hellwig -Cc: Marek Szyprowski -Cc: Robin Murphy -Cc: Minchan Kim -Cc: Vlastimil Babka -Cc: John Garry via iommu - -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Stable-dep-of: b174f139bdc8 ("mm/cma: drop incorrect alignment check in cma_init_reserved_mem") -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/fadump-internal.h | 5 ----- - arch/powerpc/kernel/fadump.c | 2 +- - drivers/of/of_reserved_mem.c | 9 +++------ - include/linux/cma.h | 9 +++++++++ - kernel/dma/contiguous.c | 4 +--- - mm/cma.c | 20 +++++--------------- - 6 files changed, 19 insertions(+), 30 deletions(-) - -diff --git a/arch/powerpc/include/asm/fadump-internal.h b/arch/powerpc/include/asm/fadump-internal.h -index 8d61c8f3fec47..d06b2be645326 100644 ---- a/arch/powerpc/include/asm/fadump-internal.h -+++ b/arch/powerpc/include/asm/fadump-internal.h -@@ -19,11 +19,6 @@ - - #define memblock_num_regions(memblock_type) (memblock.memblock_type.cnt) - --/* Alignment per CMA requirement. */ --#define FADUMP_CMA_ALIGNMENT (PAGE_SIZE << \ -- max_t(unsigned long, MAX_ORDER - 1, \ -- pageblock_order)) -- - /* FAD commands */ - #define FADUMP_REGISTER 1 - #define FADUMP_UNREGISTER 2 -diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c -index d496dc5151aa1..35b142ad0e40e 100644 ---- a/arch/powerpc/kernel/fadump.c -+++ b/arch/powerpc/kernel/fadump.c -@@ -544,7 +544,7 @@ int __init fadump_reserve_mem(void) - if (!fw_dump.nocma) { - fw_dump.boot_memory_size = - ALIGN(fw_dump.boot_memory_size, -- FADUMP_CMA_ALIGNMENT); -+ CMA_MIN_ALIGNMENT_BYTES); - } - #endif - -diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c -index 9e949ddcb1464..6ec668ae2d6fa 100644 ---- a/drivers/of/of_reserved_mem.c -+++ b/drivers/of/of_reserved_mem.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - - #include "of_private.h" - -@@ -117,12 +118,8 @@ static int __init __reserved_mem_alloc_size(unsigned long node, - if (IS_ENABLED(CONFIG_CMA) - && of_flat_dt_is_compatible(node, "shared-dma-pool") - && of_get_flat_dt_prop(node, "reusable", NULL) -- && !nomap) { -- unsigned long order = -- max_t(unsigned long, MAX_ORDER - 1, pageblock_order); -- -- align = max(align, (phys_addr_t)PAGE_SIZE << order); -- } -+ && !nomap) -+ align = max_t(phys_addr_t, align, CMA_MIN_ALIGNMENT_BYTES); - - prop = of_get_flat_dt_prop(node, "alloc-ranges", &len); - if (prop) { -diff --git a/include/linux/cma.h b/include/linux/cma.h -index 53fd8c3cdbd04..1b302e204c09b 100644 ---- a/include/linux/cma.h -+++ b/include/linux/cma.h -@@ -20,6 +20,15 @@ - - #define CMA_MAX_NAME 64 - -+/* -+ * TODO: once the buddy -- especially pageblock merging and alloc_contig_range() -+ * -- can deal with only some pageblocks of a higher-order page being -+ * MIGRATE_CMA, we can use pageblock_nr_pages. -+ */ -+#define CMA_MIN_ALIGNMENT_PAGES max_t(phys_addr_t, MAX_ORDER_NR_PAGES, \ -+ pageblock_nr_pages) -+#define CMA_MIN_ALIGNMENT_BYTES (PAGE_SIZE * CMA_MIN_ALIGNMENT_PAGES) -+ - struct cma; - - extern unsigned long totalcma_pages; -diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c -index 3d63d91cba5cf..6ea80ae426228 100644 ---- a/kernel/dma/contiguous.c -+++ b/kernel/dma/contiguous.c -@@ -399,8 +399,6 @@ static const struct reserved_mem_ops rmem_cma_ops = { - - static int __init rmem_cma_setup(struct reserved_mem *rmem) - { -- phys_addr_t align = PAGE_SIZE << max(MAX_ORDER - 1, pageblock_order); -- phys_addr_t mask = align - 1; - unsigned long node = rmem->fdt_node; - bool default_cma = of_get_flat_dt_prop(node, "linux,cma-default", NULL); - struct cma *cma; -@@ -416,7 +414,7 @@ static int __init rmem_cma_setup(struct reserved_mem *rmem) - of_get_flat_dt_prop(node, "no-map", NULL)) - return -EINVAL; - -- if ((rmem->base & mask) || (rmem->size & mask)) { -+ if (!IS_ALIGNED(rmem->base | rmem->size, CMA_MIN_ALIGNMENT_BYTES)) { - pr_err("Reserved memory: incorrect alignment of CMA region\n"); - return -EINVAL; - } -diff --git a/mm/cma.c b/mm/cma.c -index 26967c70e9c73..5208aee4f45ad 100644 ---- a/mm/cma.c -+++ b/mm/cma.c -@@ -169,7 +169,6 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size, - struct cma **res_cma) - { - struct cma *cma; -- phys_addr_t alignment; - - /* Sanity checks */ - if (cma_area_count == ARRAY_SIZE(cma_areas)) { -@@ -180,15 +179,12 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size, - if (!size || !memblock_is_region_reserved(base, size)) - return -EINVAL; - -- /* ensure minimal alignment required by mm core */ -- alignment = PAGE_SIZE << -- max_t(unsigned long, MAX_ORDER - 1, pageblock_order); -- - /* alignment should be aligned with order_per_bit */ -- if (!IS_ALIGNED(alignment >> PAGE_SHIFT, 1 << order_per_bit)) -+ if (!IS_ALIGNED(CMA_MIN_ALIGNMENT_PAGES, 1 << order_per_bit)) - return -EINVAL; - -- if (ALIGN(base, alignment) != base || ALIGN(size, alignment) != size) -+ /* ensure minimal alignment required by mm core */ -+ if (!IS_ALIGNED(base | size, CMA_MIN_ALIGNMENT_BYTES)) - return -EINVAL; - - /* -@@ -263,14 +259,8 @@ int __init cma_declare_contiguous_nid(phys_addr_t base, - if (alignment && !is_power_of_2(alignment)) - return -EINVAL; - -- /* -- * Sanitise input arguments. -- * Pages both ends in CMA area could be merged into adjacent unmovable -- * migratetype page by page allocator's buddy algorithm. In the case, -- * you couldn't get a contiguous memory, which is not what we want. -- */ -- alignment = max(alignment, (phys_addr_t)PAGE_SIZE << -- max_t(unsigned long, MAX_ORDER - 1, pageblock_order)); -+ /* Sanitise input arguments. */ -+ alignment = max_t(phys_addr_t, alignment, CMA_MIN_ALIGNMENT_BYTES); - if (fixed && base & (alignment - 1)) { - ret = -EINVAL; - pr_err("Region at %pa must be aligned to %pa bytes\n", --- -2.43.0 - diff --git a/queue-5.15/drm-amd-display-clean-up-some-inconsistent-indenting.patch b/queue-5.15/drm-amd-display-clean-up-some-inconsistent-indenting.patch deleted file mode 100644 index 0d4a00f0c85..00000000000 --- a/queue-5.15/drm-amd-display-clean-up-some-inconsistent-indenting.patch +++ /dev/null @@ -1,190 +0,0 @@ -From aa5d2fb014aac47ef4182aca7ff801989be6f6a0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Jul 2022 15:25:55 +0800 -Subject: drm/amd/display: Clean up some inconsistent indenting -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Jiapeng Chong - -[ Upstream commit 1da2fcc435114ea5a65d7e15fc31b4d0ce11113c ] - -Eliminate the follow smatch warning: - -drivers/gpu/drm/amd/amdgpu/../display/dmub/src/dmub_srv.c:622 -dmub_srv_cmd_execute() warn: inconsistent indenting. - -Reported-by: Abaci Robot -Reviewed-by: Christian König -Signed-off-by: Jiapeng Chong -Signed-off-by: Alex Deucher -Stable-dep-of: 892b41b16f61 ("drm/amd/display: Fix incorrect DSC instance for MST") -Signed-off-by: Sasha Levin ---- - .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 72 +++++++++---------- - 1 file changed, 36 insertions(+), 36 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -index ed2f6802b0e20..fc0f6b0089ba0 100644 ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -@@ -1315,9 +1315,9 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx) { -@@ -1421,9 +1421,9 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx || !pipe_ctx->stream) -@@ -1506,9 +1506,9 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx) { -@@ -1610,9 +1610,9 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx || !pipe_ctx->stream) -@@ -1695,9 +1695,9 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx) { -@@ -1799,9 +1799,9 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx || !pipe_ctx->stream) -@@ -1880,9 +1880,9 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx) { -@@ -1981,9 +1981,9 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx || !pipe_ctx->stream) -@@ -2060,9 +2060,9 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx) { -@@ -2121,9 +2121,9 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx) { -@@ -2197,9 +2197,9 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx) { -@@ -2273,9 +2273,9 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -- break; -+ if (pipe_ctx && pipe_ctx->stream && -+ pipe_ctx->stream->link == aconnector->dc_link) -+ break; - } - - if (!pipe_ctx) { --- -2.43.0 - diff --git a/queue-5.15/drm-amd-display-drop-unnecessary-null-checks-in-debu.patch b/queue-5.15/drm-amd-display-drop-unnecessary-null-checks-in-debu.patch deleted file mode 100644 index 152f193afc9..00000000000 --- a/queue-5.15/drm-amd-display-drop-unnecessary-null-checks-in-debu.patch +++ /dev/null @@ -1,235 +0,0 @@ -From d0bfe387038bc7b99948146c0ed1e5dccf9c366d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 27 Dec 2022 20:04:15 +0300 -Subject: drm/amd/display: drop unnecessary NULL checks in debugfs - -From: Alexey Kodanev - -[ Upstream commit f8e12e770e8049917f82387033b3cf44bc43b915 ] - -pipe_ctx pointer cannot be NULL when getting the address of -an element of the pipe_ctx array. Moreover, the MAX_PIPES is -defined as 6, so pipe_ctx is not NULL after the loop either. - -Detected using the static analysis tool - Svace. - -Signed-off-by: Alexey Kodanev -Signed-off-by: Hamza Mahfooz -Signed-off-by: Alex Deucher -Stable-dep-of: 892b41b16f61 ("drm/amd/display: Fix incorrect DSC instance for MST") -Signed-off-by: Sasha Levin ---- - .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 72 +++++-------------- - 1 file changed, 16 insertions(+), 56 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -index fc0f6b0089ba0..939734eecf709 100644 ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -@@ -1315,16 +1315,11 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx) { -- kfree(rd_buf); -- return -ENXIO; -- } -- - dsc = pipe_ctx->stream_res.dsc; - if (dsc) - dsc->funcs->dsc_read_state(dsc, &dsc_state); -@@ -1421,12 +1416,12 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx || !pipe_ctx->stream) -+ if (!pipe_ctx->stream) - goto done; - - // Get CRTC state -@@ -1506,16 +1501,11 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx) { -- kfree(rd_buf); -- return -ENXIO; -- } -- - dsc = pipe_ctx->stream_res.dsc; - if (dsc) - dsc->funcs->dsc_read_state(dsc, &dsc_state); -@@ -1610,12 +1600,12 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx || !pipe_ctx->stream) -+ if (!pipe_ctx->stream) - goto done; - - // Safely get CRTC state -@@ -1695,16 +1685,11 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx) { -- kfree(rd_buf); -- return -ENXIO; -- } -- - dsc = pipe_ctx->stream_res.dsc; - if (dsc) - dsc->funcs->dsc_read_state(dsc, &dsc_state); -@@ -1799,12 +1784,12 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx || !pipe_ctx->stream) -+ if (!pipe_ctx->stream) - goto done; - - // Get CRTC state -@@ -1880,16 +1865,11 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx) { -- kfree(rd_buf); -- return -ENXIO; -- } -- - dsc = pipe_ctx->stream_res.dsc; - if (dsc) - dsc->funcs->dsc_read_state(dsc, &dsc_state); -@@ -1981,12 +1961,12 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx || !pipe_ctx->stream) -+ if (!pipe_ctx->stream) - goto done; - - // Get CRTC state -@@ -2060,16 +2040,11 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx) { -- kfree(rd_buf); -- return -ENXIO; -- } -- - dsc = pipe_ctx->stream_res.dsc; - if (dsc) - dsc->funcs->dsc_read_state(dsc, &dsc_state); -@@ -2121,16 +2096,11 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx) { -- kfree(rd_buf); -- return -ENXIO; -- } -- - dsc = pipe_ctx->stream_res.dsc; - if (dsc) - dsc->funcs->dsc_read_state(dsc, &dsc_state); -@@ -2197,16 +2167,11 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx) { -- kfree(rd_buf); -- return -ENXIO; -- } -- - dsc = pipe_ctx->stream_res.dsc; - if (dsc) - dsc->funcs->dsc_read_state(dsc, &dsc_state); -@@ -2273,16 +2238,11 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf, - - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; -- if (pipe_ctx && pipe_ctx->stream && -+ if (pipe_ctx->stream && - pipe_ctx->stream->link == aconnector->dc_link) - break; - } - -- if (!pipe_ctx) { -- kfree(rd_buf); -- return -ENXIO; -- } -- - dsc = pipe_ctx->stream_res.dsc; - if (dsc) - dsc->funcs->dsc_read_state(dsc, &dsc_state); --- -2.43.0 - diff --git a/queue-5.15/drm-amd-display-fix-incorrect-dsc-instance-for-mst.patch b/queue-5.15/drm-amd-display-fix-incorrect-dsc-instance-for-mst.patch deleted file mode 100644 index 4efd191482a..00000000000 --- a/queue-5.15/drm-amd-display-fix-incorrect-dsc-instance-for-mst.patch +++ /dev/null @@ -1,166 +0,0 @@ -From 961b1d2a069a0595b8b3afd8b7094469d9ca1308 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 13 Feb 2024 14:26:06 -0500 -Subject: drm/amd/display: Fix incorrect DSC instance for MST - -From: Hersen Wu - -[ Upstream commit 892b41b16f6163e6556545835abba668fcab4eea ] - -[Why] DSC debugfs, such as dp_dsc_clock_en_read, -use aconnector->dc_link to find pipe_ctx for display. -Displays connected to MST hub share the same dc_link. -DSC instance is from pipe_ctx. This causes incorrect -DSC instance for display connected to MST hub. - -[How] Add aconnector->sink check to find pipe_ctx. - -CC: stable@vger.kernel.org -Reviewed-by: Aurabindo Pillai -Signed-off-by: Hersen Wu -Tested-by: Daniel Wheeler -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 48 ++++++++++++++----- - 1 file changed, 36 insertions(+), 12 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -index 939734eecf709..8ccd43ec68829 100644 ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -@@ -1316,7 +1316,9 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -1417,7 +1419,9 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -1502,7 +1506,9 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -1601,7 +1607,9 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -1686,7 +1694,9 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -1785,7 +1795,9 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -1866,7 +1878,9 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -1962,7 +1976,9 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -2041,7 +2057,9 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -2097,7 +2115,9 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -2168,7 +2188,9 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - -@@ -2239,7 +2261,9 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf, - for (i = 0; i < MAX_PIPES; i++) { - pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; - if (pipe_ctx->stream && -- pipe_ctx->stream->link == aconnector->dc_link) -+ pipe_ctx->stream->link == aconnector->dc_link && -+ pipe_ctx->stream->sink && -+ pipe_ctx->stream->sink == aconnector->dc_sink) - break; - } - --- -2.43.0 - diff --git a/queue-5.15/drm-amd-display-handle-y-carry-over-in-vcp-x.y-calcu.patch b/queue-5.15/drm-amd-display-handle-y-carry-over-in-vcp-x.y-calcu.patch deleted file mode 100644 index 5d45444a8a2..00000000000 --- a/queue-5.15/drm-amd-display-handle-y-carry-over-in-vcp-x.y-calcu.patch +++ /dev/null @@ -1,44 +0,0 @@ -From ae2b75cf1443bc3a0d7f3bcbf705251d594ad09c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 16 Sep 2021 19:55:39 -0400 -Subject: drm/amd/display: Handle Y carry-over in VCP X.Y calculation - -From: George Shen - -[ Upstream commit 3626a6aebe62ce7067cdc460c0c644e9445386bb ] - -[Why/How] -Theoretically rare corner case where ceil(Y) results in rounding -up to an integer. If this happens, the 1 should be carried over to -the X value. - -Reviewed-by: Wenjing Liu -Acked-by: Anson Jacob -Signed-off-by: George Shen -Tested-by: Daniel Wheeler -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c -index cf364ae931386..d0799c426a84d 100644 ---- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c -+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c -@@ -644,6 +644,12 @@ void enc1_stream_encoder_set_throttled_vcp_size( - x), - 26)); - -+ // If y rounds up to integer, carry it over to x. -+ if (y >> 26) { -+ x += 1; -+ y = 0; -+ } -+ - REG_SET_2(DP_MSE_RATE_CNTL, 0, - DP_MSE_RATE_X, x, - DP_MSE_RATE_Y, y); --- -2.43.0 - diff --git a/queue-5.15/ftrace-fix-possible-use-after-free-issue-in-ftrace_l.patch b/queue-5.15/ftrace-fix-possible-use-after-free-issue-in-ftrace_l.patch deleted file mode 100644 index 7e42bcb67a8..00000000000 --- a/queue-5.15/ftrace-fix-possible-use-after-free-issue-in-ftrace_l.patch +++ /dev/null @@ -1,175 +0,0 @@ -From e8887fbea9da99ad55188ba9a0829f88c1d44ef0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 10 May 2024 03:28:59 +0800 -Subject: ftrace: Fix possible use-after-free issue in ftrace_location() - -From: Zheng Yejian - -[ Upstream commit e60b613df8b6253def41215402f72986fee3fc8d ] - -KASAN reports a bug: - - BUG: KASAN: use-after-free in ftrace_location+0x90/0x120 - Read of size 8 at addr ffff888141d40010 by task insmod/424 - CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+ - [...] - Call Trace: - - dump_stack_lvl+0x68/0xa0 - print_report+0xcf/0x610 - kasan_report+0xb5/0xe0 - ftrace_location+0x90/0x120 - register_kprobe+0x14b/0xa40 - kprobe_init+0x2d/0xff0 [kprobe_example] - do_one_initcall+0x8f/0x2d0 - do_init_module+0x13a/0x3c0 - load_module+0x3082/0x33d0 - init_module_from_file+0xd2/0x130 - __x64_sys_finit_module+0x306/0x440 - do_syscall_64+0x68/0x140 - entry_SYSCALL_64_after_hwframe+0x71/0x79 - -The root cause is that, in lookup_rec(), ftrace record of some address -is being searched in ftrace pages of some module, but those ftrace pages -at the same time is being freed in ftrace_release_mod() as the -corresponding module is being deleted: - - CPU1 | CPU2 - register_kprobes() { | delete_module() { - check_kprobe_address_safe() { | - arch_check_ftrace_location() { | - ftrace_location() { | - lookup_rec() // USE! | ftrace_release_mod() // Free! - -To fix this issue: - 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range(); - 2. Use ftrace_location_range() instead of lookup_rec() in - ftrace_location(); - 3. Call synchronize_rcu() before freeing any ftrace pages both in - ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem(). - -Link: https://lore.kernel.org/linux-trace-kernel/20240509192859.1273558-1-zhengyejian1@huawei.com - -Cc: stable@vger.kernel.org -Cc: -Cc: -Cc: -Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization") -Suggested-by: Steven Rostedt -Signed-off-by: Zheng Yejian -Signed-off-by: Steven Rostedt (Google) -Signed-off-by: Sasha Levin ---- - kernel/trace/ftrace.c | 39 +++++++++++++++++++++++---------------- - 1 file changed, 23 insertions(+), 16 deletions(-) - -diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 3dce1a107a7c7..780f1c0563f58 100644 ---- a/kernel/trace/ftrace.c -+++ b/kernel/trace/ftrace.c -@@ -1566,12 +1566,15 @@ static struct dyn_ftrace *lookup_rec(unsigned long start, unsigned long end) - unsigned long ftrace_location_range(unsigned long start, unsigned long end) - { - struct dyn_ftrace *rec; -+ unsigned long ip = 0; - -+ rcu_read_lock(); - rec = lookup_rec(start, end); - if (rec) -- return rec->ip; -+ ip = rec->ip; -+ rcu_read_unlock(); - -- return 0; -+ return ip; - } - - /** -@@ -1584,25 +1587,22 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) - */ - unsigned long ftrace_location(unsigned long ip) - { -- struct dyn_ftrace *rec; -+ unsigned long loc; - unsigned long offset; - unsigned long size; - -- rec = lookup_rec(ip, ip); -- if (!rec) { -+ loc = ftrace_location_range(ip, ip); -+ if (!loc) { - if (!kallsyms_lookup_size_offset(ip, &size, &offset)) - goto out; - - /* map sym+0 to __fentry__ */ - if (!offset) -- rec = lookup_rec(ip, ip + size - 1); -+ loc = ftrace_location_range(ip, ip + size - 1); - } - -- if (rec) -- return rec->ip; -- - out: -- return 0; -+ return loc; - } - - /** -@@ -6325,6 +6325,8 @@ static int ftrace_process_locs(struct module *mod, - /* We should have used all pages unless we skipped some */ - if (pg_unuse) { - WARN_ON(!skipped); -+ /* Need to synchronize with ftrace_location_range() */ -+ synchronize_rcu(); - ftrace_free_pages(pg_unuse); - } - return ret; -@@ -6507,6 +6509,9 @@ void ftrace_release_mod(struct module *mod) - out_unlock: - mutex_unlock(&ftrace_lock); - -+ /* Need to synchronize with ftrace_location_range() */ -+ if (tmp_page) -+ synchronize_rcu(); - for (pg = tmp_page; pg; pg = tmp_page) { - - /* Needs to be called outside of ftrace_lock */ -@@ -6829,6 +6834,7 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) - unsigned long start = (unsigned long)(start_ptr); - unsigned long end = (unsigned long)(end_ptr); - struct ftrace_page **last_pg = &ftrace_pages_start; -+ struct ftrace_page *tmp_page = NULL; - struct ftrace_page *pg; - struct dyn_ftrace *rec; - struct dyn_ftrace key; -@@ -6872,12 +6878,8 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) - ftrace_update_tot_cnt--; - if (!pg->index) { - *last_pg = pg->next; -- if (pg->records) { -- free_pages((unsigned long)pg->records, pg->order); -- ftrace_number_of_pages -= 1 << pg->order; -- } -- ftrace_number_of_groups--; -- kfree(pg); -+ pg->next = tmp_page; -+ tmp_page = pg; - pg = container_of(last_pg, struct ftrace_page, next); - if (!(*last_pg)) - ftrace_pages = pg; -@@ -6894,6 +6896,11 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) - clear_func_from_hashes(func); - kfree(func); - } -+ /* Need to synchronize with ftrace_location_range() */ -+ if (tmp_page) { -+ synchronize_rcu(); -+ ftrace_free_pages(tmp_page); -+ } - } - - void __init ftrace_free_init_mem(void) --- -2.43.0 - diff --git a/queue-5.15/i2c-acpi-unbind-mux-adapters-before-delete.patch b/queue-5.15/i2c-acpi-unbind-mux-adapters-before-delete.patch deleted file mode 100644 index e6b26720fdf..00000000000 --- a/queue-5.15/i2c-acpi-unbind-mux-adapters-before-delete.patch +++ /dev/null @@ -1,158 +0,0 @@ -From d4c7d1bb33b84b3c22d3f68f53d01f37f26edcb7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 13 Mar 2024 11:16:32 +1300 -Subject: i2c: acpi: Unbind mux adapters before delete - -From: Hamish Martin - -[ Upstream commit 3f858bbf04dbac934ac279aaee05d49eb9910051 ] - -There is an issue with ACPI overlay table removal specifically related -to I2C multiplexers. - -Consider an ACPI SSDT Overlay that defines a PCA9548 I2C mux on an -existing I2C bus. When this table is loaded we see the creation of a -device for the overall PCA9548 chip and 8 further devices - one -i2c_adapter each for the mux channels. These are all bound to their -ACPI equivalents via an eventual invocation of acpi_bind_one(). - -When we unload the SSDT overlay we run into the problem. The ACPI -devices are deleted as normal via acpi_device_del_work_fn() and the -acpi_device_del_list. - -However, the following warning and stack trace is output as the -deletion does not go smoothly: -------------[ cut here ]------------ -kernfs: can not remove 'physical_node', no directory -WARNING: CPU: 1 PID: 11 at fs/kernfs/dir.c:1674 kernfs_remove_by_name_ns+0xb9/0xc0 -Modules linked in: -CPU: 1 PID: 11 Comm: kworker/u128:0 Not tainted 6.8.0-rc6+ #1 -Hardware name: congatec AG conga-B7E3/conga-B7E3, BIOS 5.13 05/16/2023 -Workqueue: kacpi_hotplug acpi_device_del_work_fn -RIP: 0010:kernfs_remove_by_name_ns+0xb9/0xc0 -Code: e4 00 48 89 ef e8 07 71 db ff 5b b8 fe ff ff ff 5d 41 5c 41 5d e9 a7 55 e4 00 0f 0b eb a6 48 c7 c7 f0 38 0d 9d e8 97 0a d5 ff <0f> 0b eb dc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 -RSP: 0018:ffff9f864008fb28 EFLAGS: 00010286 -RAX: 0000000000000000 RBX: ffff8ef90a8d4940 RCX: 0000000000000000 -RDX: ffff8f000e267d10 RSI: ffff8f000e25c780 RDI: ffff8f000e25c780 -RBP: ffff8ef9186f9870 R08: 0000000000013ffb R09: 00000000ffffbfff -R10: 00000000ffffbfff R11: ffff8f000e0a0000 R12: ffff9f864008fb50 -R13: ffff8ef90c93dd60 R14: ffff8ef9010d0958 R15: ffff8ef9186f98c8 -FS: 0000000000000000(0000) GS:ffff8f000e240000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 00007f48f5253a08 CR3: 00000003cb82e000 CR4: 00000000003506f0 -Call Trace: - - ? kernfs_remove_by_name_ns+0xb9/0xc0 - ? __warn+0x7c/0x130 - ? kernfs_remove_by_name_ns+0xb9/0xc0 - ? report_bug+0x171/0x1a0 - ? handle_bug+0x3c/0x70 - ? exc_invalid_op+0x17/0x70 - ? asm_exc_invalid_op+0x1a/0x20 - ? kernfs_remove_by_name_ns+0xb9/0xc0 - ? kernfs_remove_by_name_ns+0xb9/0xc0 - acpi_unbind_one+0x108/0x180 - device_del+0x18b/0x490 - ? srso_return_thunk+0x5/0x5f - ? srso_return_thunk+0x5/0x5f - device_unregister+0xd/0x30 - i2c_del_adapter.part.0+0x1bf/0x250 - i2c_mux_del_adapters+0xa1/0xe0 - i2c_device_remove+0x1e/0x80 - device_release_driver_internal+0x19a/0x200 - bus_remove_device+0xbf/0x100 - device_del+0x157/0x490 - ? __pfx_device_match_fwnode+0x10/0x10 - ? srso_return_thunk+0x5/0x5f - device_unregister+0xd/0x30 - i2c_acpi_notify+0x10f/0x140 - notifier_call_chain+0x58/0xd0 - blocking_notifier_call_chain+0x3a/0x60 - acpi_device_del_work_fn+0x85/0x1d0 - process_one_work+0x134/0x2f0 - worker_thread+0x2f0/0x410 - ? __pfx_worker_thread+0x10/0x10 - kthread+0xe3/0x110 - ? __pfx_kthread+0x10/0x10 - ret_from_fork+0x2f/0x50 - ? __pfx_kthread+0x10/0x10 - ret_from_fork_asm+0x1b/0x30 - ----[ end trace 0000000000000000 ]--- -... -repeated 7 more times, 1 for each channel of the mux -... - -The issue is that the binding of the ACPI devices to their peer I2C -adapters is not correctly cleaned up. Digging deeper into the issue we -see that the deletion order is such that the ACPI devices matching the -mux channel i2c adapters are deleted first during the SSDT overlay -removal. For each of the channels we see a call to i2c_acpi_notify() -with ACPI_RECONFIG_DEVICE_REMOVE but, because these devices are not -actually i2c_clients, nothing is done for them. - -Later on, after each of the mux channels has been dealt with, we come -to delete the i2c_client representing the PCA9548 device. This is the -call stack we see above, whereby the kernel cleans up the i2c_client -including destruction of the mux and its channel adapters. At this -point we do attempt to unbind from the ACPI peers but those peers no -longer exist and so we hit the kernfs errors. - -The fix is to augment i2c_acpi_notify() to handle i2c_adapters. But, -given that the life cycle of the adapters is linked to the i2c_client, -instead of deleting the i2c_adapters during the i2c_acpi_notify(), we -just trigger unbinding of the ACPI device from the adapter device, and -allow the clean up of the adapter to continue in the way it always has. - -Signed-off-by: Hamish Martin -Reviewed-by: Mika Westerberg -Reviewed-by: Andi Shyti -Fixes: 525e6fabeae2 ("i2c / ACPI: add support for ACPI reconfigure notifications") -Cc: # v4.8+ -Signed-off-by: Wolfram Sang -Signed-off-by: Sasha Levin ---- - drivers/i2c/i2c-core-acpi.