From b185b5f6034181c4c511a020e8fa31da83e67553 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 22 Oct 2024 13:39:26 -0400 Subject: [PATCH] Fixes for 6.6 Signed-off-by: Sasha Levin --- ...x-the-for-loop-used-to-walk-sg-table.patch | 74 +++ ...cs8409-fix-possible-null-dereference.patch | 45 ++ ...37-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch | 42 ++ ...ix-wild-memory-access-in-proto_unreg.patch | 50 ++ ...-to-perf_event-bpf_link_info-records.patch | 138 ++++ ...issed-value-to-kprobe-perf-link-info.patch | 230 +++++++ ...pf-devmap-provide-rxq-after-redirect.patch | 156 +++++ .../bpf-fix-iter-task-tid-filtering.patch | 40 ++ ...pf-fix-kfunc-btf-caching-for-modules.patch | 82 +++ ...o-netfilter-flags-to-populate-defrag.patch | 44 ++ ...pf-fix-memory-leak-in-bpf_core_apply.patch | 36 ++ ...ncation-bug-in-coerce_reg_to_size_sx.patch | 67 ++ ...ted-name_len-field-in-perf_event-lin.patch | 128 ++++ ...ternal-and-uapi-bpf_redirect-flags-d.patch | 103 +++ ...rop-on-attempted-redirects-of-unsupp.patch | 83 +++ ...static-vsock_bpf_prot-initialization.patch | 45 ++ ...ier_nospec-in-cdrom_ioctl_media_chan.patch | 44 ++ ...te-fix-amd_pstate-mode-switch-on-sha.patch | 55 ++ ...ix-double-unlock-in-amdgpu_mes_add_r.patch | 183 ++++++ ...-memory-for-disp-snapshot-with-kvzal.patch | 57 ++ ...ll-dereference-in-msm_disp_state_pri.patch | 79 +++ ...k-for-overflow-in-_dpu_crtc_setup_lm.patch | 82 +++ ...-don-t-always-program-merge_3d-block.patch | 39 ++ ...-sure-phys-resources-are-properly-in.patch | 62 ++ ...32-bit-signed-integer-extension-in-p.patch | 47 ++ ...dsi-improve-fix-dsc-pclk-calculation.patch | 39 ++ ...e-possible-enomem-in-vmw_stdu_connec.patch | 42 ++ ...i-fix-the-double-free-in-scmi_debugf.patch | 51 ++ ...i-queue-in-scmi-layer-for-mailbox-im.patch | 115 ++++ .../genetlink-hold-rcu-in-genlmsg_mcast.patch | 242 +++++++ ...-fix-uninitialized-variable-field_va.patch | 46 ++ ...064-add-missing-select-iio_-triggere.patch | 41 ++ ...mv4420-adrf6780-format-kconfig-entri.patch | 70 +++ ...mv4420-fix-missing-select-remap_spi-.patch | 37 ++ ...give-an-ipv4-dev-to-blackhole_netdev.patch | 112 ++++ ...rzg2l-add-support-for-suspend-to-ram.patch | 208 +++++++ ...rzg2l-align-struct-member-names-to-t.patch | 43 ++ ...sas-rzg2l-document-structure-members.patch | 42 ++ ...renesas-rzg2l-fix-missing-put_device.patch | 81 +++ ...rt-alloc_charge_hpage-to-alloc_charg.patch | 99 +++ ...ed-inline-hpage_collapse_alloc_folio.patch | 77 +++ ...aged-remove-hpage-from-collapse_file.patch | 219 +++++++ ...g-fix-grammar-in-rust_build_assert_a.patch | 39 ++ ...crement-counters-for-an-unrelated-sa.patch | 83 +++ ...rt-collapse_huge_page-to-use-a-folio.patch | 66 ++ ...nvert-alloc_charge_hpage-to-use-foli.patch | 113 ++++ ...x-the-arguments-order-in-khugepaged_.patch | 83 +++ ...ed-use-a-folio-more-in-collapse_file.patch | 80 +++ ...potential-memory-leak-in-bcmasp_xmit.patch | 37 ++ ...x-fix-the-max_vid-definition-for-the.patch | 42 ++ ...oflex-fix-potential-memory-leak-in-g.patch | 47 ++ ...or-invalid-vector-index-on-eq-creati.patch | 47 ++ ...5-fix-command-bitmask-initialization.patch | 100 +++ ...ter-notifier-on-eswitch-init-failure.patch | 72 +++ ...vertise-rx-tx-timestamps-if-hardware.patch | 76 +++ ...x-memory-leak-when-using-percpu-refs.patch | 57 ++ ...ching-in-list-of-known-pnetids-in-sm.patch | 41 ++ ...mac-tegra-fix-link-bring-up-sequence.patch | 91 +++ ...ix-potential-memory-leak-in-bcm_sysp.patch | 36 ++ ...usb-usbnet-fix-race-in-probe-failure.patch | 37 ++ ...et-fix-potential-memory-leak-in-axie.patch | 46 ++ ...nd_resched-in-nsim_dev_trap_report_w.patch | 111 ++++ ...e-condition-between-reset-and-nvme_d.patch | 89 +++ ...t-doorbell-config-before-unquiescing.patch | 41 ++ ...-potential-integer-overflows-on-inte.patch | 49 ++ ...ove-setting-of-rx-software-timestamp.patch | 54 ++ ...re-add-a-check-for-memory-allocation.patch | 40 ++ ...-a-bug-while-setting-up-level-2-pbl-.patch | 59 ++ ...a-bnxt_re-fix-a-possible-memory-leak.patch | 43 ++ ...-incorrect-avid-type-in-wqe-structur.patch | 47 ++ .../rdma-bnxt_re-fix-out-of-bound-check.patch | 42 ++ ...dma-bnxt_re-fix-the-gid-table-length.patch | 51 ++ ...x-the-max-cq-wqes-for-older-adapters.patch | 52 ++ ...bnxt_re-return-more-meaningful-error.patch | 41 ++ ...bnxt_re-support-new-5760x-p7-devices.patch | 309 +++++++++ .../rdma-bnxt_re-update-the-bar-offsets.patch | 95 +++ ...nodev-error-for-iwarp-test-over-vlan.patch | 42 ++ ...dma_cm_event_unreachable-error-for-i.patch | 65 ++ ...rdma-irdma-fix-misspelling-of-accept.patch | 37 ++ ...ma-srpt-make-slab-cache-names-unique.patch | 195 ++++++ ...v-bpf-make-bpf_cmpxchg-fully-ordered.patch | 89 +++ ...psw-mask-in-perf_arch_fetch_caller_r.patch | 38 ++ ...ndle-pci-error-codes-other-than-0x3a.patch | 65 ++ ...le-page-allocation-in-task_tick_mm_c.patch | 132 ++++ ...-fix-null-ptr-deref-in-target_alloc_.patch | 54 ++ ...d-cookies-check-for-perf_event-fill_.patch | 113 ++++ ...bpf-fix-cross-compiling-urandom_read.patch | 41 ++ ...x-perf_event-link-info-name_len-asse.patch | 63 ++ ...e-bpf_link__destroy-in-fill_link_inf.patch | 134 ++++ queue-6.6/series | 106 ++++ ...obs-when-building-smb2_ioctl-request.patch | 107 ++++ ...-possible-double-free-in-smb2_set_ea.patch | 59 ++ ...a_nmi_current-as-an-additional-notif.patch | 114 ++++ ...se-timer_pending-in-reqsk_queue_unli.patch | 180 ++++++ ...x-system-suspend-on-ti-am62-platform.patch | 111 ++++ ...2-fix-non-newline-terminated-functio.patch | 48 ++ ...2-fix-return-value-for-uac2_attribut.patch | 58 ++ ...2-replace-snprintf-with-the-safer-sc.patch | 68 ++ ...mode-should-keep-reference-to-parent.patch | 130 ++++ ...et-corruption-in-vmxnet3_xdp_xmit_fr.patch | 64 ++ .../vsock-update-msg_count-on-read_skb.patch | 40 ++ .../vsock-update-rx_bytes-on-read_skb.patch | 68 ++ ...d-overflow-in-mb-settings-in-bw_vali.patch | 102 +++ ...c-honor-usb-transfer-size-boundaries.patch | 149 +++++ ...xhci-dbgtty-remove-kfifo_out-wrapper.patch | 61 ++ ...bgtty-use-kfifo-from-tty_port-struct.patch | 117 ++++ ...rt-and-caps-macros-into-dedicated-fi.patch | 589 ++++++++++++++++++ 107 files changed, 9130 insertions(+) create mode 100644 queue-6.6/accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch create mode 100644 queue-6.6/alsa-hda-cs8409-fix-possible-null-dereference.patch create mode 100644 queue-6.6/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch create mode 100644 queue-6.6/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch create mode 100644 queue-6.6/bpf-add-cookie-to-perf_event-bpf_link_info-records.patch create mode 100644 queue-6.6/bpf-add-missed-value-to-kprobe-perf-link-info.patch create mode 100644 queue-6.6/bpf-devmap-provide-rxq-after-redirect.patch create mode 100644 queue-6.6/bpf-fix-iter-task-tid-filtering.patch create mode 100644 queue-6.6/bpf-fix-kfunc-btf-caching-for-modules.patch create mode 100644 queue-6.6/bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch create mode 100644 queue-6.6/bpf-fix-memory-leak-in-bpf_core_apply.patch create mode 100644 queue-6.6/bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch create mode 100644 queue-6.6/bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch create mode 100644 queue-6.6/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch create mode 100644 queue-6.6/bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch create mode 100644 queue-6.6/bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch create mode 100644 queue-6.6/cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch create mode 100644 queue-6.6/cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch create mode 100644 queue-6.6/drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch create mode 100644 queue-6.6/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch create mode 100644 queue-6.6/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch create mode 100644 queue-6.6/drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch create mode 100644 queue-6.6/drm-msm-dpu-don-t-always-program-merge_3d-block.patch create mode 100644 queue-6.6/drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch create mode 100644 queue-6.6/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch create mode 100644 queue-6.6/drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch create mode 100644 queue-6.6/drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch create mode 100644 queue-6.6/firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch create mode 100644 queue-6.6/firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch create mode 100644 queue-6.6/genetlink-hold-rcu-in-genlmsg_mcast.patch create mode 100644 queue-6.6/iio-accel-bma400-fix-uninitialized-variable-field_va.patch create mode 100644 queue-6.6/iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch create mode 100644 queue-6.6/iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch create mode 100644 queue-6.6/iio-frequency-admv4420-fix-missing-select-remap_spi-.patch create mode 100644 queue-6.6/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch create mode 100644 queue-6.6/irqchip-renesas-rzg2l-add-support-for-suspend-to-ram.patch create mode 100644 queue-6.6/irqchip-renesas-rzg2l-align-struct-member-names-to-t.patch create mode 100644 queue-6.6/irqchip-renesas-rzg2l-document-structure-members.patch create mode 100644 queue-6.6/irqchip-renesas-rzg2l-fix-missing-put_device.patch create mode 100644 queue-6.6/khugepaged-convert-alloc_charge_hpage-to-alloc_charg.patch create mode 100644 queue-6.6/khugepaged-inline-hpage_collapse_alloc_folio.patch create mode 100644 queue-6.6/khugepaged-remove-hpage-from-collapse_file.patch create mode 100644 queue-6.6/lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch create mode 100644 queue-6.6/macsec-don-t-increment-counters-for-an-unrelated-sa.patch create mode 100644 queue-6.6/mm-convert-collapse_huge_page-to-use-a-folio.patch create mode 100644 queue-6.6/mm-khugepaged-convert-alloc_charge_hpage-to-use-foli.patch create mode 100644 queue-6.6/mm-khugepaged-fix-the-arguments-order-in-khugepaged_.patch create mode 100644 queue-6.6/mm-khugepaged-use-a-folio-more-in-collapse_file.patch create mode 100644 queue-6.6/net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch create mode 100644 queue-6.6/net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch create mode 100644 queue-6.6/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch create mode 100644 queue-6.6/net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch create mode 100644 queue-6.6/net-mlx5-fix-command-bitmask-initialization.patch create mode 100644 queue-6.6/net-mlx5-unregister-notifier-on-eswitch-init-failure.patch create mode 100644 queue-6.6/net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch create mode 100644 queue-6.6/net-smc-fix-memory-leak-when-using-percpu-refs.patch create mode 100644 queue-6.6/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch create mode 100644 queue-6.6/net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch create mode 100644 queue-6.6/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch create mode 100644 queue-6.6/net-usb-usbnet-fix-race-in-probe-failure.patch create mode 100644 queue-6.6/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch create mode 100644 queue-6.6/netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch create mode 100644 queue-6.6/nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch create mode 100644 queue-6.6/nvme-pci-set-doorbell-config-before-unquiescing.patch create mode 100644 queue-6.6/octeontx2-af-fix-potential-integer-overflows-on-inte.patch create mode 100644 queue-6.6/ravb-remove-setting-of-rx-software-timestamp.patch create mode 100644 queue-6.6/rdma-bnxt_re-add-a-check-for-memory-allocation.patch create mode 100644 queue-6.6/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch create mode 100644 queue-6.6/rdma-bnxt_re-fix-a-possible-memory-leak.patch create mode 100644 queue-6.6/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch create mode 100644 queue-6.6/rdma-bnxt_re-fix-out-of-bound-check.patch create mode 100644 queue-6.6/rdma-bnxt_re-fix-the-gid-table-length.patch create mode 100644 queue-6.6/rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch create mode 100644 queue-6.6/rdma-bnxt_re-return-more-meaningful-error.patch create mode 100644 queue-6.6/rdma-bnxt_re-support-new-5760x-p7-devices.patch create mode 100644 queue-6.6/rdma-bnxt_re-update-the-bar-offsets.patch create mode 100644 queue-6.6/rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch create mode 100644 queue-6.6/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch create mode 100644 queue-6.6/rdma-irdma-fix-misspelling-of-accept.patch create mode 100644 queue-6.6/rdma-srpt-make-slab-cache-names-unique.patch create mode 100644 queue-6.6/riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch create mode 100644 queue-6.6/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch create mode 100644 queue-6.6/s390-pci-handle-pci-error-codes-other-than-0x3a.patch create mode 100644 queue-6.6/sched-core-disable-page-allocation-in-task_tick_mm_c.patch create mode 100644 queue-6.6/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch create mode 100644 queue-6.6/selftests-bpf-add-cookies-check-for-perf_event-fill_.patch