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - -diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c -index 29a482abf1eed..6ce05441178a3 100644 ---- a/drivers/i2c/i2c-core-acpi.c -+++ b/drivers/i2c/i2c-core-acpi.c -@@ -424,6 +424,11 @@ static struct i2c_client *i2c_acpi_find_client_by_adev(struct acpi_device *adev) - return i2c_find_device_by_fwnode(acpi_fwnode_handle(adev)); - } - -+static struct i2c_adapter *i2c_acpi_find_adapter_by_adev(struct acpi_device *adev) -+{ -+ return i2c_find_adapter_by_fwnode(acpi_fwnode_handle(adev)); -+} -+ - static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value, - void *arg) - { -@@ -450,11 +455,17 @@ static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value, - break; - - client = i2c_acpi_find_client_by_adev(adev); -- if (!client) -- break; -+ if (client) { -+ i2c_unregister_device(client); -+ put_device(&client->dev); -+ } -+ -+ adapter = i2c_acpi_find_adapter_by_adev(adev); -+ if (adapter) { -+ acpi_unbind_one(&adapter->dev); -+ put_device(&adapter->dev); -+ } - -- i2c_unregister_device(client); -- put_device(&client->dev); - break; - } - --- -2.43.0 - diff --git a/queue-5.15/i2c-add-fwnode-apis.patch b/queue-5.15/i2c-add-fwnode-apis.patch deleted file mode 100644 index 8cad9ffddd5..00000000000 --- a/queue-5.15/i2c-add-fwnode-apis.patch +++ /dev/null @@ -1,290 +0,0 @@ -From 6b51c4fd816685f533c92a285f28dd79b97699c4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 11 Jan 2023 10:54:21 +0000 -Subject: i2c: add fwnode APIs - -From: Russell King (Oracle) - -[ Upstream commit 373c612d72461ddaea223592df31e62c934aae61 ] - -Add fwnode APIs for finding and getting I2C adapters, which will be -used by the SFP code. These are passed the fwnode corresponding to -the adapter, and return the I2C adapter. It is the responsibility of -the caller to find the appropriate fwnode. - -We keep the DT and ACPI interfaces, but where appropriate, recode them -to use the fwnode interfaces internally. - -Reviewed-by: Mika Westerberg -Signed-off-by: Russell King (Oracle) -Signed-off-by: Wolfram Sang -Stable-dep-of: 3f858bbf04db ("i2c: acpi: Unbind mux adapters before delete") -Signed-off-by: Sasha Levin ---- - drivers/i2c/i2c-core-acpi.c | 13 +---- - drivers/i2c/i2c-core-base.c | 98 +++++++++++++++++++++++++++++++++++++ - drivers/i2c/i2c-core-of.c | 66 ------------------------- - include/linux/i2c.h | 24 +++++++-- - 4 files changed, 120 insertions(+), 81 deletions(-) - -diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c -index 546cc935e035a..29a482abf1eed 100644 ---- a/drivers/i2c/i2c-core-acpi.c -+++ b/drivers/i2c/i2c-core-acpi.c -@@ -421,18 +421,7 @@ EXPORT_SYMBOL_GPL(i2c_acpi_find_adapter_by_handle); - - static struct i2c_client *i2c_acpi_find_client_by_adev(struct acpi_device *adev) - { -- struct device *dev; -- struct i2c_client *client; -- -- dev = bus_find_device_by_acpi_dev(&i2c_bus_type, adev); -- if (!dev) -- return NULL; -- -- client = i2c_verify_client(dev); -- if (!client) -- put_device(dev); -- -- return client; -+ return i2c_find_device_by_fwnode(acpi_fwnode_handle(adev)); - } - - static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value, -diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c -index 1810a994c07ca..505eebbc98a09 100644 ---- a/drivers/i2c/i2c-core-base.c -+++ b/drivers/i2c/i2c-core-base.c -@@ -1009,6 +1009,35 @@ void i2c_unregister_device(struct i2c_client *client) - } - EXPORT_SYMBOL_GPL(i2c_unregister_device); - -+/** -+ * i2c_find_device_by_fwnode() - find an i2c_client for the fwnode -+ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_client -+ * -+ * Look up and return the &struct i2c_client corresponding to the @fwnode. -+ * If no client can be found, or @fwnode is NULL, this returns NULL. -+ * -+ * The user must call put_device(&client->dev) once done with the i2c client. -+ */ -+struct i2c_client *i2c_find_device_by_fwnode(struct fwnode_handle *fwnode) -+{ -+ struct i2c_client *client; -+ struct device *dev; -+ -+ if (!fwnode) -+ return NULL; -+ -+ dev = bus_find_device_by_fwnode(&i2c_bus_type, fwnode); -+ if (!dev) -+ return NULL; -+ -+ client = i2c_verify_client(dev); -+ if (!client) -+ put_device(dev); -+ -+ return client; -+} -+EXPORT_SYMBOL(i2c_find_device_by_fwnode); -+ - - static const struct i2c_device_id dummy_id[] = { - { "dummy", 0 }, -@@ -1764,6 +1793,75 @@ int devm_i2c_add_adapter(struct device *dev, struct i2c_adapter *adapter) - } - EXPORT_SYMBOL_GPL(devm_i2c_add_adapter); - -+static int i2c_dev_or_parent_fwnode_match(struct device *dev, const void *data) -+{ -+ if (dev_fwnode(dev) == data) -+ return 1; -+ -+ if (dev->parent && dev_fwnode(dev->parent) == data) -+ return 1; -+ -+ return 0; -+} -+ -+/** -+ * i2c_find_adapter_by_fwnode() - find an i2c_adapter for the fwnode -+ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_adapter -+ * -+ * Look up and return the &struct i2c_adapter corresponding to the @fwnode. -+ * If no adapter can be found, or @fwnode is NULL, this returns NULL. -+ * -+ * The user must call put_device(&adapter->dev) once done with the i2c adapter. -+ */ -+struct i2c_adapter *i2c_find_adapter_by_fwnode(struct fwnode_handle *fwnode) -+{ -+ struct i2c_adapter *adapter; -+ struct device *dev; -+ -+ if (!fwnode) -+ return NULL; -+ -+ dev = bus_find_device(&i2c_bus_type, NULL, fwnode, -+ i2c_dev_or_parent_fwnode_match); -+ if (!dev) -+ return NULL; -+ -+ adapter = i2c_verify_adapter(dev); -+ if (!adapter) -+ put_device(dev); -+ -+ return adapter; -+} -+EXPORT_SYMBOL(i2c_find_adapter_by_fwnode); -+ -+/** -+ * i2c_get_adapter_by_fwnode() - find an i2c_adapter for the fwnode -+ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_adapter -+ * -+ * Look up and return the &struct i2c_adapter corresponding to the @fwnode, -+ * and increment the adapter module's use count. If no adapter can be found, -+ * or @fwnode is NULL, this returns NULL. -+ * -+ * The user must call i2c_put_adapter(adapter) once done with the i2c adapter. -+ * Note that this is different from i2c_find_adapter_by_node(). -+ */ -+struct i2c_adapter *i2c_get_adapter_by_fwnode(struct fwnode_handle *fwnode) -+{ -+ struct i2c_adapter *adapter; -+ -+ adapter = i2c_find_adapter_by_fwnode(fwnode); -+ if (!adapter) -+ return NULL; -+ -+ if (!try_module_get(adapter->owner)) { -+ put_device(&adapter->dev); -+ adapter = NULL; -+ } -+ -+ return adapter; -+} -+EXPORT_SYMBOL(i2c_get_adapter_by_fwnode); -+ - static void i2c_parse_timing(struct device *dev, char *prop_name, u32 *cur_val_p, - u32 def_val, bool use_def) - { -diff --git a/drivers/i2c/i2c-core-of.c b/drivers/i2c/i2c-core-of.c -index 3ed74aa4b44bb..bce6b796e04c2 100644 ---- a/drivers/i2c/i2c-core-of.c -+++ b/drivers/i2c/i2c-core-of.c -@@ -113,72 +113,6 @@ void of_i2c_register_devices(struct i2c_adapter *adap) - of_node_put(bus); - } - --static int of_dev_or_parent_node_match(struct device *dev, const void *data) --{ -- if (dev->of_node == data) -- return 1; -- -- if (dev->parent) -- return dev->parent->of_node == data; -- -- return 0; --} -- --/* must call put_device() when done with returned i2c_client device */ --struct i2c_client *of_find_i2c_device_by_node(struct device_node *node) --{ -- struct device *dev; -- struct i2c_client *client; -- -- dev = bus_find_device_by_of_node(&i2c_bus_type, node); -- if (!dev) -- return NULL; -- -- client = i2c_verify_client(dev); -- if (!client) -- put_device(dev); -- -- return client; --} --EXPORT_SYMBOL(of_find_i2c_device_by_node); -- --/* must call put_device() when done with returned i2c_adapter device */ --struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node) --{ -- struct device *dev; -- struct i2c_adapter *adapter; -- -- dev = bus_find_device(&i2c_bus_type, NULL, node, -- of_dev_or_parent_node_match); -- if (!dev) -- return NULL; -- -- adapter = i2c_verify_adapter(dev); -- if (!adapter) -- put_device(dev); -- -- return adapter; --} --EXPORT_SYMBOL(of_find_i2c_adapter_by_node); -- --/* must call i2c_put_adapter() when done with returned i2c_adapter device */ --struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node) --{ -- struct i2c_adapter *adapter; -- -- adapter = of_find_i2c_adapter_by_node(node); -- if (!adapter) -- return NULL; -- -- if (!try_module_get(adapter->owner)) { -- put_device(&adapter->dev); -- adapter = NULL; -- } -- -- return adapter; --} --EXPORT_SYMBOL(of_get_i2c_adapter_by_node); -- - static const struct of_device_id* - i2c_of_match_device_sysfs(const struct of_device_id *matches, - struct i2c_client *client) -diff --git a/include/linux/i2c.h b/include/linux/i2c.h -index 2ce3efbe9198a..f071a121ed914 100644 ---- a/include/linux/i2c.h -+++ b/include/linux/i2c.h -@@ -954,15 +954,33 @@ int i2c_handle_smbus_host_notify(struct i2c_adapter *adap, unsigned short addr); - - #endif /* I2C */ - -+/* must call put_device() when done with returned i2c_client device */ -+struct i2c_client *i2c_find_device_by_fwnode(struct fwnode_handle *fwnode); -+ -+/* must call put_device() when done with returned i2c_adapter device */ -+struct i2c_adapter *i2c_find_adapter_by_fwnode(struct fwnode_handle *fwnode); -+ -+/* must call i2c_put_adapter() when done with returned i2c_adapter device */ -+struct i2c_adapter *i2c_get_adapter_by_fwnode(struct fwnode_handle *fwnode); -+ - #if IS_ENABLED(CONFIG_OF) - /* must call put_device() when done with returned i2c_client device */ --struct i2c_client *of_find_i2c_device_by_node(struct device_node *node); -+static inline struct i2c_client *of_find_i2c_device_by_node(struct device_node *node) -+{ -+ return i2c_find_device_by_fwnode(of_fwnode_handle(node)); -+} - - /* must call put_device() when done with returned i2c_adapter device */ --struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node); -+static inline struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node) -+{ -+ return i2c_find_adapter_by_fwnode(of_fwnode_handle(node)); -+} - - /* must call i2c_put_adapter() when done with returned i2c_adapter device */ --struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node); -+static inline struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node) -+{ -+ return i2c_get_adapter_by_fwnode(of_fwnode_handle(node)); -+} - - const struct of_device_id - *i2c_of_match_device(const struct of_device_id *matches, --- -2.43.0 - diff --git a/queue-5.15/iio-accel-mxc4005-reset-chip-on-probe-and-resume.patch b/queue-5.15/iio-accel-mxc4005-reset-chip-on-probe-and-resume.patch deleted file mode 100644 index 8529a197c40..00000000000 --- a/queue-5.15/iio-accel-mxc4005-reset-chip-on-probe-and-resume.patch +++ /dev/null @@ -1,157 +0,0 @@ -From 5ec1f0816a672a4ab79c27ec0ab1f6d269ccb84a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Mar 2024 12:37:00 +0100 -Subject: iio: accel: mxc4005: Reset chip on probe() and resume() - -From: Hans de Goede - -[ Upstream commit 6b8cffdc4a31e4a72f75ecd1bc13fbf0dafee390 ] - -On some designs the chip is not properly reset when powered up at boot or -after a suspend/resume cycle. - -Use the sw-reset feature to ensure that the chip is in a clean state -after probe() / resume() and in the case of resume() restore the settings -(scale, trigger-enabled). - -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218578 -Signed-off-by: Hans de Goede -Link: https://lore.kernel.org/r/20240326113700.56725-3-hdegoede@redhat.com -Cc: -Signed-off-by: Jonathan Cameron -Signed-off-by: Sasha Levin ---- - drivers/iio/accel/mxc4005.c | 68 +++++++++++++++++++++++++++++++++++++ - 1 file changed, 68 insertions(+) - -diff --git a/drivers/iio/accel/mxc4005.c b/drivers/iio/accel/mxc4005.c -index ffae30e5eb5be..8db5611134da4 100644 ---- a/drivers/iio/accel/mxc4005.c -+++ b/drivers/iio/accel/mxc4005.c -@@ -5,6 +5,7 @@ - * Copyright (c) 2014, Intel Corporation. - */ - -+#include - #include - #include - #include -@@ -36,6 +37,7 @@ - - #define MXC4005_REG_INT_CLR1 0x01 - #define MXC4005_REG_INT_CLR1_BIT_DRDYC 0x01 -+#define MXC4005_REG_INT_CLR1_SW_RST 0x10 - - #define MXC4005_REG_CONTROL 0x0D - #define MXC4005_REG_CONTROL_MASK_FSR GENMASK(6, 5) -@@ -43,6 +45,9 @@ - - #define MXC4005_REG_DEVICE_ID 0x0E - -+/* Datasheet does not specify a reset time, this is a conservative guess */ -+#define MXC4005_RESET_TIME_US 2000 -+ - enum mxc4005_axis { - AXIS_X, - AXIS_Y, -@@ -66,6 +71,8 @@ struct mxc4005_data { - s64 timestamp __aligned(8); - } scan; - bool trigger_enabled; -+ unsigned int control; -+ unsigned int int_mask1; - }; - - /* -@@ -349,6 +356,7 @@ static int mxc4005_set_trigger_state(struct iio_trigger *trig, - return ret; - } - -+ data->int_mask1 = val; - data->trigger_enabled = state; - mutex_unlock(&data->mutex); - -@@ -384,6 +392,13 @@ static int mxc4005_chip_init(struct mxc4005_data *data) - - dev_dbg(data->dev, "MXC4005 chip id %02x\n", reg); - -+ ret = regmap_write(data->regmap, MXC4005_REG_INT_CLR1, -+ MXC4005_REG_INT_CLR1_SW_RST); -+ if (ret < 0) -+ return dev_err_probe(data->dev, ret, "resetting chip\n"); -+ -+ fsleep(MXC4005_RESET_TIME_US); -+ - ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK0, 0); - if (ret < 0) - return dev_err_probe(data->dev, ret, "writing INT_MASK0\n"); -@@ -480,6 +495,58 @@ static int mxc4005_probe(struct i2c_client *client, - return devm_iio_device_register(&client->dev, indio_dev); - } - -+static int mxc4005_suspend(struct device *dev) -+{ -+ struct iio_dev *indio_dev = dev_get_drvdata(dev); -+ struct mxc4005_data *data = iio_priv(indio_dev); -+ int ret; -+ -+ /* Save control to restore it on resume */ -+ ret = regmap_read(data->regmap, MXC4005_REG_CONTROL, &data->control); -+ if (ret < 0) -+ dev_err(data->dev, "failed to read reg_control\n"); -+ -+ return ret; -+} -+ -+static int mxc4005_resume(struct device *dev) -+{ -+ struct iio_dev *indio_dev = dev_get_drvdata(dev); -+ struct mxc4005_data *data = iio_priv(indio_dev); -+ int ret; -+ -+ ret = regmap_write(data->regmap, MXC4005_REG_INT_CLR1, -+ MXC4005_REG_INT_CLR1_SW_RST); -+ if (ret) { -+ dev_err(data->dev, "failed to reset chip: %d\n", ret); -+ return ret; -+ } -+ -+ fsleep(MXC4005_RESET_TIME_US); -+ -+ ret = regmap_write(data->regmap, MXC4005_REG_CONTROL, data->control); -+ if (ret) { -+ dev_err(data->dev, "failed to restore control register\n"); -+ return ret; -+ } -+ -+ ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK0, 0); -+ if (ret) { -+ dev_err(data->dev, "failed to restore interrupt 0 mask\n"); -+ return ret; -+ } -+ -+ ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK1, data->int_mask1); -+ if (ret) { -+ dev_err(data->dev, "failed to restore interrupt 1 mask\n"); -+ return ret; -+ } -+ -+ return 0; -+} -+ -+static DEFINE_SIMPLE_DEV_PM_OPS(mxc4005_pm_ops, mxc4005_suspend, mxc4005_resume); -+ - static const struct acpi_device_id mxc4005_acpi_match[] = { - {"MXC4005", 0}, - {"MXC6655", 0}, -@@ -498,6 +565,7 @@ static struct i2c_driver mxc4005_driver = { - .driver = { - .name = MXC4005_DRV_NAME, - .acpi_match_table = ACPI_PTR(mxc4005_acpi_match), -+ .pm = pm_sleep_ptr(&mxc4005_pm_ops), - }, - .probe = mxc4005_probe, - .id_table = mxc4005_id, --- -2.43.0 - diff --git a/queue-5.15/ipv6-fix-possible-race-in-__fib6_drop_pcpu_from.patch b/queue-5.15/ipv6-fix-possible-race-in-__fib6_drop_pcpu_from.patch deleted file mode 100644 index 8f274083617..00000000000 --- a/queue-5.15/ipv6-fix-possible-race-in-__fib6_drop_pcpu_from.patch +++ /dev/null @@ -1,130 +0,0 @@ -From 04c9445b5ceb19ca07135611ecd02104fb94ff93 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 19:35:49 +0000 -Subject: ipv6: fix possible race in __fib6_drop_pcpu_from() - -From: Eric Dumazet - -[ Upstream commit b01e1c030770ff3b4fe37fc7cc6bca03f594133f ] - -syzbot found a race in __fib6_drop_pcpu_from() [1] - -If compiler reads more than once (*ppcpu_rt), -second read could read NULL, if another cpu clears -the value in rt6_get_pcpu_route(). - -Add a READ_ONCE() to prevent this race. - -Also add rcu_read_lock()/rcu_read_unlock() because -we rely on RCU protection while dereferencing pcpu_rt. - -[1] - -Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI -KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097] -CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 -Workqueue: netns cleanup_net - RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984 -Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48 -RSP: 0018:ffffc900040df070 EFLAGS: 00010206 -RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16 -RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091 -RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007 -R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8 -R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001 -FS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - - __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline] - fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline] - fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038 - fib6_del_route net/ipv6/ip6_fib.c:1998 [inline] - fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043 - fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205 - fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127 - fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175 - fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255 - __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271 - rt6_sync_down_dev net/ipv6/route.c:4906 [inline] - rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911 - addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855 - addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778 - notifier_call_chain+0xb9/0x410 kernel/notifier.c:93 - call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992 - call_netdevice_notifiers_extack net/core/dev.c:2030 [inline] - call_netdevice_notifiers net/core/dev.c:2044 [inline] - dev_close_many+0x333/0x6a0 net/core/dev.c:1585 - unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193 - unregister_netdevice_many net/core/dev.c:11276 [inline] - default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759 - ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 - cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640 - process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 - process_scheduled_works kernel/workqueue.c:3312 [inline] - worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 - kthread+0x2c1/0x3a0 kernel/kthread.c:389 - ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 - ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 - -Fixes: d52d3997f843 ("ipv6: Create percpu rt6_info") -Signed-off-by: Eric Dumazet -Cc: Martin KaFai Lau -Link: https://lore.kernel.org/r/20240604193549.981839-1-edumazet@google.com -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/ipv6/ip6_fib.c | 6 +++++- - net/ipv6/route.c | 1 + - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c -index c0ff5ee490e7b..7d09193c14445 100644 ---- a/net/ipv6/ip6_fib.c -+++ b/net/ipv6/ip6_fib.c -@@ -961,6 +961,7 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh, - if (!fib6_nh->rt6i_pcpu) - return; - -+ rcu_read_lock(); - /* release the reference to this fib entry from - * all of its cached pcpu routes - */ -@@ -969,7 +970,9 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh, - struct rt6_info *pcpu_rt; - - ppcpu_rt = per_cpu_ptr(fib6_nh->rt6i_pcpu, cpu); -- pcpu_rt = *ppcpu_rt; -+ -+ /* Paired with xchg() in rt6_get_pcpu_route() */ -+ pcpu_rt = READ_ONCE(*ppcpu_rt); - - /* only dropping the 'from' reference if the cached route - * is using 'match'. The cached pcpu_rt->from only changes -@@ -983,6 +986,7 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh, - fib6_info_release(from); - } - } -+ rcu_read_unlock(); - } - - struct fib6_nh_pcpu_arg { -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 3bc3a30363e19..2c60270c5798b 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -1398,6 +1398,7 @@ static struct rt6_info *rt6_get_pcpu_route(const struct fib6_result *res) - struct rt6_info *prev, **p; - - p = this_cpu_ptr(res->nh->rt6i_pcpu); -+ /* Paired with READ_ONCE() in __fib6_drop_pcpu_from() */ - prev = xchg(p, NULL); - if (prev) { - dst_dev_put(&prev->dst); --- -2.43.0 - diff --git a/queue-5.15/ipv6-sr-block-bh-in-seg6_output_core-and-seg6_input_.patch b/queue-5.15/ipv6-sr-block-bh-in-seg6_output_core-and-seg6_input_.patch deleted file mode 100644 index e24117a1d66..00000000000 --- a/queue-5.15/ipv6-sr-block-bh-in-seg6_output_core-and-seg6_input_.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 93568aa9547731c6c2711c5caa0d7a8c76e3787f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 31 May 2024 13:26:34 +0000 -Subject: ipv6: sr: block BH in seg6_output_core() and seg6_input_core() - -From: Eric Dumazet - -[ Upstream commit c0b98ac1cc104f48763cdb27b1e9ac25fd81fc90 ] - -As explained in commit 1378817486d6 ("tipc: block BH -before using dst_cache"), net/core/dst_cache.c -helpers need to be called with BH disabled. - -Disabling preemption in seg6_output_core() is not good enough, -because seg6_output_core() is called from process context, -lwtunnel_output() only uses rcu_read_lock(). - -We might be interrupted by a softirq, re-enter seg6_output_core() -and corrupt dst_cache data structures. - -Fix the race by using local_bh_disable() instead of -preempt_disable(). - -Apply a similar change in seg6_input_core(). - -Fixes: fa79581ea66c ("ipv6: sr: fix several BUGs when preemption is enabled") -Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") -Signed-off-by: Eric Dumazet -Cc: David Lebrun -Acked-by: Paolo Abeni -Link: https://lore.kernel.org/r/20240531132636.2637995-4-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv6/seg6_iptunnel.c | 14 ++++++-------- - 1 file changed, 6 insertions(+), 8 deletions(-) - -diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c -index f98bb719190be..135712649d25f 100644 ---- a/net/ipv6/seg6_iptunnel.c -+++ b/net/ipv6/seg6_iptunnel.c -@@ -332,9 +332,8 @@ static int seg6_input_core(struct net *net, struct sock *sk, - - slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate); - -- preempt_disable(); -+ local_bh_disable(); - dst = dst_cache_get(&slwt->cache); -- preempt_enable(); - - skb_dst_drop(skb); - -@@ -342,14 +341,13 @@ static int seg6_input_core(struct net *net, struct sock *sk, - ip6_route_input(skb); - dst = skb_dst(skb); - if (!dst->error) { -- preempt_disable(); - dst_cache_set_ip6(&slwt->cache, dst, - &ipv6_hdr(skb)->saddr); -- preempt_enable(); - } - } else { - skb_dst_set(skb, dst); - } -+ local_bh_enable(); - - err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); - if (unlikely(err)) -@@ -405,9 +403,9 @@ static int seg6_output_core(struct net *net, struct sock *sk, - - slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate); - -- preempt_disable(); -+ local_bh_disable(); - dst = dst_cache_get(&slwt->cache); -- preempt_enable(); -+ local_bh_enable(); - - if (unlikely(!dst)) { - struct ipv6hdr *hdr = ipv6_hdr(skb); -@@ -427,9 +425,9 @@ static int seg6_output_core(struct net *net, struct sock *sk, - goto drop; - } - -- preempt_disable(); -+ local_bh_disable(); - dst_cache_set_ip6(&slwt->cache, dst, &fl6.saddr); -- preempt_enable(); -+ local_bh_enable(); - } - - skb_dst_drop(skb); --- -2.43.0 - diff --git a/queue-5.15/misc-pvpanic-deduplicate-common-code.patch b/queue-5.15/misc-pvpanic-deduplicate-common-code.patch deleted file mode 100644 index f7c07d7dcbe..00000000000 --- a/queue-5.15/misc-pvpanic-deduplicate-common-code.patch +++ /dev/null @@ -1,328 +0,0 @@ -From 667d7657871bd1a717461173de1518aac7a9233c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 11 Oct 2023 09:18:27 +0200 -Subject: misc/pvpanic: deduplicate common code -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Thomas Weißschuh - -[ Upstream commit c1426d392aebc51da4944d950d89e483e43f6f14 ] - -pvpanic-mmio.c and pvpanic-pci.c share a lot of code. -Refactor it into pvpanic.c where it doesn't have to be kept in sync -manually and where the core logic can be understood more easily. - -No functional change. - -Signed-off-by: Thomas Weißschuh -Link: https://lore.kernel.org/r/20231011-pvpanic-cleanup-v2-1-4b21d56f779f@weissschuh.net -Signed-off-by: Greg Kroah-Hartman -Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver") -Signed-off-by: Sasha Levin ---- - drivers/misc/pvpanic/pvpanic-mmio.c | 58 +--------------------- - drivers/misc/pvpanic/pvpanic-pci.c | 58 +--------------------- - drivers/misc/pvpanic/pvpanic.c | 76 ++++++++++++++++++++++++++++- - drivers/misc/pvpanic/pvpanic.h | 10 +--- - 4 files changed, 80 insertions(+), 122 deletions(-) - -diff --git a/drivers/misc/pvpanic/pvpanic-mmio.c b/drivers/misc/pvpanic/pvpanic-mmio.c -index eb97167c03fb4..9715798acce3d 100644 ---- a/drivers/misc/pvpanic/pvpanic-mmio.c -+++ b/drivers/misc/pvpanic/pvpanic-mmio.c -@@ -24,52 +24,9 @@ MODULE_AUTHOR("Hu Tao "); - MODULE_DESCRIPTION("pvpanic-mmio device driver"); - MODULE_LICENSE("GPL"); - --static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf) --{ -- struct pvpanic_instance *pi = dev_get_drvdata(dev); -- -- return sysfs_emit(buf, "%x\n", pi->capability); --} --static DEVICE_ATTR_RO(capability); -- --static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) --{ -- struct pvpanic_instance *pi = dev_get_drvdata(dev); -- -- return sysfs_emit(buf, "%x\n", pi->events); --} -- --static ssize_t events_store(struct device *dev, struct device_attribute *attr, -- const char *buf, size_t count) --{ -- struct pvpanic_instance *pi = dev_get_drvdata(dev); -- unsigned int tmp; -- int err; -- -- err = kstrtouint(buf, 16, &tmp); -- if (err) -- return err; -- -- if ((tmp & pi->capability) != tmp) -- return -EINVAL; -- -- pi->events = tmp; -- -- return count; --} --static DEVICE_ATTR_RW(events); -- --static struct attribute *pvpanic_mmio_dev_attrs[] = { -- &dev_attr_capability.attr, -- &dev_attr_events.attr, -- NULL --}; --ATTRIBUTE_GROUPS(pvpanic_mmio_dev); -- - static int pvpanic_mmio_probe(struct platform_device *pdev) - { - struct device *dev = &pdev->dev; -- struct pvpanic_instance *pi; - struct resource *res; - void __iomem *base; - -@@ -92,18 +49,7 @@ static int pvpanic_mmio_probe(struct platform_device *pdev) - return -EINVAL; - } - -- pi = devm_kmalloc(dev, sizeof(*pi), GFP_KERNEL); -- if (!pi) -- return -ENOMEM; -- -- pi->base = base; -- pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED; -- -- /* initialize capability by RDPT */ -- pi->capability &= ioread8(base); -- pi->events = pi->capability; -- -- return devm_pvpanic_probe(dev, pi); -+ return devm_pvpanic_probe(dev, base); - } - - static const struct of_device_id pvpanic_mmio_match[] = { -@@ -123,7 +69,7 @@ static struct platform_driver pvpanic_mmio_driver = { - .name = "pvpanic-mmio", - .of_match_table = pvpanic_mmio_match, - .acpi_match_table = pvpanic_device_ids, -- .dev_groups = pvpanic_mmio_dev_groups, -+ .dev_groups = pvpanic_dev_groups, - }, - .probe = pvpanic_mmio_probe, - }; -diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c -index 07eddb5ea30fa..689af4c28c2a9 100644 ---- a/drivers/misc/pvpanic/pvpanic-pci.c -+++ b/drivers/misc/pvpanic/pvpanic-pci.c -@@ -22,51 +22,8 @@ MODULE_AUTHOR("Mihai Carabas "); - MODULE_DESCRIPTION("pvpanic device driver"); - MODULE_LICENSE("GPL"); - --static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf) --{ -- struct pvpanic_instance *pi = dev_get_drvdata(dev); -- -- return sysfs_emit(buf, "%x\n", pi->capability); --} --static DEVICE_ATTR_RO(capability); -- --static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) --{ -- struct pvpanic_instance *pi = dev_get_drvdata(dev); -- -- return sysfs_emit(buf, "%x\n", pi->events); --} -- --static ssize_t events_store(struct device *dev, struct device_attribute *attr, -- const char *buf, size_t count) --{ -- struct pvpanic_instance *pi = dev_get_drvdata(dev); -- unsigned int tmp; -- int err; -- -- err = kstrtouint(buf, 16, &tmp); -- if (err) -- return err; -- -- if ((tmp & pi->capability) != tmp) -- return -EINVAL; -- -- pi->events = tmp; -- -- return count; --} --static DEVICE_ATTR_RW(events); -- --static struct attribute *pvpanic_pci_dev_attrs[] = { -- &dev_attr_capability.attr, -- &dev_attr_events.attr, -- NULL --}; --ATTRIBUTE_GROUPS(pvpanic_pci_dev); -- - static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - { -- struct pvpanic_instance *pi; - void __iomem *base; - int ret; - -@@ -78,18 +35,7 @@ static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *e - if (!base) - return -ENOMEM; - -- pi = devm_kmalloc(&pdev->dev, sizeof(*pi), GFP_KERNEL); -- if (!pi) -- return -ENOMEM; -- -- pi->base = base; -- pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED; -- -- /* initlize capability by RDPT */ -- pi->capability &= ioread8(base); -- pi->events = pi->capability; -- -- return devm_pvpanic_probe(&pdev->dev, pi); -+ return devm_pvpanic_probe(&pdev->dev, base); - } - - static const struct pci_device_id pvpanic_pci_id_tbl[] = { -@@ -103,7 +49,7 @@ static struct pci_driver pvpanic_pci_driver = { - .id_table = pvpanic_pci_id_tbl, - .probe = pvpanic_pci_probe, - .driver = { -- .dev_groups = pvpanic_pci_dev_groups, -+ .dev_groups = pvpanic_dev_groups, - }, - }; - module_pci_driver(pvpanic_pci_driver); -diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c -index 049a120063489..305b367e0ce34 100644 ---- a/drivers/misc/pvpanic/pvpanic.c -+++ b/drivers/misc/pvpanic/pvpanic.c -@@ -7,6 +7,7 @@ - * Copyright (C) 2021 Oracle. - */ - -+#include - #include - #include - #include -@@ -26,6 +27,13 @@ MODULE_AUTHOR("Mihai Carabas "); - MODULE_DESCRIPTION("pvpanic device driver"); - MODULE_LICENSE("GPL"); - -+struct pvpanic_instance { -+ void __iomem *base; -+ unsigned int capability; -+ unsigned int events; -+ struct list_head list; -+}; -+ - static struct list_head pvpanic_list; - static spinlock_t pvpanic_lock; - -@@ -81,11 +89,75 @@ static void pvpanic_remove(void *param) - spin_unlock(&pvpanic_lock); - } - --int devm_pvpanic_probe(struct device *dev, struct pvpanic_instance *pi) -+static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf) -+{ -+ struct pvpanic_instance *pi = dev_get_drvdata(dev); -+ -+ return sysfs_emit(buf, "%x\n", pi->capability); -+} -+static DEVICE_ATTR_RO(capability); -+ -+static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) -+{ -+ struct pvpanic_instance *pi = dev_get_drvdata(dev); -+ -+ return sysfs_emit(buf, "%x\n", pi->events); -+} -+ -+static ssize_t events_store(struct device *dev, struct device_attribute *attr, -+ const char *buf, size_t count) -+{ -+ struct pvpanic_instance *pi = dev_get_drvdata(dev); -+ unsigned int tmp; -+ int err; -+ -+ err = kstrtouint(buf, 16, &tmp); -+ if (err) -+ return err; -+ -+ if ((tmp & pi->capability) != tmp) -+ return -EINVAL; -+ -+ pi->events = tmp; -+ -+ return count; -+} -+static DEVICE_ATTR_RW(events); -+ -+static struct attribute *pvpanic_dev_attrs[] = { -+ &dev_attr_capability.attr, -+ &dev_attr_events.attr, -+ NULL -+}; -+ -+static const struct attribute_group pvpanic_dev_group = { -+ .attrs = pvpanic_dev_attrs, -+}; -+ -+const struct attribute_group *pvpanic_dev_groups[] = { -+ &pvpanic_dev_group, -+ NULL -+}; -+EXPORT_SYMBOL_GPL(pvpanic_dev_groups); -+ -+int devm_pvpanic_probe(struct device *dev, void __iomem *base) - { -- if (!pi || !pi->base) -+ struct pvpanic_instance *pi; -+ -+ if (!base) - return -EINVAL; - -+ pi = devm_kmalloc(dev, sizeof(*pi), GFP_KERNEL); -+ if (!pi) -+ return -ENOMEM; -+ -+ pi->base = base; -+ pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED; -+ -+ /* initlize capability by RDPT */ -+ pi->capability &= ioread8(base); -+ pi->events = pi->capability; -+ - spin_lock(&pvpanic_lock); - list_add(&pi->list, &pvpanic_list); - spin_unlock(&pvpanic_lock); -diff --git a/drivers/misc/pvpanic/pvpanic.h b/drivers/misc/pvpanic/pvpanic.h -index 4935459517548..46ffb10438adf 100644 ---- a/drivers/misc/pvpanic/pvpanic.h -+++ b/drivers/misc/pvpanic/pvpanic.h -@@ -8,13 +8,7 @@ - #ifndef PVPANIC_H_ - #define PVPANIC_H_ - --struct pvpanic_instance { -- void __iomem *base; -- unsigned int capability; -- unsigned int events; -- struct list_head list; --}; -- --int devm_pvpanic_probe(struct device *dev, struct pvpanic_instance *pi); -+int devm_pvpanic_probe(struct device *dev, void __iomem *base); -+extern const struct attribute_group *pvpanic_dev_groups[]; - - #endif /* PVPANIC_H_ */ --- -2.43.0 - diff --git a/queue-5.15/misc-pvpanic-pci-register-attributes-via-pci_driver.patch b/queue-5.15/misc-pvpanic-pci-register-attributes-via-pci_driver.patch deleted file mode 100644 index c6659317ba9..00000000000 --- a/queue-5.15/misc-pvpanic-pci-register-attributes-via-pci_driver.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d12d57cd2c7be519b412445578f9d583ff77f91a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 23:33:51 +0200 -Subject: misc/pvpanic-pci: register attributes via pci_driver -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Thomas Weißschuh - -[ Upstream commit ee59be35d7a8be7fcaa2d61fb89734ab5c25e4ee ] - -In __pci_register_driver(), the pci core overwrites the dev_groups field of -the embedded struct device_driver with the dev_groups from the outer -struct pci_driver unconditionally. - -Set dev_groups in the pci_driver to make sure it is used. - -This was broken since the introduction of pvpanic-pci. - -Fixes: db3a4f0abefd ("misc/pvpanic: add PCI driver") -Cc: stable@vger.kernel.org -Signed-off-by: Thomas Weißschuh -Fixes: ded13b9cfd59 ("PCI: Add support for dev_groups to struct pci_driver") -Link: https://lore.kernel.org/r/20240411-pvpanic-pci-dev-groups-v1-1-db8cb69f1b09@weissschuh.net -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/misc/pvpanic/pvpanic-pci.