create mode 100644 queue-6.6/selftests-bpf-fix-cross-compiling-urandom_read.patch create mode 100644 queue-6.6/selftests-bpf-fix-perf_event-link-info-name_len-asse.patch create mode 100644 queue-6.6/selftests-bpf-use-bpf_link__destroy-in-fill_link_inf.patch create mode 100644 queue-6.6/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch create mode 100644 queue-6.6/smb-client-fix-possible-double-free-in-smb2_set_ea.patch create mode 100644 queue-6.6/task_work-add-twa_nmi_current-as-an-additional-notif.patch create mode 100644 queue-6.6/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch create mode 100644 queue-6.6/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch create mode 100644 queue-6.6/usb-gadget-f_uac2-fix-non-newline-terminated-functio.patch create mode 100644 queue-6.6/usb-gadget-f_uac2-fix-return-value-for-uac2_attribut.patch create mode 100644 queue-6.6/usb-gadget-f_uac2-replace-snprintf-with-the-safer-sc.patch create mode 100644 queue-6.6/usb-typec-altmode-should-keep-reference-to-parent.patch create mode 100644 queue-6.6/vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch create mode 100644 queue-6.6/vsock-update-msg_count-on-read_skb.patch create mode 100644 queue-6.6/vsock-update-rx_bytes-on-read_skb.patch create mode 100644 queue-6.6/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch create mode 100644 queue-6.6/xhci-dbc-honor-usb-transfer-size-boundaries.patch create mode 100644 queue-6.6/xhci-dbgtty-remove-kfifo_out-wrapper.patch create mode 100644 queue-6.6/xhci-dbgtty-use-kfifo-from-tty_port-struct.patch create mode 100644 queue-6.6/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch diff --git a/queue-6.6/accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch b/queue-6.6/accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch new file mode 100644 index 00000000000..61c2e3e6692 --- /dev/null +++ b/queue-6.6/accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch @@ -0,0 +1,74 @@ +From 087442f17f403f0a2af0559a0b6142849066dcf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 13:32:52 -0600 +Subject: accel/qaic: Fix the for loop used to walk SG table + +From: Pranjal Ramajor Asha Kanojiya + +[ Upstream commit c5e8e93897b7bb0a336bf3332f82f8d9f2b33f14 ] + +Only for_each_sgtable_dma_sg() should be used to walk through a SG table +to grab correct bus address and length pair after calling DMA MAP API on +a SG table as DMA MAP APIs updates the SG table and for_each_sgtable_sg() +walks through the original SG table. + +Fixes: ff13be830333 ("accel/qaic: Add datapath") +Fixes: 129776ac2e38 ("accel/qaic: Add control path") +Signed-off-by: Pranjal Ramajor Asha Kanojiya +Reviewed-by: Jeffrey Hugo +Signed-off-by: Jeffrey Hugo +Reviewed-by: Jacek Lawrynowicz +Link: https://patchwork.freedesktop.org/patch/msgid/20241004193252.3888544-1-quic_jhugo@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/accel/qaic/qaic_control.c | 2 +- + drivers/accel/qaic/qaic_data.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c +index 388abd40024ba..f3db3fa91dd52 100644 +--- a/drivers/accel/qaic/qaic_control.c ++++ b/drivers/accel/qaic/qaic_control.c +@@ -496,7 +496,7 @@ static int encode_addr_size_pairs(struct dma_xfer *xfer, struct wrapper_list *wr + nents = sgt->nents; + nents_dma = nents; + *size = QAIC_MANAGE_EXT_MSG_LENGTH - msg_hdr_len - sizeof(**out_trans); +- for_each_sgtable_sg(sgt, sg, i) { ++ for_each_sgtable_dma_sg(sgt, sg, i) { + *size -= sizeof(*asp); + /* Save 1K for possible follow-up transactions. */ + if (*size < SZ_1K) { +diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c +index ed1a5af434f24..d2f8c70a77a5b 100644 +--- a/drivers/accel/qaic/qaic_data.c ++++ b/drivers/accel/qaic/qaic_data.c +@@ -177,7 +177,7 @@ static int clone_range_of_sgt_for_slice(struct qaic_device *qdev, struct sg_tabl + nents = 0; + + size = size ? size : PAGE_SIZE; +- for (sg = sgt_in->sgl; sg; sg = sg_next(sg)) { ++ for_each_sgtable_dma_sg(sgt_in, sg, j) { + len = sg_dma_len(sg); + + if (!len) +@@ -214,7 +214,7 @@ static int clone_range_of_sgt_for_slice(struct qaic_device *qdev, struct sg_tabl + + /* copy relevant sg node and fix page and length */ + sgn = sgf; +- for_each_sgtable_sg(sgt, sg, j) { ++ for_each_sgtable_dma_sg(sgt, sg, j) { + memcpy(sg, sgn, sizeof(*sg)); + if (sgn == sgf) { + sg_dma_address(sg) += offf; +@@ -294,7 +294,7 @@ static int encode_reqs(struct qaic_device *qdev, struct bo_slice *slice, + * fence. + */ + dev_addr = req->dev_addr; +- for_each_sgtable_sg(slice->sgt, sg, i) { ++ for_each_sgtable_dma_sg(slice->sgt, sg, i) { + slice->reqs[i].cmd = cmd; + slice->reqs[i].src_addr = cpu_to_le64(slice->dir == DMA_TO_DEVICE ? + sg_dma_address(sg) : dev_addr); +-- +2.43.0 + diff --git a/queue-6.6/alsa-hda-cs8409-fix-possible-null-dereference.patch b/queue-6.6/alsa-hda-cs8409-fix-possible-null-dereference.patch new file mode 100644 index 00000000000..dc90c6838dc --- /dev/null +++ b/queue-6.6/alsa-hda-cs8409-fix-possible-null-dereference.patch @@ -0,0 +1,45 @@ +From 050629f4187d49348f235d80f774f7825beca95f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 01:16:45 +0300 +Subject: ALSA: hda/cs8409: Fix possible NULL dereference + +From: Murad Masimov + +[ Upstream commit c9bd4a82b4ed32c6d1c90500a52063e6e341517f ] + +If snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then +NULL pointer dereference will occur in the next line. + +Since dolphin_fixups function is a hda_fixup function which is not supposed +to return any errors, add simple check before dereference, ignore the fail. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 20e507724113 ("ALSA: hda/cs8409: Add support for dolphin") +Signed-off-by: Murad Masimov +Link: https://patch.msgid.link/20241010221649.1305-1-m.masimov@maxima.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_cs8409.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_cs8409.c b/sound/pci/hda/patch_cs8409.c +index e41316e2e9833..892223d9e64ab 100644 +--- a/sound/pci/hda/patch_cs8409.c ++++ b/sound/pci/hda/patch_cs8409.c +@@ -1411,8 +1411,9 @@ void dolphin_fixups(struct hda_codec *codec, const struct hda_fixup *fix, int ac + kctrl = snd_hda_gen_add_kctl(&spec->gen, "Line Out Playback Volume", + &cs42l42_dac_volume_mixer); + /* Update Line Out kcontrol template */ +- kctrl->private_value = HDA_COMPOSE_AMP_VAL_OFS(DOLPHIN_HP_PIN_NID, 3, CS8409_CODEC1, +- HDA_OUTPUT, CS42L42_VOL_DAC) | HDA_AMP_VAL_MIN_MUTE; ++ if (kctrl) ++ kctrl->private_value = HDA_COMPOSE_AMP_VAL_OFS(DOLPHIN_HP_PIN_NID, 3, CS8409_CODEC1, ++ HDA_OUTPUT, CS42L42_VOL_DAC) | HDA_AMP_VAL_MIN_MUTE; + cs8409_enable_ur(codec, 0); + snd_hda_codec_set_name(codec, "CS8409/CS42L42"); + break; +-- +2.43.0 + diff --git a/queue-6.6/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch b/queue-6.6/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch new file mode 100644 index 00000000000..a01a17d2f4c --- /dev/null +++ b/queue-6.6/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch @@ -0,0 +1,42 @@ +From cd0d3111802015d87e22970c4196f90e0cd1f5d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jul 2024 02:03:11 +0300 +Subject: ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin + +From: Florian Klink + +[ Upstream commit dc7785e4723510616d776862ddb4c08857a1bdb2 ] + +HDMI_HPD_N_1V8 is connected to GPIO pin 0, not 1. + +This fixes HDMI hotplug/output detection. + +See https://datasheets.raspberrypi.com/cm/cm3-schematics.pdf + +Signed-off-by: Florian Klink +Reviewed-by: Stefan Wahren +Link: https://lore.kernel.org/r/20240715230311.685641-1-flokli@flokli.de +Reviewed-by: Stefan Wahren +Fixes: a54fe8a6cf66 ("ARM: dts: add Raspberry Pi Compute Module 3 and IO board") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts b/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts +index 72d26d130efaa..85f54fa595aa8 100644 +--- a/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts ++++ b/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts +@@ -77,7 +77,7 @@ + }; + + &hdmi { +- hpd-gpios = <&expgpio 1 GPIO_ACTIVE_LOW>; ++ hpd-gpios = <&expgpio 0 GPIO_ACTIVE_LOW>; + power-domains = <&power RPI_POWER_DOMAIN_HDMI>; + status = "okay"; + }; +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch b/queue-6.6/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch new file mode 100644 index 00000000000..bbd59a6b14e --- /dev/null +++ b/queue-6.6/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch @@ -0,0 +1,50 @@ +From 0fc8b8e9934cc29aabaa70020e3ed1f8a189c0b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 17:07:08 +0800 +Subject: Bluetooth: bnep: fix wild-memory-access in proto_unregister + +From: Ye Bin + +[ Upstream commit 64a90991ba8d4e32e3173ddd83d0b24167a5668c ] + +There's issue as follows: + KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f] + CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W + RIP: 0010:proto_unregister+0xee/0x400 + Call Trace: + + __do_sys_delete_module+0x318/0x580 + do_syscall_64+0xc1/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init() +will cleanup all resource. Then when remove bnep module will call +bnep_sock_cleanup() to cleanup sock's resource. +To solve above issue just return bnep_sock_init()'s return value in +bnep_exit(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Ye Bin +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/bnep/core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c +index a660c428e2207..38f542665f196 100644 +--- a/net/bluetooth/bnep/core.c ++++ b/net/bluetooth/bnep/core.c +@@ -745,8 +745,7 @@ static int __init bnep_init(void) + if (flt[0]) + BT_INFO("BNEP filters: %s", flt); + +- bnep_sock_init(); +- return 0; ++ return bnep_sock_init(); + } + + static void __exit bnep_exit(void) +-- +2.43.0 + diff --git a/queue-6.6/bpf-add-cookie-to-perf_event-bpf_link_info-records.patch b/queue-6.6/bpf-add-cookie-to-perf_event-bpf_link_info-records.patch new file mode 100644 index 00000000000..9b4f7571e56 --- /dev/null +++ b/queue-6.6/bpf-add-cookie-to-perf_event-bpf_link_info-records.patch @@ -0,0 +1,138 @@ +From e694863fd2d7f73184cf3a52891b3b0ae0d29512 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 12:04:58 +0100 +Subject: bpf: Add cookie to perf_event bpf_link_info records + +From: Jiri Olsa + +[ Upstream commit d5c16492c66fbfca85f36e42363d32212df5927b ] + +At the moment we don't store cookie for perf_event probes, +while we do that for the rest of the probes. + +Adding cookie fields to struct bpf_link_info perf event +probe records: + + perf_event.uprobe + perf_event.kprobe + perf_event.tracepoint + perf_event.perf_event + +And the code to store that in bpf_link_info struct. + +Signed-off-by: Jiri Olsa +Acked-by: Song Liu +Acked-by: Yafang Shao +Link: https://lore.kernel.org/r/20240119110505.400573-2-jolsa@kernel.org +Signed-off-by: Alexei Starovoitov +Stable-dep-of: 4deecdd29cf2 ("bpf: fix unpopulated name_len field in perf_event link info") +Signed-off-by: Sasha Levin +--- + include/uapi/linux/bpf.h | 6 ++++++ + kernel/bpf/syscall.c | 4 ++++ + tools/include/uapi/linux/bpf.h | 6 ++++++ + 3 files changed, 16 insertions(+) + +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index 6ea588d1ae149..431bc700bcfb9 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -6556,6 +6556,7 @@ struct bpf_link_info { + __aligned_u64 file_name; /* in/out */ + __u32 name_len; + __u32 offset; /* offset from file_name */ ++ __u64 cookie; + } uprobe; /* BPF_PERF_EVENT_UPROBE, BPF_PERF_EVENT_URETPROBE */ + struct { + __aligned_u64 func_name; /* in/out */ +@@ -6563,14 +6564,19 @@ struct bpf_link_info { + __u32 offset; /* offset from func_name */ + __u64 addr; + __u64 missed; ++ __u64 cookie; + } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */ + struct { + __aligned_u64 tp_name; /* in/out */ + __u32 name_len; ++ __u32 :32; ++ __u64 cookie; + } tracepoint; /* BPF_PERF_EVENT_TRACEPOINT */ + struct { + __u64 config; + __u32 type; ++ __u32 :32; ++ __u64 cookie; + } event; /* BPF_PERF_EVENT_EVENT */ + }; + } perf_event; +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 9c76f21f187f6..1d04d098f57db 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -3500,6 +3500,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event, + if (!kallsyms_show_value(current_cred())) + addr = 0; + info->perf_event.kprobe.addr = addr; ++ info->perf_event.kprobe.cookie = event->bpf_cookie; + return 0; + } + #endif +@@ -3525,6 +3526,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event, + else + info->perf_event.type = BPF_PERF_EVENT_UPROBE; + info->perf_event.uprobe.offset = offset; ++ info->perf_event.uprobe.cookie = event->bpf_cookie; + return 0; + } + #endif +@@ -3552,6 +3554,7 @@ static int bpf_perf_link_fill_tracepoint(const struct perf_event *event, + uname = u64_to_user_ptr(info->perf_event.tracepoint.tp_name); + ulen = info->perf_event.tracepoint.name_len; + info->perf_event.type = BPF_PERF_EVENT_TRACEPOINT; ++ info->perf_event.tracepoint.cookie = event->bpf_cookie; + return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL, NULL); + } + +@@ -3560,6 +3563,7 @@ static int bpf_perf_link_fill_perf_event(const struct perf_event *event, + { + info->perf_event.event.type = event->attr.type; + info->perf_event.event.config = event->attr.config; ++ info->perf_event.event.cookie = event->bpf_cookie; + info->perf_event.type = BPF_PERF_EVENT_EVENT; + return 0; + } +diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h +index acda713f8b4d1..977ec094bc2a6 100644 +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -6559,6 +6559,7 @@ struct bpf_link_info { + __aligned_u64 file_name; /* in/out */ + __u32 name_len; + __u32 offset; /* offset from file_name */ ++ __u64 cookie; + } uprobe; /* BPF_PERF_EVENT_UPROBE, BPF_PERF_EVENT_URETPROBE */ + struct { + __aligned_u64 func_name; /* in/out */ +@@ -6566,14 +6567,19 @@ struct bpf_link_info { + __u32 offset; /* offset from func_name */ + __u64 addr; + __u64 missed; ++ __u64 cookie; + } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */ + struct { + __aligned_u64 tp_name; /* in/out */ + __u32 name_len; ++ __u32 :32; ++ __u64 cookie; + } tracepoint; /* BPF_PERF_EVENT_TRACEPOINT */ + struct { + __u64 config; + __u32 type; ++ __u32 :32; ++ __u64 cookie; + } event; /* BPF_PERF_EVENT_EVENT */ + }; + } perf_event; +-- +2.43.0 + diff --git a/queue-6.6/bpf-add-missed-value-to-kprobe-perf-link-info.patch b/queue-6.6/bpf-add-missed-value-to-kprobe-perf-link-info.patch new file mode 100644 index 00000000000..5a45d49bc48 --- /dev/null +++ b/queue-6.6/bpf-add-missed-value-to-kprobe-perf-link-info.patch @@ -0,0 +1,230 @@ +From a60c16cdffe27ae93b2e484fcf0744346dd59736 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Sep 2023 23:31:39 +0200 +Subject: bpf: Add missed value to kprobe perf link info + +From: Jiri Olsa + +[ Upstream commit 3acf8ace68230e9558cf916847f1cc9f208abdf1 ] + +Add missed value to kprobe attached through perf link info to +hold the stats of missed kprobe handler execution. + +The kprobe's missed counter gets incremented when kprobe handler +is not executed due to another kprobe running on the same cpu. + +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20230920213145.1941596-4-jolsa@kernel.org +Stable-dep-of: 4deecdd29cf2 ("bpf: fix unpopulated name_len field in perf_event link info") +Signed-off-by: Sasha Levin +--- + include/linux/trace_events.h | 6 ++++-- + include/uapi/linux/bpf.h | 1 + + kernel/bpf/syscall.c | 14 ++++++++------ + kernel/trace/bpf_trace.c | 5 +++-- + kernel/trace/trace_kprobe.c | 14 +++++++++++--- + tools/include/uapi/linux/bpf.h | 1 + + 6 files changed, 28 insertions(+), 13 deletions(-) + +diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h +index cb8bd759e8005..9d799777c333c 100644 +--- a/include/linux/trace_events.h ++++ b/include/linux/trace_events.h +@@ -765,7 +765,8 @@ struct bpf_raw_event_map *bpf_get_raw_tracepoint(const char *name); + void bpf_put_raw_tracepoint(struct bpf_raw_event_map *btp); + int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id, + u32 *fd_type, const char **buf, +- u64 *probe_offset, u64 *probe_addr); ++ u64 *probe_offset, u64 *probe_addr, ++ unsigned long *missed); + int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *prog); + int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *prog); + #else +@@ -805,7 +806,7 @@ static inline void bpf_put_raw_tracepoint(struct bpf_raw_event_map *btp) + static inline int bpf_get_perf_event_info(const struct perf_event *event, + u32 *prog_id, u32 *fd_type, + const char **buf, u64 *probe_offset, +- u64 *probe_addr) ++ u64 *probe_addr, unsigned long *missed) + { + return -EOPNOTSUPP; + } +@@ -880,6 +881,7 @@ extern void perf_kprobe_destroy(struct perf_event *event); + extern int bpf_get_kprobe_info(const struct perf_event *event, + u32 *fd_type, const char **symbol, + u64 *probe_offset, u64 *probe_addr, ++ unsigned long *missed, + bool perf_type_tracepoint); + #endif + #ifdef CONFIG_UPROBE_EVENTS +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index 4bb38409b26ad..6ea588d1ae149 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -6562,6 +6562,7 @@ struct bpf_link_info { + __u32 name_len; + __u32 offset; /* offset from func_name */ + __u64 addr; ++ __u64 missed; + } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */ + struct { + __aligned_u64 tp_name; /* in/out */ +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index b1933d074f051..9c76f21f187f6 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -3444,7 +3444,7 @@ static void bpf_perf_link_dealloc(struct bpf_link *link) + static int bpf_perf_link_fill_common(const struct perf_event *event, + char __user *uname, u32 ulen, + u64 *probe_offset, u64 *probe_addr, +- u32 *fd_type) ++ u32 *fd_type, unsigned long *missed) + { + const char *buf; + u32 prog_id; +@@ -3455,7 +3455,7 @@ static int bpf_perf_link_fill_common(const struct perf_event *event, + return -EINVAL; + + err = bpf_get_perf_event_info(event, &prog_id, fd_type, &buf, +- probe_offset, probe_addr); ++ probe_offset, probe_addr, missed); + if (err) + return err; + if (!uname) +@@ -3478,6 +3478,7 @@ static int bpf_perf_link_fill_common(const struct perf_event *event, + static int bpf_perf_link_fill_kprobe(const struct perf_event *event, + struct bpf_link_info *info) + { ++ unsigned long missed; + char __user *uname; + u64 addr, offset; + u32 ulen, type; +@@ -3486,7 +3487,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event, + uname = u64_to_user_ptr(info->perf_event.kprobe.func_name); + ulen = info->perf_event.kprobe.name_len; + err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr, +- &type); ++ &type, &missed); + if (err) + return err; + if (type == BPF_FD_TYPE_KRETPROBE) +@@ -3495,6 +3496,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event, + info->perf_event.type = BPF_PERF_EVENT_KPROBE; + + info->perf_event.kprobe.offset = offset; ++ info->perf_event.kprobe.missed = missed; + if (!kallsyms_show_value(current_cred())) + addr = 0; + info->perf_event.kprobe.addr = addr; +@@ -3514,7 +3516,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event, + uname = u64_to_user_ptr(info->perf_event.uprobe.file_name); + ulen = info->perf_event.uprobe.name_len; + err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr, +- &type); ++ &type, NULL); + if (err) + return err; + +@@ -3550,7 +3552,7 @@ static int bpf_perf_link_fill_tracepoint(const struct perf_event *event, + uname = u64_to_user_ptr(info->perf_event.tracepoint.tp_name); + ulen = info->perf_event.tracepoint.name_len; + info->perf_event.type = BPF_PERF_EVENT_TRACEPOINT; +- return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL); ++ return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL, NULL); + } + + static int bpf_perf_link_fill_perf_event(const struct perf_event *event, +@@ -4897,7 +4899,7 @@ static int bpf_task_fd_query(const union bpf_attr *attr, + + err = bpf_get_perf_event_info(event, &prog_id, &fd_type, + &buf, &probe_offset, +- &probe_addr); ++ &probe_addr, NULL); + if (!err) + err = bpf_task_fd_query_copy(attr, uattr, prog_id, + fd_type, buf, +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index eca858bde8047..bbdc4199748bd 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -2389,7 +2389,8 @@ int bpf_probe_unregister(struct bpf_raw_event_map *btp, struct bpf_prog *prog) + + int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id, + u32 *fd_type, const char **buf, +- u64 *probe_offset, u64 *probe_addr) ++ u64 *probe_offset, u64 *probe_addr, ++ unsigned long *missed) + { + bool is_tracepoint, is_syscall_tp; + struct bpf_prog *prog; +@@ -2424,7 +2425,7 @@ int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id, + #ifdef CONFIG_KPROBE_EVENTS + if (flags & TRACE_EVENT_FL_KPROBE) + err = bpf_get_kprobe_info(event, fd_type, buf, +- probe_offset, probe_addr, ++ probe_offset, probe_addr, missed, + event->attr.type == PERF_TYPE_TRACEPOINT); + #endif + #ifdef CONFIG_UPROBE_EVENTS +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 47812aa16bb57..52f8b537dd0a0 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -1249,6 +1249,12 @@ static const struct file_operations kprobe_events_ops = { + .write = probes_write, + }; + ++static unsigned long trace_kprobe_missed(struct trace_kprobe *tk) ++{ ++ return trace_kprobe_is_return(tk) ? ++ tk->rp.kp.nmissed + tk->rp.nmissed : tk->rp.kp.nmissed; ++} ++ + /* Probes profiling interfaces */ + static int probes_profile_seq_show(struct seq_file *m, void *v) + { +@@ -1260,8 +1266,7 @@ static int probes_profile_seq_show(struct seq_file *m, void *v) + return 0; + + tk = to_trace_kprobe(ev); +- nmissed = trace_kprobe_is_return(tk) ? +- tk->rp.kp.nmissed + tk->rp.nmissed : tk->rp.kp.nmissed; ++ nmissed = trace_kprobe_missed(tk); + seq_printf(m, " %-44s %15lu %15lu\n", + trace_probe_name(&tk->tp), + trace_kprobe_nhit(tk), +@@ -1607,7 +1612,8 @@ NOKPROBE_SYMBOL(kretprobe_perf_func); + + int bpf_get_kprobe_info(const struct perf_event *event, u32 *fd_type, + const char **symbol, u64 *probe_offset, +- u64 *probe_addr, bool perf_type_tracepoint) ++ u64 *probe_addr, unsigned long *missed, ++ bool perf_type_tracepoint) + { + const char *pevent = trace_event_name(event->tp_event); + const char *group = event->tp_event->class->system; +@@ -1626,6 +1632,8 @@ int bpf_get_kprobe_info(const struct perf_event *event, u32 *fd_type, + *probe_addr = kallsyms_show_value(current_cred()) ? + (unsigned long)tk->rp.kp.addr : 0; + *symbol = tk->symbol; ++ if (missed) ++ *missed = trace_kprobe_missed(tk); + return 0; + } + #endif /* CONFIG_PERF_EVENTS */ +diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h +index ba6e346c8d669..acda713f8b4d1 100644 +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -6565,6 +6565,7 @@ struct bpf_link_info { + __u32 name_len; + __u32 offset; /* offset from func_name */ + __u64 addr; ++ __u64 missed; + } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */ + struct { + __aligned_u64 tp_name; /* in/out */ +-- +2.43.0 + diff --git a/queue-6.6/bpf-devmap-provide-rxq-after-redirect.patch b/queue-6.6/bpf-devmap-provide-rxq-after-redirect.patch new file mode 100644 index 00000000000..44776bd86e3 --- /dev/null +++ b/queue-6.6/bpf-devmap-provide-rxq-after-redirect.patch @@ -0,0 +1,156 @@ +From 8de3f8ae6f79fed297e22563dd0efd14a8f6f713 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 10:41:18 +0200 +Subject: bpf: devmap: provide rxq after redirect +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Kauer + +[ Upstream commit ca9984c5f0ab3690d98b13937b2485a978c8dd73 ] + +rxq contains a pointer to the device from where +the redirect happened. Currently, the BPF program +that was executed after a redirect via BPF_MAP_TYPE_DEVMAP* +does not have it set. + +This is particularly bad since accessing ingress_ifindex, e.g. + +SEC("xdp") +int prog(struct xdp_md *pkt) +{ + return bpf_redirect_map(&dev_redirect_map, 0, 0); +} + +SEC("xdp/devmap") +int prog_after_redirect(struct xdp_md *pkt) +{ + bpf_printk("ifindex %i", pkt->ingress_ifindex); + return XDP_PASS; +} + +depends on access to rxq, so a NULL pointer gets dereferenced: + +<1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000 +<1>[ 574.475188] #PF: supervisor read access in kernel mode +<1>[ 574.475194] #PF: error_code(0x0000) - not-present page +<6>[ 574.475199] PGD 0 P4D 0 +<4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +<4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23 +<4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023 +<4>[ 574.475231] Workqueue: mld mld_ifc_work +<4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c +<4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b +<4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206 +<4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000 +<4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0 +<4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001 +<4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000 +<4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000 +<4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000 +<4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +<4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0 +<4>[ 574.475303] PKRU: 55555554 +<4>[ 574.475306] Call Trace: +<4>[ 574.475313] +<4>[ 574.475318] ? __die+0x23/0x70 +<4>[ 574.475329] ? page_fault_oops+0x180/0x4c0 +<4>[ 574.475339] ? skb_pp_cow_data+0x34c/0x490 +<4>[ 574.475346] ? kmem_cache_free+0x257/0x280 +<4>[ 574.475357] ? exc_page_fault+0x67/0x150 +<4>[ 574.475368] ? asm_exc_page_fault+0x26/0x30 +<4>[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c +<4>[ 574.475386] bq_xmit_all+0x158/0x420 +<4>[ 574.475397] __dev_flush+0x30/0x90 +<4>[ 574.475407] veth_poll+0x216/0x250 [veth] +<4>[ 574.475421] __napi_poll+0x28/0x1c0 +<4>[ 574.475430] net_rx_action+0x32d/0x3a0 +<4>[ 574.475441] handle_softirqs+0xcb/0x2c0 +<4>[ 574.475451] do_softirq+0x40/0x60 +<4>[ 574.475458] +<4>[ 574.475461] +<4>[ 574.475464] __local_bh_enable_ip+0x66/0x70 +<4>[ 574.475471] __dev_queue_xmit+0x268/0xe40 +<4>[ 574.475480] ? selinux_ip_postroute+0x213/0x420 +<4>[ 574.475491] ? alloc_skb_with_frags+0x4a/0x1d0 +<4>[ 574.475502] ip6_finish_output2+0x2be/0x640 +<4>[ 574.475512] ? nf_hook_slow+0x42/0xf0 +<4>[ 574.475521] ip6_finish_output+0x194/0x300 +<4>[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10 +<4>[ 574.475538] mld_sendpack+0x17c/0x240 +<4>[ 574.475548] mld_ifc_work+0x192/0x410 +<4>[ 574.475557] process_one_work+0x15d/0x380 +<4>[ 574.475566] worker_thread+0x29d/0x3a0 +<4>[ 574.475573] ? __pfx_worker_thread+0x10/0x10 +<4>[ 574.475580] ? __pfx_worker_thread+0x10/0x10 +<4>[ 574.475587] kthread+0xcd/0x100 +<4>[ 574.475597] ? __pfx_kthread+0x10/0x10 +<4>[ 574.475606] ret_from_fork+0x31/0x50 +<4>[ 574.475615] ? __pfx_kthread+0x10/0x10 +<4>[ 574.475623] ret_from_fork_asm+0x1a/0x30 +<4>[ 574.475635] +<4>[ 574.475637] Modules linked in: veth br_netfilter bridge stp llc iwlmvm x86_pkg_temp_thermal iwlwifi efivarfs nvme nvme_core +<4>[ 574.475662] CR2: 0000000000000000 +<4>[ 574.475668] ---[ end trace 0000000000000000 ]--- + +Therefore, provide it to the program by setting rxq properly. + +Fixes: cb261b594b41 ("bpf: Run devmap xdp_prog on flush instead of bulk enqueue") +Reviewed-by: Toke Høiland-Jørgensen +Signed-off-by: Florian Kauer +Acked-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20240911-devel-koalo-fix-ingress-ifindex-v4-1-5c643ae10258@linutronix.de +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/devmap.