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c -index 689af4c28c2a9..2494725dfacfa 100644 ---- a/drivers/misc/pvpanic/pvpanic-pci.c -+++ b/drivers/misc/pvpanic/pvpanic-pci.c -@@ -48,8 +48,6 @@ static struct pci_driver pvpanic_pci_driver = { - .name = "pvpanic-pci", - .id_table = pvpanic_pci_id_tbl, - .probe = pvpanic_pci_probe, -- .driver = { -- .dev_groups = pvpanic_dev_groups, -- }, -+ .dev_groups = pvpanic_dev_groups, - }; - module_pci_driver(pvpanic_pci_driver); --- -2.43.0 - diff --git a/queue-5.15/mm-avoid-unnecessary-flush-on-change_huge_pmd.patch b/queue-5.15/mm-avoid-unnecessary-flush-on-change_huge_pmd.patch deleted file mode 100644 index dfb5deeeb96..00000000000 --- a/queue-5.15/mm-avoid-unnecessary-flush-on-change_huge_pmd.patch +++ /dev/null @@ -1,154 +0,0 @@ -From 6f73cf81e6438c334ae03321c915e9d376501fd8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 9 May 2022 18:20:50 -0700 -Subject: mm: avoid unnecessary flush on change_huge_pmd() - -From: Nadav Amit - -[ Upstream commit 4f83145721f362c2f4d312edc4755269a2069488 ] - -Calls to change_protection_range() on THP can trigger, at least on x86, -two TLB flushes for one page: one immediately, when pmdp_invalidate() is -called by change_huge_pmd(), and then another one later (that can be -batched) when change_protection_range() finishes. - -The first TLB flush is only necessary to prevent the dirty bit (and with a -lesser importance the access bit) from changing while the PTE is modified. -However, this is not necessary as the x86 CPUs set the dirty-bit -atomically with an additional check that the PTE is (still) present. One -caveat is Intel's Knights Landing that has a bug and does not do so. - -Leverage this behavior to eliminate the unnecessary TLB flush in -change_huge_pmd(). Introduce a new arch specific pmdp_invalidate_ad() -that only invalidates the access and dirty bit from further changes. - -Link: https://lkml.kernel.org/r/20220401180821.1986781-4-namit@vmware.com -Signed-off-by: Nadav Amit -Cc: Andrea Arcangeli -Cc: Andrew Cooper -Cc: Andy Lutomirski -Cc: Dave Hansen -Cc: Peter Xu -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: Will Deacon -Cc: Yu Zhao -Cc: Nick Piggin -Signed-off-by: Andrew Morton -Stable-dep-of: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast") -Signed-off-by: Sasha Levin ---- - arch/x86/include/asm/pgtable.h | 5 +++++ - arch/x86/mm/pgtable.c | 10 ++++++++++ - include/linux/pgtable.h | 20 ++++++++++++++++++++ - mm/huge_memory.c | 4 ++-- - mm/pgtable-generic.c | 8 ++++++++ - 5 files changed, 45 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h -index 448cd01eb3ecb..c04be133a6cd7 100644 ---- a/arch/x86/include/asm/pgtable.h -+++ b/arch/x86/include/asm/pgtable.h -@@ -1146,6 +1146,11 @@ static inline pmd_t pmdp_establish(struct vm_area_struct *vma, - } - } - #endif -+ -+#define __HAVE_ARCH_PMDP_INVALIDATE_AD -+extern pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, -+ unsigned long address, pmd_t *pmdp); -+ - /* - * Page table pages are page-aligned. The lower half of the top - * level is used for userspace and the top half for the kernel. -diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c -index 3481b35cb4ec7..f16059e9a85e7 100644 ---- a/arch/x86/mm/pgtable.c -+++ b/arch/x86/mm/pgtable.c -@@ -608,6 +608,16 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma, - - return young; - } -+ -+pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, -+ pmd_t *pmdp) -+{ -+ /* -+ * No flush is necessary. Once an invalid PTE is established, the PTE's -+ * access and dirty bits cannot be updated. -+ */ -+ return pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); -+} - #endif - - /** -diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h -index d468efcf48f45..952969aa19ec1 100644 ---- a/include/linux/pgtable.h -+++ b/include/linux/pgtable.h -@@ -562,6 +562,26 @@ extern pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, - pmd_t *pmdp); - #endif - -+#ifndef __HAVE_ARCH_PMDP_INVALIDATE_AD -+ -+/* -+ * pmdp_invalidate_ad() invalidates the PMD while changing a transparent -+ * hugepage mapping in the page tables. This function is similar to -+ * pmdp_invalidate(), but should only be used if the access and dirty bits would -+ * not be cleared by the software in the new PMD value. The function ensures -+ * that hardware changes of the access and dirty bits updates would not be lost. -+ * -+ * Doing so can allow in certain architectures to avoid a TLB flush in most -+ * cases. Yet, another TLB flush might be necessary later if the PMD update -+ * itself requires such flush (e.g., if protection was set to be stricter). Yet, -+ * even when a TLB flush is needed because of the update, the caller may be able -+ * to batch these TLB flushing operations, so fewer TLB flush operations are -+ * needed. -+ */ -+extern pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, -+ unsigned long address, pmd_t *pmdp); -+#endif -+ - #ifndef __HAVE_ARCH_PTE_SAME - static inline int pte_same(pte_t pte_a, pte_t pte_b) - { -diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index 8ab6316d85391..265ef8d1393c5 100644 ---- a/mm/huge_memory.c -+++ b/mm/huge_memory.c -@@ -1798,10 +1798,10 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, - * The race makes MADV_DONTNEED miss the huge pmd and don't clear it - * which may break userspace. - * -- * pmdp_invalidate() is required to make sure we don't miss -+ * pmdp_invalidate_ad() is required to make sure we don't miss - * dirty/young flags set by hardware. - */ -- oldpmd = pmdp_invalidate(vma, addr, pmd); -+ oldpmd = pmdp_invalidate_ad(vma, addr, pmd); - - entry = pmd_modify(oldpmd, newprot); - if (preserve_write) -diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c -index 4e640baf97948..b0ce6c7391bf4 100644 ---- a/mm/pgtable-generic.c -+++ b/mm/pgtable-generic.c -@@ -200,6 +200,14 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, - } - #endif - -+#ifndef __HAVE_ARCH_PMDP_INVALIDATE_AD -+pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, -+ pmd_t *pmdp) -+{ -+ return pmdp_invalidate(vma, address, pmdp); -+} -+#endif -+ - #ifndef pmdp_collapse_flush - pmd_t pmdp_collapse_flush(struct vm_area_struct *vma, unsigned long address, - pmd_t *pmdp) --- -2.43.0 - diff --git a/queue-5.15/mm-cma-drop-incorrect-alignment-check-in-cma_init_re.patch b/queue-5.15/mm-cma-drop-incorrect-alignment-check-in-cma_init_re.patch deleted file mode 100644 index 54af2d70372..00000000000 --- a/queue-5.15/mm-cma-drop-incorrect-alignment-check-in-cma_init_re.patch +++ /dev/null @@ -1,51 +0,0 @@ -From f3f649041a190cda4c4b0f15f9898ad8f6653c30 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Apr 2024 16:25:14 +0000 -Subject: mm/cma: drop incorrect alignment check in cma_init_reserved_mem - -From: Frank van der Linden - -[ Upstream commit b174f139bdc8aaaf72f5b67ad1bd512c4868a87e ] - -cma_init_reserved_mem uses IS_ALIGNED to check if the size represented by -one bit in the cma allocation bitmask is aligned with -CMA_MIN_ALIGNMENT_BYTES (pageblock size). - -However, this is too strict, as this will fail if order_per_bit > -pageblock_order, which is a valid configuration. - -We could check IS_ALIGNED both ways, but since both numbers are powers of -two, no check is needed at all. - -Link: https://lkml.kernel.org/r/20240404162515.527802-1-fvdl@google.com -Fixes: de9e14eebf33 ("drivers: dma-contiguous: add initialization from device tree") -Signed-off-by: Frank van der Linden -Acked-by: David Hildenbrand -Cc: Marek Szyprowski -Cc: Muchun Song -Cc: Roman Gushchin -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - mm/cma.c | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/mm/cma.c b/mm/cma.c -index 5208aee4f45ad..88fbd4f8124d3 100644 ---- a/mm/cma.c -+++ b/mm/cma.c -@@ -179,10 +179,6 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size, - if (!size || !memblock_is_region_reserved(base, size)) - return -EINVAL; - -- /* alignment should be aligned with order_per_bit */ -- if (!IS_ALIGNED(CMA_MIN_ALIGNMENT_PAGES, 1 << order_per_bit)) -- return -EINVAL; -- - /* ensure minimal alignment required by mm core */ - if (!IS_ALIGNED(base | size, CMA_MIN_ALIGNMENT_BYTES)) - return -EINVAL; --- -2.43.0 - diff --git a/queue-5.15/mm-fix-race-between-__split_huge_pmd_locked-and-gup-.patch b/queue-5.15/mm-fix-race-between-__split_huge_pmd_locked-and-gup-.patch deleted file mode 100644 index d682d9ad3bf..00000000000 --- a/queue-5.15/mm-fix-race-between-__split_huge_pmd_locked-and-gup-.patch +++ /dev/null @@ -1,242 +0,0 @@ -From dca09ad288fc1dd6652c82f0aa90f993a357f4f8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 1 May 2024 15:33:10 +0100 -Subject: mm: fix race between __split_huge_pmd_locked() and GUP-fast - -From: Ryan Roberts - -[ Upstream commit 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 ] - -__split_huge_pmd_locked() can be called for a present THP, devmap or -(non-present) migration entry. It calls pmdp_invalidate() unconditionally -on the pmdp and only determines if it is present or not based on the -returned old pmd. This is a problem for the migration entry case because -pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a -present pmd. - -On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future -call to pmd_present() will return true. And therefore any lockless -pgtable walker could see the migration entry pmd in this state and start -interpretting the fields as if it were present, leading to BadThings (TM). -GUP-fast appears to be one such lockless pgtable walker. - -x86 does not suffer the above problem, but instead pmd_mkinvalid() will -corrupt the offset field of the swap entry within the swap pte. See link -below for discussion of that problem. - -Fix all of this by only calling pmdp_invalidate() for a present pmd. And -for good measure let's add a warning to all implementations of -pmdp_invalidate[_ad](). I've manually reviewed all other -pmdp_invalidate[_ad]() call sites and believe all others to be conformant. - -This is a theoretical bug found during code review. I don't have any test -case to trigger it in practice. - -Link: https://lkml.kernel.org/r/20240501143310.1381675-1-ryan.roberts@arm.com -Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/ -Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") -Signed-off-by: Ryan Roberts -Reviewed-by: Zi Yan -Reviewed-by: Anshuman Khandual -Acked-by: David Hildenbrand -Cc: Andreas Larsson -Cc: Andy Lutomirski -Cc: Aneesh Kumar K.V -Cc: Borislav Petkov (AMD) -Cc: Catalin Marinas -Cc: Christian Borntraeger -Cc: Christophe Leroy -Cc: Dave Hansen -Cc: "David S. Miller" -Cc: Ingo Molnar -Cc: Jonathan Corbet -Cc: Mark Rutland -Cc: Naveen N. Rao -Cc: Nicholas Piggin -Cc: Peter Zijlstra -Cc: Sven Schnelle -Cc: Thomas Gleixner -Cc: Will Deacon -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - Documentation/vm/arch_pgtable_helpers.rst | 6 ++- - arch/powerpc/mm/book3s64/pgtable.c | 1 + - arch/s390/include/asm/pgtable.h | 4 +- - arch/sparc/mm/tlb.c | 1 + - arch/x86/mm/pgtable.c | 2 + - mm/huge_memory.c | 49 ++++++++++++----------- - mm/pgtable-generic.c | 2 + - 7 files changed, 39 insertions(+), 26 deletions(-) - -diff --git a/Documentation/vm/arch_pgtable_helpers.rst b/Documentation/vm/arch_pgtable_helpers.rst -index 552567d863b86..b8ae5d040b998 100644 ---- a/Documentation/vm/arch_pgtable_helpers.rst -+++ b/Documentation/vm/arch_pgtable_helpers.rst -@@ -134,7 +134,8 @@ PMD Page Table Helpers - +---------------------------+--------------------------------------------------+ - | pmd_swp_clear_soft_dirty | Clears a soft dirty swapped PMD | - +---------------------------+--------------------------------------------------+ --| pmd_mkinvalid | Invalidates a mapped PMD [1] | -+| pmd_mkinvalid | Invalidates a present PMD; do not call for | -+| | non-present PMD [1] | - +---------------------------+--------------------------------------------------+ - | pmd_set_huge | Creates a PMD huge mapping | - +---------------------------+--------------------------------------------------+ -@@ -190,7 +191,8 @@ PUD Page Table Helpers - +---------------------------+--------------------------------------------------+ - | pud_mkdevmap | Creates a ZONE_DEVICE mapped PUD | - +---------------------------+--------------------------------------------------+ --| pud_mkinvalid | Invalidates a mapped PUD [1] | -+| pud_mkinvalid | Invalidates a present PUD; do not call for | -+| | non-present PUD [1] | - +---------------------------+--------------------------------------------------+ - | pud_set_huge | Creates a PUD huge mapping | - +---------------------------+--------------------------------------------------+ -diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c -index da15f28c7b13a..3a22e7d970f33 100644 ---- a/arch/powerpc/mm/book3s64/pgtable.c -+++ b/arch/powerpc/mm/book3s64/pgtable.c -@@ -115,6 +115,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, - { - unsigned long old_pmd; - -+ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); - old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID); - flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); - return __pmd(old_pmd); -diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h -index b61426c9ef178..b65ce0c90dd0e 100644 ---- a/arch/s390/include/asm/pgtable.h -+++ b/arch/s390/include/asm/pgtable.h -@@ -1625,8 +1625,10 @@ static inline pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, - static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma, - unsigned long addr, pmd_t *pmdp) - { -- pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); -+ pmd_t pmd; - -+ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); -+ pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); - return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd); - } - -diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c -index 9a725547578e8..946f33c1b032f 100644 ---- a/arch/sparc/mm/tlb.c -+++ b/arch/sparc/mm/tlb.c -@@ -245,6 +245,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, - { - pmd_t old, entry; - -+ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); - entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); - old = pmdp_establish(vma, address, pmdp, entry); - flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); -diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c -index f16059e9a85e7..5c2be867a2ed9 100644 ---- a/arch/x86/mm/pgtable.c -+++ b/arch/x86/mm/pgtable.c -@@ -612,6 +612,8 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma, - pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, - pmd_t *pmdp) - { -+ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); -+ - /* - * No flush is necessary. Once an invalid PTE is established, the PTE's - * access and dirty bits cannot be updated. -diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index 265ef8d1393c5..99d38f712863b 100644 ---- a/mm/huge_memory.c -+++ b/mm/huge_memory.c -@@ -2024,32 +2024,11 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, - return __split_huge_zero_page_pmd(vma, haddr, pmd); - } - -- /* -- * Up to this point the pmd is present and huge and userland has the -- * whole access to the hugepage during the split (which happens in -- * place). If we overwrite the pmd with the not-huge version pointing -- * to the pte here (which of course we could if all CPUs were bug -- * free), userland could trigger a small page size TLB miss on the -- * small sized TLB while the hugepage TLB entry is still established in -- * the huge TLB. Some CPU doesn't like that. -- * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum -- * 383 on page 105. Intel should be safe but is also warns that it's -- * only safe if the permission and cache attributes of the two entries -- * loaded in the two TLB is identical (which should be the case here). -- * But it is generally safer to never allow small and huge TLB entries -- * for the same virtual address to be loaded simultaneously. So instead -- * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the -- * current pmd notpresent (atomically because here the pmd_trans_huge -- * must remain set at all times on the pmd until the split is complete -- * for this pmd), then we flush the SMP TLB and finally we write the -- * non-huge version of the pmd entry with pmd_populate. -- */ -- old_pmd = pmdp_invalidate(vma, haddr, pmd); -- -- pmd_migration = is_pmd_migration_entry(old_pmd); -+ pmd_migration = is_pmd_migration_entry(*pmd); - if (unlikely(pmd_migration)) { - swp_entry_t entry; - -+ old_pmd = *pmd; - entry = pmd_to_swp_entry(old_pmd); - page = pfn_swap_entry_to_page(entry); - write = is_writable_migration_entry(entry); -@@ -2057,6 +2036,30 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, - soft_dirty = pmd_swp_soft_dirty(old_pmd); - uffd_wp = pmd_swp_uffd_wp(old_pmd); - } else { -+ /* -+ * Up to this point the pmd is present and huge and userland has -+ * the whole access to the hugepage during the split (which -+ * happens in place). If we overwrite the pmd with the not-huge -+ * version pointing to the pte here (which of course we could if -+ * all CPUs were bug free), userland could trigger a small page -+ * size TLB miss on the small sized TLB while the hugepage TLB -+ * entry is still established in the huge TLB. Some CPU doesn't -+ * like that. See -+ * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum -+ * 383 on page 105. Intel should be safe but is also warns that -+ * it's only safe if the permission and cache attributes of the -+ * two entries loaded in the two TLB is identical (which should -+ * be the case here). But it is generally safer to never allow -+ * small and huge TLB entries for the same virtual address to be -+ * loaded simultaneously. So instead of doing "pmd_populate(); -+ * flush_pmd_tlb_range();" we first mark the current pmd -+ * notpresent (atomically because here the pmd_trans_huge must -+ * remain set at all times on the pmd until the split is -+ * complete for this pmd), then we flush the SMP TLB and finally -+ * we write the non-huge version of the pmd entry with -+ * pmd_populate. -+ */ -+ old_pmd = pmdp_invalidate(vma, haddr, pmd); - page = pmd_page(old_pmd); - if (pmd_dirty(old_pmd)) - SetPageDirty(page); -diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c -index b0ce6c7391bf4..cc8b11724cf5a 100644 ---- a/mm/pgtable-generic.c -+++ b/mm/pgtable-generic.c -@@ -194,6 +194,7 @@ pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp) - pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, - pmd_t *pmdp) - { -+ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); - pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); - flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); - return old; -@@ -204,6 +205,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, - pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, - pmd_t *pmdp) - { -+ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); - return pmdp_invalidate(vma, address, pmdp); - } - #endif --- -2.43.0 - diff --git a/queue-5.15/mm-mprotect-do-not-flush-when-not-required-architect.patch b/queue-5.15/mm-mprotect-do-not-flush-when-not-required-architect.patch deleted file mode 100644 index dc8b5c585ae..00000000000 --- a/queue-5.15/mm-mprotect-do-not-flush-when-not-required-architect.patch +++ /dev/null @@ -1,251 +0,0 @@ -From 2031c117202f5d2e11b95194e0012d36553e6e78 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 9 May 2022 18:20:50 -0700 -Subject: mm/mprotect: do not flush when not required architecturally - -From: Nadav Amit - -[ Upstream commit c9fe66560bf2dc7d109754414e309888cb8c9ba9 ] - -Currently, using mprotect() to unprotect a memory region or uffd to -unprotect a memory region causes a TLB flush. However, in such cases the -PTE is often not modified (i.e., remain RO) and therefore not TLB flush is -needed. - -Add an arch-specific pte_needs_flush() which tells whether a TLB flush is -needed based on the old PTE and the new one. Implement an x86 -pte_needs_flush(). - -Always flush the TLB when it is architecturally needed even when skipping -a TLB flush might only result in a spurious page-faults by skipping the -flush. - -Even with such conservative manner, we can in the future further refine -the checks to test whether a PTE is present by only considering the -architectural _PAGE_PRESENT flag instead of {pte|pmd}_preesnt(). For not -be careful and use the latter. - -Link: https://lkml.kernel.org/r/20220401180821.1986781-3-namit@vmware.com -Signed-off-by: Nadav Amit -Cc: Andrea Arcangeli -Cc: Andy Lutomirski -Cc: Dave Hansen -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: Will Deacon -Cc: Yu Zhao -Cc: Nick Piggin -Cc: Andrew Cooper -Cc: Peter Xu -Signed-off-by: Andrew Morton -Stable-dep-of: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast") -Signed-off-by: Sasha Levin ---- - arch/x86/include/asm/pgtable_types.h | 2 + - arch/x86/include/asm/tlbflush.h | 97 ++++++++++++++++++++++++++++ - include/asm-generic/tlb.h | 14 ++++ - mm/huge_memory.c | 9 +-- - mm/mprotect.c | 3 +- - 5 files changed, 120 insertions(+), 5 deletions(-) - -diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h -index 28e59576c75be..de9e3c635618e 100644 ---- a/arch/x86/include/asm/pgtable_types.h -+++ b/arch/x86/include/asm/pgtable_types.h -@@ -110,9 +110,11 @@ - #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE) - #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX) - #define _PAGE_DEVMAP (_AT(u64, 1) << _PAGE_BIT_DEVMAP) -+#define _PAGE_SOFTW4 (_AT(pteval_t, 1) << _PAGE_BIT_SOFTW4) - #else - #define _PAGE_NX (_AT(pteval_t, 0)) - #define _PAGE_DEVMAP (_AT(pteval_t, 0)) -+#define _PAGE_SOFTW4 (_AT(pteval_t, 0)) - #endif - - #define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE) -diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h -index b587a9ee9cb25..8be1ff9081728 100644 ---- a/arch/x86/include/asm/tlbflush.h -+++ b/arch/x86/include/asm/tlbflush.h -@@ -259,6 +259,103 @@ static inline void arch_tlbbatch_add_mm(struct arch_tlbflush_unmap_batch *batch, - - extern void arch_tlbbatch_flush(struct arch_tlbflush_unmap_batch *batch); - -+static inline bool pte_flags_need_flush(unsigned long oldflags, -+ unsigned long newflags, -+ bool ignore_access) -+{ -+ /* -+ * Flags that require a flush when cleared but not when they are set. -+ * Only include flags that would not trigger spurious page-faults. -+ * Non-present entries are not cached. Hardware would set the -+ * dirty/access bit if needed without a fault. -+ */ -+ const pteval_t flush_on_clear = _PAGE_DIRTY | _PAGE_PRESENT | -+ _PAGE_ACCESSED; -+ const pteval_t software_flags = _PAGE_SOFTW1 | _PAGE_SOFTW2 | -+ _PAGE_SOFTW3 | _PAGE_SOFTW4; -+ const pteval_t flush_on_change = _PAGE_RW | _PAGE_USER | _PAGE_PWT | -+ _PAGE_PCD | _PAGE_PSE | _PAGE_GLOBAL | _PAGE_PAT | -+ _PAGE_PAT_LARGE | _PAGE_PKEY_BIT0 | _PAGE_PKEY_BIT1 | -+ _PAGE_PKEY_BIT2 | _PAGE_PKEY_BIT3 | _PAGE_NX; -+ unsigned long diff = oldflags ^ newflags; -+ -+ BUILD_BUG_ON(flush_on_clear & software_flags); -+ BUILD_BUG_ON(flush_on_clear & flush_on_change); -+ BUILD_BUG_ON(flush_on_change & software_flags); -+ -+ /* Ignore software flags */ -+ diff &= ~software_flags; -+ -+ if (ignore_access) -+ diff &= ~_PAGE_ACCESSED; -+ -+ /* -+ * Did any of the 'flush_on_clear' flags was clleared set from between -+ * 'oldflags' and 'newflags'? -+ */ -+ if (diff & oldflags & flush_on_clear) -+ return true; -+ -+ /* Flush on modified flags. */ -+ if (diff & flush_on_change) -+ return true; -+ -+ /* Ensure there are no flags that were left behind */ -+ if (IS_ENABLED(CONFIG_DEBUG_VM) && -+ (diff & ~(flush_on_clear | software_flags | flush_on_change))) { -+ VM_WARN_ON_ONCE(1); -+ return true; -+ } -+ -+ return false; -+} -+ -+/* -+ * pte_needs_flush() checks whether permissions were demoted and require a -+ * flush. It should only be used for userspace PTEs. -+ */ -+static inline bool pte_needs_flush(pte_t oldpte, pte_t newpte) -+{ -+ /* !PRESENT -> * ; no need for flush */ -+ if (!(pte_flags(oldpte) & _PAGE_PRESENT)) -+ return false; -+ -+ /* PFN changed ; needs flush */ -+ if (pte_pfn(oldpte) != pte_pfn(newpte)) -+ return true; -+ -+ /* -+ * check PTE flags; ignore access-bit; see comment in -+ * ptep_clear_flush_young(). -+ */ -+ return pte_flags_need_flush(pte_flags(oldpte), pte_flags(newpte), -+ true); -+} -+#define pte_needs_flush pte_needs_flush -+ -+/* -+ * huge_pmd_needs_flush() checks whether permissions were demoted and require a -+ * flush. It should only be used for userspace huge PMDs. -+ */ -+static inline bool huge_pmd_needs_flush(pmd_t oldpmd, pmd_t newpmd) -+{ -+ /* !PRESENT -> * ; no need for flush */ -+ if (!(pmd_flags(oldpmd) & _PAGE_PRESENT)) -+ return false; -+ -+ /* PFN changed ; needs flush */ -+ if (pmd_pfn(oldpmd) != pmd_pfn(newpmd)) -+ return true; -+ -+ /* -+ * check PMD flags; do not ignore access-bit; see -+ * pmdp_clear_flush_young(). -+ */ -+ return pte_flags_need_flush(pmd_flags(oldpmd), pmd_flags(newpmd), -+ false); -+} -+#define huge_pmd_needs_flush huge_pmd_needs_flush -+ - #endif /* !MODULE */ - - #endif /* _ASM_X86_TLBFLUSH_H */ -diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h -index c99710b3027a0..7afde1eff2398 100644 ---- a/include/asm-generic/tlb.h -+++ b/include/asm-generic/tlb.h -@@ -662,6 +662,20 @@ static inline void tlb_flush_p4d_range(struct mmu_gather *tlb, - } while (0) - #endif - -+#ifndef pte_needs_flush -+static inline bool pte_needs_flush(pte_t oldpte, pte_t newpte) -+{ -+ return true; -+} -+#endif -+ -+#ifndef huge_pmd_needs_flush -+static inline bool huge_pmd_needs_flush(pmd_t oldpmd, pmd_t newpmd) -+{ -+ return true; -+} -+#endif -+ - #endif /* CONFIG_MMU */ - - #endif /* _ASM_GENERIC__TLB_H */ -diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index 661dd29642ebc..8ab6316d85391 100644 ---- a/mm/huge_memory.c -+++ b/mm/huge_memory.c -@@ -1726,7 +1726,7 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, - { - struct mm_struct *mm = vma->vm_mm; - spinlock_t *ptl; -- pmd_t entry; -+ pmd_t oldpmd, entry; - bool preserve_write; - int ret; - bool prot_numa = cp_flags & MM_CP_PROT_NUMA; -@@ -1801,9 +1801,9 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, - * pmdp_invalidate() is required to make sure we don't miss - * dirty/young flags set by hardware. - */ -- entry = pmdp_invalidate(vma, addr, pmd); -+ oldpmd = pmdp_invalidate(vma, addr, pmd); - -- entry = pmd_modify(entry, newprot); -+ entry = pmd_modify(oldpmd, newprot); - if (preserve_write) - entry = pmd_mk_savedwrite(entry); - if (uffd_wp) { -@@ -1820,7 +1820,8 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, - ret = HPAGE_PMD_NR; - set_pmd_at(mm, addr, pmd, entry); - -- tlb_flush_pmd_range(tlb, addr, HPAGE_PMD_SIZE); -+ if (huge_pmd_needs_flush(oldpmd, entry)) -+ tlb_flush_pmd_range(tlb, addr, HPAGE_PMD_SIZE); - - BUG_ON(vma_is_anonymous(vma) && !preserve_write && pmd_write(entry)); - unlock: -diff --git a/mm/mprotect.c b/mm/mprotect.c -index fe1196be9ca28..09c5c448b9e7c 100644 ---- a/mm/mprotect.c -+++ b/mm/mprotect.c -@@ -141,7 +141,8 @@ static unsigned long change_pte_range(struct mmu_gather *tlb, - ptent = pte_mkwrite(ptent); - } - ptep_modify_prot_commit(vma, addr, pte, oldpte, ptent); -- tlb_flush_pte_range(tlb, addr, PAGE_SIZE); -+ if (pte_needs_flush(oldpte, ptent)) -+ tlb_flush_pte_range(tlb, addr, PAGE_SIZE); - pages++; - } else if (is_swap_pte(oldpte)) { - swp_entry_t entry = pte_to_swp_entry(oldpte); --- -2.43.0 - diff --git a/queue-5.15/mm-mprotect-use-mmu_gather.patch b/queue-5.15/mm-mprotect-use-mmu_gather.patch deleted file mode 100644 index fe42d2d0f2b..00000000000 --- a/queue-5.15/mm-mprotect-use-mmu_gather.patch +++ /dev/null @@ -1,537 +0,0 @@ -From 61cba6a6dc1cc6682b9aeff3aff3114f0ff30462 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 9 May 2022 18:20:50 -0700 -Subject: mm/mprotect: use mmu_gather - -From: Nadav Amit - -[ Upstream commit 4a18419f71cdf9155d2d2a6c79546f720978b990 ] - -Patch series "mm/mprotect: avoid unnecessary TLB flushes", v6. - -This patchset is intended to remove unnecessary TLB flushes during -mprotect() syscalls. Once this patch-set make it through, similar and -further optimizations for MADV_COLD and userfaultfd would be possible. - -Basically, there are 3 optimizations in this patch-set: - -1. Use TLB batching infrastructure to batch flushes across VMAs and do - better/fewer flushes. This would also be handy for later userfaultfd - enhancements. - -2. Avoid unnecessary TLB flushes. This optimization is the one that - provides most of the performance benefits. Unlike previous versions, - we now only avoid flushes that would not result in spurious - page-faults. - -3. Avoiding TLB flushes on change_huge_pmd() that are only needed to - prevent the A/D bits from changing. - -Andrew asked for some benchmark numbers. I do not have an easy -determinate macrobenchmark in which it is easy to show benefit. I -therefore ran a microbenchmark: a loop that does the following on -anonymous memory, just as a sanity check to see that time is saved by -avoiding TLB flushes. The loop goes: - - mprotect(p, PAGE_SIZE, PROT_READ) - mprotect(p, PAGE_SIZE, PROT_READ|PROT_WRITE) - *p = 0; // make the page writable - -The test was run in KVM guest with 1 or 2 threads (the second thread was -busy-looping). I measured the time (cycles) of each operation: - - 1 thread 2 threads - mmots +patch mmots +patch -PROT_READ 3494 2725 (-22%) 8630 7788 (-10%) -PROT_READ|WRITE 3952 2724 (-31%) 9075 2865 (-68%) - -[ mmots = v5.17-rc6-mmots-2022-03-06-20-38 ] - -The exact numbers are really meaningless, but the benefit is clear. There -are 2 interesting results though. - -(1) PROT_READ is cheaper, while one can expect it not to be affected. -This is presumably due to TLB miss that is saved - -(2) Without memory access (*p = 0), the speedup of the patch is even -greater. In that scenario mprotect(PROT_READ) also avoids the TLB flush. -As a result both operations on the patched kernel take roughly ~1500 -cycles (with either 1 or 2 threads), whereas on mmotm their cost is as -high as presented in the table. - -This patch (of 3): - -change_pXX_range() currently does not use mmu_gather, but instead -implements its own deferred TLB flushes scheme. This both complicates the -code, as developers need to be aware of different invalidation schemes, -and prevents opportunities to avoid TLB flushes or perform them in finer -granularity. - -The use of mmu_gather for modified PTEs has benefits in various scenarios -even if pages are not released. For instance, if only a single page needs -to be flushed out of a range of many pages, only that page would be -flushed. If a THP page is flushed, on x86 a single TLB invlpg instruction -can be used instead of 512 instructions (or a full TLB flush, which would -Linux would actually use by default). mprotect() over multiple VMAs -requires a single flush. - -Use mmu_gather in change_pXX_range(). As the pages are not released, only -record the flushed range using tlb_flush_pXX_range(). - -Handle THP similarly and get rid of flush_cache_range() which becomes -redundant since tlb_start_vma() calls it when needed. - -Link: https://lkml.kernel.org/r/20220401180821.1986781-1-namit@vmware.com -Link: https://lkml.kernel.org/r/20220401180821.1986781-2-namit@vmware.com -Signed-off-by: Nadav Amit -Acked-by: Peter Zijlstra (Intel) -Cc: Andrea Arcangeli -Cc: Andrew Cooper -Cc: Andy Lutomirski -Cc: Dave Hansen -Cc: Peter Xu -Cc: Thomas Gleixner -Cc: Will Deacon -Cc: Yu Zhao -Cc: Nick Piggin -Signed-off-by: Andrew Morton -Stable-dep-of: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast") -Signed-off-by: Sasha Levin ---- - fs/exec.c | 6 ++- - include/linux/huge_mm.h | 5 ++- - include/linux/mm.h | 5 ++- - mm/huge_memory.c | 10 ++++- - mm/mempolicy.c | 9 +++- - mm/mprotect.c | 92 ++++++++++++++++++++++------------------- - mm/userfaultfd.c | 6 ++- - 7 files changed, 82 insertions(+), 51 deletions(-) - -diff --git a/fs/exec.c b/fs/exec.c -index 03516b704d8a4..3cf38e5e8b733 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -758,6 +758,7 @@ int setup_arg_pages(struct linux_binprm *bprm, - unsigned long stack_size; - unsigned long stack_expand; - unsigned long rlim_stack; -+ struct mmu_gather tlb; - - #ifdef CONFIG_STACK_GROWSUP - /* Limit stack size */ -@@ -812,8 +813,11 @@ int setup_arg_pages(struct linux_binprm *bprm, - vm_flags |= mm->def_flags; - vm_flags |= VM_STACK_INCOMPLETE_SETUP; - -- ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, -+ tlb_gather_mmu(&tlb, mm); -+ ret = mprotect_fixup(&tlb, vma, &prev, vma->vm_start, vma->vm_end, - vm_flags); -+ tlb_finish_mmu(&tlb); -+ - if (ret) - goto out_unlock; - BUG_ON(prev != vma); -diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h -index f123e15d966e8..6cb3e6fe11e7f 100644 ---- a/include/linux/huge_mm.h -+++ b/include/linux/huge_mm.h -@@ -36,8 +36,9 @@ int zap_huge_pud(struct mmu_gather *tlb, struct vm_area_struct *vma, pud_t *pud, - unsigned long addr); - bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr, - unsigned long new_addr, pmd_t *old_pmd, pmd_t *new_pmd); --int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr, -- pgprot_t newprot, unsigned long cp_flags); -+int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, -+ pmd_t *pmd, unsigned long addr, pgprot_t newprot, -+ unsigned long cp_flags); - vm_fault_t vmf_insert_pfn_pmd_prot(struct vm_fault *vmf, pfn_t pfn, - pgprot_t pgprot, bool write); - -diff --git a/include/linux/mm.h b/include/linux/mm.h -index 5692055f202cb..e05c91ea5735d 100644 ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -1899,10 +1899,11 @@ extern unsigned long move_page_tables(struct vm_area_struct *vma, - #define MM_CP_UFFD_WP_ALL (MM_CP_UFFD_WP | \ - MM_CP_UFFD_WP_RESOLVE) - --extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, -+extern unsigned long change_protection(struct mmu_gather *tlb, -+ struct vm_area_struct *vma, unsigned long start, - unsigned long end, pgprot_t newprot, - unsigned long cp_flags); --extern int mprotect_fixup(struct vm_area_struct *vma, -+extern int mprotect_fixup(struct mmu_gather *tlb, struct vm_area_struct *vma, - struct vm_area_struct **pprev, unsigned long start, - unsigned long end, unsigned long newflags); - -diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index 98ff57c8eda69..661dd29642ebc 100644 ---- a/mm/huge_memory.c -+++ b/mm/huge_memory.c -@@ -1720,8 +1720,9 @@ bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr, - * or if prot_numa but THP migration is not supported - * - HPAGE_PMD_NR if protections changed and TLB flush necessary - */ --int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, -- unsigned long addr, pgprot_t newprot, unsigned long cp_flags) -+int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, -+ pmd_t *pmd, unsigned long addr, pgprot_t newprot, -+ unsigned long cp_flags) - { - struct mm_struct *mm = vma->vm_mm; - spinlock_t *ptl; -@@ -1732,6 +1733,8 @@ int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, - bool uffd_wp = cp_flags & MM_CP_UFFD_WP; - bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE; - -+ tlb_change_page_size(tlb, HPAGE_PMD_SIZE); -+ - if (prot_numa && !thp_migration_supported()) - return 1; - -@@ -1816,6 +1819,9 @@ int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, - } - ret = HPAGE_PMD_NR; - set_pmd_at(mm, addr, pmd, entry); -+ -+ tlb_flush_pmd_range(tlb, addr, HPAGE_PMD_SIZE); -+ - BUG_ON(vma_is_anonymous(vma) && !preserve_write && pmd_write(entry)); - unlock: - spin_unlock(ptl); -diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index 818753635e427..c05e979fd8695 100644 ---- a/mm/mempolicy.c -+++ b/mm/mempolicy.c -@@ -104,6 +104,7 @@ - #include - - #include -+#include - #include - - #include "internal.h" -@@ -634,12 +635,18 @@ static int queue_pages_hugetlb(pte_t *pte, unsigned long hmask, - unsigned long change_prot_numa(struct vm_area_struct *vma, - unsigned long addr, unsigned long end) - { -+ struct mmu_gather tlb; - int nr_updated; - -- nr_updated = change_protection(vma, addr, end, PAGE_NONE, MM_CP_PROT_NUMA); -+ tlb_gather_mmu(&tlb, vma->vm_mm); -+ -+ nr_updated = change_protection(&tlb, vma, addr, end, PAGE_NONE, -+ MM_CP_PROT_NUMA); - if (nr_updated) - count_vm_numa_events(NUMA_PTE_UPDATES, nr_updated); - -+ tlb_finish_mmu(&tlb); -+ - return nr_updated; - } - #else -diff --git a/mm/mprotect.c b/mm/mprotect.c -index ed18dc49533f6..fe1196be9ca28 100644 ---- a/mm/mprotect.c -+++ b/mm/mprotect.c -@@ -32,12 +32,13 @@ - #include - #include - #include -+#include - - #include "internal.h" - --static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, -- unsigned long addr, unsigned long end, pgprot_t newprot, -- unsigned long cp_flags) -+static unsigned long change_pte_range(struct mmu_gather *tlb, -+ struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr, -+ unsigned long end, pgprot_t newprot, unsigned long cp_flags) - { - pte_t *pte, oldpte; - spinlock_t *ptl; -@@ -48,6 +49,8 @@ static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, - bool uffd_wp = cp_flags & MM_CP_UFFD_WP; - bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE; - -+ tlb_change_page_size(tlb, PAGE_SIZE); -+ - /* - * Can be called with only the mmap_lock for reading by - * prot_numa so we must check the pmd isn't constantly -@@ -138,6 +141,7 @@ static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, - ptent = pte_mkwrite(ptent); - } - ptep_modify_prot_commit(vma, addr, pte, oldpte, ptent); -+ tlb_flush_pte_range(tlb, addr, PAGE_SIZE); - pages++; - } else if (is_swap_pte(oldpte)) { - swp_entry_t entry = pte_to_swp_entry(oldpte); -@@ -219,9 +223,9 @@ static inline int pmd_none_or_clear_bad_unless_trans_huge(pmd_t *pmd) - return 0; - } - --static inline unsigned long change_pmd_range(struct vm_area_struct *vma, -- pud_t *pud, unsigned long addr, unsigned long end, -- pgprot_t newprot, unsigned long cp_flags) -+static inline unsigned long change_pmd_range(struct mmu_gather *tlb, -+ struct vm_area_struct *vma, pud_t *pud, unsigned long addr, -+ unsigned long end, pgprot_t newprot, unsigned long cp_flags) - { - pmd_t *pmd; - unsigned long next; -@@ -261,8 +265,12 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma, - if (next - addr != HPAGE_PMD_SIZE) { - __split_huge_pmd(vma, pmd, addr, false, NULL); - } else { -- int nr_ptes = change_huge_pmd(vma, pmd, addr, -- newprot, cp_flags); -+ /* -+ * change_huge_pmd() does not defer TLB flushes, -+ * so no need to propagate the tlb argument. -+ */ -+ int nr_ptes = change_huge_pmd(tlb, vma, pmd, -+ addr, newprot, cp_flags); - - if (nr_ptes) { - if (nr_ptes == HPAGE_PMD_NR) { -@@ -276,8 +284,8 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma, - } - /* fall through, the trans huge pmd just split */ - } -- this_pages = change_pte_range(vma, pmd, addr, next, newprot, -- cp_flags); -+ this_pages = change_pte_range(tlb, vma, pmd, addr, next, -+ newprot, cp_flags); - pages += this_pages; - next: - cond_resched(); -@@ -291,9 +299,9 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma, - return pages; - } - --static inline unsigned long change_pud_range(struct vm_area_struct *vma, -- p4d_t *p4d, unsigned long addr, unsigned long end, -- pgprot_t newprot, unsigned long cp_flags) -+static inline unsigned long change_pud_range(struct mmu_gather *tlb, -+ struct vm_area_struct *vma, p4d_t *p4d, unsigned long addr, -+ unsigned long end, pgprot_t newprot, unsigned long cp_flags) - { - pud_t *pud; - unsigned long next; -@@ -304,16 +312,16 @@ static inline unsigned long change_pud_range(struct vm_area_struct *vma, - next = pud_addr_end(addr, end); - if (pud_none_or_clear_bad(pud)) - continue; -- pages += change_pmd_range(vma, pud, addr, next, newprot, -+ pages += change_pmd_range(tlb, vma, pud, addr, next, newprot, - cp_flags); - } while (pud++, addr = next, addr != end); - - return pages; - } - --static inline unsigned long change_p4d_range(struct vm_area_struct *vma, -- pgd_t *pgd, unsigned long addr, unsigned long end, -- pgprot_t newprot, unsigned long cp_flags) -+static inline unsigned long change_p4d_range(struct mmu_gather *tlb, -+ struct vm_area_struct *vma, pgd_t *pgd, unsigned long addr, -+ unsigned long end, pgprot_t newprot, unsigned long cp_flags) - { - p4d_t *p4d; - unsigned long next; -@@ -324,44 +332,40 @@ static inline unsigned long change_p4d_range(struct vm_area_struct *vma, - next = p4d_addr_end(addr, end); - if (p4d_none_or_clear_bad(p4d)) - continue; -- pages += change_pud_range(vma, p4d, addr, next, newprot, -+ pages += change_pud_range(tlb, vma, p4d, addr, next, newprot, - cp_flags); - } while (p4d++, addr = next, addr != end); - - return pages; - } - --static unsigned long change_protection_range(struct vm_area_struct *vma, -- unsigned long addr, unsigned long end, pgprot_t newprot, -- unsigned long cp_flags) -+static unsigned long change_protection_range(struct mmu_gather *tlb, -+ struct vm_area_struct *vma, unsigned long addr, -+ unsigned long end, pgprot_t newprot, unsigned long cp_flags) - { - struct mm_struct *mm = vma->vm_mm; - pgd_t *pgd; - unsigned long next; -- unsigned long start = addr; - unsigned long pages = 0; - - BUG_ON(addr >= end); - pgd = pgd_offset(mm, addr); -- flush_cache_range(vma, addr, end); -- inc_tlb_flush_pending(mm); -+ tlb_start_vma(tlb, vma); - do { - next = pgd_addr_end(addr, end); - if (pgd_none_or_clear_bad(pgd)) - continue; -- pages += change_p4d_range(vma, pgd, addr, next, newprot, -+ pages += change_p4d_range(tlb, vma, pgd, addr, next, newprot, - cp_flags); - } while (pgd++, addr = next, addr != end); - -- /* Only flush the TLB if we actually modified any entries: */ -- if (pages) -- flush_tlb_range(vma, start, end); -- dec_tlb_flush_pending(mm); -+ tlb_end_vma(tlb, vma); - - return pages; - } - --unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, -+unsigned long change_protection(struct mmu_gather *tlb, -+ struct vm_area_struct *vma, unsigned long start, - unsigned long end, pgprot_t newprot, - unsigned long cp_flags) - { -@@ -372,7 +376,7 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, - if (is_vm_hugetlb_page(vma)) - pages = hugetlb_change_protection(vma, start, end, newprot); - else -- pages = change_protection_range(vma, start, end, newprot, -+ pages = change_protection_range(tlb, vma, start, end, newprot, - cp_flags); - - return pages; -@@ -406,8 +410,9 @@ static const struct mm_walk_ops prot_none_walk_ops = { - }; - - int --mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, -- unsigned long start, unsigned long end, unsigned long newflags) -+mprotect_fixup(struct mmu_gather *tlb, struct vm_area_struct *vma, -+ struct vm_area_struct **pprev, unsigned long start, -+ unsigned long end, unsigned long newflags) - { - struct mm_struct *mm = vma->vm_mm; - unsigned long oldflags = vma->vm_flags; -@@ -494,7 +499,7 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, - dirty_accountable = vma_wants_writenotify(vma, vma->vm_page_prot); - vma_set_page_prot(vma); - -- change_protection(vma, start, end, vma->vm_page_prot, -+ change_protection(tlb, vma, start, end, vma->vm_page_prot, - dirty_accountable ? MM_CP_DIRTY_ACCT : 0); - - /* -@@ -528,6 +533,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len, - const int grows = prot & (PROT_GROWSDOWN|PROT_GROWSUP); - const bool rier = (current->personality & READ_IMPLIES_EXEC) && - (prot & PROT_READ); -+ struct mmu_gather tlb; - - start = untagged_addr(start); - -@@ -584,6 +590,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len, - if (start > vma->vm_start) - prev = vma; - -+ tlb_gather_mmu(&tlb, current->mm); - for (nstart = start ; ; ) { - unsigned long mask_off_old_flags; - unsigned long newflags; -@@ -610,18 +617,18 @@ static int do_mprotect_pkey(unsigned long start, size_t len, - /* newflags >> 4 shift VM_MAY% in place of VM_% */ - if ((newflags & ~(newflags >> 4)) & VM_ACCESS_FLAGS) { - error = -EACCES; -- goto out; -+ break; - } - - /* Allow architectures to sanity-check the new flags */ - if (!arch_validate_flags(newflags)) { - error = -EINVAL; -- goto out; -+ break; - } - - error = security_file_mprotect(vma, reqprot, prot); - if (error) -- goto out; -+ break; - - tmp = vma->vm_end; - if (tmp > end) -@@ -630,27 +637,28 @@ static int do_mprotect_pkey(unsigned long start, size_t len, - if (vma->vm_ops && vma->vm_ops->mprotect) { - error = vma->vm_ops->mprotect(vma, nstart, tmp, newflags); - if (error) -- goto out; -+ break; - } - -- error = mprotect_fixup(vma, &prev, nstart, tmp, newflags); -+ error = mprotect_fixup(&tlb, vma, &prev, nstart, tmp, newflags); - if (error) -- goto out; -+ break; - - nstart = tmp; - - if (nstart < prev->vm_end) - nstart = prev->vm_end; - if (nstart >= end) -- goto out; -+ break; - - vma = prev->vm_next; - if (!vma || vma->vm_start != nstart) { - error = -ENOMEM; -- goto out; -+ break; - } - prot = reqprot; - } -+ tlb_finish_mmu(&tlb); - out: - mmap_write_unlock(current->mm); - return error; -diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c -index 98a9d0ef2d917..eafdc112ac7aa 100644 ---- a/mm/userfaultfd.c -+++ b/mm/userfaultfd.c -@@ -16,6 +16,7 @@ - #include - #include - #include -+#include - #include "internal.h" - - static __always_inline -@@ -698,6 +699,7 @@ int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start, - atomic_t *mmap_changing) - { - struct vm_area_struct *dst_vma; -+ struct mmu_gather tlb; - pgprot_t newprot; - int err; - -@@ -739,8 +741,10 @@ int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start, - else - newprot = vm_get_page_prot(dst_vma->vm_flags); - -- change_protection(dst_vma, start, start + len, newprot, -+ tlb_gather_mmu(&tlb, dst_mm); -+ change_protection(&tlb, dst_vma, start, start + len, newprot, - enable_wp ? MM_CP_UFFD_WP : MM_CP_UFFD_WP_RESOLVE); -+ tlb_finish_mmu(&tlb); - - err = 0; - out_unlock: --- -2.43.0 - diff --git a/queue-5.15/mmc-davinci-don-t-strip-remove-function-when-driver-.patch b/queue-5.15/mmc-davinci-don-t-strip-remove-function-when-driver-.patch deleted file mode 100644 index 7ca4525c05c..00000000000 --- a/queue-5.15/mmc-davinci-don-t-strip-remove-function-when-driver-.patch +++ /dev/null @@ -1,59 +0,0 @@ -From db1dc85c7dd16e575bad700b7761451733db9665 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 24 Mar 2024 12:40:17 +0100 -Subject: mmc: davinci: Don't strip remove function when driver is builtin -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Uwe Kleine-König - -[ Upstream commit 55c421b364482b61c4c45313a535e61ed5ae4ea3 ] - -Using __exit for the remove function results in the remove callback being -discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. -using sysfs or hotplug), the driver is just removed without the cleanup -being performed. This results in resource leaks. Fix it by compiling in the -remove callback unconditionally. - -This also fixes a W=1 modpost warning: - -WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in -reference: davinci_mmcsd_driver+0x10 (section: .data) -> -davinci_mmcsd_remove (section: .exit.text) - -Fixes: b4cff4549b7a ("DaVinci: MMC: MMC/SD controller driver for DaVinci family") -Signed-off-by: Uwe Kleine-König -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20240324114017.231936-2-u.kleine-koenig@pengutronix.de -Signed-off-by: Ulf Hansson -Signed-off-by: Sasha Levin ---- - drivers/mmc/host/davinci_mmc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c -index 36c45867eb643..e0175808c3b0d 100644 ---- a/drivers/mmc/host/davinci_mmc.c -+++ b/drivers/mmc/host/davinci_mmc.c -@@ -1347,7 +1347,7 @@ static int davinci_mmcsd_probe(struct platform_device *pdev) - return ret; - } - --static void __exit davinci_mmcsd_remove(struct platform_device *pdev) -+static void davinci_mmcsd_remove(struct platform_device *pdev) - { - struct mmc_davinci_host *host = platform_get_drvdata(pdev); - -@@ -1402,7 +1402,7 @@ static struct platform_driver davinci_mmcsd_driver = { - .of_match_table = davinci_mmc_dt_ids, - }, - .probe = davinci_mmcsd_probe, -- .remove_new = __exit_p(davinci_mmcsd_remove), -+ .remove_new = davinci_mmcsd_remove, - .id_table = davinci_mmc_devtype, - }; - --- -2.43.0 - diff --git a/queue-5.15/mmc-davinci_mmc-convert-to-platform-remove-callback-.patch b/queue-5.15/mmc-davinci_mmc-convert-to-platform-remove-callback-.patch deleted file mode 100644 index 9de90e1b57f..00000000000 --- a/queue-5.15/mmc-davinci_mmc-convert-to-platform-remove-callback-.patch +++ /dev/null @@ -1,67 +0,0 @@ -From d2d80526ac7c82e3143dd7b830c6843e7acbbf7d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 27 Jul 2023 14:59:56 +0800 -Subject: mmc: davinci_mmc: Convert to platform remove callback returning void -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Yangtao Li - -[ Upstream commit bc1711e8332da03648d8fe1950189237e66313af ] - -The .remove() callback for a platform driver returns an int which makes -many driver authors wrongly assume it's possible to do error handling by -returning an error code. However the value returned is (mostly) ignored -and this typically results in resource leaks. To improve here there is a -quest to make the remove callback return void. In the first step of this -quest all drivers are converted to .remove_new() which already returns -void. - -Trivially convert this driver from always returning zero in the remove -callback to the void returning variant. - -Cc: Uwe Kleine-König -Signed-off-by: Yangtao Li -Link: https://lore.kernel.org/r/20230727070051.17778-7-frank.li@vivo.com -Signed-off-by: Ulf Hansson -Stable-dep-of: 55c421b36448 ("mmc: davinci: Don't strip remove function when driver is builtin") -Signed-off-by: Sasha Levin ---- - drivers/mmc/host/davinci_mmc.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c -index 80de660027d89..36c45867eb643 100644 ---- a/drivers/mmc/host/davinci_mmc.c -+++ b/drivers/mmc/host/davinci_mmc.c -@@ -1347,7 +1347,7 @@ static int davinci_mmcsd_probe(struct platform_device *pdev) - return ret; - } - --static int __exit davinci_mmcsd_remove(struct platform_device *pdev) -+static void __exit davinci_mmcsd_remove(struct platform_device *pdev) - { - struct mmc_davinci_host *host = platform_get_drvdata(pdev); - -@@ -1356,8 +1356,6 @@ static int __exit davinci_mmcsd_remove(struct platform_device *pdev) - davinci_release_dma_channels(host); - clk_disable_unprepare(host->clk); - mmc_free_host(host->mmc); -- -- return 0; - } - - #ifdef CONFIG_PM -@@ -1404,7 +1402,7 @@ static struct platform_driver davinci_mmcsd_driver = { - .of_match_table = davinci_mmc_dt_ids, - }, - .probe = davinci_mmcsd_probe, -- .remove = __exit_p(davinci_mmcsd_remove), -+ .remove_new = __exit_p(davinci_mmcsd_remove), - .id_table = davinci_mmc_devtype, - }; - --- -2.43.0 - diff --git a/queue-5.15/net-drop-nopreempt-requirement-on-sock_prot_inuse_ad.patch b/queue-5.15/net-drop-nopreempt-requirement-on-sock_prot_inuse_ad.patch deleted file mode 100644 index 242a294b239..00000000000 --- a/queue-5.15/net-drop-nopreempt-requirement-on-sock_prot_inuse_ad.patch +++ /dev/null @@ -1,258 +0,0 @@ -From 273f0826c81d3fcfcfdbcf1cd99efe2202aa4709 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Nov 2021 09:11:50 -0800 -Subject: net: drop nopreempt requirement on sock_prot_inuse_add() - -From: Eric Dumazet - -[ Upstream commit b3cb764aa1d753cf6a58858f9e2097ba71e8100b ] - -This is distracting really, let's make this simpler, -because many callers had to take care of this -by themselves, even if on x86 this adds more -code than really needed. - -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller -Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") -Signed-off-by: Sasha Levin ---- - include/net/sock.h | 4 ++-- - net/ieee802154/socket.c | 4 ++-- - net/ipv4/raw.c | 2 +- - net/ipv6/ipv6_sockglue.c | 8 ++++---- - net/netlink/af_netlink.c | 4 ---- - net/packet/af_packet.c | 4 ---- - net/sctp/socket.c | 5 ----- - net/smc/af_smc.c | 2 +- - net/unix/af_unix.c | 4 ---- - net/xdp/xsk.c | 4 ---- - 10 files changed, 10 insertions(+), 31 deletions(-) - -diff --git a/include/net/sock.h b/include/net/sock.h -index c13c284222424..146f1b9c30636 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -1464,11 +1464,11 @@ proto_memory_pressure(struct proto *prot) - struct prot_inuse { - int val[PROTO_INUSE_NR]; - }; --/* Called with local bh disabled */ -+ - static inline void sock_prot_inuse_add(const struct net *net, - const struct proto *prot, int val) - { -- __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val); -+ this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val); - } - int sock_prot_inuse_get(struct net *net, struct proto *proto); - int sock_inuse_get(struct net *net); -diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c -index c33f46c9b6b34..586a6c4adf246 100644 ---- a/net/ieee802154/socket.c -+++ b/net/ieee802154/socket.c -@@ -174,8 +174,8 @@ static int raw_hash(struct sock *sk) - { - write_lock_bh(&raw_lock); - sk_add_node(sk, &raw_head); -- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); - write_unlock_bh(&raw_lock); -+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); - - return 0; - } -@@ -458,8 +458,8 @@ static int dgram_hash(struct sock *sk) - { - write_lock_bh(&dgram_lock); - sk_add_node(sk, &dgram_head); -- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); - write_unlock_bh(&dgram_lock); -+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); - - return 0; - } -diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index f532589d26926..cc8e946768e43 100644 ---- a/net/ipv4/raw.c -+++ b/net/ipv4/raw.c -@@ -99,8 +99,8 @@ int raw_hash_sk(struct sock *sk) - - write_lock_bh(&h->lock); - sk_add_node(sk, head); -- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); - write_unlock_bh(&h->lock); -+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); - - return 0; - } -diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c -index 197e12d5607f1..2071a212a2679 100644 ---- a/net/ipv6/ipv6_sockglue.c -+++ b/net/ipv6/ipv6_sockglue.c -@@ -471,10 +471,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - - if (sk->sk_protocol == IPPROTO_TCP) { - struct inet_connection_sock *icsk = inet_csk(sk); -- local_bh_disable(); -+ - sock_prot_inuse_add(net, sk->sk_prot, -1); - sock_prot_inuse_add(net, &tcp_prot, 1); -- local_bh_enable(); -+ - sk->sk_prot = &tcp_prot; - icsk->icsk_af_ops = &ipv4_specific; - sk->sk_socket->ops = &inet_stream_ops; -@@ -485,10 +485,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - - if (sk->sk_protocol == IPPROTO_UDPLITE) - prot = &udplite_prot; -- local_bh_disable(); -+ - sock_prot_inuse_add(net, sk->sk_prot, -1); - sock_prot_inuse_add(net, prot, 1); -- local_bh_enable(); -+ - sk->sk_prot = prot; - sk->sk_socket->ops = &inet_dgram_ops; - sk->sk_family = PF_INET; -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 216445dd44db9..18a38db2b27eb 100644 ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -711,9 +711,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol, - if (err < 0) - goto out_module; - -- local_bh_disable(); - sock_prot_inuse_add(net, &netlink_proto, 1); -- local_bh_enable(); - - nlk = nlk_sk(sock->sk); - nlk->module = module; -@@ -813,9 +811,7 @@ static int netlink_release(struct socket *sock) - netlink_table_ungrab(); - } - -- local_bh_disable(); - sock_prot_inuse_add(sock_net(sk), &netlink_proto, -1); -- local_bh_enable(); - call_rcu(&nlk->rcu, deferred_put_nlk_sk); - return 0; - } -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 0ab3b09f863ba..4f920502f92fe 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3092,9 +3092,7 @@ static int packet_release(struct socket *sock) - sk_del_node_init_rcu(sk); - mutex_unlock(&net->packet.sklist_lock); - -- preempt_disable(); - sock_prot_inuse_add(net, sk->sk_prot, -1); -- preempt_enable(); - - spin_lock(&po->bind_lock); - unregister_prot_hook(sk, false); -@@ -3361,9 +3359,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, - sk_add_node_tail_rcu(sk, &net->packet.sklist); - mutex_unlock(&net->packet.sklist_lock); - -- preempt_disable(); - sock_prot_inuse_add(net, &packet_proto, 1); -- preempt_enable(); - - return 0; - out2: -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 57acf7ed80de3..d9271ffb29781 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -5073,12 +5073,9 @@ static int sctp_init_sock(struct sock *sk) - - SCTP_DBG_OBJCNT_INC(sock); - -- local_bh_disable(); - sk_sockets_allocated_inc(sk); - sock_prot_inuse_add(net, sk->sk_prot, 1); - -- local_bh_enable(); -- - return 0; - } - -@@ -5104,10 +5101,8 @@ static void sctp_destroy_sock(struct sock *sk) - list_del(&sp->auto_asconf_list); - } - sctp_endpoint_free(sp->ep); -- local_bh_disable(); - sk_sockets_allocated_dec(sk); - sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); -- local_bh_enable(); - } - - /* Triggered when there are no references on the socket anymore */ -diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c -index 8c11eb70c0f69..bd0b3a8b95d50 100644 ---- a/net/smc/af_smc.c -+++ b/net/smc/af_smc.c -@@ -88,8 +88,8 @@ int smc_hash_sk(struct sock *sk) - - write_lock_bh(&h->lock); - sk_add_node(sk, head); -- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); - write_unlock_bh(&h->lock); -+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); - - return 0; - } -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 73b287b7a1154..262aeaea9861c 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -515,9 +515,7 @@ static void unix_sock_destructor(struct sock *sk) - unix_release_addr(u->addr); - - atomic_long_dec(&unix_nr_socks); -- local_bh_disable(); - sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); -- local_bh_enable(); - #ifdef UNIX_REFCNT_DEBUG - pr_debug("UNIX %p is destroyed, %ld are still alive.\n", sk, - atomic_long_read(&unix_nr_socks)); -@@ -890,9 +888,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern, - memset(&u->scm_stat, 0, sizeof(struct scm_stat)); - unix_insert_socket(unix_sockets_unbound(sk), sk); - -- local_bh_disable(); - sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); -- local_bh_enable(); - - return sk; - -diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c -index 1f61d15b3d1d4..da31a99ce6521 100644 ---- a/net/xdp/xsk.c -+++ b/net/xdp/xsk.c -@@ -842,9 +842,7 @@ static int xsk_release(struct socket *sock) - sk_del_node_init_rcu(sk); - mutex_unlock(&net->xdp.lock); - -- local_bh_disable(); - sock_prot_inuse_add(net, sk->sk_prot, -1); -- local_bh_enable(); - - xsk_delete_from_maps(xs); - mutex_lock(&xs->mutex); -@@ -1465,9 +1463,7 @@ static int xsk_create(struct net *net, struct socket *sock, int protocol, - sk_add_node_rcu(sk, &net->xdp.list); - mutex_unlock(&net->xdp.lock); - -- local_bh_disable(); - sock_prot_inuse_add(net, &xsk_proto, 1); -- local_bh_enable(); - - return 0; - } --- -2.43.0 - diff --git a/queue-5.15/net-inline-sock_prot_inuse_add.patch b/queue-5.15/net-inline-sock_prot_inuse_add.patch deleted file mode 100644 index 6c694b38209..00000000000 --- a/queue-5.15/net-inline-sock_prot_inuse_add.patch +++ /dev/null @@ -1,76 +0,0 @@ -From ab981fed621a211beeedabf25d14259651bfa005 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Nov 2021 09:11:47 -0800 -Subject: net: inline sock_prot_inuse_add() - -From: Eric Dumazet - -[ Upstream commit 2a12ae5d433df3d3c3f1a930799ec09cb2b8058f ] - -sock_prot_inuse_add() is very small, we can inline it. - -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller -Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") -Signed-off-by: Sasha Levin ---- - include/net/sock.h | 14 +++++++++++--- - net/core/sock.c | 11 ----------- - 2 files changed, 11 insertions(+), 14 deletions(-) - -diff --git a/include/net/sock.h b/include/net/sock.h -index b8de579b916e8..c13c284222424 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -1460,13 +1460,21 @@ proto_memory_pressure(struct proto *prot) - - - #ifdef CONFIG_PROC_FS -+#define PROTO_INUSE_NR 64 /* should be enough for the first time */ -+struct prot_inuse { -+ int val[PROTO_INUSE_NR]; -+}; - /* Called with local bh disabled */ --void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc); -+static inline void sock_prot_inuse_add(const struct net *net, -+ const struct proto *prot, int val) -+{ -+ __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val); -+} - int sock_prot_inuse_get(struct net *net, struct proto *proto); - int sock_inuse_get(struct net *net); - #else --static inline void sock_prot_inuse_add(struct net *net, struct proto *prot, -- int inc) -+static inline void sock_prot_inuse_add(const struct net *net, -+ const struct proto *prot, int val) - { - } - #endif -diff --git a/net/core/sock.c b/net/core/sock.c -index 62e376f09f957..e79e1c7933537 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -3497,19 +3497,8 @@ void sk_get_meminfo(const struct sock *sk, u32 *mem) - } - - #ifdef CONFIG_PROC_FS --#define PROTO_INUSE_NR 64 /* should be enough for the first time */ --struct prot_inuse { -- int val[PROTO_INUSE_NR]; --}; -- - static DECLARE_BITMAP(proto_inuse_idx, PROTO_INUSE_NR); - --void sock_prot_inuse_add(struct net *net, struct proto *prot, int val) --{ -- __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val); --} --EXPORT_SYMBOL_GPL(sock_prot_inuse_add); -- - int sock_prot_inuse_get(struct net *net, struct proto *prot) - { - int cpu, idx = prot->inuse_idx; --- -2.43.0 - diff --git a/queue-5.15/net-ncsi-fix-the-multi-thread-manner-of-ncsi-driver.patch b/queue-5.15/net-ncsi-fix-the-multi-thread-manner-of-ncsi-driver.patch deleted file mode 100644 index ce1ea6ca0a8..00000000000 --- a/queue-5.15/net-ncsi-fix-the-multi-thread-manner-of-ncsi-driver.patch +++ /dev/null @@ -1,220 +0,0 @@ -From 26e01ee3bec1ebf251e1e9c3050de28cba208228 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 29 May 2024 14:58:55 +0800 -Subject: net/ncsi: Fix the multi thread manner of NCSI driver - -From: DelphineCCChiu - -[ Upstream commit e85e271dec0270982afed84f70dc37703fcc1d52 ] - -Currently NCSI driver will send several NCSI commands back to back without -waiting the response of previous NCSI command or timeout in some state -when NIC have multi channel. This operation against the single thread -manner defined by NCSI SPEC(section 6.3.2.3 in DSP0222_1.1.1) - -According to NCSI SPEC(section 6.2.13.1 in DSP0222_1.1.1), we should probe -one channel at a time by sending NCSI commands (Clear initial state, Get -version ID, Get capabilities...), than repeat this steps until the max -number of channels which we got from NCSI command (Get capabilities) has -been probed. - -Fixes: e6f44ed6d04d ("net/ncsi: Package and channel management") -Signed-off-by: DelphineCCChiu -Link: https://lore.kernel.org/r/20240529065856.825241-1-delphine_cc_chiu@wiwynn.