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c +index 69e78dc4bb18e..96b0345f76c2c 100644 +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -322,9 +322,11 @@ static int dev_map_hash_get_next_key(struct bpf_map *map, void *key, + + static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog, + struct xdp_frame **frames, int n, +- struct net_device *dev) ++ struct net_device *tx_dev, ++ struct net_device *rx_dev) + { +- struct xdp_txq_info txq = { .dev = dev }; ++ struct xdp_txq_info txq = { .dev = tx_dev }; ++ struct xdp_rxq_info rxq = { .dev = rx_dev }; + struct xdp_buff xdp; + int i, nframes = 0; + +@@ -335,6 +337,7 @@ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog, + + xdp_convert_frame_to_buff(xdpf, &xdp); + xdp.txq = &txq; ++ xdp.rxq = &rxq; + + act = bpf_prog_run_xdp(xdp_prog, &xdp); + switch (act) { +@@ -349,7 +352,7 @@ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog, + bpf_warn_invalid_xdp_action(NULL, xdp_prog, act); + fallthrough; + case XDP_ABORTED: +- trace_xdp_exception(dev, xdp_prog, act); ++ trace_xdp_exception(tx_dev, xdp_prog, act); + fallthrough; + case XDP_DROP: + xdp_return_frame_rx_napi(xdpf); +@@ -377,7 +380,7 @@ static void bq_xmit_all(struct xdp_dev_bulk_queue *bq, u32 flags) + } + + if (bq->xdp_prog) { +- to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q, cnt, dev); ++ to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q, cnt, dev, bq->dev_rx); + if (!to_send) + goto out; + } +-- +2.43.0 + diff --git a/queue-6.6/bpf-fix-iter-task-tid-filtering.patch b/queue-6.6/bpf-fix-iter-task-tid-filtering.patch new file mode 100644 index 00000000000..b984100de26 --- /dev/null +++ b/queue-6.6/bpf-fix-iter-task-tid-filtering.patch @@ -0,0 +1,40 @@ +From 12eb8ce4056e3f8939ce627d0f948877d8ef346e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 14:00:47 -0700 +Subject: bpf: Fix iter/task tid filtering + +From: Jordan Rome + +[ Upstream commit 9495a5b731fcaf580448a3438d63601c88367661 ] + +In userspace, you can add a tid filter by setting +the "task.tid" field for "bpf_iter_link_info". +However, `get_pid_task` when called for the +`BPF_TASK_ITER_TID` type should have been using +`PIDTYPE_PID` (tid) instead of `PIDTYPE_TGID` (pid). + +Fixes: f0d74c4da1f0 ("bpf: Parameterize task iterators.") +Signed-off-by: Jordan Rome +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20241016210048.1213935-1-linux@jordanrome.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/task_iter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c +index c4ab9d6cdbe9c..f7ef58090c7d0 100644 +--- a/kernel/bpf/task_iter.c ++++ b/kernel/bpf/task_iter.c +@@ -119,7 +119,7 @@ static struct task_struct *task_seq_get_next(struct bpf_iter_seq_task_common *co + rcu_read_lock(); + pid = find_pid_ns(common->pid, common->ns); + if (pid) { +- task = get_pid_task(pid, PIDTYPE_TGID); ++ task = get_pid_task(pid, PIDTYPE_PID); + *tid = common->pid; + } + rcu_read_unlock(); +-- +2.43.0 + diff --git a/queue-6.6/bpf-fix-kfunc-btf-caching-for-modules.patch b/queue-6.6/bpf-fix-kfunc-btf-caching-for-modules.patch new file mode 100644 index 00000000000..b4c2f7d79b0 --- /dev/null +++ b/queue-6.6/bpf-fix-kfunc-btf-caching-for-modules.patch @@ -0,0 +1,82 @@ +From 95792cd4e5b7702acba24370c124fe9dd8218e33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 15:27:07 +0200 +Subject: bpf: fix kfunc btf caching for modules +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 6cb86a0fdece87e126323ec1bb19deb16a52aedf ] + +The verifier contains a cache for looking up module BTF objects when +calling kfuncs defined in modules. This cache uses a 'struct +bpf_kfunc_btf_tab', which contains a sorted list of BTF objects that +were already seen in the current verifier run, and the BTF objects are +looked up by the offset stored in the relocated call instruction using +bsearch(). + +The first time a given offset is seen, the module BTF is loaded from the +file descriptor passed in by libbpf, and stored into the cache. However, +there's a bug in the code storing the new entry: it stores a pointer to +the new cache entry, then calls sort() to keep the cache sorted for the +next lookup using bsearch(), and then returns the entry that was just +stored through the stored pointer. However, because sort() modifies the +list of entries in place *by value*, the stored pointer may no longer +point to the right entry, in which case the wrong BTF object will be +returned. + +The end result of this is an intermittent bug where, if a BPF program +calls two functions with the same signature in two different modules, +the function from the wrong module may sometimes end up being called. +Whether this happens depends on the order of the calls in the BPF +program (as that affects whether sort() reorders the array of BTF +objects), making it especially hard to track down. Simon, credited as +reporter below, spent significant effort analysing and creating a +reproducer for this issue. The reproducer is added as a selftest in a +subsequent patch. + +The fix is straight forward: simply don't use the stored pointer after +calling sort(). Since we already have an on-stack pointer to the BTF +object itself at the point where the function return, just use that, and +populate it from the cache entry in the branch where the lookup +succeeds. + +Fixes: 2357672c54c3 ("bpf: Introduce BPF support for kernel module function calls") +Reported-by: Simon Sundberg +Acked-by: Jiri Olsa +Acked-by: Kumar Kartikeya Dwivedi +Signed-off-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20241010-fix-kfunc-btf-caching-for-modules-v2-1-745af6c1af98@redhat.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 3032a464d31bb..d1050479cbb33 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2799,10 +2799,16 @@ static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env, + b->module = mod; + b->offset = offset; + ++ /* sort() reorders entries by value, so b may no longer point ++ * to the right entry after this ++ */ + sort(tab->descs, tab->nr_descs, sizeof(tab->descs[0]), + kfunc_btf_cmp_by_off, NULL); ++ } else { ++ btf = b->btf; + } +- return b->btf; ++ ++ return btf; + } + + void bpf_free_kfunc_btf_tab(struct bpf_kfunc_btf_tab *tab) +-- +2.43.0 + diff --git a/queue-6.6/bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch b/queue-6.6/bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch new file mode 100644 index 00000000000..d922ba9f68b --- /dev/null +++ b/queue-6.6/bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch @@ -0,0 +1,44 @@ +From 420ddcbfd92753965bea2e6072dfb15264583fb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 19:32:51 +0000 +Subject: bpf: Fix link info netfilter flags to populate defrag flag + +From: Tyrone Wu + +[ Upstream commit 92f3715e1eba1d41e55be06159dc3d856b18326d ] + +This fix correctly populates the `bpf_link_info.netfilter.flags` field +when user passes the `BPF_F_NETFILTER_IP_DEFRAG` flag. + +Fixes: 91721c2d02d3 ("netfilter: bpf: Support BPF_F_NETFILTER_IP_DEFRAG in netfilter link") +Signed-off-by: Tyrone Wu +Signed-off-by: Daniel Borkmann +Acked-by: Florian Westphal +Cc: Daniel Xu +Link: https://lore.kernel.org/bpf/20241011193252.178997-1-wudevelops@gmail.com +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_bpf_link.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c +index 0e4beae421f83..96015a59db09e 100644 +--- a/net/netfilter/nf_bpf_link.c ++++ b/net/netfilter/nf_bpf_link.c +@@ -150,11 +150,12 @@ static int bpf_nf_link_fill_link_info(const struct bpf_link *link, + struct bpf_link_info *info) + { + struct bpf_nf_link *nf_link = container_of(link, struct bpf_nf_link, link); ++ const struct nf_defrag_hook *hook = nf_link->defrag_hook; + + info->netfilter.pf = nf_link->hook_ops.pf; + info->netfilter.hooknum = nf_link->hook_ops.hooknum; + info->netfilter.priority = nf_link->hook_ops.priority; +- info->netfilter.flags = 0; ++ info->netfilter.flags = hook ? BPF_F_NETFILTER_IP_DEFRAG : 0; + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/bpf-fix-memory-leak-in-bpf_core_apply.patch b/queue-6.6/bpf-fix-memory-leak-in-bpf_core_apply.patch new file mode 100644 index 00000000000..e7639d012fd --- /dev/null +++ b/queue-6.6/bpf-fix-memory-leak-in-bpf_core_apply.patch @@ -0,0 +1,36 @@ +From a05e07699ca84a232fca25d368f864e4f663ba1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 18:09:58 +0200 +Subject: bpf: Fix memory leak in bpf_core_apply + +From: Jiri Olsa + +[ Upstream commit 45126b155e3b5201179cdc038504bf93a8ccd921 ] + +We need to free specs properly. + +Fixes: 3d2786d65aaa ("bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos") +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Acked-by: Eduard Zingerman +Link: https://lore.kernel.org/bpf/20241007160958.607434-1-jolsa@kernel.org +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index e0e4d4f490e87..c8828016a66fd 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -8435,6 +8435,7 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo, + if (!type) { + bpf_log(ctx->log, "relo #%u: bad type id %u\n", + relo_idx, relo->type_id); ++ kfree(specs); + return -EINVAL; + } + +-- +2.43.0 + diff --git a/queue-6.6/bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch b/queue-6.6/bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch new file mode 100644 index 00000000000..d0e0d680ab6 --- /dev/null +++ b/queue-6.6/bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch @@ -0,0 +1,67 @@ +From fc1d5959960aebc4453c53bacea0d87ee3ad9dc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 15:11:53 +0300 +Subject: bpf: Fix truncation bug in coerce_reg_to_size_sx() + +From: Dimitar Kanaliev + +[ Upstream commit ae67b9fb8c4e981e929a665dcaa070f4b05ebdb4 ] + +coerce_reg_to_size_sx() updates the register state after a sign-extension +operation. However, there's a bug in the assignment order of the unsigned +min/max values, leading to incorrect truncation: + + 0: (85) call bpf_get_prandom_u32#7 ; R0_w=scalar() + 1: (57) r0 &= 1 ; R0_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1,var_off=(0x0; 0x1)) + 2: (07) r0 += 254 ; R0_w=scalar(smin=umin=smin32=umin32=254,smax=umax=smax32=umax32=255,var_off=(0xfe; 0x1)) + 3: (bf) r0 = (s8)r0 ; R0_w=scalar(smin=smin32=-2,smax=smax32=-1,umin=umin32=0xfffffffe,umax=0xffffffff,var_off=(0xfffffffffffffffe; 0x1)) + +In the current implementation, the unsigned 32-bit min/max values +(u32_min_value and u32_max_value) are assigned directly from the 64-bit +signed min/max values (s64_min and s64_max): + + reg->umin_value = reg->u32_min_value = s64_min; + reg->umax_value = reg->u32_max_value = s64_max; + +Due to the chain assigmnent, this is equivalent to: + + reg->u32_min_value = s64_min; // Unintended truncation + reg->umin_value = reg->u32_min_value; + reg->u32_max_value = s64_max; // Unintended truncation + reg->umax_value = reg->u32_max_value; + +Fixes: 1f9a1ea821ff ("bpf: Support new sign-extension load insns") +Reported-by: Shung-Hsi Yu +Reported-by: Zac Ecob +Signed-off-by: Dimitar Kanaliev +Acked-by: Yonghong Song +Reviewed-by: Shung-Hsi Yu +Link: https://lore.kernel.org/r/20241014121155.92887-2-dimitar.kanaliev@siteground.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index d1050479cbb33..28b09ca5525f0 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -6143,10 +6143,10 @@ static void coerce_reg_to_size_sx(struct bpf_reg_state *reg, int size) + + /* both of s64_max/s64_min positive or negative */ + if ((s64_max >= 0) == (s64_min >= 0)) { +- reg->smin_value = reg->s32_min_value = s64_min; +- reg->smax_value = reg->s32_max_value = s64_max; +- reg->umin_value = reg->u32_min_value = s64_min; +- reg->umax_value = reg->u32_max_value = s64_max; ++ reg->s32_min_value = reg->smin_value = s64_min; ++ reg->s32_max_value = reg->smax_value = s64_max; ++ reg->u32_min_value = reg->umin_value = s64_min; ++ reg->u32_max_value = reg->umax_value = s64_max; + reg->var_off = tnum_range(s64_min, s64_max); + return; + } +-- +2.43.0 + diff --git a/queue-6.6/bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch b/queue-6.6/bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch new file mode 100644 index 00000000000..1cdd5f98508 --- /dev/null +++ b/queue-6.6/bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch @@ -0,0 +1,128 @@ +From bceed7581c7b402570686be6902f012ffdc90fd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 16:43:11 +0000 +Subject: bpf: fix unpopulated name_len field in perf_event link info + +From: Tyrone Wu + +[ Upstream commit 4deecdd29cf29844c7bd164d72dc38d2e672f64e ] + +Previously when retrieving `bpf_link_info.perf_event` for +kprobe/uprobe/tracepoint, the `name_len` field was not populated by the +kernel, leaving it to reflect the value initially set by the user. This +behavior was inconsistent with how other input/output string buffer +fields function (e.g. `raw_tracepoint.tp_name_len`). + +This patch fills `name_len` with the actual size of the string name. + +Fixes: 1b715e1b0ec5 ("bpf: Support ->fill_link_info for perf_event") +Signed-off-by: Tyrone Wu +Acked-by: Jiri Olsa +Acked-by: Yafang Shao +Link: https://lore.kernel.org/r/20241008164312.46269-1-wudevelops@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 1d04d098f57db..b43302c80cac5 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -3442,15 +3442,16 @@ static void bpf_perf_link_dealloc(struct bpf_link *link) + } + + static int bpf_perf_link_fill_common(const struct perf_event *event, +- char __user *uname, u32 ulen, ++ char __user *uname, u32 *ulenp, + u64 *probe_offset, u64 *probe_addr, + u32 *fd_type, unsigned long *missed) + { + const char *buf; +- u32 prog_id; ++ u32 prog_id, ulen; + size_t len; + int err; + ++ ulen = *ulenp; + if (!ulen ^ !uname) + return -EINVAL; + +@@ -3458,10 +3459,17 @@ static int bpf_perf_link_fill_common(const struct perf_event *event, + probe_offset, probe_addr, missed); + if (err) + return err; ++ ++ if (buf) { ++ len = strlen(buf); ++ *ulenp = len + 1; ++ } else { ++ *ulenp = 1; ++ } + if (!uname) + return 0; ++ + if (buf) { +- len = strlen(buf); + err = bpf_copy_to_user(uname, buf, ulen, len); + if (err) + return err; +@@ -3486,7 +3494,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event, + + uname = u64_to_user_ptr(info->perf_event.kprobe.func_name); + ulen = info->perf_event.kprobe.name_len; +- err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr, ++ err = bpf_perf_link_fill_common(event, uname, &ulen, &offset, &addr, + &type, &missed); + if (err) + return err; +@@ -3494,7 +3502,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event, + info->perf_event.type = BPF_PERF_EVENT_KRETPROBE; + else + info->perf_event.type = BPF_PERF_EVENT_KPROBE; +- ++ info->perf_event.kprobe.name_len = ulen; + info->perf_event.kprobe.offset = offset; + info->perf_event.kprobe.missed = missed; + if (!kallsyms_show_value(current_cred())) +@@ -3516,7 +3524,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event, + + uname = u64_to_user_ptr(info->perf_event.uprobe.file_name); + ulen = info->perf_event.uprobe.name_len; +- err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr, ++ err = bpf_perf_link_fill_common(event, uname, &ulen, &offset, &addr, + &type, NULL); + if (err) + return err; +@@ -3525,6 +3533,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event, + info->perf_event.type = BPF_PERF_EVENT_URETPROBE; + else + info->perf_event.type = BPF_PERF_EVENT_UPROBE; ++ info->perf_event.uprobe.name_len = ulen; + info->perf_event.uprobe.offset = offset; + info->perf_event.uprobe.cookie = event->bpf_cookie; + return 0; +@@ -3550,12 +3559,18 @@ static int bpf_perf_link_fill_tracepoint(const struct perf_event *event, + { + char __user *uname; + u32 ulen; ++ int err; + + uname = u64_to_user_ptr(info->perf_event.tracepoint.tp_name); + ulen = info->perf_event.tracepoint.name_len; ++ err = bpf_perf_link_fill_common(event, uname, &ulen, NULL, NULL, NULL, NULL); ++ if (err) ++ return err; ++ + info->perf_event.type = BPF_PERF_EVENT_TRACEPOINT; ++ info->perf_event.tracepoint.name_len = ulen; + info->perf_event.tracepoint.cookie = event->bpf_cookie; +- return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL, NULL); ++ return 0; + } + + static int bpf_perf_link_fill_perf_event(const struct perf_event *event, +-- +2.43.0 + diff --git a/queue-6.6/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch b/queue-6.6/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch new file mode 100644 index 00000000000..3ec8d76578d --- /dev/null +++ b/queue-6.6/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch @@ -0,0 +1,103 @@ +From 61bac79e02698a536beae04caf2326851c8f4ac3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Sep 2024 14:56:24 +0200 +Subject: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 09d88791c7cd888d5195c84733caf9183dcfbd16 ] + +The bpf_redirect_info is shared between the SKB and XDP redirect paths, +and the two paths use the same numeric flag values in the ri->flags +field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that +if skb bpf_redirect_neigh() is used with a non-NULL params argument and, +subsequently, an XDP redirect is performed using the same +bpf_redirect_info struct, the XDP path will get confused and end up +crashing, which syzbot managed to trigger. + +With the stack-allocated bpf_redirect_info, the structure is no longer +shared between the SKB and XDP paths, so the crash doesn't happen +anymore. However, different code paths using identically-numbered flag +values in the same struct field still seems like a bit of a mess, so +this patch cleans that up by moving the flag definitions together and +redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap +with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make +sure the overlap is not re-introduced by mistake. + +Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support") +Reported-by: syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Closes: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6 +Link: https://lore.kernel.org/bpf/20240920125625.59465-1-toke@redhat.com +Signed-off-by: Sasha Levin +--- + include/uapi/linux/bpf.h | 13 +++++-------- + net/core/filter.c | 8 +++++--- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index ba6e346c8d669..4bb38409b26ad 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -5921,11 +5921,6 @@ enum { + BPF_F_MARK_ENFORCE = (1ULL << 6), + }; + +-/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */ +-enum { +- BPF_F_INGRESS = (1ULL << 0), +-}; +- + /* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */ + enum { + BPF_F_TUNINFO_IPV6 = (1ULL << 0), +@@ -6072,10 +6067,12 @@ enum { + BPF_F_BPRM_SECUREEXEC = (1ULL << 0), + }; + +-/* Flags for bpf_redirect_map helper */ ++/* Flags for bpf_redirect and bpf_redirect_map helpers */ + enum { +- BPF_F_BROADCAST = (1ULL << 3), +- BPF_F_EXCLUDE_INGRESS = (1ULL << 4), ++ BPF_F_INGRESS = (1ULL << 0), /* used for skb path */ ++ BPF_F_BROADCAST = (1ULL << 3), /* used for XDP path */ ++ BPF_F_EXCLUDE_INGRESS = (1ULL << 4), /* used for XDP path */ ++#define BPF_F_REDIRECT_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS) + }; + + #define __bpf_md_ptr(type, name) \ +diff --git a/net/core/filter.c b/net/core/filter.c +index 8bfd46a070c16..bbb1432488430 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2423,9 +2423,9 @@ static int __bpf_redirect_neigh(struct sk_buff *skb, struct net_device *dev, + + /* Internal, non-exposed redirect flags. */ + enum { +- BPF_F_NEIGH = (1ULL << 1), +- BPF_F_PEER = (1ULL << 2), +- BPF_F_NEXTHOP = (1ULL << 3), ++ BPF_F_NEIGH = (1ULL << 16), ++ BPF_F_PEER = (1ULL << 17), ++ BPF_F_NEXTHOP = (1ULL << 18), + #define BPF_F_REDIRECT_INTERNAL (BPF_F_NEIGH | BPF_F_PEER | BPF_F_NEXTHOP) + }; + +@@ -2435,6 +2435,8 @@ BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags) + struct sk_buff *clone; + int ret; + ++ BUILD_BUG_ON(BPF_F_REDIRECT_INTERNAL & BPF_F_REDIRECT_FLAGS); ++ + if (unlikely(flags & (~(BPF_F_INGRESS) | BPF_F_REDIRECT_INTERNAL))) + return -EINVAL; + +-- +2.43.0 + diff --git a/queue-6.6/bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch b/queue-6.6/bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch new file mode 100644 index 00000000000..d5e6f79cfa3 --- /dev/null +++ b/queue-6.6/bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch @@ -0,0 +1,83 @@ +From c9cee25c21add629f55c38f961bc85fcafcbfad9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2024 18:26:39 +0200 +Subject: bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock + +From: Michal Luczaj + +[ Upstream commit 9c5bd93edf7b8834aecaa7c340b852d5990d7c78 ] + +Don't mislead the callers of bpf_{sk,msg}_redirect_{map,hash}(): make sure +to immediately and visibly fail the forwarding of unsupported af_vsock +packets. + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Signed-off-by: Michal Luczaj +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-1-d6577bbfe742@rbox.co +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 5 +++++ + net/core/sock_map.c | 8 ++++++++ + 2 files changed, 13 insertions(+) + +diff --git a/include/net/sock.h b/include/net/sock.h +index c3961050b8e39..e0be8bd983960 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2826,6 +2826,11 @@ static inline bool sk_is_stream_unix(const struct sock *sk) + return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM; + } + ++static inline bool sk_is_vsock(const struct sock *sk) ++{ ++ return sk->sk_family == AF_VSOCK; ++} ++ + /** + * sk_eat_skb - Release a skb if it is no longer needed + * @sk: socket to eat this skb from +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index 2afac40bb83ca..2da881a8e7983 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -644,6 +644,8 @@ BPF_CALL_4(bpf_sk_redirect_map, struct sk_buff *, skb, + sk = __sock_map_lookup_elem(map, key); + if (unlikely(!sk || !sock_map_redirect_allowed(sk))) + return SK_DROP; ++ if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk)) ++ return SK_DROP; + + skb_bpf_set_redir(skb, sk, flags & BPF_F_INGRESS); + return SK_PASS; +@@ -672,6 +674,8 @@ BPF_CALL_4(bpf_msg_redirect_map, struct sk_msg *, msg, + return SK_DROP; + if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk)) + return SK_DROP; ++ if (sk_is_vsock(sk)) ++ return SK_DROP; + + msg->flags = flags; + msg->sk_redir = sk; +@@ -1246,6 +1250,8 @@ BPF_CALL_4(bpf_sk_redirect_hash, struct sk_buff *, skb, + sk = __sock_hash_lookup_elem(map, key); + if (unlikely(!sk || !sock_map_redirect_allowed(sk))) + return SK_DROP; ++ if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk)) ++ return SK_DROP; + + skb_bpf_set_redir(skb, sk, flags & BPF_F_INGRESS); + return SK_PASS; +@@ -1274,6 +1280,8 @@ BPF_CALL_4(bpf_msg_redirect_hash, struct sk_msg *, msg, + return SK_DROP; + if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk)) + return SK_DROP; ++ if (sk_is_vsock(sk)) ++ return SK_DROP; + + msg->flags = flags; + msg->sk_redir = sk; +-- +2.43.0 + diff --git a/queue-6.6/bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch b/queue-6.6/bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch new file mode 100644 index 00000000000..8a909ff7541 --- /dev/null +++ b/queue-6.6/bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch @@ -0,0 +1,45 @@ +From 6dc89356241833e054060bd6b5f67d49b38f98f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2024 18:26:42 +0200 +Subject: bpf, vsock: Drop static vsock_bpf_prot initialization + +From: Michal Luczaj + +[ Upstream commit 19039f279797efbe044cae41ee216c5fe481fc33 ] + +vsock_bpf_prot is set up at runtime. Remove the superfluous init. + +No functional change intended. + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Signed-off-by: Michal Luczaj +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-4-d6577bbfe742@rbox.co +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/vsock_bpf.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/net/vmw_vsock/vsock_bpf.c b/net/vmw_vsock/vsock_bpf.c +index c42c5cc18f324..4aa6e74ec2957 100644 +--- a/net/vmw_vsock/vsock_bpf.c ++++ b/net/vmw_vsock/vsock_bpf.c +@@ -114,14 +114,6 @@ static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg, + return copied; + } + +-/* Copy of original proto with updated sock_map methods */ +-static struct proto vsock_bpf_prot = { +- .close = sock_map_close, +- .recvmsg = vsock_bpf_recvmsg, +- .sock_is_readable = sk_msg_is_readable, +- .unhash = sock_map_unhash, +-}; +- + static void vsock_bpf_rebuild_protos(struct proto *prot, const struct proto *base) + { + *prot = *base; +-- +2.43.0 + diff --git a/queue-6.6/cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch b/queue-6.6/cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch new file mode 100644 index 00000000000..ee4ab7086c4 --- /dev/null +++ b/queue-6.6/cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch @@ -0,0 +1,44 @@ +From 164e64cfa5af69e9dd94835e60f535cb1a0f71cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2024 15:09:02 -0700 +Subject: cdrom: Avoid barrier_nospec() in cdrom_ioctl_media_changed() + +From: Josh Poimboeuf + +[ Upstream commit b0bf1afde7c34698cf61422fa8ee60e690dc25c3 ] + +The barrier_nospec() after the array bounds check is overkill and +painfully slow for arches which implement it. + +Furthermore, most arches don't implement it, so they remain exposed to +Spectre v1 (which can affect pretty much any CPU with branch +prediction). + +Instead, clamp the user pointer to a valid range so it's guaranteed to +be a valid array index even when the bounds check mispredicts. + +Fixes: 8270cb10c068 ("cdrom: Fix spectre-v1 gadget") +Signed-off-by: Josh Poimboeuf +Link: https://lore.kernel.org/r/1d86f4d9d8fba68e5ca64cdeac2451b95a8bf872.1729202937.git.jpoimboe@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/cdrom/cdrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index 01f46caf1f88b..54b80911f3e28 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2313,7 +2313,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi, + return -EINVAL; + + /* Prevent arg from speculatively bypassing the length check */ +- barrier_nospec(); ++ arg = array_index_nospec(arg, cdi->capacity); + + info = kmalloc(sizeof(*info), GFP_KERNEL); + if (!info) +-- +2.43.0 + diff --git a/queue-6.6/cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch b/queue-6.6/cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch new file mode 100644 index 00000000000..acf90853277 --- /dev/null +++ b/queue-6.6/cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch @@ -0,0 +1,55 @@ +From 599abd586b287d402752d61b1cbd8860ac1c1eba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 12:23:04 +0000 +Subject: cpufreq/amd-pstate: Fix amd_pstate mode switch on shared memory + systems + +From: Dhananjay Ugwekar + +[ Upstream commit c10e50a469b5ec91eabf653526a22bdce03a9bca ] + +While switching the driver mode between active and passive, Collaborative +Processor Performance Control (CPPC) is disabled in +amd_pstate_unregister_driver(). But, it is not enabled back while registering +the new driver (passive or active). This leads to the new driver mode not +working correctly, so enable it back in amd_pstate_register_driver(). + +Fixes: 3ca7bc818d8c ("cpufreq: amd-pstate: Add guided mode control support via sysfs") +Signed-off-by: Dhananjay Ugwekar +Reviewed-by: Mario Limonciello +Link: https://lore.kernel.org/r/20241004122303.94283-1-Dhananjay.Ugwekar@amd.com +Signed-off-by: Mario Limonciello +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/amd-pstate.