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ncsi/internal.h | 2 ++ - net/ncsi/ncsi-manage.c | 73 +++++++++++++++++++++--------------------- - net/ncsi/ncsi-rsp.c | 4 ++- - 3 files changed, 41 insertions(+), 38 deletions(-) - -diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h -index 374412ed780b6..ef0f8f73826f5 100644 ---- a/net/ncsi/internal.h -+++ b/net/ncsi/internal.h -@@ -325,6 +325,7 @@ struct ncsi_dev_priv { - spinlock_t lock; /* Protect the NCSI device */ - unsigned int package_probe_id;/* Current ID during probe */ - unsigned int package_num; /* Number of packages */ -+ unsigned int channel_probe_id;/* Current cahnnel ID during probe */ - struct list_head packages; /* List of packages */ - struct ncsi_channel *hot_channel; /* Channel was ever active */ - struct ncsi_request requests[256]; /* Request table */ -@@ -343,6 +344,7 @@ struct ncsi_dev_priv { - bool multi_package; /* Enable multiple packages */ - bool mlx_multi_host; /* Enable multi host Mellanox */ - u32 package_whitelist; /* Packages to configure */ -+ unsigned char channel_count; /* Num of channels to probe */ - }; - - struct ncsi_cmd_arg { -diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c -index 734feb2352fbc..30f5502530374 100644 ---- a/net/ncsi/ncsi-manage.c -+++ b/net/ncsi/ncsi-manage.c -@@ -510,17 +510,19 @@ static void ncsi_suspend_channel(struct ncsi_dev_priv *ndp) - - break; - case ncsi_dev_state_suspend_gls: -- ndp->pending_req_num = np->channel_num; -+ ndp->pending_req_num = 1; - - nca.type = NCSI_PKT_CMD_GLS; - nca.package = np->id; -+ nca.channel = ndp->channel_probe_id; -+ ret = ncsi_xmit_cmd(&nca); -+ if (ret) -+ goto error; -+ ndp->channel_probe_id++; - -- nd->state = ncsi_dev_state_suspend_dcnt; -- NCSI_FOR_EACH_CHANNEL(np, nc) { -- nca.channel = nc->id; -- ret = ncsi_xmit_cmd(&nca); -- if (ret) -- goto error; -+ if (ndp->channel_probe_id == ndp->channel_count) { -+ ndp->channel_probe_id = 0; -+ nd->state = ncsi_dev_state_suspend_dcnt; - } - - break; -@@ -1340,7 +1342,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) - { - struct ncsi_dev *nd = &ndp->ndev; - struct ncsi_package *np; -- struct ncsi_channel *nc; - struct ncsi_cmd_arg nca; - unsigned char index; - int ret; -@@ -1418,23 +1419,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) - - nd->state = ncsi_dev_state_probe_cis; - break; -- case ncsi_dev_state_probe_cis: -- ndp->pending_req_num = NCSI_RESERVED_CHANNEL; -- -- /* Clear initial state */ -- nca.type = NCSI_PKT_CMD_CIS; -- nca.package = ndp->active_package->id; -- for (index = 0; index < NCSI_RESERVED_CHANNEL; index++) { -- nca.channel = index; -- ret = ncsi_xmit_cmd(&nca); -- if (ret) -- goto error; -- } -- -- nd->state = ncsi_dev_state_probe_gvi; -- if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY)) -- nd->state = ncsi_dev_state_probe_keep_phy; -- break; - case ncsi_dev_state_probe_keep_phy: - ndp->pending_req_num = 1; - -@@ -1447,14 +1431,17 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) - - nd->state = ncsi_dev_state_probe_gvi; - break; -+ case ncsi_dev_state_probe_cis: - case ncsi_dev_state_probe_gvi: - case ncsi_dev_state_probe_gc: - case ncsi_dev_state_probe_gls: - np = ndp->active_package; -- ndp->pending_req_num = np->channel_num; -+ ndp->pending_req_num = 1; - -- /* Retrieve version, capability or link status */ -- if (nd->state == ncsi_dev_state_probe_gvi) -+ /* Clear initial state Retrieve version, capability or link status */ -+ if (nd->state == ncsi_dev_state_probe_cis) -+ nca.type = NCSI_PKT_CMD_CIS; -+ else if (nd->state == ncsi_dev_state_probe_gvi) - nca.type = NCSI_PKT_CMD_GVI; - else if (nd->state == ncsi_dev_state_probe_gc) - nca.type = NCSI_PKT_CMD_GC; -@@ -1462,19 +1449,29 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) - nca.type = NCSI_PKT_CMD_GLS; - - nca.package = np->id; -- NCSI_FOR_EACH_CHANNEL(np, nc) { -- nca.channel = nc->id; -- ret = ncsi_xmit_cmd(&nca); -- if (ret) -- goto error; -- } -+ nca.channel = ndp->channel_probe_id; - -- if (nd->state == ncsi_dev_state_probe_gvi) -+ ret = ncsi_xmit_cmd(&nca); -+ if (ret) -+ goto error; -+ -+ if (nd->state == ncsi_dev_state_probe_cis) { -+ nd->state = ncsi_dev_state_probe_gvi; -+ if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY) && ndp->channel_probe_id == 0) -+ nd->state = ncsi_dev_state_probe_keep_phy; -+ } else if (nd->state == ncsi_dev_state_probe_gvi) { - nd->state = ncsi_dev_state_probe_gc; -- else if (nd->state == ncsi_dev_state_probe_gc) -+ } else if (nd->state == ncsi_dev_state_probe_gc) { - nd->state = ncsi_dev_state_probe_gls; -- else -+ } else { -+ nd->state = ncsi_dev_state_probe_cis; -+ ndp->channel_probe_id++; -+ } -+ -+ if (ndp->channel_probe_id == ndp->channel_count) { -+ ndp->channel_probe_id = 0; - nd->state = ncsi_dev_state_probe_dp; -+ } - break; - case ncsi_dev_state_probe_dp: - ndp->pending_req_num = 1; -@@ -1775,6 +1772,7 @@ struct ncsi_dev *ncsi_register_dev(struct net_device *dev, - ndp->requests[i].ndp = ndp; - timer_setup(&ndp->requests[i].timer, ncsi_request_timeout, 0); - } -+ ndp->channel_count = NCSI_RESERVED_CHANNEL; - - spin_lock_irqsave(&ncsi_dev_lock, flags); - list_add_tail_rcu(&ndp->node, &ncsi_dev_list); -@@ -1807,6 +1805,7 @@ int ncsi_start_dev(struct ncsi_dev *nd) - - if (!(ndp->flags & NCSI_DEV_PROBED)) { - ndp->package_probe_id = 0; -+ ndp->channel_probe_id = 0; - nd->state = ncsi_dev_state_probe; - schedule_work(&ndp->work); - return 0; -diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c -index 480e80e3c2836..f22d67cb04d37 100644 ---- a/net/ncsi/ncsi-rsp.c -+++ b/net/ncsi/ncsi-rsp.c -@@ -795,12 +795,13 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr) - struct ncsi_rsp_gc_pkt *rsp; - struct ncsi_dev_priv *ndp = nr->ndp; - struct ncsi_channel *nc; -+ struct ncsi_package *np; - size_t size; - - /* Find the channel */ - rsp = (struct ncsi_rsp_gc_pkt *)skb_network_header(nr->rsp); - ncsi_find_package_and_channel(ndp, rsp->rsp.common.channel, -- NULL, &nc); -+ &np, &nc); - if (!nc) - return -ENODEV; - -@@ -835,6 +836,7 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr) - */ - nc->vlan_filter.bitmap = U64_MAX; - nc->vlan_filter.n_vids = rsp->vlan_cnt; -+ np->ndp->channel_count = rsp->channel_cnt; - - return 0; - } --- -2.43.0 - diff --git a/queue-5.15/net-ncsi-simplify-kconfig-dts-control-flow.patch b/queue-5.15/net-ncsi-simplify-kconfig-dts-control-flow.patch deleted file mode 100644 index 69fbccf8ff7..00000000000 --- a/queue-5.15/net-ncsi-simplify-kconfig-dts-control-flow.patch +++ /dev/null @@ -1,152 +0,0 @@ -From db8e971e5aefe4855b8299f3e2aafa6081ffedcd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Nov 2023 10:07:33 -0600 -Subject: net/ncsi: Simplify Kconfig/dts control flow - -From: Peter Delevoryas - -[ Upstream commit c797ce168930ce3d62a9b7fc4d7040963ee6a01e ] - -Background: - -1. CONFIG_NCSI_OEM_CMD_KEEP_PHY - -If this is enabled, we send an extra OEM Intel command in the probe -sequence immediately after discovering a channel (e.g. after "Clear -Initial State"). - -2. CONFIG_NCSI_OEM_CMD_GET_MAC - -If this is enabled, we send one of 3 OEM "Get MAC Address" commands from -Broadcom, Mellanox (Nvidida), and Intel in the *configuration* sequence -for a channel. - -3. mellanox,multi-host (or mlx,multi-host) - -Introduced by this patch: - -https://lore.kernel.org/all/20200108234341.2590674-1-vijaykhemka@fb.com/ - -Which was actually originally from cosmo.chou@quantatw.com: - -https://github.com/facebook/openbmc-linux/commit/9f132a10ec48db84613519258cd8a317fb9c8f1b - -Cosmo claimed that the Nvidia ConnectX-4 and ConnectX-6 NIC's don't -respond to Get Version ID, et. al in the probe sequence unless you send -the Set MC Affinity command first. - -Problem Statement: - -We've been using a combination of #ifdef code blocks and IS_ENABLED() -conditions to conditionally send these OEM commands. - -It makes adding any new code around these commands hard to understand. - -Solution: - -In this patch, I just want to remove the conditionally compiled blocks -of code, and always use IS_ENABLED(...) to do dynamic control flow. - -I don't think the small amount of code this adds to non-users of the OEM -Kconfigs is a big deal. - -Signed-off-by: Peter Delevoryas -Signed-off-by: David S. Miller -Stable-dep-of: e85e271dec02 ("net/ncsi: Fix the multi thread manner of NCSI driver") -Signed-off-by: Sasha Levin ---- - net/ncsi/ncsi-manage.c | 20 +++----------------- - 1 file changed, 3 insertions(+), 17 deletions(-) - -diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c -index 7121ce2a47c0b..734feb2352fbc 100644 ---- a/net/ncsi/ncsi-manage.c -+++ b/net/ncsi/ncsi-manage.c -@@ -689,8 +689,6 @@ static int set_one_vid(struct ncsi_dev_priv *ndp, struct ncsi_channel *nc, - return 0; - } - --#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY) -- - static int ncsi_oem_keep_phy_intel(struct ncsi_cmd_arg *nca) - { - unsigned char data[NCSI_OEM_INTEL_CMD_KEEP_PHY_LEN]; -@@ -716,10 +714,6 @@ static int ncsi_oem_keep_phy_intel(struct ncsi_cmd_arg *nca) - return ret; - } - --#endif -- --#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC) -- - /* NCSI OEM Command APIs */ - static int ncsi_oem_gma_handler_bcm(struct ncsi_cmd_arg *nca) - { -@@ -856,8 +850,6 @@ static int ncsi_gma_handler(struct ncsi_cmd_arg *nca, unsigned int mf_id) - return nch->handler(nca); - } - --#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */ -- - /* Determine if a given channel from the channel_queue should be used for Tx */ - static bool ncsi_channel_is_tx(struct ncsi_dev_priv *ndp, - struct ncsi_channel *nc) -@@ -1039,20 +1031,18 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp) - goto error; - } - -- nd->state = ncsi_dev_state_config_oem_gma; -+ nd->state = IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC) -+ ? ncsi_dev_state_config_oem_gma -+ : ncsi_dev_state_config_clear_vids; - break; - case ncsi_dev_state_config_oem_gma: - nd->state = ncsi_dev_state_config_clear_vids; -- ret = -1; - --#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC) - nca.type = NCSI_PKT_CMD_OEM; - nca.package = np->id; - nca.channel = nc->id; - ndp->pending_req_num = 1; - ret = ncsi_gma_handler(&nca, nc->version.mf_id); --#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */ -- - if (ret < 0) - schedule_work(&ndp->work); - -@@ -1404,7 +1394,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) - - schedule_work(&ndp->work); - break; --#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC) - case ncsi_dev_state_probe_mlx_gma: - ndp->pending_req_num = 1; - -@@ -1429,7 +1418,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) - - nd->state = ncsi_dev_state_probe_cis; - break; --#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */ - case ncsi_dev_state_probe_cis: - ndp->pending_req_num = NCSI_RESERVED_CHANNEL; - -@@ -1447,7 +1435,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) - if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY)) - nd->state = ncsi_dev_state_probe_keep_phy; - break; --#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY) - case ncsi_dev_state_probe_keep_phy: - ndp->pending_req_num = 1; - -@@ -1460,7 +1447,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) - - nd->state = ncsi_dev_state_probe_gvi; - break; --#endif /* CONFIG_NCSI_OEM_CMD_KEEP_PHY */ - case ncsi_dev_state_probe_gvi: - case ncsi_dev_state_probe_gc: - case ncsi_dev_state_probe_gls: --- -2.43.0 - diff --git a/queue-5.15/net-sched-sch_multiq-fix-possible-oob-write-in-multi.patch b/queue-5.15/net-sched-sch_multiq-fix-possible-oob-write-in-multi.patch deleted file mode 100644 index a383053a0fa..00000000000 --- a/queue-5.15/net-sched-sch_multiq-fix-possible-oob-write-in-multi.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 012580408a8964b935cf4734390a75966d84b01b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 3 Jun 2024 15:13:03 +0800 -Subject: net: sched: sch_multiq: fix possible OOB write in multiq_tune() - -From: Hangyu Hua - -[ Upstream commit affc18fdc694190ca7575b9a86632a73b9fe043d ] - -q->bands will be assigned to qopt->bands to execute subsequent code logic -after kmalloc. So the old q->bands should not be used in kmalloc. -Otherwise, an out-of-bounds write will occur. - -Fixes: c2999f7fb05b ("net: sched: multiq: don't call qdisc_put() while holding tree lock") -Signed-off-by: Hangyu Hua -Acked-by: Cong Wang -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/sched/sch_multiq.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c -index 8b99f07aa3a76..caa76c96b02ba 100644 ---- a/net/sched/sch_multiq.c -+++ b/net/sched/sch_multiq.c -@@ -185,7 +185,7 @@ static int multiq_tune(struct Qdisc *sch, struct nlattr *opt, - - qopt->bands = qdisc_dev(sch)->real_num_tx_queues; - -- removed = kmalloc(sizeof(*removed) * (q->max_bands - q->bands), -+ removed = kmalloc(sizeof(*removed) * (q->max_bands - qopt->bands), - GFP_KERNEL); - if (!removed) - return -ENOMEM; --- -2.43.0 - diff --git a/queue-5.15/net-sched-taprio-always-validate-tca_taprio_attr_pri.patch b/queue-5.15/net-sched-taprio-always-validate-tca_taprio_attr_pri.patch deleted file mode 100644 index e1d3c7d5b3d..00000000000 --- a/queue-5.15/net-sched-taprio-always-validate-tca_taprio_attr_pri.patch +++ /dev/null @@ -1,63 +0,0 @@ -From cb00efe7d5844d0eb017cce05e8791cb4c6f0650 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 18:15:11 +0000 -Subject: net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP - -From: Eric Dumazet - -[ Upstream commit f921a58ae20852d188f70842431ce6519c4fdc36 ] - -If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided, -taprio_parse_mqprio_opt() must validate it, or userspace -can inject arbitrary data to the kernel, the second time -taprio_change() is called. - -First call (with valid attributes) sets dev->num_tc -to a non zero value. - -Second call (with arbitrary mqprio attributes) -returns early from taprio_parse_mqprio_opt() -and bad things can happen. - -Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule") -Reported-by: Noam Rathaus -Signed-off-by: Eric Dumazet -Acked-by: Vinicius Costa Gomes -Reviewed-by: Vladimir Oltean -Link: https://lore.kernel.org/r/20240604181511.769870-1-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/sched/sch_taprio.c | 15 ++++++--------- - 1 file changed, 6 insertions(+), 9 deletions(-) - -diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c -index e40b4425eb6b5..4a0986843fb5d 100644 ---- a/net/sched/sch_taprio.c -+++ b/net/sched/sch_taprio.c -@@ -947,16 +947,13 @@ static int taprio_parse_mqprio_opt(struct net_device *dev, - { - int i, j; - -- if (!qopt && !dev->num_tc) { -- NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); -- return -EINVAL; -- } -- -- /* If num_tc is already set, it means that the user already -- * configured the mqprio part -- */ -- if (dev->num_tc) -+ if (!qopt) { -+ if (!dev->num_tc) { -+ NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); -+ return -EINVAL; -+ } - return 0; -+ } - - /* Verify num_tc is not out of max range */ - if (qopt->num_tc > TC_MAX_QUEUE) { --- -2.43.0 - diff --git a/queue-5.15/nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch b/queue-5.15/nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch deleted file mode 100644 index c93300a624c..00000000000 --- a/queue-5.15/nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 9d2b4690a8d80d81e80ac17bbfc4cf4183de4f43 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 22:42:55 +0900 -Subject: nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors - -From: Ryusuke Konishi - -[ Upstream commit 7373a51e7998b508af7136530f3a997b286ce81c ] - -The error handling in nilfs_empty_dir() when a directory folio/page read -fails is incorrect, as in the old ext2 implementation, and if the -folio/page cannot be read or nilfs_check_folio() fails, it will falsely -determine the directory as empty and corrupt the file system. - -In addition, since nilfs_empty_dir() does not immediately return on a -failed folio/page read, but continues to loop, this can cause a long loop -with I/O if i_size of the directory's inode is also corrupted, causing the -log writer thread to wait and hang, as reported by syzbot. - -Fix these issues by making nilfs_empty_dir() immediately return a false -value (0) if it fails to get a directory folio/page. - -Link: https://lkml.kernel.org/r/20240604134255.7165-1-konishi.ryusuke@gmail.com -Signed-off-by: Ryusuke Konishi -Reported-by: syzbot+c8166c541d3971bf6c87@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=c8166c541d3971bf6c87 -Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") -Tested-by: Ryusuke Konishi -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - fs/nilfs2/dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c -index 22f1f75a90c1a..552234ef22fe7 100644 ---- a/fs/nilfs2/dir.c -+++ b/fs/nilfs2/dir.c -@@ -627,7 +627,7 @@ int nilfs_empty_dir(struct inode *inode) - - kaddr = nilfs_get_page(inode, i, &page); - if (IS_ERR(kaddr)) -- continue; -+ return 0; - - de = (struct nilfs_dir_entry *)kaddr; - kaddr += nilfs_last_byte(inode, i) - NILFS_DIR_REC_LEN(1); --- -2.43.0 - diff --git a/queue-5.15/nilfs2-remove-check-for-pageerror.patch b/queue-5.15/nilfs2-remove-check-for-pageerror.patch deleted file mode 100644 index d18859b2367..00000000000 --- a/queue-5.15/nilfs2-remove-check-for-pageerror.patch +++ /dev/null @@ -1,35 +0,0 @@ -From ab84725bc1775d0a3ef5fd2ea6a661463a5fd832 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 17 May 2022 18:12:25 -0400 -Subject: nilfs2: Remove check for PageError - -From: Matthew Wilcox (Oracle) - -[ Upstream commit 79ea65563ad8aaab309d61eeb4d5019dd6cf5fa0 ] - -If read_mapping_page() encounters an error, it returns an errno, not a -page with PageError set, so this test is not needed. - -Signed-off-by: Matthew Wilcox (Oracle) -Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors") -Signed-off-by: Sasha Levin ---- - fs/nilfs2/dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c -index eb7de9e2a384e..24cfe9db66e02 100644 ---- a/fs/nilfs2/dir.c -+++ b/fs/nilfs2/dir.c -@@ -194,7 +194,7 @@ static struct page *nilfs_get_page(struct inode *dir, unsigned long n) - if (!IS_ERR(page)) { - kmap(page); - if (unlikely(!PageChecked(page))) { -- if (PageError(page) || !nilfs_check_page(page)) -+ if (!nilfs_check_page(page)) - goto fail; - } - } --- -2.43.0 - diff --git a/queue-5.15/nilfs2-return-the-mapped-address-from-nilfs_get_page.patch b/queue-5.15/nilfs2-return-the-mapped-address-from-nilfs_get_page.patch deleted file mode 100644 index 2257830607f..00000000000 --- a/queue-5.15/nilfs2-return-the-mapped-address-from-nilfs_get_page.patch +++ /dev/null @@ -1,146 +0,0 @@ -From 396dd465c29ba59fbc07ee78f1ad824e6b0a42b4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 27 Nov 2023 23:30:25 +0900 -Subject: nilfs2: return the mapped address from nilfs_get_page() - -From: Matthew Wilcox (Oracle) - -[ Upstream commit 09a46acb3697e50548bb265afa1d79163659dd85 ] - -In prepartion for switching from kmap() to kmap_local(), return the kmap -address from nilfs_get_page() instead of having the caller look up -page_address(). - -[konishi.ryusuke: fixed a missing blank line after declaration] -Link: https://lkml.kernel.org/r/20231127143036.2425-7-konishi.ryusuke@gmail.com -Signed-off-by: Matthew Wilcox (Oracle) -Signed-off-by: Ryusuke Konishi -Signed-off-by: Andrew Morton -Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors") -Signed-off-by: Sasha Levin ---- - fs/nilfs2/dir.c | 57 +++++++++++++++++++++++-------------------------- - 1 file changed, 27 insertions(+), 30 deletions(-) - -diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c -index 24cfe9db66e02..22f1f75a90c1a 100644 ---- a/fs/nilfs2/dir.c -+++ b/fs/nilfs2/dir.c -@@ -186,19 +186,24 @@ static bool nilfs_check_page(struct page *page) - return false; - } - --static struct page *nilfs_get_page(struct inode *dir, unsigned long n) -+static void *nilfs_get_page(struct inode *dir, unsigned long n, -+ struct page **pagep) - { - struct address_space *mapping = dir->i_mapping; - struct page *page = read_mapping_page(mapping, n, NULL); -+ void *kaddr; - -- if (!IS_ERR(page)) { -- kmap(page); -- if (unlikely(!PageChecked(page))) { -- if (!nilfs_check_page(page)) -- goto fail; -- } -+ if (IS_ERR(page)) -+ return page; -+ -+ kaddr = kmap(page); -+ if (unlikely(!PageChecked(page))) { -+ if (!nilfs_check_page(page)) -+ goto fail; - } -- return page; -+ -+ *pagep = page; -+ return kaddr; - - fail: - nilfs_put_page(page); -@@ -275,14 +280,14 @@ static int nilfs_readdir(struct file *file, struct dir_context *ctx) - for ( ; n < npages; n++, offset = 0) { - char *kaddr, *limit; - struct nilfs_dir_entry *de; -- struct page *page = nilfs_get_page(inode, n); -+ struct page *page; - -- if (IS_ERR(page)) { -+ kaddr = nilfs_get_page(inode, n, &page); -+ if (IS_ERR(kaddr)) { - nilfs_error(sb, "bad page in #%lu", inode->i_ino); - ctx->pos += PAGE_SIZE - offset; - return -EIO; - } -- kaddr = page_address(page); - de = (struct nilfs_dir_entry *)(kaddr + offset); - limit = kaddr + nilfs_last_byte(inode, n) - - NILFS_DIR_REC_LEN(1); -@@ -345,11 +350,9 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr, - start = 0; - n = start; - do { -- char *kaddr; -+ char *kaddr = nilfs_get_page(dir, n, &page); - -- page = nilfs_get_page(dir, n); -- if (!IS_ERR(page)) { -- kaddr = page_address(page); -+ if (!IS_ERR(kaddr)) { - de = (struct nilfs_dir_entry *)kaddr; - kaddr += nilfs_last_byte(dir, n) - reclen; - while ((char *) de <= kaddr) { -@@ -387,15 +390,11 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr, - - struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct page **p) - { -- struct page *page = nilfs_get_page(dir, 0); -- struct nilfs_dir_entry *de = NULL; -+ struct nilfs_dir_entry *de = nilfs_get_page(dir, 0, p); - -- if (!IS_ERR(page)) { -- de = nilfs_next_entry( -- (struct nilfs_dir_entry *)page_address(page)); -- *p = page; -- } -- return de; -+ if (IS_ERR(de)) -+ return NULL; -+ return nilfs_next_entry(de); - } - - ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr) -@@ -459,12 +458,11 @@ int nilfs_add_link(struct dentry *dentry, struct inode *inode) - for (n = 0; n <= npages; n++) { - char *dir_end; - -- page = nilfs_get_page(dir, n); -- err = PTR_ERR(page); -- if (IS_ERR(page)) -+ kaddr = nilfs_get_page(dir, n, &page); -+ err = PTR_ERR(kaddr); -+ if (IS_ERR(kaddr)) - goto out; - lock_page(page); -- kaddr = page_address(page); - dir_end = kaddr + nilfs_last_byte(dir, n); - de = (struct nilfs_dir_entry *)kaddr; - kaddr += PAGE_SIZE - reclen; -@@ -627,11 +625,10 @@ int nilfs_empty_dir(struct inode *inode) - char *kaddr; - struct nilfs_dir_entry *de; - -- page = nilfs_get_page(inode, i); -- if (IS_ERR(page)) -+ kaddr = nilfs_get_page(inode, i, &page); -+ if (IS_ERR(kaddr)) - continue; - -- kaddr = page_address(page); - de = (struct nilfs_dir_entry *)kaddr; - kaddr += nilfs_last_byte(inode, i) - NILFS_DIR_REC_LEN(1); - --- -2.43.0 - diff --git a/queue-5.15/octeontx2-af-always-allocate-pf-entries-from-low-pri.patch b/queue-5.15/octeontx2-af-always-allocate-pf-entries-from-low-pri.patch deleted file mode 100644 index a9945ff8149..00000000000 --- a/queue-5.15/octeontx2-af-always-allocate-pf-entries-from-low-pri.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 6cbbf3cbece256826d736dea4d0ab50d3dca35cc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 29 May 2024 20:59:44 +0530 -Subject: octeontx2-af: Always allocate PF entries from low prioriy zone - -From: Subbaraya Sundeep - -[ Upstream commit 8b0f7410942cdc420c4557eda02bfcdf60ccec17 ] - -PF mcam entries has to be at low priority always so that VF -can install longest prefix match rules at higher priority. -This was taken care currently but when priority allocation -wrt reference entry is requested then entries are allocated -from mid-zone instead of low priority zone. Fix this and -always allocate entries from low priority zone for PFs. - -Fixes: 7df5b4b260dd ("octeontx2-af: Allocate low priority entries for PF") -Signed-off-by: Subbaraya Sundeep -Reviewed-by: Jacob Keller -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - .../ethernet/marvell/octeontx2/af/rvu_npc.c | 33 ++++++++++++------- - 1 file changed, 22 insertions(+), 11 deletions(-) - -diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c -index c6b6d709e5908..84003243e3b75 100644 ---- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c -+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c -@@ -2459,7 +2459,17 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc, - * - when available free entries are less. - * Lower priority ones out of avaialble free entries are always - * chosen when 'high vs low' question arises. -+ * -+ * For a VF base MCAM match rule is set by its PF. And all the -+ * further MCAM rules installed by VF on its own are -+ * concatenated with the base rule set by its PF. Hence PF entries -+ * should be at lower priority compared to VF entries. Otherwise -+ * base rule is hit always and rules installed by VF will be of -+ * no use. Hence if the request is from PF then allocate low -+ * priority entries. - */ -+ if (!(pcifunc & RVU_PFVF_FUNC_MASK)) -+ goto lprio_alloc; - - /* Get the search range for priority allocation request */ - if (req->priority) { -@@ -2468,17 +2478,6 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc, - goto alloc; - } - -- /* For a VF base MCAM match rule is set by its PF. And all the -- * further MCAM rules installed by VF on its own are -- * concatenated with the base rule set by its PF. Hence PF entries -- * should be at lower priority compared to VF entries. Otherwise -- * base rule is hit always and rules installed by VF will be of -- * no use. Hence if the request is from PF and NOT a priority -- * allocation request then allocate low priority entries. -- */ -- if (!(pcifunc & RVU_PFVF_FUNC_MASK)) -- goto lprio_alloc; -- - /* Find out the search range for non-priority allocation request - * - * Get MCAM free entry count in middle zone. -@@ -2508,6 +2507,18 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc, - reverse = true; - start = 0; - end = mcam->bmap_entries; -+ /* Ensure PF requests are always at bottom and if PF requests -+ * for higher/lower priority entry wrt reference entry then -+ * honour that criteria and start search for entries from bottom -+ * and not in mid zone. -+ */ -+ if (!(pcifunc & RVU_PFVF_FUNC_MASK) && -+ req->priority == NPC_MCAM_HIGHER_PRIO) -+ end = req->ref_entry; -+ -+ if (!(pcifunc & RVU_PFVF_FUNC_MASK) && -+ req->priority == NPC_MCAM_LOWER_PRIO) -+ start = req->ref_entry; - } - - alloc: --- -2.43.0 - diff --git a/queue-5.15/ptp-fix-error-message-on-failed-pin-verification.patch b/queue-5.15/ptp-fix-error-message-on-failed-pin-verification.patch deleted file mode 100644 index a4ffc848315..00000000000 --- a/queue-5.15/ptp-fix-error-message-on-failed-pin-verification.patch +++ /dev/null @@ -1,42 +0,0 @@ -From f37792d6c0c499db4e2e02e7a69d41d5e837ce08 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 14:05:27 +0200 -Subject: ptp: Fix error message on failed pin verification - -From: Karol Kolacinski - -[ Upstream commit 323a359f9b077f382f4483023d096a4d316fd135 ] - -On failed verification of PTP clock pin, error message prints channel -number instead of pin index after "pin", which is incorrect. - -Fix error message by adding channel number to the message and printing -pin number instead of channel number. - -Fixes: 6092315dfdec ("ptp: introduce programmable pins.") -Signed-off-by: Karol Kolacinski -Acked-by: Richard Cochran -Link: https://lore.kernel.org/r/20240604120555.16643-1-karol.kolacinski@intel.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/ptp/ptp_chardev.