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c +index f461f99eb040c..8c16d67b98bfe 100644 +--- a/drivers/cpufreq/amd-pstate.c ++++ b/drivers/cpufreq/amd-pstate.c +@@ -1061,11 +1061,21 @@ static int amd_pstate_register_driver(int mode) + return -EINVAL; + + cppc_state = mode; ++ ++ ret = amd_pstate_enable(true); ++ if (ret) { ++ pr_err("failed to enable cppc during amd-pstate driver registration, return %d\n", ++ ret); ++ amd_pstate_driver_cleanup(); ++ return ret; ++ } ++ + ret = cpufreq_register_driver(current_pstate_driver); + if (ret) { + amd_pstate_driver_cleanup(); + return ret; + } ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch b/queue-6.6/drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch new file mode 100644 index 00000000000..097a8d16f47 --- /dev/null +++ b/queue-6.6/drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch @@ -0,0 +1,183 @@ +From 33ae26354641f3c2cafaf65a608d82bfb1c37ff4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 19:01:48 +0530 +Subject: drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit e7457532cb7167516263150ceae86f36d6ef9683 ] + +This patch addresses a double unlock issue in the amdgpu_mes_add_ring +function. The mutex was being unlocked twice under certain error +conditions, which could lead to undefined behavior. + +The fix ensures that the mutex is unlocked only once before jumping to +the clean_up_memory label. The unlock operation is moved to just before +the goto statement within the conditional block that checks the return +value of amdgpu_ring_init. This prevents the second unlock attempt after +the clean_up_memory label, which is no longer necessary as the mutex is +already unlocked by this point in the code flow. + +This change resolves the potential double unlock and maintains the +correct mutex handling throughout the function. + +Fixes below: +Commit d0c423b64765 ("drm/amdgpu/mes: use ring for kernel queue +submission"), leads to the following Smatch static checker warning: + + drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c:1240 amdgpu_mes_add_ring() + warn: double unlock '&adev->mes.mutex_hidden' (orig line 1213) + +drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c + 1143 int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id, + 1144 int queue_type, int idx, + 1145 struct amdgpu_mes_ctx_data *ctx_data, + 1146 struct amdgpu_ring **out) + 1147 { + 1148 struct amdgpu_ring *ring; + 1149 struct amdgpu_mes_gang *gang; + 1150 struct amdgpu_mes_queue_properties qprops = {0}; + 1151 int r, queue_id, pasid; + 1152 + 1153 /* + 1154 * Avoid taking any other locks under MES lock to avoid circular + 1155 * lock dependencies. + 1156 */ + 1157 amdgpu_mes_lock(&adev->mes); + 1158 gang = idr_find(&adev->mes.gang_id_idr, gang_id); + 1159 if (!gang) { + 1160 DRM_ERROR("gang id %d doesn't exist\n", gang_id); + 1161 amdgpu_mes_unlock(&adev->mes); + 1162 return -EINVAL; + 1163 } + 1164 pasid = gang->process->pasid; + 1165 + 1166 ring = kzalloc(sizeof(struct amdgpu_ring), GFP_KERNEL); + 1167 if (!ring) { + 1168 amdgpu_mes_unlock(&adev->mes); + 1169 return -ENOMEM; + 1170 } + 1171 + 1172 ring->ring_obj = NULL; + 1173 ring->use_doorbell = true; + 1174 ring->is_mes_queue = true; + 1175 ring->mes_ctx = ctx_data; + 1176 ring->idx = idx; + 1177 ring->no_scheduler = true; + 1178 + 1179 if (queue_type == AMDGPU_RING_TYPE_COMPUTE) { + 1180 int offset = offsetof(struct amdgpu_mes_ctx_meta_data, + 1181 compute[ring->idx].mec_hpd); + 1182 ring->eop_gpu_addr = + 1183 amdgpu_mes_ctx_get_offs_gpu_addr(ring, offset); + 1184 } + 1185 + 1186 switch (queue_type) { + 1187 case AMDGPU_RING_TYPE_GFX: + 1188 ring->funcs = adev->gfx.gfx_ring[0].funcs; + 1189 ring->me = adev->gfx.gfx_ring[0].me; + 1190 ring->pipe = adev->gfx.gfx_ring[0].pipe; + 1191 break; + 1192 case AMDGPU_RING_TYPE_COMPUTE: + 1193 ring->funcs = adev->gfx.compute_ring[0].funcs; + 1194 ring->me = adev->gfx.compute_ring[0].me; + 1195 ring->pipe = adev->gfx.compute_ring[0].pipe; + 1196 break; + 1197 case AMDGPU_RING_TYPE_SDMA: + 1198 ring->funcs = adev->sdma.instance[0].ring.funcs; + 1199 break; + 1200 default: + 1201 BUG(); + 1202 } + 1203 + 1204 r = amdgpu_ring_init(adev, ring, 1024, NULL, 0, + 1205 AMDGPU_RING_PRIO_DEFAULT, NULL); + 1206 if (r) + 1207 goto clean_up_memory; + 1208 + 1209 amdgpu_mes_ring_to_queue_props(adev, ring, &qprops); + 1210 + 1211 dma_fence_wait(gang->process->vm->last_update, false); + 1212 dma_fence_wait(ctx_data->meta_data_va->last_pt_update, false); + 1213 amdgpu_mes_unlock(&adev->mes); + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + 1214 + 1215 r = amdgpu_mes_add_hw_queue(adev, gang_id, &qprops, &queue_id); + 1216 if (r) + 1217 goto clean_up_ring; + ^^^^^^^^^^^^^^^^^^ + + 1218 + 1219 ring->hw_queue_id = queue_id; + 1220 ring->doorbell_index = qprops.doorbell_off; + 1221 + 1222 if (queue_type == AMDGPU_RING_TYPE_GFX) + 1223 sprintf(ring->name, "gfx_%d.%d.%d", pasid, gang_id, queue_id); + 1224 else if (queue_type == AMDGPU_RING_TYPE_COMPUTE) + 1225 sprintf(ring->name, "compute_%d.%d.%d", pasid, gang_id, + 1226 queue_id); + 1227 else if (queue_type == AMDGPU_RING_TYPE_SDMA) + 1228 sprintf(ring->name, "sdma_%d.%d.%d", pasid, gang_id, + 1229 queue_id); + 1230 else + 1231 BUG(); + 1232 + 1233 *out = ring; + 1234 return 0; + 1235 + 1236 clean_up_ring: + 1237 amdgpu_ring_fini(ring); + 1238 clean_up_memory: + 1239 kfree(ring); +--> 1240 amdgpu_mes_unlock(&adev->mes); + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + 1241 return r; + 1242 } + +Fixes: d0c423b64765 ("drm/amdgpu/mes: use ring for kernel queue submission") +Cc: Christian König +Cc: Alex Deucher +Cc: Hawking Zhang +Suggested-by: Jack Xiao +Reported by: Dan Carpenter +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Jack Xiao +Signed-off-by: Alex Deucher +(cherry picked from commit bfaf1883605fd0c0dbabacd67ed49708470d5ea4) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c +index c5c55e132af21..5e3abdd0805b6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c +@@ -1053,8 +1053,10 @@ int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id, + + r = amdgpu_ring_init(adev, ring, 1024, NULL, 0, + AMDGPU_RING_PRIO_DEFAULT, NULL); +- if (r) ++ if (r) { ++ amdgpu_mes_unlock(&adev->mes); + goto clean_up_memory; ++ } + + amdgpu_mes_ring_to_queue_props(adev, ring, &qprops); + +@@ -1087,7 +1089,6 @@ int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id, + amdgpu_ring_fini(ring); + clean_up_memory: + kfree(ring); +- amdgpu_mes_unlock(&adev->mes); + return r; + } + +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch b/queue-6.6/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch new file mode 100644 index 00000000000..8010ff9424f --- /dev/null +++ b/queue-6.6/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch @@ -0,0 +1,57 @@ +From 38d3e410a2f2cee6984a719e165fe4b898aadb4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 09:36:09 -0700 +Subject: drm/msm: Allocate memory for disp snapshot with kvzalloc() + +From: Douglas Anderson + +[ Upstream commit e4a45582db1b792c57bdb52c45958264f7fcfbdc ] + +With the "drm/msm: add a display mmu fault handler" series [1] we saw +issues in the field where memory allocation was failing when +allocating space for registers in msm_disp_state_dump_regs(). +Specifically we were seeing an order 5 allocation fail. It's not +surprising that order 5 allocations will sometimes fail after the +system has been up and running for a while. + +There's no need here for contiguous memory. Change the allocation to +kvzalloc() which should make it much less likely to fail. + +[1] https://lore.kernel.org/r/20240628214848.4075651-1-quic_abhinavk@quicinc.com/ + +Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot") +Signed-off-by: Douglas Anderson +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/619658/ +Link: https://lore.kernel.org/r/20241014093605.2.I72441365ffe91f3dceb17db0a8ec976af8139590@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +index bb149281d31fa..4d55e3cf570f0 100644 +--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c ++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +@@ -26,7 +26,7 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b + end_addr = base_addr + aligned_len; + + if (!(*reg)) +- *reg = kzalloc(len_padded, GFP_KERNEL); ++ *reg = kvzalloc(len_padded, GFP_KERNEL); + + if (*reg) + dump_addr = *reg; +@@ -162,7 +162,7 @@ void msm_disp_state_free(void *data) + + list_for_each_entry_safe(block, tmp, &disp_state->blocks, node) { + list_del(&block->node); +- kfree(block->state); ++ kvfree(block->state); + kfree(block); + } + +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch b/queue-6.6/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch new file mode 100644 index 00000000000..1531a039165 --- /dev/null +++ b/queue-6.6/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch @@ -0,0 +1,79 @@ +From 2ec6a32a9a9e0749e7f717e9a6f4208abd1be8f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 09:36:08 -0700 +Subject: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() + +From: Douglas Anderson + +[ Upstream commit 293f53263266bc4340d777268ab4328a97f041fa ] + +If the allocation in msm_disp_state_dump_regs() failed then +`block->state` can be NULL. The msm_disp_state_print_regs() function +_does_ have code to try to handle it with: + + if (*reg) + dump_addr = *reg; + +...but since "dump_addr" is initialized to NULL the above is actually +a noop. The code then goes on to dereference `dump_addr`. + +Make the function print "Registers not stored" when it sees a NULL to +solve this. Since we're touching the code, fix +msm_disp_state_print_regs() not to pointlessly take a double-pointer +and properly mark the pointer as `const`. + +Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot") +Signed-off-by: Douglas Anderson +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/619657/ +Link: https://lore.kernel.org/r/20241014093605.1.Ia1217cecec9ef09eb3c6d125360cc6c8574b0e73@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +index add72bbc28b17..bb149281d31fa 100644 +--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c ++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +@@ -48,20 +48,21 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b + } + } + +-static void msm_disp_state_print_regs(u32 **reg, u32 len, void __iomem *base_addr, +- struct drm_printer *p) ++static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len, ++ void __iomem *base_addr, struct drm_printer *p) + { + int i; +- u32 *dump_addr = NULL; + void __iomem *addr; + u32 num_rows; + ++ if (!dump_addr) { ++ drm_printf(p, "Registers not stored\n"); ++ return; ++ } ++ + addr = base_addr; + num_rows = len / REG_DUMP_ALIGN; + +- if (*reg) +- dump_addr = *reg; +- + for (i = 0; i < num_rows; i++) { + drm_printf(p, "0x%lx : %08x %08x %08x %08x\n", + (unsigned long)(addr - base_addr), +@@ -89,7 +90,7 @@ void msm_disp_state_print(struct msm_disp_state *state, struct drm_printer *p) + + list_for_each_entry_safe(block, tmp, &state->blocks, node) { + drm_printf(p, "====================%s================\n", block->name); +- msm_disp_state_print_regs(&block->state, block->size, block->base_addr, p); ++ msm_disp_state_print_regs(block->state, block->size, block->base_addr, p); + } + + drm_printf(p, "===================dpu drm state================\n"); +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch b/queue-6.6/drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch new file mode 100644 index 00000000000..384776f4734 --- /dev/null +++ b/queue-6.6/drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch @@ -0,0 +1,82 @@ +From 4b54358fd021b04d1dbe06a840fda891b17a9a2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 06:22:46 +0300 +Subject: drm/msm/dpu: check for overflow in _dpu_crtc_setup_lm_bounds() + +From: Dmitry Baryshkov + +[ Upstream commit 3a0851b442d1f63ba42ecfa2506d3176cfabf9d4 ] + +Make _dpu_crtc_setup_lm_bounds() check that CRTC width is not +overflowing LM requirements. Rename the function accordingly. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Reviewed-by: Abhinav Kumar +Tested-by: Abhinav Kumar # sc7280 +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/612237/ +Link: https://lore.kernel.org/r/20240903-dpu-mode-config-width-v6-3-617e1ecc4b7a@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index e238e4e8116ca..ad57368dc13f0 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -722,12 +722,13 @@ void dpu_crtc_complete_commit(struct drm_crtc *crtc) + _dpu_crtc_complete_flip(crtc); + } + +-static void _dpu_crtc_setup_lm_bounds(struct drm_crtc *crtc, ++static int _dpu_crtc_check_and_setup_lm_bounds(struct drm_crtc *crtc, + struct drm_crtc_state *state) + { + struct dpu_crtc_state *cstate = to_dpu_crtc_state(state); + struct drm_display_mode *adj_mode = &state->adjusted_mode; + u32 crtc_split_width = adj_mode->hdisplay / cstate->num_mixers; ++ struct dpu_kms *dpu_kms = _dpu_crtc_get_kms(crtc); + int i; + + for (i = 0; i < cstate->num_mixers; i++) { +@@ -738,7 +739,12 @@ static void _dpu_crtc_setup_lm_bounds(struct drm_crtc *crtc, + r->y2 = adj_mode->vdisplay; + + trace_dpu_crtc_setup_lm_bounds(DRMID(crtc), i, r); ++ ++ if (drm_rect_width(r) > dpu_kms->catalog->caps->max_mixer_width) ++ return -E2BIG; + } ++ ++ return 0; + } + + static void _dpu_crtc_get_pcc_coeff(struct drm_crtc_state *state, +@@ -814,7 +820,7 @@ static void dpu_crtc_atomic_begin(struct drm_crtc *crtc, + + DRM_DEBUG_ATOMIC("crtc%d\n", crtc->base.id); + +- _dpu_crtc_setup_lm_bounds(crtc, crtc->state); ++ _dpu_crtc_check_and_setup_lm_bounds(crtc, crtc->state); + + /* encoder will trigger pending mask now */ + drm_for_each_encoder_mask(encoder, crtc->dev, crtc->state->encoder_mask) +@@ -1208,8 +1214,11 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc, + if (crtc_state->active_changed) + crtc_state->mode_changed = true; + +- if (cstate->num_mixers) +- _dpu_crtc_setup_lm_bounds(crtc, crtc_state); ++ if (cstate->num_mixers) { ++ rc = _dpu_crtc_check_and_setup_lm_bounds(crtc, crtc_state); ++ if (rc) ++ return rc; ++ } + + /* FIXME: move this to dpu_plane_atomic_check? */ + drm_atomic_crtc_state_for_each_plane_state(plane, pstate, crtc_state) { +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-dpu-don-t-always-program-merge_3d-block.patch b/queue-6.6/drm-msm-dpu-don-t-always-program-merge_3d-block.patch new file mode 100644 index 00000000000..5582ce330db --- /dev/null +++ b/queue-6.6/drm-msm-dpu-don-t-always-program-merge_3d-block.patch @@ -0,0 +1,39 @@ +From e582332b2eba2bc8b18b82d2f4d14cb3e271df81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 20:46:19 -0700 +Subject: drm/msm/dpu: don't always program merge_3d block + +From: Jessica Zhang + +[ Upstream commit f87f3b80abaf7949e638dd17dfdc267066eb52d5 ] + +Only program the merge_3d block for the video phys encoder when the 3d +blend mode is not NONE + +Fixes: 3e79527a33a8 ("drm/msm/dpu: enable merge_3d support on sm8150/sm8250") +Suggested-by: Abhinav Kumar +Signed-off-by: Jessica Zhang +Patchwork: https://patchwork.freedesktop.org/patch/619095/ +Link: https://lore.kernel.org/r/20241009-merge3d-fix-v1-1-0d0b6f5c244e@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c +index daaf0e6047538..20c8b9af7a219 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c +@@ -280,7 +280,7 @@ static void dpu_encoder_phys_vid_setup_timing_engine( + intf_cfg.stream_sel = 0; /* Don't care value for video mode */ + intf_cfg.mode_3d = dpu_encoder_helper_get_3d_blend_mode(phys_enc); + intf_cfg.dsc = dpu_encoder_helper_get_dsc(phys_enc); +- if (phys_enc->hw_pp->merge_3d) ++ if (intf_cfg.mode_3d && phys_enc->hw_pp->merge_3d) + intf_cfg.merge_3d = phys_enc->hw_pp->merge_3d->idx; + + spin_lock_irqsave(phys_enc->enc_spinlock, lock_flags); +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch b/queue-6.6/drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch new file mode 100644 index 00000000000..6a734165c48 --- /dev/null +++ b/queue-6.6/drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch @@ -0,0 +1,62 @@ +From f8ea4b0cdf9d2f2b4213aaf986440be65fa7ce01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 06:22:44 +0300 +Subject: drm/msm/dpu: make sure phys resources are properly initialized + +From: Dmitry Baryshkov + +[ Upstream commit bfecbc2cfba9b06d67d9d249c33d92e570e2fa70 ] + +The commit b954fa6baaca ("drm/msm/dpu: Refactor rm iterator") removed +zero-init of the hw_ctl array, but didn't change the error condition, +that checked for hw_ctl[i] being NULL. At the same time because of the +early returns in case of an error dpu_encoder_phys might be left with +the resources assigned in the previous state. Rework assigning of hw_pp +/ hw_ctl to the dpu_encoder_phys in order to make sure they are always +set correctly. + +Fixes: b954fa6baaca ("drm/msm/dpu: Refactor rm iterator") +Suggested-by: Abhinav Kumar +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/612233/ +Link: https://lore.kernel.org/r/20240903-dpu-mode-config-width-v6-1-617e1ecc4b7a@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +index 6262ec5e40204..10c68de1bf22c 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +@@ -1122,21 +1122,20 @@ static void dpu_encoder_virt_atomic_mode_set(struct drm_encoder *drm_enc, + for (i = 0; i < dpu_enc->num_phys_encs; i++) { + struct dpu_encoder_phys *phys = dpu_enc->phys_encs[i]; + +- if (!dpu_enc->hw_pp[i]) { ++ phys->hw_pp = dpu_enc->hw_pp[i]; ++ if (!phys->hw_pp) { + DPU_ERROR_ENC(dpu_enc, + "no pp block assigned at idx: %d\n", i); + return; + } + +- if (!hw_ctl[i]) { ++ phys->hw_ctl = i < num_ctl ? to_dpu_hw_ctl(hw_ctl[i]) : NULL; ++ if (!phys->hw_ctl) { + DPU_ERROR_ENC(dpu_enc, + "no ctl block assigned at idx: %d\n", i); + return; + } + +- phys->hw_pp = dpu_enc->hw_pp[i]; +- phys->hw_ctl = to_dpu_hw_ctl(hw_ctl[i]); +- + phys->cached_mode = crtc_state->adjusted_mode; + if (phys->ops.atomic_mode_set) + phys->ops.atomic_mode_set(phys, crtc_state, conn_state); +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch b/queue-6.6/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch new file mode 100644 index 00000000000..85de02d1a35 --- /dev/null +++ b/queue-6.6/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch @@ -0,0 +1,47 @@ +From f7e9c4be3421040a9782633d0a5d905aad4e337a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 01:01:49 -0400 +Subject: drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate + calculation + +From: Jonathan Marek + +[ Upstream commit 358b762400bd94db2a14a72dfcef74c7da6bd845 ] + +When (mode->clock * 1000) is larger than (1<<31), int to unsigned long +conversion will sign extend the int to 64 bits and the pclk_rate value +will be incorrect. + +Fix this by making the result of the multiplication unsigned. + +Note that above (1<<32) would still be broken and require more changes, but +its unlikely anyone will need that anytime soon. + +Fixes: c4d8cfe516dc ("drm/msm/dsi: add implementation for helper functions") +Signed-off-by: Jonathan Marek +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/618434/ +Link: https://lore.kernel.org/r/20241007050157.26855-2-jonathan@marek.ca +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index fcfe612416b0b..f920329fe2e09 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -545,7 +545,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode, + { + unsigned long pclk_rate; + +- pclk_rate = mode->clock * 1000; ++ pclk_rate = mode->clock * 1000u; + + if (dsc) + pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc); +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch b/queue-6.6/drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch new file mode 100644 index 00000000000..024d4fad12b --- /dev/null +++ b/queue-6.6/drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch @@ -0,0 +1,39 @@ +From c36a392ff4b7a091e90e45d112ba9187379a150a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 01:01:48 -0400 +Subject: drm/msm/dsi: improve/fix dsc pclk calculation + +From: Jonathan Marek + +[ Upstream commit 24436a540d16ca6a523b8e5441180001c31b6b35 ] + +drm_mode_vrefresh() can introduce a large rounding error, avoid it. + +Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression") +Signed-off-by: Jonathan Marek +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/618432/ +Link: https://lore.kernel.org/r/20241007050157.26855-1-jonathan@marek.ca +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index 77b805eacb1b1..fcfe612416b0b 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -537,7 +537,7 @@ static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mo + + int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay; + +- return new_htotal * mode->vtotal * drm_mode_vrefresh(mode); ++ return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal); + } + + static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode, +-- +2.43.0 + diff --git a/queue-6.6/drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch b/queue-6.6/drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch new file mode 100644 index 00000000000..7c540500eec --- /dev/null +++ b/queue-6.6/drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch @@ -0,0 +1,42 @@ +From 3736fdfc57b508d5005a9ceb2de2671b26d8d6cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2024 13:37:56 -0500 +Subject: drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check + +From: Ian Forbes + +[ Upstream commit 4809a017a2bc42ff239d53ade4b2e70f2fe81348 ] + +Handle unlikely ENOMEN condition and other errors in +vmw_stdu_connector_atomic_check. + +Signed-off-by: Ian Forbes +Reported-by: Dan Carpenter +Fixes: 75c3e8a26a35 ("drm/vmwgfx: Trigger a modeset when the screen moves") +Reviewed-by: Zack Rusin +Reviewed-by: Martin Krastev +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20240809183756.27283-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c +index b22ae25db4e17..52ea0c50c852c 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c +@@ -881,6 +881,10 @@ static int vmw_stdu_connector_atomic_check(struct drm_connector *conn, + struct drm_crtc_state *new_crtc_state; + + conn_state = drm_atomic_get_connector_state(state, conn); ++ ++ if (IS_ERR(conn_state)) ++ return PTR_ERR(conn_state); ++ + du = vmw_connector_to_stdu(conn); + + if (!conn_state->crtc) +-- +2.43.0 + diff --git a/queue-6.6/firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch b/queue-6.6/firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch new file mode 100644 index 00000000000..eaad35f25fb --- /dev/null +++ b/queue-6.6/firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch @@ -0,0 +1,51 @@ +From 8b96623e04d3640d4824e64e0a1c7f09b66b3a74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 18:40:02 +0800 +Subject: firmware: arm_scmi: Fix the double free in + scmi_debugfs_common_setup() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Su Hui + +[ Upstream commit 39b13dce1a91cdfc3bec9238f9e89094551bd428 ] + +Clang static checker(scan-build) throws below warning: + | drivers/firmware/arm_scmi/driver.c:line 2915, column 2 + | Attempt to free released memory. + +When devm_add_action_or_reset() fails, scmi_debugfs_common_cleanup() +will run twice which causes double free of 'dbg->name'. + +Remove the redundant scmi_debugfs_common_cleanup() to fix this problem. + +Fixes: c3d4aed763ce ("firmware: arm_scmi: Populate a common SCMI debugfs root") +Signed-off-by: Su Hui +Reviewed-by: Cristian Marussi +Message-Id: <20241011104001.1546476-1-suhui@nfschina.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/driver.