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c -index 9311f3d09c8fc..8eb902fe73a98 100644 ---- a/drivers/ptp/ptp_chardev.c -+++ b/drivers/ptp/ptp_chardev.c -@@ -84,7 +84,8 @@ int ptp_set_pinfunc(struct ptp_clock *ptp, unsigned int pin, - } - - if (info->verify(info, pin, func, chan)) { -- pr_err("driver cannot use function %u on pin %u\n", func, chan); -+ pr_err("driver cannot use function %u and channel %u on pin %u\n", -+ func, chan, pin); - return -EOPNOTSUPP; - } - --- -2.43.0 - diff --git a/queue-5.15/pvpanic-indentation-fixes-here-and-there.patch b/queue-5.15/pvpanic-indentation-fixes-here-and-there.patch deleted file mode 100644 index 610adcbcce0..00000000000 --- a/queue-5.15/pvpanic-indentation-fixes-here-and-there.patch +++ /dev/null @@ -1,146 +0,0 @@ -From 06f0f18c3ad2b8622e86d452bf46b13e1f0c79f3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 29 Aug 2021 15:43:54 +0300 -Subject: pvpanic: Indentation fixes here and there - -From: Andy Shevchenko - -[ Upstream commit 84b0f12a953c4feff9994b1c4583ed18b441f482 ] - -1) replace double spaces with single; -2) relax line width limitation a bit. - -Reviewed-by: Mihai Carabas -Signed-off-by: Andy Shevchenko -Link: https://lore.kernel.org/r/20210829124354.81653-3-andriy.shevchenko@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver") -Signed-off-by: Sasha Levin ---- - drivers/misc/pvpanic/pvpanic-mmio.c | 7 +++---- - drivers/misc/pvpanic/pvpanic-pci.c | 12 +++++------- - drivers/misc/pvpanic/pvpanic.c | 11 ++++------- - 3 files changed, 12 insertions(+), 18 deletions(-) - -diff --git a/drivers/misc/pvpanic/pvpanic-mmio.c b/drivers/misc/pvpanic/pvpanic-mmio.c -index 61dbff5f0065c..eb97167c03fb4 100644 ---- a/drivers/misc/pvpanic/pvpanic-mmio.c -+++ b/drivers/misc/pvpanic/pvpanic-mmio.c -@@ -24,8 +24,7 @@ MODULE_AUTHOR("Hu Tao "); - MODULE_DESCRIPTION("pvpanic-mmio device driver"); - MODULE_LICENSE("GPL"); - --static ssize_t capability_show(struct device *dev, -- struct device_attribute *attr, char *buf) -+static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf) - { - struct pvpanic_instance *pi = dev_get_drvdata(dev); - -@@ -33,14 +32,14 @@ static ssize_t capability_show(struct device *dev, - } - static DEVICE_ATTR_RO(capability); - --static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) -+static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) - { - struct pvpanic_instance *pi = dev_get_drvdata(dev); - - return sysfs_emit(buf, "%x\n", pi->events); - } - --static ssize_t events_store(struct device *dev, struct device_attribute *attr, -+static ssize_t events_store(struct device *dev, struct device_attribute *attr, - const char *buf, size_t count) - { - struct pvpanic_instance *pi = dev_get_drvdata(dev); -diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c -index 7d1220f4c95bc..07eddb5ea30fa 100644 ---- a/drivers/misc/pvpanic/pvpanic-pci.c -+++ b/drivers/misc/pvpanic/pvpanic-pci.c -@@ -19,11 +19,10 @@ - #define PCI_DEVICE_ID_REDHAT_PVPANIC 0x0011 - - MODULE_AUTHOR("Mihai Carabas "); --MODULE_DESCRIPTION("pvpanic device driver "); -+MODULE_DESCRIPTION("pvpanic device driver"); - MODULE_LICENSE("GPL"); - --static ssize_t capability_show(struct device *dev, -- struct device_attribute *attr, char *buf) -+static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf) - { - struct pvpanic_instance *pi = dev_get_drvdata(dev); - -@@ -31,14 +30,14 @@ static ssize_t capability_show(struct device *dev, - } - static DEVICE_ATTR_RO(capability); - --static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) -+static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) - { - struct pvpanic_instance *pi = dev_get_drvdata(dev); - - return sysfs_emit(buf, "%x\n", pi->events); - } - --static ssize_t events_store(struct device *dev, struct device_attribute *attr, -+static ssize_t events_store(struct device *dev, struct device_attribute *attr, - const char *buf, size_t count) - { - struct pvpanic_instance *pi = dev_get_drvdata(dev); -@@ -65,8 +64,7 @@ static struct attribute *pvpanic_pci_dev_attrs[] = { - }; - ATTRIBUTE_GROUPS(pvpanic_pci_dev); - --static int pvpanic_pci_probe(struct pci_dev *pdev, -- const struct pci_device_id *ent) -+static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - { - struct pvpanic_instance *pi; - void __iomem *base; -diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c -index 477bf9c6b6bc5..049a120063489 100644 ---- a/drivers/misc/pvpanic/pvpanic.c -+++ b/drivers/misc/pvpanic/pvpanic.c -@@ -23,7 +23,7 @@ - #include "pvpanic.h" - - MODULE_AUTHOR("Mihai Carabas "); --MODULE_DESCRIPTION("pvpanic device driver "); -+MODULE_DESCRIPTION("pvpanic device driver"); - MODULE_LICENSE("GPL"); - - static struct list_head pvpanic_list; -@@ -45,8 +45,7 @@ pvpanic_send_event(unsigned int event) - } - - static int --pvpanic_panic_notify(struct notifier_block *nb, unsigned long code, -- void *unused) -+pvpanic_panic_notify(struct notifier_block *nb, unsigned long code, void *unused) - { - unsigned int event = PVPANIC_PANICKED; - -@@ -102,8 +101,7 @@ static int pvpanic_init(void) - INIT_LIST_HEAD(&pvpanic_list); - spin_lock_init(&pvpanic_lock); - -- atomic_notifier_chain_register(&panic_notifier_list, -- &pvpanic_panic_nb); -+ atomic_notifier_chain_register(&panic_notifier_list, &pvpanic_panic_nb); - - return 0; - } -@@ -111,8 +109,7 @@ module_init(pvpanic_init); - - static void pvpanic_exit(void) - { -- atomic_notifier_chain_unregister(&panic_notifier_list, -- &pvpanic_panic_nb); -+ atomic_notifier_chain_unregister(&panic_notifier_list, &pvpanic_panic_nb); - - } - module_exit(pvpanic_exit); --- -2.43.0 - diff --git a/queue-5.15/pvpanic-keep-single-style-across-modules.patch b/queue-5.15/pvpanic-keep-single-style-across-modules.patch deleted file mode 100644 index 9a8f3cf8f53..00000000000 --- a/queue-5.15/pvpanic-keep-single-style-across-modules.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 1d75229b9ef3c1ca26bf3b39c0da530ef818899d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 29 Aug 2021 15:43:52 +0300 -Subject: pvpanic: Keep single style across modules - -From: Andy Shevchenko - -[ Upstream commit 33a430419456991480cde9d8889e5a27f6049df4 ] - -We have different style on where we place module_*() and MODULE_*() macros. -Inherit the style from the original module (now pvpanic-mmio.c). - -Reviewed-by: Mihai Carabas -Link: https://lore.kernel.org/r/20210829124354.81653-1-andriy.shevchenko@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver") -Signed-off-by: Sasha Levin ---- - drivers/misc/pvpanic/pvpanic-pci.c | 14 ++++++-------- - drivers/misc/pvpanic/pvpanic.c | 3 +-- - 2 files changed, 7 insertions(+), 10 deletions(-) - -diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c -index 741116b3d9958..7d1220f4c95bc 100644 ---- a/drivers/misc/pvpanic/pvpanic-pci.c -+++ b/drivers/misc/pvpanic/pvpanic-pci.c -@@ -22,11 +22,6 @@ MODULE_AUTHOR("Mihai Carabas "); - MODULE_DESCRIPTION("pvpanic device driver "); - MODULE_LICENSE("GPL"); - --static const struct pci_device_id pvpanic_pci_id_tbl[] = { -- { PCI_DEVICE(PCI_VENDOR_ID_REDHAT, PCI_DEVICE_ID_REDHAT_PVPANIC)}, -- {} --}; -- - static ssize_t capability_show(struct device *dev, - struct device_attribute *attr, char *buf) - { -@@ -99,6 +94,12 @@ static int pvpanic_pci_probe(struct pci_dev *pdev, - return devm_pvpanic_probe(&pdev->dev, pi); - } - -+static const struct pci_device_id pvpanic_pci_id_tbl[] = { -+ { PCI_DEVICE(PCI_VENDOR_ID_REDHAT, PCI_DEVICE_ID_REDHAT_PVPANIC)}, -+ {} -+}; -+MODULE_DEVICE_TABLE(pci, pvpanic_pci_id_tbl); -+ - static struct pci_driver pvpanic_pci_driver = { - .name = "pvpanic-pci", - .id_table = pvpanic_pci_id_tbl, -@@ -107,7 +108,4 @@ static struct pci_driver pvpanic_pci_driver = { - .dev_groups = pvpanic_pci_dev_groups, - }, - }; -- --MODULE_DEVICE_TABLE(pci, pvpanic_pci_id_tbl); -- - module_pci_driver(pvpanic_pci_driver); -diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c -index b9e6400a574b0..477bf9c6b6bc5 100644 ---- a/drivers/misc/pvpanic/pvpanic.c -+++ b/drivers/misc/pvpanic/pvpanic.c -@@ -107,6 +107,7 @@ static int pvpanic_init(void) - - return 0; - } -+module_init(pvpanic_init); - - static void pvpanic_exit(void) - { -@@ -114,6 +115,4 @@ static void pvpanic_exit(void) - &pvpanic_panic_nb); - - } -- --module_init(pvpanic_init); - module_exit(pvpanic_exit); --- -2.43.0 - diff --git a/queue-5.15/selftests-mm-compaction_test-fix-bogus-test-success-.patch b/queue-5.15/selftests-mm-compaction_test-fix-bogus-test-success-.patch deleted file mode 100644 index 8d6212a730a..00000000000 --- a/queue-5.15/selftests-mm-compaction_test-fix-bogus-test-success-.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 7942fb2584daa8140ea8680021b03bf0b9c9a0d4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 21 May 2024 13:13:56 +0530 -Subject: selftests/mm: compaction_test: fix bogus test success on Aarch64 - -From: Dev Jain - -[ Upstream commit d4202e66a4b1fe6968f17f9f09bbc30d08f028a1 ] - -Patch series "Fixes for compaction_test", v2. - -The compaction_test memory selftest introduces fragmentation in memory -and then tries to allocate as many hugepages as possible. This series -addresses some problems. - -On Aarch64, if nr_hugepages == 0, then the test trivially succeeds since -compaction_index becomes 0, which is less than 3, due to no division by -zero exception being raised. We fix that by checking for division by -zero. - -Secondly, correctly set the number of hugepages to zero before trying -to set a large number of them. - -Now, consider a situation in which, at the start of the test, a non-zero -number of hugepages have been already set (while running the entire -selftests/mm suite, or manually by the admin). The test operates on 80% -of memory to avoid OOM-killer invocation, and because some memory is -already blocked by hugepages, it would increase the chance of OOM-killing. -Also, since mem_free used in check_compaction() is the value before we -set nr_hugepages to zero, the chance that the compaction_index will -be small is very high if the preset nr_hugepages was high, leading to a -bogus test success. - -This patch (of 3): - -Currently, if at runtime we are not able to allocate a huge page, the test -will trivially pass on Aarch64 due to no exception being raised on -division by zero while computing compaction_index. Fix that by checking -for nr_hugepages == 0. Anyways, in general, avoid a division by zero by -exiting the program beforehand. While at it, fix a typo, and handle the -case where the number of hugepages may overflow an integer. - -Link: https://lkml.kernel.org/r/20240521074358.675031-1-dev.jain@arm.com -Link: https://lkml.kernel.org/r/20240521074358.675031-2-dev.jain@arm.com -Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory") -Signed-off-by: Dev Jain -Cc: Anshuman Khandual -Cc: Shuah Khan -Cc: Sri Jayaramappa -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/vm/compaction_test.c | 20 +++++++++++++------- - 1 file changed, 13 insertions(+), 7 deletions(-) - -diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c -index 6aa6460b854ea..309b3750e57e1 100644 ---- a/tools/testing/selftests/vm/compaction_test.c -+++ b/tools/testing/selftests/vm/compaction_test.c -@@ -82,12 +82,13 @@ int prereq(void) - return -1; - } - --int check_compaction(unsigned long mem_free, unsigned int hugepage_size) -+int check_compaction(unsigned long mem_free, unsigned long hugepage_size) - { -+ unsigned long nr_hugepages_ul; - int fd, ret = -1; - int compaction_index = 0; -- char initial_nr_hugepages[10] = {0}; -- char nr_hugepages[10] = {0}; -+ char initial_nr_hugepages[20] = {0}; -+ char nr_hugepages[20] = {0}; - - /* We want to test with 80% of available memory. Else, OOM killer comes - in to play */ -@@ -136,7 +137,12 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - - /* We should have been able to request at least 1/3 rd of the memory in - huge pages */ -- compaction_index = mem_free/(atoi(nr_hugepages) * hugepage_size); -+ nr_hugepages_ul = strtoul(nr_hugepages, NULL, 10); -+ if (!nr_hugepages_ul) { -+ ksft_print_msg("ERROR: No memory is available as huge pages\n"); -+ goto close_fd; -+ } -+ compaction_index = mem_free/(nr_hugepages_ul * hugepage_size); - - lseek(fd, 0, SEEK_SET); - -@@ -147,11 +153,11 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - goto close_fd; - } - -- ksft_print_msg("Number of huge pages allocated = %d\n", -- atoi(nr_hugepages)); -+ ksft_print_msg("Number of huge pages allocated = %lu\n", -+ nr_hugepages_ul); - - if (compaction_index > 3) { -- ksft_print_msg("ERROR: Less that 1/%d of memory is available\n" -+ ksft_print_msg("ERROR: Less than 1/%d of memory is available\n" - "as huge pages\n", compaction_index); - goto close_fd; - } --- -2.43.0 - diff --git a/queue-5.15/selftests-mm-compaction_test-fix-incorrect-write-of-.patch b/queue-5.15/selftests-mm-compaction_test-fix-incorrect-write-of-.patch deleted file mode 100644 index ae14829955c..00000000000 --- a/queue-5.15/selftests-mm-compaction_test-fix-incorrect-write-of-.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 8122b9a1d85ed20baf5b0f0dc31e8a912e38559f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 21 May 2024 13:13:57 +0530 -Subject: selftests/mm: compaction_test: fix incorrect write of zero to - nr_hugepages - -From: Dev Jain - -[ Upstream commit 9ad665ef55eaad1ead1406a58a34f615a7c18b5e ] - -Currently, the test tries to set nr_hugepages to zero, but that is not -actually done because the file offset is not reset after read(). Fix that -using lseek(). - -Link: https://lkml.kernel.org/r/20240521074358.675031-3-dev.jain@arm.com -Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory") -Signed-off-by: Dev Jain -Cc: -Cc: Anshuman Khandual -Cc: Shuah Khan -Cc: Sri Jayaramappa -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/vm/compaction_test.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c -index 9b420140ba2ba..55dec92e1e58c 100644 ---- a/tools/testing/selftests/vm/compaction_test.c -+++ b/tools/testing/selftests/vm/compaction_test.c -@@ -103,6 +103,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - goto close_fd; - } - -+ lseek(fd, 0, SEEK_SET); -+ - /* Start with the initial condition of 0 huge pages*/ - if (write(fd, "0", sizeof(char)) != sizeof(char)) { - perror("Failed to write 0 to /proc/sys/vm/nr_hugepages\n"); --- -2.43.0 - diff --git a/queue-5.15/selftests-mm-conform-test-to-tap-format-output.patch b/queue-5.15/selftests-mm-conform-test-to-tap-format-output.patch deleted file mode 100644 index 1f6518cd7cb..00000000000 --- a/queue-5.15/selftests-mm-conform-test-to-tap-format-output.patch +++ /dev/null @@ -1,229 +0,0 @@ -From fc916f38ee158cfe606782f4c93fb9e349c54cd6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 1 Jan 2024 13:36:12 +0500 -Subject: selftests/mm: conform test to TAP format output - -From: Muhammad Usama Anjum - -[ Upstream commit 9a21701edc41465de56f97914741bfb7bfc2517d ] - -Conform the layout, informational and status messages to TAP. No -functional change is intended other than the layout of output messages. - -Link: https://lkml.kernel.org/r/20240101083614.1076768-1-usama.anjum@collabora.com -Signed-off-by: Muhammad Usama Anjum -Cc: Shuah Khan -Signed-off-by: Andrew Morton -Stable-dep-of: d4202e66a4b1 ("selftests/mm: compaction_test: fix bogus test success on Aarch64") -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/vm/compaction_test.c | 91 ++++++++++---------- - 1 file changed, 44 insertions(+), 47 deletions(-) - -diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c -index 55dec92e1e58c..f81931c1f8386 100644 ---- a/tools/testing/selftests/vm/compaction_test.c -+++ b/tools/testing/selftests/vm/compaction_test.c -@@ -33,7 +33,7 @@ int read_memory_info(unsigned long *memfree, unsigned long *hugepagesize) - FILE *cmdfile = popen(cmd, "r"); - - if (!(fgets(buffer, sizeof(buffer), cmdfile))) { -- perror("Failed to read meminfo\n"); -+ ksft_print_msg("Failed to read meminfo: %s\n", strerror(errno)); - return -1; - } - -@@ -44,7 +44,7 @@ int read_memory_info(unsigned long *memfree, unsigned long *hugepagesize) - cmdfile = popen(cmd, "r"); - - if (!(fgets(buffer, sizeof(buffer), cmdfile))) { -- perror("Failed to read meminfo\n"); -+ ksft_print_msg("Failed to read meminfo: %s\n", strerror(errno)); - return -1; - } - -@@ -62,14 +62,14 @@ int prereq(void) - fd = open("/proc/sys/vm/compact_unevictable_allowed", - O_RDONLY | O_NONBLOCK); - if (fd < 0) { -- perror("Failed to open\n" -- "/proc/sys/vm/compact_unevictable_allowed\n"); -+ ksft_print_msg("Failed to open /proc/sys/vm/compact_unevictable_allowed: %s\n", -+ strerror(errno)); - return -1; - } - - if (read(fd, &allowed, sizeof(char)) != sizeof(char)) { -- perror("Failed to read from\n" -- "/proc/sys/vm/compact_unevictable_allowed\n"); -+ ksft_print_msg("Failed to read from /proc/sys/vm/compact_unevictable_allowed: %s\n", -+ strerror(errno)); - close(fd); - return -1; - } -@@ -78,12 +78,13 @@ int prereq(void) - if (allowed == '1') - return 0; - -+ ksft_print_msg("Compaction isn't allowed\n"); - return -1; - } - - int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - { -- int fd; -+ int fd, ret = -1; - int compaction_index = 0; - char initial_nr_hugepages[10] = {0}; - char nr_hugepages[10] = {0}; -@@ -94,12 +95,14 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - - fd = open("/proc/sys/vm/nr_hugepages", O_RDWR | O_NONBLOCK); - if (fd < 0) { -- perror("Failed to open /proc/sys/vm/nr_hugepages"); -+ ksft_test_result_fail("Failed to open /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - return -1; - } - - if (read(fd, initial_nr_hugepages, sizeof(initial_nr_hugepages)) <= 0) { -- perror("Failed to read from /proc/sys/vm/nr_hugepages"); -+ ksft_test_result_fail("Failed to read from /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - goto close_fd; - } - -@@ -107,7 +110,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - - /* Start with the initial condition of 0 huge pages*/ - if (write(fd, "0", sizeof(char)) != sizeof(char)) { -- perror("Failed to write 0 to /proc/sys/vm/nr_hugepages\n"); -+ ksft_test_result_fail("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - goto close_fd; - } - -@@ -116,14 +120,16 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - /* Request a large number of huge pages. The Kernel will allocate - as much as it can */ - if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) { -- perror("Failed to write 100000 to /proc/sys/vm/nr_hugepages\n"); -+ ksft_test_result_fail("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - goto close_fd; - } - - lseek(fd, 0, SEEK_SET); - - if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) { -- perror("Failed to re-read from /proc/sys/vm/nr_hugepages\n"); -+ ksft_test_result_fail("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - goto close_fd; - } - -@@ -131,67 +137,58 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - huge pages */ - compaction_index = mem_free/(atoi(nr_hugepages) * hugepage_size); - -- if (compaction_index > 3) { -- printf("No of huge pages allocated = %d\n", -- (atoi(nr_hugepages))); -- fprintf(stderr, "ERROR: Less that 1/%d of memory is available\n" -- "as huge pages\n", compaction_index); -- goto close_fd; -- } -- -- printf("No of huge pages allocated = %d\n", -- (atoi(nr_hugepages))); -- - lseek(fd, 0, SEEK_SET); - - if (write(fd, initial_nr_hugepages, strlen(initial_nr_hugepages)) - != strlen(initial_nr_hugepages)) { -- perror("Failed to write value to /proc/sys/vm/nr_hugepages\n"); -+ ksft_test_result_fail("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - goto close_fd; - } - -- close(fd); -- return 0; -+ if (compaction_index > 3) { -+ ksft_print_msg("ERROR: Less that 1/%d of memory is available\n" -+ "as huge pages\n", compaction_index); -+ ksft_test_result_fail("No of huge pages allocated = %d\n", (atoi(nr_hugepages))); -+ goto close_fd; -+ } -+ -+ ksft_test_result_pass("Memory compaction succeeded. No of huge pages allocated = %d\n", -+ (atoi(nr_hugepages))); -+ ret = 0; - - close_fd: - close(fd); -- printf("Not OK. Compaction test failed."); -- return -1; -+ return ret; - } - - - int main(int argc, char **argv) - { - struct rlimit lim; -- struct map_list *list, *entry; -+ struct map_list *list = NULL, *entry; - size_t page_size, i; - void *map = NULL; - unsigned long mem_free = 0; - unsigned long hugepage_size = 0; - long mem_fragmentable_MB = 0; - -- if (prereq() != 0) { -- printf("Either the sysctl compact_unevictable_allowed is not\n" -- "set to 1 or couldn't read the proc file.\n" -- "Skipping the test\n"); -- return KSFT_SKIP; -- } -+ ksft_print_header(); -+ -+ if (prereq() != 0) -+ return ksft_exit_pass(); -+ -+ ksft_set_plan(1); - - lim.rlim_cur = RLIM_INFINITY; - lim.rlim_max = RLIM_INFINITY; -- if (setrlimit(RLIMIT_MEMLOCK, &lim)) { -- perror("Failed to set rlimit:\n"); -- return -1; -- } -+ if (setrlimit(RLIMIT_MEMLOCK, &lim)) -+ ksft_exit_fail_msg("Failed to set rlimit: %s\n", strerror(errno)); - - page_size = getpagesize(); - -- list = NULL; -- -- if (read_memory_info(&mem_free, &hugepage_size) != 0) { -- printf("ERROR: Cannot read meminfo\n"); -- return -1; -- } -+ if (read_memory_info(&mem_free, &hugepage_size) != 0) -+ ksft_exit_fail_msg("Failed to get meminfo\n"); - - mem_fragmentable_MB = mem_free * 0.8 / 1024; - -@@ -227,7 +224,7 @@ int main(int argc, char **argv) - } - - if (check_compaction(mem_free, hugepage_size) == 0) -- return 0; -+ return ksft_exit_pass(); - -- return -1; -+ return ksft_exit_fail(); - } --- -2.43.0 - diff --git a/queue-5.15/selftests-mm-log-a-consistent-test-name-for-check_co.patch b/queue-5.15/selftests-mm-log-a-consistent-test-name-for-check_co.patch deleted file mode 100644 index 7f004635829..00000000000 --- a/queue-5.15/selftests-mm-log-a-consistent-test-name-for-check_co.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 853c0f059d7a91d4bd850040a0da0512dbfeedda Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 9 Feb 2024 14:30:04 +0000 -Subject: selftests/mm: log a consistent test name for check_compaction - -From: Mark Brown - -[ Upstream commit f3b7568c49420d2dcd251032c9ca1e069ec8a6c9 ] - -Every test result report in the compaction test prints a distinct log -messae, and some of the reports print a name that varies at runtime. This -causes problems for automation since a lot of automation software uses the -printed string as the name of the test, if the name varies from run to run -and from pass to fail then the automation software can't identify that a -test changed result or that the same tests are being run. - -Refactor the logging to use a consistent name when printing the result of -the test, printing the existing messages as diagnostic information instead -so they are still available for people trying to interpret the results. - -Link: https://lkml.kernel.org/r/20240209-kselftest-mm-cleanup-v1-2-a3c0386496b5@kernel.org -Signed-off-by: Mark Brown -Cc: Muhammad Usama Anjum -Cc: Ryan Roberts -Cc: Shuah Khan -Signed-off-by: Andrew Morton -Stable-dep-of: d4202e66a4b1 ("selftests/mm: compaction_test: fix bogus test success on Aarch64") -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/vm/compaction_test.c | 35 +++++++++++--------- - 1 file changed, 19 insertions(+), 16 deletions(-) - -diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c -index f81931c1f8386..6aa6460b854ea 100644 ---- a/tools/testing/selftests/vm/compaction_test.c -+++ b/tools/testing/selftests/vm/compaction_test.c -@@ -95,14 +95,15 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - - fd = open("/proc/sys/vm/nr_hugepages", O_RDWR | O_NONBLOCK); - if (fd < 0) { -- ksft_test_result_fail("Failed to open /proc/sys/vm/nr_hugepages: %s\n", -- strerror(errno)); -- return -1; -+ ksft_print_msg("Failed to open /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); -+ ret = -1; -+ goto out; - } - - if (read(fd, initial_nr_hugepages, sizeof(initial_nr_hugepages)) <= 0) { -- ksft_test_result_fail("Failed to read from /proc/sys/vm/nr_hugepages: %s\n", -- strerror(errno)); -+ ksft_print_msg("Failed to read from /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - goto close_fd; - } - -@@ -110,8 +111,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - - /* Start with the initial condition of 0 huge pages*/ - if (write(fd, "0", sizeof(char)) != sizeof(char)) { -- ksft_test_result_fail("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n", -- strerror(errno)); -+ ksft_print_msg("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - goto close_fd; - } - -@@ -120,16 +121,16 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - /* Request a large number of huge pages. The Kernel will allocate - as much as it can */ - if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) { -- ksft_test_result_fail("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", -- strerror(errno)); -+ ksft_print_msg("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - goto close_fd; - } - - lseek(fd, 0, SEEK_SET); - - if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) { -- ksft_test_result_fail("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n", -- strerror(errno)); -+ ksft_print_msg("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - goto close_fd; - } - -@@ -141,24 +142,26 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) - - if (write(fd, initial_nr_hugepages, strlen(initial_nr_hugepages)) - != strlen(initial_nr_hugepages)) { -- ksft_test_result_fail("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n", -- strerror(errno)); -+ ksft_print_msg("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n", -+ strerror(errno)); - goto close_fd; - } - -+ ksft_print_msg("Number of huge pages allocated = %d\n", -+ atoi(nr_hugepages)); -+ - if (compaction_index > 3) { - ksft_print_msg("ERROR: Less that 1/%d of memory is available\n" - "as huge pages\n", compaction_index); -- ksft_test_result_fail("No of huge pages allocated = %d\n", (atoi(nr_hugepages))); - goto close_fd; - } - -- ksft_test_result_pass("Memory compaction succeeded. No of huge pages allocated = %d\n", -- (atoi(nr_hugepages))); - ret = 0; - - close_fd: - close(fd); -+ out: -+ ksft_test_result(ret == 0, "check_compaction\n"); - return ret; - } - --- -2.43.0 - diff --git a/queue-5.15/serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-.patch b/queue-5.15/serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-.patch deleted file mode 100644 index c4451f791c8..00000000000 --- a/queue-5.15/serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 8caf55f63a641ad26dbc95f25a4d9d3e1308b18b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 Apr 2024 16:04:30 -0400 -Subject: serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using - prescaler - -From: Hugo Villeneuve - -[ Upstream commit 8492bd91aa055907c67ef04f2b56f6dadd1f44bf ] - -When using a high speed clock with a low baud rate, the 4x prescaler is -automatically selected if required. In that case, sc16is7xx_set_baud() -properly configures the chip registers, but returns an incorrect baud -rate by not taking into account the prescaler value. This incorrect baud -rate is then fed to uart_update_timeout(). - -For example, with an input clock of 80MHz, and a selected baud rate of 50, -sc16is7xx_set_baud() will return 200 instead of 50. - -Fix this by first changing the prescaler variable to hold the selected -prescaler value instead of the MCR bitfield. Then properly take into -account the selected prescaler value in the return value computation. - -Also add better documentation about the divisor value computation. - -Fixes: dfeae619d781 ("serial: sc16is7xx") -Cc: stable@vger.kernel.org -Signed-off-by: Hugo Villeneuve -Reviewed-by: Jiri Slaby -Link: https://lore.kernel.org/r/20240430200431.4102923-1-hugo@hugovil.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/serial/sc16is7xx.c | 23 ++++++++++++++++++----- - 1 file changed, 18 insertions(+), 5 deletions(-) - -diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c -index 25e625c2ee74b..d274a847c6ab3 100644 ---- a/drivers/tty/serial/sc16is7xx.c -+++ b/drivers/tty/serial/sc16is7xx.c -@@ -490,16 +490,28 @@ static bool sc16is7xx_regmap_noinc(struct device *dev, unsigned int reg) - return reg == SC16IS7XX_RHR_REG; - } - -+/* -+ * Configure programmable baud rate generator (divisor) according to the -+ * desired baud rate. -+ * -+ * From the datasheet, the divisor is computed according to: -+ * -+ * XTAL1 input frequency -+ * ----------------------- -+ * prescaler -+ * divisor = --------------------------- -+ * baud-rate x sampling-rate -+ */ - static int sc16is7xx_set_baud(struct uart_port *port, int baud) - { - struct sc16is7xx_port *s = dev_get_drvdata(port->dev); - u8 lcr; -- u8 prescaler = 0; -+ unsigned int prescaler = 1; - unsigned long clk = port->uartclk, div = clk / 16 / baud; - - if (div >= BIT(16)) { -- prescaler = SC16IS7XX_MCR_CLKSEL_BIT; -- div /= 4; -+ prescaler = 4; -+ div /= prescaler; - } - - /* In an amazing feat of design, the Enhanced Features Register shares -@@ -534,9 +546,10 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) - - mutex_unlock(&s->efr_lock); - -+ /* If bit MCR_CLKSEL is set, the divide by 4 prescaler is activated. */ - sc16is7xx_port_update(port, SC16IS7XX_MCR_REG, - SC16IS7XX_MCR_CLKSEL_BIT, -- prescaler); -+ prescaler == 1 ? 0 : SC16IS7XX_MCR_CLKSEL_BIT); - - /* Open the LCR divisors for configuration */ - sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, -@@ -551,7 +564,7 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) - /* Put LCR back to the normal mode */ - sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr); - -- return DIV_ROUND_CLOSEST(clk / 16, div); -+ return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div); - } - - static void sc16is7xx_handle_rx(struct uart_port *port, unsigned int rxlen, --- -2.43.0 - diff --git a/queue-5.15/serial-sc16is7xx-replace-hardcoded-divisor-value-wit.patch b/queue-5.15/serial-sc16is7xx-replace-hardcoded-divisor-value-wit.patch deleted file mode 100644 index 612d1c87426..00000000000 --- a/queue-5.15/serial-sc16is7xx-replace-hardcoded-divisor-value-wit.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 33192d74cb6f30113e61243ae4fae4f917008d94 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 21 Dec 2023 18:18:19 -0500 -Subject: serial: sc16is7xx: replace hardcoded divisor value with BIT() macro - -From: Hugo Villeneuve - -[ Upstream commit 2e57cefc4477659527f7adab1f87cdbf60ef1ae6 ] - -To better show why the limit is what it is, since we have only 16 bits for -the divisor. - -Reviewed-by: Andy Shevchenko -Suggested-by: Andy Shevchenko -Signed-off-by: Hugo Villeneuve -Link: https://lore.kernel.org/r/20231221231823.2327894-13-hugo@hugovil.com -Signed-off-by: Greg Kroah-Hartman -Stable-dep-of: 8492bd91aa05 ("serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler") -Signed-off-by: Sasha Levin ---- - drivers/tty/serial/sc16is7xx.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c -index 35f8675db1d89..25e625c2ee74b 100644 ---- a/drivers/tty/serial/sc16is7xx.c -+++ b/drivers/tty/serial/sc16is7xx.c -@@ -497,7 +497,7 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) - u8 prescaler = 0; - unsigned long clk = port->uartclk, div = clk / 16 / baud; - -- if (div > 0xffff) { -+ if (div >= BIT(16)) { - prescaler = SC16IS7XX_MCR_CLKSEL_BIT; - div /= 4; - } --- -2.43.0 - diff --git a/queue-5.15/series b/queue-5.15/series index 1821948446c..f81d18d4e95 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -386,89 +386,3 @@ edac-igen6-convert-pcibios_-return-codes-to-errnos.patch nfs-fix-undefined-behavior-in-nfs_block_bits.patch nfs-fix-read_plus-when-server-doesn-t-support-op_read_plus.patch scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-version-5.patch -wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch -wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch -wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch -wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch -wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch -wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch -wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch -wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch -wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch -net-ncsi-simplify-kconfig-dts-control-flow.patch -net-ncsi-fix-the-multi-thread-manner-of-ncsi-driver.patch -ipv6-sr-block-bh-in-seg6_output_core-and-seg6_input_.patch -bpf-set-run-context-for-rawtp-test_run-callback.patch -octeontx2-af-always-allocate-pf-entries-from-low-pri.patch -net-sched-sch_multiq-fix-possible-oob-write-in-multi.patch -vxlan-fix-regression-when-dropping-packets-due-to-in.patch -tcp-count-close-wait-sockets-for-tcp_mib_currestab.patch -net-sched-taprio-always-validate-tca_taprio_attr_pri.patch -ptp-fix-error-message-on-failed-pin-verification.patch -af_unix-set-sk-sk_state-under-unix_state_lock-for-tr.patch -af_unix-annodate-data-races-around-sk-sk_state-for-w.patch -af_unix-annotate-data-race-of-sk-sk_state-in-unix_in.patch -af_unix-annotate-data-races-around-sk-sk_state-in-un.patch -net-inline-sock_prot_inuse_add.patch -net-drop-nopreempt-requirement-on-sock_prot_inuse_ad.patch -af_unix-use-offsetof-instead-of-sizeof.patch -af_unix-pass-struct-sock-to-unix_autobind.patch -af_unix-factorise-unix_find_other-based-on-address-t.patch -af_unix-return-an-error-as-a-pointer-in-unix_find_ot.patch -af_unix-cut-unix_validate_addr-out-of-unix_mkname.patch -af_unix-copy-unix_mkname-into-unix_find_-bsd-abstrac.patch -af_unix-clean-up-some-sock_net-uses.patch -af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch -af_unix-annotate-data-races-around-sk-sk_state-in-se.patch -af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch-5290 -af_unix-annotate-data-races-around-sk-sk_state-in-un.patch-6162 -af_unix-annotate-data-race-of-net-unx.sysctl_max_dgr.patch -af_unix-use-unix_recvq_full_lockless-in-unix_stream_.patch -af_unix-annotate-lockless-accesses-to-sk-sk_err.patch -af_unix-use-skb_queue_empty_lockless-in-unix_release.patch -af_unix-use-skb_queue_len_lockless-in-sk_diag_show_r.patch -af_unix-annotate-data-race-of-sk-sk_shutdown-in-sk_d.patch -ipv6-fix-possible-race-in-__fib6_drop_pcpu_from.patch -usb-gadget-f_fs-use-io_data-status-consistently.patch -usb-gadget-f_fs-fix-race-between-aio_cancel-and-aio-.patch -iio-accel-mxc4005-reset-chip-on-probe-and-resume.patch -drm-amd-display-handle-y-carry-over-in-vcp-x.y-calcu.patch -drm-amd-display-clean-up-some-inconsistent-indenting.patch -drm-amd-display-drop-unnecessary-null-checks-in-debu.patch -drm-amd-display-fix-incorrect-dsc-instance-for-mst.patch -pvpanic-keep-single-style-across-modules.patch -pvpanic-indentation-fixes-here-and-there.patch -misc-pvpanic-deduplicate-common-code.patch -misc-pvpanic-pci-register-attributes-via-pci_driver.patch -skbuff-introduce-skb_pull_data.patch -bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch -bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch -bluetooth-btqca-add-wcn3988-support.patch -bluetooth-qca-use-switch-case-for-soc-type-behavior.patch -bluetooth-qca-add-support-for-qca2066.patch -bluetooth-qca-fix-info-leak-when-fetching-fw-build-i.patch -serial-sc16is7xx-replace-hardcoded-divisor-value-wit.patch -serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-.patch -x86-ibt-ftrace-search-for-__fentry__-location.patch -ftrace-fix-possible-use-after-free-issue-in-ftrace_l.patch -mmc-davinci_mmc-convert-to-platform-remove-callback-.patch -mmc-davinci-don-t-strip-remove-function-when-driver-.patch -mm-mprotect-use-mmu_gather.patch -mm-mprotect-do-not-flush-when-not-required-architect.patch -mm-avoid-unnecessary-flush-on-change_huge_pmd.patch -mm-fix-race-between-__split_huge_pmd_locked-and-gup-.patch -i2c-add-fwnode-apis.patch -i2c-acpi-unbind-mux-adapters-before-delete.patch -cma-factor-out-minimum-alignment-requirement.patch -mm-cma-drop-incorrect-alignment-check-in-cma_init_re.patch -selftests-mm-compaction_test-fix-incorrect-write-of-.patch -selftests-mm-conform-test-to-tap-format-output.patch -selftests-mm-log-a-consistent-test-name-for-check_co.patch -selftests-mm-compaction_test-fix-bogus-test-success-.patch -wifi-ath10k-store-wlan-firmware-version-in-smem-imag.patch -wifi-ath10k-fix-qcom_smem-dependency.patch -wifi-ath10k-fix-qcom_rproc_common-dependency.patch -btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch -nilfs2-remove-check-for-pageerror.patch -nilfs2-return-the-mapped-address-from-nilfs_get_page.patch -nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch diff --git a/queue-5.15/skbuff-introduce-skb_pull_data.patch b/queue-5.15/skbuff-introduce-skb_pull_data.patch deleted file mode 100644 index df44f568fbe..00000000000 --- a/queue-5.15/skbuff-introduce-skb_pull_data.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 2d4f94517222d0fa628417ac8333611548ca21fe Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 1 Dec 2021 10:54:52 -0800 -Subject: skbuff: introduce skb_pull_data - -From: Luiz Augusto von Dentz - -[ Upstream commit 13244cccc2b61ec715f0ac583d3037497004d4a5 ] - -Like skb_pull but returns the original data pointer before pulling the -data after performing a check against sbk->len. - -This allows to change code that does "struct foo *p = (void *)skb->data;" -which is hard to audit and error prone, to: - - p = skb_pull_data(skb, sizeof(*p)); - if (!p) - return; - -Which is both safer and cleaner. - -Acked-by: Jakub Kicinski -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Dan Carpenter -Signed-off-by: Marcel Holtmann -Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") -Signed-off-by: Sasha Levin ---- - include/linux/skbuff.h | 2 ++ - net/core/skbuff.c | 24 ++++++++++++++++++++++++ - 2 files changed, 26 insertions(+) - -diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 15de91c65a09a..b230c422dc3b9 100644 ---- a/include/linux/skbuff.h -+++ b/include/linux/skbuff.h -@@ -2447,6 +2447,8 @@ static inline void *skb_pull_inline(struct sk_buff *skb, unsigned int len) - return unlikely(len > skb->len) ? NULL : __skb_pull(skb, len); - } - -+void *skb_pull_data(struct sk_buff *skb, size_t len); -+ - void *__pskb_pull_tail(struct sk_buff *skb, int delta); - - static inline void *__pskb_pull(struct sk_buff *skb, unsigned int len) -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 4ec8cfd357eba..17073429cc365 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -2071,6 +2071,30 @@ void *skb_pull(struct sk_buff *skb, unsigned int len) - } - EXPORT_SYMBOL(skb_pull); - -+/** -+ * skb_pull_data - remove data from the start of a buffer returning its -+ * original position. -+ * @skb: buffer to use -+ * @len: amount of data to remove -+ * -+ * This function removes data from the start of a buffer, returning -+ * the memory to the headroom. A pointer to the original data in the buffer -+ * is returned after checking if there is enough data to pull. Once the -+ * data has been pulled future pushes will overwrite the old data. -+ */ -+void *skb_pull_data(struct sk_buff *skb, size_t len) -+{ -+ void *data = skb->data; -+ -+ if (skb->len < len) -+ return NULL; -+ -+ skb_pull(skb, len); -+ -+ return data; -+} -+EXPORT_SYMBOL(skb_pull_data); -+ - /** - * skb_trim - remove end from a buffer - * @skb: buffer to alter --- -2.43.0 - diff --git a/queue-5.15/tcp-count-close-wait-sockets-for-tcp_mib_currestab.patch b/queue-5.15/tcp-count-close-wait-sockets-for-tcp_mib_currestab.patch deleted file mode 100644 index 6b2496d2cd6..00000000000 --- a/queue-5.15/tcp-count-close-wait-sockets-for-tcp_mib_currestab.patch +++ /dev/null @@ -1,71 +0,0 @@ -From bd1a843eb8e9bc02a9d6eb451012475bcef63b78 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jun 2024 01:02:16 +0800 -Subject: tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB - -From: Jason Xing - -[ Upstream commit a46d0ea5c94205f40ecf912d1bb7806a8a64704f ] - -According to RFC 1213, we should also take CLOSE-WAIT sockets into -consideration: - - "tcpCurrEstab OBJECT-TYPE - ... - The number of TCP connections for which the current state - is either ESTABLISHED or CLOSE- WAIT." - -After this, CurrEstab counter will display the total number of -ESTABLISHED and CLOSE-WAIT sockets. - -The logic of counting -When we increment the counter? -a) if we change the state to ESTABLISHED. -b) if we change the state from SYN-RECEIVED to CLOSE-WAIT. - -When we decrement the counter? -a) if the socket leaves ESTABLISHED and will never go into CLOSE-WAIT, -say, on the client side, changing from ESTABLISHED to FIN-WAIT-1. -b) if the socket leaves CLOSE-WAIT, say, on the server side, changing -from CLOSE-WAIT to LAST-ACK. - -Please note: there are two chances that old state of socket can be changed -to CLOSE-WAIT in tcp_fin(). One is SYN-RECV, the other is ESTABLISHED. -So we have to take care of the former case. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Jason Xing -Reviewed-by: Eric Dumazet -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 9c7998377d6bd..31c572882b41f 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -2619,6 +2619,10 @@ void tcp_set_state(struct sock *sk, int state) - if (oldstate != TCP_ESTABLISHED) - TCP_INC_STATS(sock_net(sk), TCP_MIB_CURRESTAB); - break; -+ case TCP_CLOSE_WAIT: -+ if (oldstate == TCP_SYN_RECV) -+ TCP_INC_STATS(sock_net(sk), TCP_MIB_CURRESTAB); -+ break; - - case TCP_CLOSE: - if (oldstate == TCP_CLOSE_WAIT || oldstate == TCP_ESTABLISHED) -@@ -2630,7 +2634,7 @@ void tcp_set_state(struct sock *sk, int state) - inet_put_port(sk); - fallthrough; - default: -- if (oldstate == TCP_ESTABLISHED) -+ if (oldstate == TCP_ESTABLISHED || oldstate == TCP_CLOSE_WAIT) - TCP_DEC_STATS(sock_net(sk), TCP_MIB_CURRESTAB); - } - --- -2.43.0 - diff --git a/queue-5.15/usb-gadget-f_fs-fix-race-between-aio_cancel-and-aio-.patch b/queue-5.15/usb-gadget-f_fs-fix-race-between-aio_cancel-and-aio-.patch deleted file mode 100644 index a67da127842..00000000000 --- a/queue-5.15/usb-gadget-f_fs-fix-race-between-aio_cancel-and-aio-.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 2ad8b03cc0c9d860a128967ac53f5515871ca327 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 8 Apr 2024 18:40:59 -0700 -Subject: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request - complete - -From: Wesley Cheng - -[ Upstream commit 24729b307eefcd7c476065cd7351c1a018082c19 ] - -FFS based applications can utilize the aio_cancel() callback to dequeue -pending USB requests submitted to the UDC. There is a scenario where the -FFS application issues an AIO cancel call, while the UDC is handling a -soft disconnect. For a DWC3 based implementation, the callstack looks -like the following: - - DWC3 Gadget FFS Application -dwc3_gadget_soft_disconnect() ... - --> dwc3_stop_active_transfers() - --> dwc3_gadget_giveback(-ESHUTDOWN) - --> ffs_epfile_async_io_complete() ffs_aio_cancel() - --> usb_ep_free_request() --> usb_ep_dequeue() - -There is currently no locking implemented between the AIO completion -handler and AIO cancel, so the issue occurs if the completion routine is -running in parallel to an AIO cancel call coming from the FFS application. -As the completion call frees the USB request (io_data->req) the FFS -application is also referencing it for the usb_ep_dequeue() call. This can -lead to accessing a stale/hanging pointer. - -commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") -relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). -However, in order to properly implement locking to mitigate this issue, the -spinlock can't be added to ffs_epfile_async_io_complete(), as -usb_ep_dequeue() (if successfully dequeuing a USB request) will call the -function driver's completion handler in the same context. Hence, leading -into a deadlock. - -Fix this issue by moving the usb_ep_free_request() back to -ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req -to NULL after freeing it within the ffs->eps_lock. This resolves the race -condition above, as the ffs_aio_cancel() routine will not continue -attempting to dequeue a request that has already been freed, or the -ffs_user_copy_work() not freeing the USB request until the AIO cancel is -done referencing it. - -This fix depends on - commit b566d38857fc ("usb: gadget: f_fs: use io_data->status - consistently") - -Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support") -Cc: stable # b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") -Signed-off-by: Wesley Cheng -Link: https://lore.kernel.org/r/20240409014059.6740-1-quic_wcheng@quicinc.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/function/f_fs.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index 37d18e27ddc64..ad858044e0bfd 100644 ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -832,6 +832,7 @@ static void ffs_user_copy_worker(struct work_struct *work) - work); - int ret = io_data->status; - bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; -+ unsigned long flags; - - if (io_data->read && ret > 0) { - kthread_use_mm(io_data->mm); -@@ -844,6 +845,11 @@ static void ffs_user_copy_worker(struct work_struct *work) - if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd) - eventfd_signal(io_data->ffs->ffs_eventfd, 1); - -+ spin_lock_irqsave(&io_data->ffs->eps_lock, flags); -+ usb_ep_free_request(io_data->ep, io_data->req); -+ io_data->req = NULL; -+ spin_unlock_irqrestore(&io_data->ffs->eps_lock, flags); -+ - if (io_data->read) - kfree(io_data->to_free); - ffs_free_buffer(io_data); -@@ -859,7 +865,6 @@ static void ffs_epfile_async_io_complete(struct usb_ep *_ep, - ENTER(); - - io_data->status = req->status ? req->status : req->actual; -- usb_ep_free_request(_ep, req); - - INIT_WORK(&io_data->work, ffs_user_copy_worker); - queue_work(ffs->io_completion_wq, &io_data->work); --- -2.43.0 - diff --git a/queue-5.15/usb-gadget-f_fs-use-io_data-status-consistently.patch b/queue-5.15/usb-gadget-f_fs-use-io_data-status-consistently.patch deleted file mode 100644 index c876cdecfbb..00000000000 --- a/queue-5.15/usb-gadget-f_fs-use-io_data-status-consistently.patch +++ /dev/null @@ -1,65 +0,0 @@ -From b9cb2103b4d487c469b2b22b29d80343f0db2928 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 24 Nov 2022 17:04:28 +0000 -Subject: usb: gadget: f_fs: use io_data->status consistently - -From: John Keeping - -[ Upstream commit b566d38857fcb6777f25b674b90a831eec0817a2 ] - -Commit fb1f16d74e26 ("usb: gadget: f_fs: change ep->status safe in -ffs_epfile_io()") added a new ffs_io_data::status field to fix lifetime -issues in synchronous requests. - -While there are no similar lifetime issues for asynchronous requests -(the separate ep member in ffs_io_data avoids them) using the status -field means the USB request can be freed earlier and that there is more -consistency between the synchronous and asynchronous I/O paths. - -Cc: Linyu Yuan -Signed-off-by: John Keeping -Reviewed-by: Linyu Yuan -Link: https://lore.kernel.org/r/20221124170430.3998755-1-john@metanate.com -Signed-off-by: Greg Kroah-Hartman -Stable-dep-of: 24729b307eef ("usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete") -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/function/f_fs.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index a4367a43cdd87..37d18e27ddc64 100644 ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -830,8 +830,7 @@ static void ffs_user_copy_worker(struct work_struct *work) - { - struct ffs_io_data *io_data = container_of(work, struct ffs_io_data, - work); -- int ret = io_data->req->status ? io_data->req->status : -- io_data->req->actual; -+ int ret = io_data->status; - bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; - - if (io_data->read && ret > 0) { -@@ -845,8 +844,6 @@ static void ffs_user_copy_worker(struct work_struct *work) - if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd) - eventfd_signal(io_data->ffs->ffs_eventfd, 1); - -- usb_ep_free_request(io_data->ep, io_data->req); -- - if (io_data->read) - kfree(io_data->to_free); - ffs_free_buffer(io_data); -@@ -861,6 +858,9 @@ static void ffs_epfile_async_io_complete(struct usb_ep *_ep, - - ENTER(); - -+ io_data->status = req->status ? req->status : req->actual; -+ usb_ep_free_request(_ep, req); -+ - INIT_WORK(&io_data->work, ffs_user_copy_worker); - queue_work(ffs->io_completion_wq, &io_data->work); - } --- -2.43.0 - diff --git a/queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-in.patch b/queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-in.patch deleted file mode 100644 index 52f5a77a1a6..00000000000 --- a/queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-in.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 347d5f5211f188728422fcaa093770a7d47d5931 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 3 Jun 2024 10:59:26 +0200 -Subject: vxlan: Fix regression when dropping packets due to invalid src - addresses - -From: Daniel Borkmann - -[ Upstream commit 1cd4bc987abb2823836cbb8f887026011ccddc8a ] - -Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") -has recently been added to vxlan mainly in the context of source -address snooping/learning so that when it is enabled, an entry in the -FDB is not being created for an invalid address for the corresponding -tunnel endpoint. - -Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in -that it passed through whichever macs were set in the L2 header. It -turns out that this change in behavior breaks setups, for example, -Cilium with netkit in L3 mode for Pods as well as tunnel mode has been -passing before the change in f58f45c1e5b9 for both vxlan and geneve. -After mentioned change it is only passing for geneve as in case of -vxlan packets are dropped due to vxlan_set_mac() returning false as -source and destination macs are zero which for E/W traffic via tunnel -is totally fine. - -Fix it by only opting into the is_valid_ether_addr() check in -vxlan_set_mac() when in fact source address snooping/learning is -actually enabled in vxlan. This is done by moving the check into -vxlan_snoop(). With this change, the Cilium connectivity test suite -passes again for both tunnel flavors. - -Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") -Signed-off-by: Daniel Borkmann -Cc: David Bauer -Cc: Ido Schimmel -Cc: Nikolay Aleksandrov -Cc: Martin KaFai Lau -Reviewed-by: Ido Schimmel -Reviewed-by: Nikolay Aleksandrov -Reviewed-by: David Bauer -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/vxlan/vxlan_core.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c -index 41b1b23fdd3e9..65a2f4ab89970 100644 ---- a/drivers/net/vxlan/vxlan_core.c -+++ b/drivers/net/vxlan/vxlan_core.c -@@ -1493,6 +1493,10 @@ static bool vxlan_snoop(struct net_device *dev, - struct vxlan_fdb *f; - u32 ifindex = 0; - -+ /* Ignore packets from invalid src-address */ -+ if (!is_valid_ether_addr(src_mac)) -+ return true; -+ - #if IS_ENABLED(CONFIG_IPV6) - if (src_ip->sa.sa_family == AF_INET6 && - (ipv6_addr_type(&src_ip->sin6.sin6_addr) & IPV6_ADDR_LINKLOCAL)) --- -2.43.0 - diff --git a/queue-5.15/wifi-ath10k-fix-qcom_rproc_common-dependency.patch b/queue-5.15/wifi-ath10k-fix-qcom_rproc_common-dependency.patch deleted file mode 100644 index cbbbd12e40f..00000000000 --- a/queue-5.15/wifi-ath10k-fix-qcom_rproc_common-dependency.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 007ce78d1573733ad037be53635cf0f2ab6c9ff8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 17 May 2024 10:00:28 +0300 -Subject: wifi: ath10k: fix QCOM_RPROC_COMMON dependency - -From: Dmitry Baryshkov - -[ Upstream commit 21ae74e1bf18331ae5e279bd96304b3630828009 ] - -If ath10k_snoc is built-in, while Qualcomm remoteprocs are built as -modules, compilation fails with: - -/usr/bin/aarch64-linux-gnu-ld: drivers/net/wireless/ath/ath10k/snoc.o: in function `ath10k_modem_init': -drivers/net/wireless/ath/ath10k/snoc.c:1534: undefined reference to `qcom_register_ssr_notifier' -/usr/bin/aarch64-linux-gnu-ld: drivers/net/wireless/ath/ath10k/snoc.o: in function `ath10k_modem_deinit': -drivers/net/wireless/ath/ath10k/snoc.c:1551: undefined reference to `qcom_unregister_ssr_notifier' - -Add corresponding dependency to ATH10K_SNOC Kconfig entry so that it's -built as module if QCOM_RPROC_COMMON is built as module too. - -Fixes: 747ff7d3d742 ("ath10k: Don't always treat modem stop events as crashes") -Cc: stable@vger.kernel.org -Signed-off-by: Dmitry Baryshkov -Signed-off-by: Kalle Valo -Link: https://msgid.link/20240511-ath10k-snoc-dep-v1-1-9666e3af5c27@linaro.org -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath10k/Kconfig | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/net/wireless/ath/ath10k/Kconfig b/drivers/net/wireless/ath/ath10k/Kconfig -index e6ea884cafc19..4f385f4a8cef2 100644 ---- a/drivers/net/wireless/ath/ath10k/Kconfig -+++ b/drivers/net/wireless/ath/ath10k/Kconfig -@@ -45,6 +45,7 @@ config ATH10K_SNOC - depends on ATH10K - depends on ARCH_QCOM || COMPILE_TEST - depends on QCOM_SMEM -+ depends on QCOM_RPROC_COMMON || QCOM_RPROC_COMMON=n - select QCOM_SCM - select QCOM_QMI_HELPERS - help --- -2.43.0 - diff --git a/queue-5.15/wifi-ath10k-fix-qcom_smem-dependency.patch b/queue-5.15/wifi-ath10k-fix-qcom_smem-dependency.patch deleted file mode 100644 index c3aa85fa784..00000000000 --- a/queue-5.15/wifi-ath10k-fix-qcom_smem-dependency.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 12b52b078e5bfd61b72af37318d48c6d850cce63 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 2 Dec 2022 12:30:27 +0200 -Subject: wifi: ath10k: fix QCOM_SMEM dependency - -From: Kalle Valo - -[ Upstream commit d03407183d97554dfffea70f385b5bdd520f846c ] - -Nathan noticed that when HWSPINLOCK is disabled there's a Kconfig warning: - - WARNING: unmet direct dependencies detected for QCOM_SMEM - Depends on [n]: (ARCH_QCOM [=y] || COMPILE_TEST [=n]) && HWSPINLOCK [=n] - Selected by [m]: - - ATH10K_SNOC [=m] && NETDEVICES [=y] && WLAN [=y] && WLAN_VENDOR_ATH [=y] && ATH10K [=m] && (ARCH_QCOM [=y] || COMPILE_TEST [=n]) - -The problem here is that QCOM_SMEM depends on HWSPINLOCK so we cannot select -QCOM_SMEM and instead we neeed to use 'depends on'. - -Reported-by: Nathan Chancellor -Link: https://lore.kernel.org/all/Y4YsyaIW+CPdHWv3@dev-arch.thelio-3990X/ -Fixes: 4d79f6f34bbb ("wifi: ath10k: Store WLAN firmware version in SMEM image table") -Signed-off-by: Kalle Valo -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20221202103027.25974-1-kvalo@kernel.org -Stable-dep-of: 21ae74e1bf18 ("wifi: ath10k: fix QCOM_RPROC_COMMON dependency") -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath10k/Kconfig | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/ath/ath10k/Kconfig b/drivers/net/wireless/ath/ath10k/Kconfig -index e0a51dad8e420..e6ea884cafc19 100644 ---- a/drivers/net/wireless/ath/ath10k/Kconfig -+++ b/drivers/net/wireless/ath/ath10k/Kconfig -@@ -44,7 +44,7 @@ config ATH10K_SNOC - tristate "Qualcomm ath10k SNOC support" - depends on ATH10K - depends on ARCH_QCOM || COMPILE_TEST -- select QCOM_SMEM -+ depends on QCOM_SMEM - select QCOM_SCM - select QCOM_QMI_HELPERS - help --- -2.43.0 - diff --git a/queue-5.15/wifi-ath10k-store-wlan-firmware-version-in-smem-imag.patch b/queue-5.15/wifi-ath10k-store-wlan-firmware-version-in-smem-imag.patch deleted file mode 100644 index 27bf426698a..00000000000 --- a/queue-5.15/wifi-ath10k-store-wlan-firmware-version-in-smem-imag.patch +++ /dev/null @@ -1,123 +0,0 @@ -From a54a8f74e25cdef2f972684f063bd23c9b4bab95 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 17 Nov 2022 23:35:34 +0530 -Subject: wifi: ath10k: Store WLAN firmware version in SMEM image table - -From: Youghandhar Chintala - -[ Upstream commit 4d79f6f34bbb01c6715b31ef457d5ab0390501a1 ] - -In a SoC based solution, it would be useful to know the versions of the -various binary firmware blobs the system is running on. On a QCOM based -SoC, this info can be obtained from socinfo debugfs infrastructure. For -this to work, respective subsystem drivers have to export the firmware -version information to an SMEM based version information table. - -Having firmware version information at one place will help quickly -figure out the firmware versions of various subsystems on the device -instead of going through builds/logs in an event of a system crash. - -Fill WLAN firmware version information in SMEM version table to be -printed as part of socinfo debugfs infrastructure on a Qualcomm based -SoC. - -This change is applicable only for SNOC/QMI based targets. - -Example: -cat /sys/kernel/debug/qcom_socinfo/cnss/name -QC_IMAGE_VERSION_STRING=WLAN.HL.3.2.2.c10-00754-QCAHLSWMTPL-1 - -Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.2.c10-00754-QCAHLSWMTPL-1 - -Signed-off-by: Youghandhar Chintala -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20221117180534.2267-1-quic_youghand@quicinc.com -Stable-dep-of: 21ae74e1bf18 ("wifi: ath10k: fix QCOM_RPROC_COMMON dependency") -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath10k/Kconfig | 1 + - drivers/net/wireless/ath/ath10k/qmi.c | 35 +++++++++++++++++++++++++ - 2 files changed, 36 insertions(+) - -diff --git a/drivers/net/wireless/ath/ath10k/Kconfig b/drivers/net/wireless/ath/ath10k/Kconfig -index ca007b800f756..e0a51dad8e420 100644 ---- a/drivers/net/wireless/ath/ath10k/Kconfig -+++ b/drivers/net/wireless/ath/ath10k/Kconfig -@@ -44,6 +44,7 @@ config ATH10K_SNOC - tristate "Qualcomm ath10k SNOC support" - depends on ATH10K - depends on ARCH_QCOM || COMPILE_TEST -+ select QCOM_SMEM - select QCOM_SCM - select QCOM_QMI_HELPERS - help -diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c -index 80fcb917fe4e1..22bd97d434cc9 100644 ---- a/drivers/net/wireless/ath/ath10k/qmi.c -+++ b/drivers/net/wireless/ath/ath10k/qmi.c -@@ -14,6 +14,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -22,6 +23,10 @@ - - #define ATH10K_QMI_CLIENT_ID 0x4b4e454c - #define ATH10K_QMI_TIMEOUT 30 -+#define SMEM_IMAGE_VERSION_TABLE 469 -+#define SMEM_IMAGE_TABLE_CNSS_INDEX 13 -+#define SMEM_IMAGE_VERSION_ENTRY_SIZE 128 -+#define SMEM_IMAGE_VERSION_NAME_SIZE 75 - - static int ath10k_qmi_map_msa_permission(struct ath10k_qmi *qmi, - struct ath10k_msa_mem_info *mem_info) -@@ -536,6 +541,33 @@ int ath10k_qmi_wlan_disable(struct ath10k *ar) - return ath10k_qmi_mode_send_sync_msg(ar, QMI_WLFW_OFF_V01); - } - -+static void ath10k_qmi_add_wlan_ver_smem(struct ath10k *ar, const char *fw_build_id) -+{ -+ u8 *table_ptr; -+ size_t smem_item_size; -+ const u32 smem_img_idx_wlan = SMEM_IMAGE_TABLE_CNSS_INDEX * -+ SMEM_IMAGE_VERSION_ENTRY_SIZE; -+ -+ table_ptr = qcom_smem_get(QCOM_SMEM_HOST_ANY, -+ SMEM_IMAGE_VERSION_TABLE, -+ &smem_item_size); -+ -+ if (IS_ERR(table_ptr)) { -+ ath10k_err(ar, "smem image version table not found\n"); -+ return; -+ } -+ -+ if (smem_img_idx_wlan + SMEM_IMAGE_VERSION_ENTRY_SIZE > -+ smem_item_size) { -+ ath10k_err(ar, "smem block size too small: %zu\n", -+ smem_item_size); -+ return; -+ } -+ -+ strscpy(table_ptr + smem_img_idx_wlan, fw_build_id, -+ SMEM_IMAGE_VERSION_NAME_SIZE); -+} -+ - static int ath10k_qmi_cap_send_sync_msg(struct ath10k_qmi *qmi) - { - struct wlfw_cap_resp_msg_v01 *resp; -@@ -606,6 +638,9 @@ static int ath10k_qmi_cap_send_sync_msg(struct ath10k_qmi *qmi) - qmi->fw_version, qmi->fw_build_timestamp, qmi->fw_build_id); - } - -+ if (resp->fw_build_id_valid) -+ ath10k_qmi_add_wlan_ver_smem(ar, qmi->fw_build_id); -+ - kfree(resp); - return 0; - --- -2.43.0 - diff --git a/queue-5.15/wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch b/queue-5.15/wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch deleted file mode 100644 index c45d1ef7334..00000000000 --- a/queue-5.15/wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch +++ /dev/null @@ -1,103 +0,0 @@ -From a54a4bdf1179814d1e07117f7184a40be1b736ee Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 21 May 2024 21:47:26 +0200 -Subject: wifi: cfg80211: Lock wiphy in cfg80211_get_station - -From: Remi Pommarel - -[ Upstream commit 642f89daa34567d02f312d03e41523a894906dae ] - -Wiphy should be locked before calling rdev_get_station() (see lockdep -assert in ieee80211_get_station()). - -This fixes the following kernel NULL dereference: - - Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 - Mem abort info: - ESR = 0x0000000096000006 - EC = 0x25: DABT (current EL), IL = 32 bits - SET = 0, FnV = 0 - EA = 0, S1PTW = 0 - FSC = 0x06: level 2 translation fault - Data abort info: - ISV = 0, ISS = 0x00000006 - CM = 0, WnR = 0 - user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000 - [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000 - Internal error: Oops: 0000000096000006 [#1] SMP - Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath - CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705 - Hardware name: RPT (r1) (DT) - Workqueue: bat_events batadv_v_elp_throughput_metric_update - pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) - pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core] - lr : sta_set_sinfo+0xcc/0xbd4 - sp : ffff000007b43ad0 - x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98 - x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000 - x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc - x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000 - x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d - x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e - x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000 - x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000 - x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90 - x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000 - Call trace: - ath10k_sta_statistics+0x10/0x2dc [ath10k_core] - sta_set_sinfo+0xcc/0xbd4 - ieee80211_get_station+0x2c/0x44 - cfg80211_get_station+0x80/0x154 - batadv_v_elp_get_throughput+0x138/0x1fc - batadv_v_elp_throughput_metric_update+0x1c/0xa4 - process_one_work+0x1ec/0x414 - worker_thread+0x70/0x46c - kthread+0xdc/0xe0 - ret_from_fork+0x10/0x20 - Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814) - -This happens because STA has time to disconnect and reconnect before -batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In -this situation, ath10k_sta_state() can be in the middle of resetting -arsta data when the work queue get chance to be scheduled and ends up -accessing it. Locking wiphy prevents that. - -Fixes: 7406353d43c8 ("cfg80211: implement cfg80211_get_station cfg80211 API") -Signed-off-by: Remi Pommarel -Reviewed-by: Nicolas Escande -Acked-by: Antonio Quartulli -Link: https://msgid.link/983b24a6a176e0800c01aedcd74480d9b551cb13.1716046653.git.repk@triplefau.lt -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - net/wireless/util.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/net/wireless/util.c b/net/wireless/util.c -index cb15d7f4eb05a..d40c2cf777dc0 100644 ---- a/net/wireless/util.c -+++ b/net/wireless/util.c -@@ -2033,6 +2033,7 @@ int cfg80211_get_station(struct net_device *dev, const u8 *mac_addr, - { - struct cfg80211_registered_device *rdev; - struct wireless_dev *wdev; -+ int ret; - - wdev = dev->ieee80211_ptr; - if (!wdev) -@@ -2044,7 +2045,11 @@ int cfg80211_get_station(struct net_device *dev, const u8 *mac_addr, - - memset(sinfo, 0, sizeof(*sinfo)); - -- return rdev_get_station(rdev, dev, mac_addr, sinfo); -+ wiphy_lock(&rdev->wiphy); -+ ret = rdev_get_station(rdev, dev, mac_addr, sinfo); -+ wiphy_unlock(&rdev->wiphy); -+ -+ return ret; - } - EXPORT_SYMBOL(cfg80211_get_station); - --- -2.43.0 - diff --git a/queue-5.15/wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch b/queue-5.15/wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch deleted file mode 100644 index a949bf422b9..00000000000 --- a/queue-5.15/wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 48052b5da2a3440cd9119e4c0aef05bed91e3e50 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 21 May 2024 15:50:59 +0800 -Subject: wifi: cfg80211: pmsr: use correct nla_get_uX functions - -From: Lin Ma - -[ Upstream commit ab904521f4de52fef4f179d2dfc1877645ef5f5c ] - -The commit 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM -initiator API") defines four attributes NL80211_PMSR_FTM_REQ_ATTR_ -{NUM_BURSTS_EXP}/{BURST_PERIOD}/{BURST_DURATION}/{FTMS_PER_BURST} in -following ways. - -static const struct nla_policy -nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = { - ... - [NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] = - NLA_POLICY_MAX(NLA_U8, 15), - [NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 }, - [NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] = - NLA_POLICY_MAX(NLA_U8, 15), - [NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = - NLA_POLICY_MAX(NLA_U8, 31), - ... -}; - -That is, those attributes are expected to be NLA_U8 and NLA_U16 types. -However, the consumers of these attributes in `pmsr_parse_ftm` blindly -all use `nla_get_u32`, which is incorrect and causes functionality issues -on little-endian platforms. Hence, fix them with the correct `nla_get_u8` -and `nla_get_u16` functions. - -Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API") -Signed-off-by: Lin Ma -Link: https://msgid.link/20240521075059.47999-1-linma@zju.edu.cn -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - net/wireless/pmsr.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c -index 328cf54bda826..65fa39275f73f 100644 ---- a/net/wireless/pmsr.c -+++ b/net/wireless/pmsr.c -@@ -58,7 +58,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev, - out->ftm.burst_period = 0; - if (tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD]) - out->ftm.burst_period = -- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD]); -+ nla_get_u16(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD]); - - out->ftm.asap = !!tb[NL80211_PMSR_FTM_REQ_ATTR_ASAP]; - if (out->ftm.asap && !capa->ftm.asap) { -@@ -77,7 +77,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev, - out->ftm.num_bursts_exp = 0; - if (tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP]) - out->ftm.num_bursts_exp = -- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP]); -+ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP]); - - if (capa->ftm.max_bursts_exponent >= 0 && - out->ftm.num_bursts_exp > capa->ftm.max_bursts_exponent) { -@@ -90,7 +90,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev, - out->ftm.burst_duration = 15; - if (tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION]) - out->ftm.burst_duration = -- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION]); -+ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION]); - - out->ftm.ftms_per_burst = 0; - if (tb[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST]) -@@ -109,7 +109,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev, - out->ftm.ftmr_retries = 3; - if (tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES]) - out->ftm.ftmr_retries = -- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES]); -+ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES]); - - out->ftm.request_lci = !!tb[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI]; - if (out->ftm.request_lci && !capa->ftm.request_lci) { --- -2.43.0 - diff --git a/queue-5.15/wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch b/queue-5.15/wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch deleted file mode 100644 index ecf1e4fb4f0..00000000000 --- a/queue-5.15/wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch +++ /dev/null @@ -1,41 +0,0 @@ -From b8239fdc32879358756bf6bd00e43f9866554f0d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 10 May 2024 17:06:39 +0300 -Subject: wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs - ifdef - -From: Shahar S Matityahu - -[ Upstream commit 87821b67dea87addbc4ab093ba752753b002176a ] - -The driver should call iwl_dbg_tlv_free even if debugfs is not defined -since ini mode does not depend on debugfs ifdef. - -Fixes: 68f6f492c4fa ("iwlwifi: trans: support loading ini TLVs from external file") -Signed-off-by: Shahar S Matityahu -Reviewed-by: Luciano Coelho -Signed-off-by: Miri Korenblit -Link: https://msgid.link/20240510170500.c8e3723f55b0.I5e805732b0be31ee6b83c642ec652a34e974ff10@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c -index 524b0ad873578..afa89deb7bc3a 100644 ---- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c -+++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c -@@ -1667,8 +1667,8 @@ struct iwl_drv *iwl_drv_start(struct iwl_trans *trans) - err_fw: - #ifdef CONFIG_IWLWIFI_DEBUGFS - debugfs_remove_recursive(drv->dbgfs_drv); -- iwl_dbg_tlv_free(drv->trans); - #endif -+ iwl_dbg_tlv_free(drv->trans); - kfree(drv); - err: - return ERR_PTR(ret); --- -2.43.0 - diff --git a/queue-5.15/wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch b/queue-5.15/wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch deleted file mode 100644 index c5c1fcd3270..00000000000 --- a/queue-5.15/wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 3ecd00c9f7dbcae03177c8a0f79029e10116f6d0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 13 May 2024 13:27:12 +0300 -Subject: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids - -From: Miri Korenblit - -[ Upstream commit 60d62757df30b74bf397a2847a6db7385c6ee281 ] - -In some versions of cfg80211, the ssids poinet might be a valid one even -though n_ssids is 0. Accessing the pointer in this case will cuase an -out-of-bound access. Fix this by checking n_ssids first. - -Fixes: c1a7515393e4 ("iwlwifi: mvm: add adaptive dwell support") -Signed-off-by: Miri Korenblit -Reviewed-by: Ilan Peer -Reviewed-by: Johannes Berg -Link: https://msgid.link/20240513132416.6e4d1762bf0d.I5a0e6cc8f02050a766db704d15594c61fe583d45@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c -index c0ffa26bc5aaa..0605363b62720 100644 ---- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c -+++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c -@@ -1312,7 +1312,7 @@ static void iwl_mvm_scan_umac_dwell(struct iwl_mvm *mvm, - if (IWL_MVM_ADWELL_MAX_BUDGET) - cmd->v7.adwell_max_budget = - cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET); -- else if (params->ssids && params->ssids[0].ssid_len) -+ else if (params->n_ssids && params->ssids[0].ssid_len) - cmd->v7.adwell_max_budget = - cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN); - else -@@ -1414,7 +1414,7 @@ iwl_mvm_scan_umac_dwell_v10(struct iwl_mvm *mvm, - if (IWL_MVM_ADWELL_MAX_BUDGET) - general_params->adwell_max_budget = - cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET); -- else if (params->ssids && params->ssids[0].ssid_len) -+ else if (params->n_ssids && params->ssids[0].ssid_len) - general_params->adwell_max_budget = - cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN); - else --- -2.43.0 - diff --git a/queue-5.15/wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch b/queue-5.15/wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch deleted file mode 100644 index cfb1c9fb220..00000000000 --- a/queue-5.15/wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch +++ /dev/null @@ -1,55 +0,0 @@ -From d3db3ca66ecb01738b7ffce54eb38ceaa4894e24 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 13 May 2024 13:27:14 +0300 -Subject: wifi: iwlwifi: mvm: don't read past the mfuart notifcation - -From: Emmanuel Grumbach - -[ Upstream commit 4bb95f4535489ed830cf9b34b0a891e384d1aee4 ] - -In case the firmware sends a notification that claims it has more data -than it has, we will read past that was allocated for the notification. -Remove the print of the buffer, we won't see it by default. If needed, -we can see the content with tracing. - -This was reported by KFENCE. - -Fixes: bdccdb854f2f ("iwlwifi: mvm: support MFUART dump in case of MFUART assert") -Signed-off-by: Emmanuel Grumbach -Reviewed-by: Johannes Berg -Signed-off-by: Miri Korenblit -Link: https://msgid.link/20240513132416.ba82a01a559e.Ia91dd20f5e1ca1ad380b95e68aebf2794f553d9b@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 ---------- - 1 file changed, 10 deletions(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c -index d22a5628f9e0d..578956032e08b 100644 ---- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c -+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c -@@ -95,20 +95,10 @@ void iwl_mvm_mfu_assert_dump_notif(struct iwl_mvm *mvm, - { - struct iwl_rx_packet *pkt = rxb_addr(rxb); - struct iwl_mfu_assert_dump_notif *mfu_dump_notif = (void *)pkt->data; -- __le32 *dump_data = mfu_dump_notif->data; -- int n_words = le32_to_cpu(mfu_dump_notif->data_size) / sizeof(__le32); -- int i; - - if (mfu_dump_notif->index_num == 0) - IWL_INFO(mvm, "MFUART assert id 0x%x occurred\n", - le32_to_cpu(mfu_dump_notif->assert_id)); -- -- for (i = 0; i < n_words; i++) -- IWL_DEBUG_INFO(mvm, -- "MFUART assert dump, dword %u: 0x%08x\n", -- le16_to_cpu(mfu_dump_notif->index_num) * -- n_words + i, -- le32_to_cpu(dump_data[i])); - } - - static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait, --- -2.43.0 - diff --git a/queue-5.15/wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch b/queue-5.15/wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch deleted file mode 100644 index 680213e1894..00000000000 --- a/queue-5.15/wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch +++ /dev/null @@ -1,49 +0,0 @@ -From f43dd9b31cbdfd1b9a58a2ad68715fa957b39518 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 10 May 2024 17:06:33 +0300 -Subject: wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 - -From: Johannes Berg - -[ Upstream commit 4a7aace2899711592327463c1a29ffee44fcc66e ] - -We don't actually support >64 even for HE devices, so revert -back to 64. This fixes an issue where the session is refused -because the queue is configured differently from the actual -session later. - -Fixes: 514c30696fbc ("iwlwifi: add support for IEEE802.11ax") -Signed-off-by: Johannes Berg -Reviewed-by: Liad Kaufman -Reviewed-by: Luciano Coelho -Signed-off-by: Miri Korenblit -Link: https://msgid.link/20240510170500.52f7b4cf83aa.If47e43adddf7fe250ed7f5571fbb35d8221c7c47@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 9 ++------- - 1 file changed, 2 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs.h b/drivers/net/wireless/intel/iwlwifi/mvm/rs.h -index 32104c9f8f5ee..d59a47637d120 100644 ---- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.h -+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.h -@@ -133,13 +133,8 @@ enum { - - #define LINK_QUAL_AGG_FRAME_LIMIT_DEF (63) - #define LINK_QUAL_AGG_FRAME_LIMIT_MAX (63) --/* -- * FIXME - various places in firmware API still use u8, -- * e.g. LQ command and SCD config command. -- * This should be 256 instead. -- */ --#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_DEF (255) --#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_MAX (255) -+#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_DEF (64) -+#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_MAX (64) - #define LINK_QUAL_AGG_FRAME_LIMIT_MIN (0) - - #define LQ_SIZE 2 /* 2 mode tables: "Active" and "Search" */ --- -2.43.0 - diff --git a/queue-5.15/wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch b/queue-5.15/wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch deleted file mode 100644 index b7bd1c9820d..00000000000 --- a/queue-5.15/wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 2a41bcec40274c2e17b22cc71054b443bc89ed46 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 16 May 2024 10:18:54 +0800 -Subject: wifi: mac80211: correctly parse Spatial Reuse Parameter Set element - -From: Lingbo Kong - -[ Upstream commit a26d8dc5227f449a54518a8b40733a54c6600a8b ] - -Currently, the way of parsing Spatial Reuse Parameter Set element is -incorrect and some members of struct ieee80211_he_obss_pd are not assigned. - -To address this issue, it must be parsed in the order of the elements of -Spatial Reuse Parameter Set defined in the IEEE Std 802.11ax specification. - -The diagram of the Spatial Reuse Parameter Set element (IEEE Std 802.11ax --2021-9.4.2.252). - -------------------------------------------------------------------------- -| | | | |Non-SRG| SRG | SRG | SRG | SRG | -|Element|Length| Element | SR |OBSS PD|OBSS PD|OBSS PD| BSS |Partial| -| ID | | ID |Control| Max | Min | Max |Color | BSSID | -| | |Extension| | Offset| Offset|Offset |Bitmap|Bitmap | -------------------------------------------------------------------------- - -Fixes: 1ced169cc1c2 ("mac80211: allow setting spatial reuse parameters from bss_conf") -Signed-off-by: Lingbo Kong -Link: https://msgid.link/20240516021854.5682-3-quic_lingbok@quicinc.com -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - net/mac80211/he.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/net/mac80211/he.c b/net/mac80211/he.c -index c05af7018f79f..c730ce5132cbc 100644 ---- a/net/mac80211/he.c -+++ b/net/mac80211/he.c -@@ -223,15 +223,21 @@ ieee80211_he_spr_ie_to_bss_conf(struct ieee80211_vif *vif, - - if (!he_spr_ie_elem) - return; -+ -+ he_obss_pd->sr_ctrl = he_spr_ie_elem->he_sr_control; - data = he_spr_ie_elem->optional; - - if (he_spr_ie_elem->he_sr_control & - IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT) -- data++; -+ he_obss_pd->non_srg_max_offset = *data++; -+ - if (he_spr_ie_elem->he_sr_control & - IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT) { -- he_obss_pd->max_offset = *data++; - he_obss_pd->min_offset = *data++; -+ he_obss_pd->max_offset = *data++; -+ memcpy(he_obss_pd->bss_color_bitmap, data, 8); -+ data += 8; -+ memcpy(he_obss_pd->partial_bssid_bitmap, data, 8); - he_obss_pd->enable = true; - } - } --- -2.43.0 - diff --git a/queue-5.15/wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch b/queue-5.15/wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch deleted file mode 100644 index 012b04a7496..00000000000 --- a/queue-5.15/wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 6e8dfd5b602d19e685cb7fa1d5ac3c57d4c339c2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 29 May 2024 08:57:53 +0200 -Subject: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() - -From: Remi Pommarel - -[ Upstream commit 44c06bbde6443de206b30f513100b5670b23fc5e ] - -The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to -synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from -softirq context. However using only spin_lock() to get sta->ps_lock in -ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute -on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to -take this same lock ending in deadlock. Below is an example of rcu stall -that arises in such situation. - - rcu: INFO: rcu_sched self-detected stall on CPU - rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996 - rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4) - CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742 - Hardware name: RPT (r1) (DT) - pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) - pc : queued_spin_lock_slowpath+0x58/0x2d0 - lr : invoke_tx_handlers_early+0x5b4/0x5c0 - sp : ffff00001ef64660 - x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8 - x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000 - x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000 - x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000 - x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80 - x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da - x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440 - x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880 - x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000 - x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8 - Call trace: - queued_spin_lock_slowpath+0x58/0x2d0 - ieee80211_tx+0x80/0x12c - ieee80211_tx_pending+0x110/0x278 - tasklet_action_common.constprop.0+0x10c/0x144 - tasklet_action+0x20/0x28 - _stext+0x11c/0x284 - ____do_softirq+0xc/0x14 - call_on_irq_stack+0x24/0x34 - do_softirq_own_stack+0x18/0x20 - do_softirq+0x74/0x7c - __local_bh_enable_ip+0xa0/0xa4 - _ieee80211_wake_txqs+0x3b0/0x4b8 - __ieee80211_wake_queue+0x12c/0x168 - ieee80211_add_pending_skbs+0xec/0x138 - ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480 - ieee80211_mps_sta_status_update.part.0+0xd8/0x11c - ieee80211_mps_sta_status_update+0x18/0x24 - sta_apply_parameters+0x3bc/0x4c0 - ieee80211_change_station+0x1b8/0x2dc - nl80211_set_station+0x444/0x49c - genl_family_rcv_msg_doit.isra.0+0xa4/0xfc - genl_rcv_msg+0x1b0/0x244 - netlink_rcv_skb+0x38/0x10c - genl_rcv+0x34/0x48 - netlink_unicast+0x254/0x2bc - netlink_sendmsg+0x190/0x3b4 - ____sys_sendmsg+0x1e8/0x218 - ___sys_sendmsg+0x68/0x8c - __sys_sendmsg+0x44/0x84 - __arm64_sys_sendmsg+0x20/0x28 - do_el0_svc+0x6c/0xe8 - el0_svc+0x14/0x48 - el0t_64_sync_handler+0xb0/0xb4 - el0t_64_sync+0x14c/0x150 - -Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise -on the same CPU that is holding the lock. - -Fixes: 1d147bfa6429 ("mac80211: fix AP powersave TX vs. wakeup race") -Signed-off-by: Remi Pommarel -Link: https://msgid.link/8e36fe07d0fbc146f89196cd47a53c8a0afe84aa.1716910344.git.repk@triplefau.lt -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - net/mac80211/sta_info.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c -index f4deee1926e58..6d2b42cb3ad58 100644 ---- a/net/mac80211/sta_info.c -+++ b/net/mac80211/sta_info.c -@@ -1339,7 +1339,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta) - skb_queue_head_init(&pending); - - /* sync with ieee80211_tx_h_unicast_ps_buf */ -- spin_lock(&sta->ps_lock); -+ spin_lock_bh(&sta->ps_lock); - /* Send all buffered frames to the station */ - for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { - int count = skb_queue_len(&pending), tmp; -@@ -1368,7 +1368,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta) - */ - clear_sta_flag(sta, WLAN_STA_PSPOLL); - clear_sta_flag(sta, WLAN_STA_UAPSD); -- spin_unlock(&sta->ps_lock); -+ spin_unlock_bh(&sta->ps_lock); - - atomic_dec(&ps->num_sta_ps); - --- -2.43.0 - diff --git a/queue-5.15/wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch b/queue-5.15/wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch deleted file mode 100644 index e786f7d1223..00000000000 --- a/queue-5.15/wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 36c885782014e1a47d629d5661ec18cc037a39db Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 28 May 2024 16:26:05 +0200 -Subject: wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects - -From: Nicolas Escande - -[ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ] - -The hwmp code use objects of type mesh_preq_queue, added to a list in -ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath -gets deleted, ex mesh interface is removed, the entries in that list will -never get cleaned. Fix this by flushing all corresponding items of the -preq_queue in mesh_path_flush_pending(). - -This should take care of KASAN reports like this: - -unreferenced object 0xffff00000668d800 (size 128): - comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s) - hex dump (first 32 bytes): - 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h..... - 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>........... - backtrace: - [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c - [<00000000049bd418>] kmalloc_trace+0x34/0x80 - [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 - [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c - [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 - [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 - [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 - [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 - [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c - [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 - [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 - [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c - [<00000000b36425d1>] worker_thread+0x9c/0x634 - [<0000000005852dd5>] kthread+0x1bc/0x1c4 - [<000000005fccd770>] ret_from_fork+0x10/0x20 -unreferenced object 0xffff000009051f00 (size 128): - comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s) - hex dump (first 32 bytes): - 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h..... - 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy..... - backtrace: - [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c - [<00000000049bd418>] kmalloc_trace+0x34/0x80 - [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 - [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c - [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 - [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 - [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 - [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 - [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c - [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 - [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 - [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c - [<00000000b36425d1>] worker_thread+0x9c/0x634 - [<0000000005852dd5>] kthread+0x1bc/0x1c4 - [<000000005fccd770>] ret_from_fork+0x10/0x20 - -Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol") -Signed-off-by: Nicolas Escande -Link: https://msgid.link/20240528142605.1060566-1-nico.escande@gmail.com -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - net/mac80211/mesh_pathtbl.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c -index 69d5e1ec6edef..e7b9dcf30adc9 100644 ---- a/net/mac80211/mesh_pathtbl.c -+++ b/net/mac80211/mesh_pathtbl.c -@@ -723,10 +723,23 @@ void mesh_path_discard_frame(struct ieee80211_sub_if_data *sdata, - */ - void mesh_path_flush_pending(struct mesh_path *mpath) - { -+ struct ieee80211_sub_if_data *sdata = mpath->sdata; -+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; -+ struct mesh_preq_queue *preq, *tmp; - struct sk_buff *skb; - - while ((skb = skb_dequeue(&mpath->frame_queue)) != NULL) - mesh_path_discard_frame(mpath->sdata, skb); -+ -+ spin_lock_bh(&ifmsh->mesh_preq_queue_lock); -+ list_for_each_entry_safe(preq, tmp, &ifmsh->preq_queue.list, list) { -+ if (ether_addr_equal(mpath->dst, preq->dst)) { -+ list_del(&preq->list); -+ kfree(preq); -+ --ifmsh->preq_queue_len; -+ } -+ } -+ spin_unlock_bh(&ifmsh->mesh_preq_queue_lock); - } - - /** --- -2.43.0 - diff --git a/queue-5.15/x86-ibt-ftrace-search-for-__fentry__-location.patch b/queue-5.15/x86-ibt-ftrace-search-for-__fentry__-location.patch deleted file mode 100644 index da5b2adca4f..00000000000 --- a/queue-5.15/x86-ibt-ftrace-search-for-__fentry__-location.patch +++ /dev/null @@ -1,218 +0,0 @@ -From 0fb3ba2981bdfeed49e23a1f6c7b020405952b3b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 8 Mar 2022 16:30:29 +0100 -Subject: x86/ibt,ftrace: Search for __fentry__ location - -From: Peter Zijlstra - -[ Upstream commit aebfd12521d9c7d0b502cf6d06314cfbcdccfe3b ] - -Currently a lot of ftrace code assumes __fentry__ is at sym+0. However -with Intel IBT enabled the first instruction of a function will most -likely be ENDBR. - -Change ftrace_location() to not only return the __fentry__ location -when called for the __fentry__ location, but also when called for the -sym+0 location. - -Then audit/update all callsites of this function to consistently use -these new semantics. - -Suggested-by: Steven Rostedt -Signed-off-by: Peter Zijlstra (Intel) -Acked-by: Masami Hiramatsu -Acked-by: Josh Poimboeuf -Link: https://lore.kernel.org/r/20220308154318.227581603@infradead.org -Stable-dep-of: e60b613df8b6 ("ftrace: Fix possible use-after-free issue in ftrace_location()") -Signed-off-by: Sasha Levin ---- - arch/x86/kernel/kprobes/core.c | 11 ++------ - kernel/bpf/trampoline.c | 20 +++----------- - kernel/kprobes.c | 8 ++---- - kernel/trace/ftrace.c | 48 ++++++++++++++++++++++++++++------ - 4 files changed, 48 insertions(+), 39 deletions(-) - -diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c -index 893f040b97b7d..99dd504307fdc 100644 ---- a/arch/x86/kernel/kprobes/core.c -+++ b/arch/x86/kernel/kprobes/core.c -@@ -194,17 +194,10 @@ static unsigned long - __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr) - { - struct kprobe *kp; -- unsigned long faddr; -+ bool faddr; - - kp = get_kprobe((void *)addr); -- faddr = ftrace_location(addr); -- /* -- * Addresses inside the ftrace location are refused by -- * arch_check_ftrace_location(). Something went terribly wrong -- * if such an address is checked here. -- */ -- if (WARN_ON(faddr && faddr != addr)) -- return 0UL; -+ faddr = ftrace_location(addr) == addr; - /* - * Use the current code if it is not modified by Kprobe - * and it cannot be modified by ftrace. -diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c -index 4fa75791b45e2..1bffee0458863 100644 ---- a/kernel/bpf/trampoline.c -+++ b/kernel/bpf/trampoline.c -@@ -108,18 +108,6 @@ static void bpf_trampoline_module_put(struct bpf_trampoline *tr) - tr->mod = NULL; - } - --static int is_ftrace_location(void *ip) --{ -- long addr; -- -- addr = ftrace_location((long)ip); -- if (!addr) -- return 0; -- if (WARN_ON_ONCE(addr != (long)ip)) -- return -EFAULT; -- return 1; --} -- - static int unregister_fentry(struct bpf_trampoline *tr, void *old_addr) - { - void *ip = tr->func.addr; -@@ -151,12 +139,12 @@ static int modify_fentry(struct bpf_trampoline *tr, void *old_addr, void *new_ad - static int register_fentry(struct bpf_trampoline *tr, void *new_addr) - { - void *ip = tr->func.addr; -+ unsigned long faddr; - int ret; - -- ret = is_ftrace_location(ip); -- if (ret < 0) -- return ret; -- tr->func.ftrace_managed = ret; -+ faddr = ftrace_location((unsigned long)ip); -+ if (faddr) -+ tr->func.ftrace_managed = true; - - if (bpf_trampoline_module_get(tr)) - return -ENOENT; -diff --git a/kernel/kprobes.c b/kernel/kprobes.c -index af57705e1fef3..258d425b2c4a5 100644 ---- a/kernel/kprobes.c -+++ b/kernel/kprobes.c -@@ -1526,14 +1526,10 @@ static inline int warn_kprobe_rereg(struct kprobe *p) - - int __weak arch_check_ftrace_location(struct kprobe *p) - { -- unsigned long ftrace_addr; -+ unsigned long addr = (unsigned long)p->addr; - -- ftrace_addr = ftrace_location((unsigned long)p->addr); -- if (ftrace_addr) { -+ if (ftrace_location(addr) == addr) { - #ifdef CONFIG_KPROBES_ON_FTRACE -- /* Given address is not on the instruction boundary */ -- if ((unsigned long)p->addr != ftrace_addr) -- return -EILSEQ; - p->flags |= KPROBE_FLAG_FTRACE; - #else /* !CONFIG_KPROBES_ON_FTRACE */ - return -EINVAL; -diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 157a1d2d9802f..3dce1a107a7c7 100644 ---- a/kernel/trace/ftrace.c -+++ b/kernel/trace/ftrace.c -@@ -1575,17 +1575,34 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) - } - - /** -- * ftrace_location - return true if the ip giving is a traced location -+ * ftrace_location - return the ftrace location - * @ip: the instruction pointer to check - * -- * Returns rec->ip if @ip given is a pointer to a ftrace location. -- * That is, the instruction that is either a NOP or call to -- * the function tracer. It checks the ftrace internal tables to -- * determine if the address belongs or not. -+ * If @ip matches the ftrace location, return @ip. -+ * If @ip matches sym+0, return sym's ftrace location. -+ * Otherwise, return 0. - */ - unsigned long ftrace_location(unsigned long ip) - { -- return ftrace_location_range(ip, ip); -+ struct dyn_ftrace *rec; -+ unsigned long offset; -+ unsigned long size; -+ -+ rec = lookup_rec(ip, ip); -+ if (!rec) { -+ if (!kallsyms_lookup_size_offset(ip, &size, &offset)) -+ goto out; -+ -+ /* map sym+0 to __fentry__ */ -+ if (!offset) -+ rec = lookup_rec(ip, ip + size - 1); -+ } -+ -+ if (rec) -+ return rec->ip; -+ -+out: -+ return 0; - } - - /** -@@ -4942,7 +4959,8 @@ ftrace_match_addr(struct ftrace_hash *hash, unsigned long ip, int remove) - { - struct ftrace_func_entry *entry; - -- if (!ftrace_location(ip)) -+ ip = ftrace_location(ip); -+ if (!ip) - return -EINVAL; - - if (remove) { -@@ -5090,11 +5108,16 @@ int register_ftrace_direct(unsigned long ip, unsigned long addr) - struct ftrace_func_entry *entry; - struct ftrace_hash *free_hash = NULL; - struct dyn_ftrace *rec; -- int ret = -EBUSY; -+ int ret = -ENODEV; - - mutex_lock(&direct_mutex); - -+ ip = ftrace_location(ip); -+ if (!ip) -+ goto out_unlock; -+ - /* See if there's a direct function at @ip already */ -+ ret = -EBUSY; - if (ftrace_find_rec_direct(ip)) - goto out_unlock; - -@@ -5223,6 +5246,10 @@ int unregister_ftrace_direct(unsigned long ip, unsigned long addr) - - mutex_lock(&direct_mutex); - -+ ip = ftrace_location(ip); -+ if (!ip) -+ goto out_unlock; -+ - entry = find_direct_entry(&ip, NULL); - if (!entry) - goto out_unlock; -@@ -5354,6 +5381,11 @@ int modify_ftrace_direct(unsigned long ip, - mutex_lock(&direct_mutex); - - mutex_lock(&ftrace_lock); -+ -+ ip = ftrace_location(ip); -+ if (!ip) -+ goto out_unlock; -+ - entry = find_direct_entry(&ip, &rec); - if (!entry) - goto out_unlock; --- -2.43.0 - -- 2.47.3