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c +index 87383c05424bd..3962683e2af9d 100644 +--- a/drivers/firmware/arm_scmi/driver.c ++++ b/drivers/firmware/arm_scmi/driver.c +@@ -2603,10 +2603,8 @@ static struct scmi_debug_info *scmi_debugfs_common_setup(struct scmi_info *info) + dbg->top_dentry = top_dentry; + + if (devm_add_action_or_reset(info->dev, +- scmi_debugfs_common_cleanup, dbg)) { +- scmi_debugfs_common_cleanup(dbg); ++ scmi_debugfs_common_cleanup, dbg)) + return NULL; +- } + + return dbg; + } +-- +2.43.0 + diff --git a/queue-6.6/firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch b/queue-6.6/firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch new file mode 100644 index 00000000000..172ab208aa7 --- /dev/null +++ b/queue-6.6/firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch @@ -0,0 +1,115 @@ +From 125a02ec9422a4e3eceed36ae5ad9e0b83985a48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 09:07:17 -0700 +Subject: firmware: arm_scmi: Queue in scmi layer for mailbox implementation + +From: Justin Chen + +[ Upstream commit da1642bc97c4ef67f347edcd493bd0a52f88777b ] + +send_message() does not block in the MBOX implementation. This is +because the mailbox layer has its own queue. However, this confuses +the per xfer timeouts as they all start their timeout ticks in +parallel. + +Consider a case where the xfer timeout is 30ms and a SCMI transaction +takes 25ms: + + | 0ms: Message #0 is queued in mailbox layer and sent out, then sits + | at scmi_wait_for_message_response() with a timeout of 30ms + | 1ms: Message #1 is queued in mailbox layer but not sent out yet. + | Since send_message() doesn't block, it also sits at + | scmi_wait_for_message_response() with a timeout of 30ms + | ... + | 25ms: Message #0 is completed, txdone is called and message #1 is sent + | 31ms: Message #1 times out since the count started at 1ms. Even though + | it has only been inflight for 6ms. + +Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type") +Signed-off-by: Justin Chen +Message-Id: <20241014160717.1678953-1-justin.chen@broadcom.com> +Reviewed-by: Cristian Marussi +Tested-by: Cristian Marussi +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/mailbox.c | 32 +++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/drivers/firmware/arm_scmi/mailbox.c b/drivers/firmware/arm_scmi/mailbox.c +index b8d470417e8f9..8e513f70b75d4 100644 +--- a/drivers/firmware/arm_scmi/mailbox.c ++++ b/drivers/firmware/arm_scmi/mailbox.c +@@ -23,6 +23,7 @@ + * @chan_receiver: Optional Receiver mailbox unidirectional channel + * @cinfo: SCMI channel info + * @shmem: Transmit/Receive shared memory area ++ * @chan_lock: Lock that prevents multiple xfers from being queued + */ + struct scmi_mailbox { + struct mbox_client cl; +@@ -30,6 +31,7 @@ struct scmi_mailbox { + struct mbox_chan *chan_receiver; + struct scmi_chan_info *cinfo; + struct scmi_shared_mem __iomem *shmem; ++ struct mutex chan_lock; + }; + + #define client_to_scmi_mailbox(c) container_of(c, struct scmi_mailbox, cl) +@@ -228,6 +230,7 @@ static int mailbox_chan_setup(struct scmi_chan_info *cinfo, struct device *dev, + + cinfo->transport_info = smbox; + smbox->cinfo = cinfo; ++ mutex_init(&smbox->chan_lock); + + return 0; + } +@@ -255,13 +258,23 @@ static int mailbox_send_message(struct scmi_chan_info *cinfo, + struct scmi_mailbox *smbox = cinfo->transport_info; + int ret; + +- ret = mbox_send_message(smbox->chan, xfer); ++ /* ++ * The mailbox layer has its own queue. However the mailbox queue ++ * confuses the per message SCMI timeouts since the clock starts when ++ * the message is submitted into the mailbox queue. So when multiple ++ * messages are queued up the clock starts on all messages instead of ++ * only the one inflight. ++ */ ++ mutex_lock(&smbox->chan_lock); + +- /* mbox_send_message returns non-negative value on success, so reset */ +- if (ret > 0) +- ret = 0; ++ ret = mbox_send_message(smbox->chan, xfer); ++ /* mbox_send_message returns non-negative value on success */ ++ if (ret < 0) { ++ mutex_unlock(&smbox->chan_lock); ++ return ret; ++ } + +- return ret; ++ return 0; + } + + static void mailbox_mark_txdone(struct scmi_chan_info *cinfo, int ret, +@@ -269,13 +282,10 @@ static void mailbox_mark_txdone(struct scmi_chan_info *cinfo, int ret, + { + struct scmi_mailbox *smbox = cinfo->transport_info; + +- /* +- * NOTE: we might prefer not to need the mailbox ticker to manage the +- * transfer queueing since the protocol layer queues things by itself. +- * Unfortunately, we have to kick the mailbox framework after we have +- * received our message. +- */ + mbox_client_txdone(smbox->chan, ret); ++ ++ /* Release channel */ ++ mutex_unlock(&smbox->chan_lock); + } + + static void mailbox_fetch_response(struct scmi_chan_info *cinfo, +-- +2.43.0 + diff --git a/queue-6.6/genetlink-hold-rcu-in-genlmsg_mcast.patch b/queue-6.6/genetlink-hold-rcu-in-genlmsg_mcast.patch new file mode 100644 index 00000000000..dc03496a592 --- /dev/null +++ b/queue-6.6/genetlink-hold-rcu-in-genlmsg_mcast.patch @@ -0,0 +1,242 @@ +From f80b1af82f4a9bbc71993fe99da3e6dccc26ba77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 17:12:17 +0000 +Subject: genetlink: hold RCU in genlmsg_mcast() + +From: Eric Dumazet + +[ Upstream commit 56440d7ec28d60f8da3bfa09062b3368ff9b16db ] + +While running net selftests with CONFIG_PROVE_RCU_LIST=y I saw +one lockdep splat [1]. + +genlmsg_mcast() uses for_each_net_rcu(), and must therefore hold RCU. + +Instead of letting all callers guard genlmsg_multicast_allns() +with a rcu_read_lock()/rcu_read_unlock() pair, do it in genlmsg_mcast(). + +This also means the @flags parameter is useless, we need to always use +GFP_ATOMIC. + +[1] +[10882.424136] ============================= +[10882.424166] WARNING: suspicious RCU usage +[10882.424309] 6.12.0-rc2-virtme #1156 Not tainted +[10882.424400] ----------------------------- +[10882.424423] net/netlink/genetlink.c:1940 RCU-list traversed in non-reader section!! +[10882.424469] +other info that might help us debug this: + +[10882.424500] +rcu_scheduler_active = 2, debug_locks = 1 +[10882.424744] 2 locks held by ip/15677: +[10882.424791] #0: ffffffffb6b491b0 (cb_lock){++++}-{3:3}, at: genl_rcv (net/netlink/genetlink.c:1219) +[10882.426334] #1: ffffffffb6b49248 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg (net/netlink/genetlink.c:61 net/netlink/genetlink.c:57 net/netlink/genetlink.c:1209) +[10882.426465] +stack backtrace: +[10882.426805] CPU: 14 UID: 0 PID: 15677 Comm: ip Not tainted 6.12.0-rc2-virtme #1156 +[10882.426919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[10882.427046] Call Trace: +[10882.427131] +[10882.427244] dump_stack_lvl (lib/dump_stack.c:123) +[10882.427335] lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822) +[10882.427387] genlmsg_multicast_allns (net/netlink/genetlink.c:1940 (discriminator 7) net/netlink/genetlink.c:1977 (discriminator 7)) +[10882.427436] l2tp_tunnel_notify.constprop.0 (net/l2tp/l2tp_netlink.c:119) l2tp_netlink +[10882.427683] l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:253) l2tp_netlink +[10882.427748] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115) +[10882.427834] genl_rcv_msg (net/netlink/genetlink.c:1195 net/netlink/genetlink.c:1210) +[10882.427877] ? __pfx_l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:186) l2tp_netlink +[10882.427927] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201) +[10882.427959] netlink_rcv_skb (net/netlink/af_netlink.c:2551) +[10882.428069] genl_rcv (net/netlink/genetlink.c:1220) +[10882.428095] netlink_unicast (net/netlink/af_netlink.c:1332 net/netlink/af_netlink.c:1357) +[10882.428140] netlink_sendmsg (net/netlink/af_netlink.c:1901) +[10882.428210] ____sys_sendmsg (net/socket.c:729 (discriminator 1) net/socket.c:744 (discriminator 1) net/socket.c:2607 (discriminator 1)) + +Fixes: 33f72e6f0c67 ("l2tp : multicast notification to the registered listeners") +Signed-off-by: Eric Dumazet +Cc: James Chapman +Cc: Tom Parkin +Cc: Johannes Berg +Link: https://patch.msgid.link/20241011171217.3166614-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_user.c | 2 +- + include/net/genetlink.h | 3 +-- + net/l2tp/l2tp_netlink.c | 4 ++-- + net/netlink/genetlink.c | 28 ++++++++++++++-------------- + net/wireless/nl80211.c | 8 ++------ + 5 files changed, 20 insertions(+), 25 deletions(-) + +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index 22cc6cac0ba2b..2e100b76914a0 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -2130,7 +2130,7 @@ static int tcmu_netlink_event_send(struct tcmu_dev *udev, + } + + ret = genlmsg_multicast_allns(&tcmu_genl_family, skb, 0, +- TCMU_MCGRP_CONFIG, GFP_KERNEL); ++ TCMU_MCGRP_CONFIG); + + /* Wait during an add as the listener may not be up yet */ + if (ret == 0 || +diff --git a/include/net/genetlink.h b/include/net/genetlink.h +index c53244f204370..e8c34aa4a640d 100644 +--- a/include/net/genetlink.h ++++ b/include/net/genetlink.h +@@ -478,13 +478,12 @@ static inline int genlmsg_multicast(const struct genl_family *family, + * @skb: netlink message as socket buffer + * @portid: own netlink portid to avoid sending to yourself + * @group: offset of multicast group in groups array +- * @flags: allocation flags + * + * This function must hold the RTNL or rcu_read_lock(). + */ + int genlmsg_multicast_allns(const struct genl_family *family, + struct sk_buff *skb, u32 portid, +- unsigned int group, gfp_t flags); ++ unsigned int group); + + /** + * genlmsg_unicast - unicast a netlink message +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c +index a901fd14fe3bf..e27e00cb16c6b 100644 +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -115,7 +115,7 @@ static int l2tp_tunnel_notify(struct genl_family *family, + NLM_F_ACK, tunnel, cmd); + + if (ret >= 0) { +- ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC); ++ ret = genlmsg_multicast_allns(family, msg, 0, 0); + /* We don't care if no one is listening */ + if (ret == -ESRCH) + ret = 0; +@@ -143,7 +143,7 @@ static int l2tp_session_notify(struct genl_family *family, + NLM_F_ACK, session, cmd); + + if (ret >= 0) { +- ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC); ++ ret = genlmsg_multicast_allns(family, msg, 0, 0); + /* We don't care if no one is listening */ + if (ret == -ESRCH) + ret = 0; +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index d41c4a936ad0c..d6eee5140c8be 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -1355,15 +1355,11 @@ static int genl_ctrl_event(int event, const struct genl_family *family, + if (IS_ERR(msg)) + return PTR_ERR(msg); + +- if (!family->netnsok) { ++ if (!family->netnsok) + genlmsg_multicast_netns(&genl_ctrl, &init_net, msg, 0, + 0, GFP_KERNEL); +- } else { +- rcu_read_lock(); +- genlmsg_multicast_allns(&genl_ctrl, msg, 0, +- 0, GFP_ATOMIC); +- rcu_read_unlock(); +- } ++ else ++ genlmsg_multicast_allns(&genl_ctrl, msg, 0, 0); + + return 0; + } +@@ -1752,23 +1748,23 @@ static int __init genl_init(void) + + core_initcall(genl_init); + +-static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, +- gfp_t flags) ++static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group) + { + struct sk_buff *tmp; + struct net *net, *prev = NULL; + bool delivered = false; + int err; + ++ rcu_read_lock(); + for_each_net_rcu(net) { + if (prev) { +- tmp = skb_clone(skb, flags); ++ tmp = skb_clone(skb, GFP_ATOMIC); + if (!tmp) { + err = -ENOMEM; + goto error; + } + err = nlmsg_multicast(prev->genl_sock, tmp, +- portid, group, flags); ++ portid, group, GFP_ATOMIC); + if (!err) + delivered = true; + else if (err != -ESRCH) +@@ -1777,27 +1773,31 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, + + prev = net; + } ++ err = nlmsg_multicast(prev->genl_sock, skb, portid, group, GFP_ATOMIC); ++ ++ rcu_read_unlock(); + +- err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags); + if (!err) + delivered = true; + else if (err != -ESRCH) + return err; + return delivered ? 0 : -ESRCH; + error: ++ rcu_read_unlock(); ++ + kfree_skb(skb); + return err; + } + + int genlmsg_multicast_allns(const struct genl_family *family, + struct sk_buff *skb, u32 portid, +- unsigned int group, gfp_t flags) ++ unsigned int group) + { + if (WARN_ON_ONCE(group >= family->n_mcgrps)) + return -EINVAL; + + group = family->mcgrp_offset + group; +- return genlmsg_mcast(skb, portid, group, flags); ++ return genlmsg_mcast(skb, portid, group); + } + EXPORT_SYMBOL(genlmsg_multicast_allns); + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 9e74f249cb45f..7979073036698 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -17905,10 +17905,8 @@ void nl80211_common_reg_change_event(enum nl80211_commands cmd_id, + + genlmsg_end(msg, hdr); + +- rcu_read_lock(); + genlmsg_multicast_allns(&nl80211_fam, msg, 0, +- NL80211_MCGRP_REGULATORY, GFP_ATOMIC); +- rcu_read_unlock(); ++ NL80211_MCGRP_REGULATORY); + + return; + +@@ -18605,10 +18603,8 @@ void nl80211_send_beacon_hint_event(struct wiphy *wiphy, + + genlmsg_end(msg, hdr); + +- rcu_read_lock(); + genlmsg_multicast_allns(&nl80211_fam, msg, 0, +- NL80211_MCGRP_REGULATORY, GFP_ATOMIC); +- rcu_read_unlock(); ++ NL80211_MCGRP_REGULATORY); + + return; + +-- +2.43.0 + diff --git a/queue-6.6/iio-accel-bma400-fix-uninitialized-variable-field_va.patch b/queue-6.6/iio-accel-bma400-fix-uninitialized-variable-field_va.patch new file mode 100644 index 00000000000..d2a8c570f44 --- /dev/null +++ b/queue-6.6/iio-accel-bma400-fix-uninitialized-variable-field_va.patch @@ -0,0 +1,46 @@ +From 3ece4173b045239300a1f6b99ec0985e2a802ebd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 04:36:20 -0400 +Subject: iio: accel: bma400: Fix uninitialized variable field_value in tap + event handling. + +From: Mikhail Lobanov + +[ Upstream commit db9795a43dc944f048a37b65e06707f60f713e34 ] + +In the current implementation, the local variable field_value is used +without prior initialization, which may lead to reading uninitialized +memory. Specifically, in the macro set_mask_bits, the initial +(potentially uninitialized) value of the buffer is copied into old__, +and a mask is applied to calculate new__. A similar issue was resolved in +commit 6ee2a7058fea ("iio: accel: bma400: Fix smatch warning based on use +of unintialized value."). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 961db2da159d ("iio: accel: bma400: Add support for single and double tap events") +Signed-off-by: Mikhail Lobanov +Link: https://patch.msgid.link/20240910083624.27224-1-m.lobanov@rosalinux.ru +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/bma400_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/accel/bma400_core.c b/drivers/iio/accel/bma400_core.c +index e90e2f01550ad..04083b7395ab8 100644 +--- a/drivers/iio/accel/bma400_core.c ++++ b/drivers/iio/accel/bma400_core.c +@@ -1219,7 +1219,8 @@ static int bma400_activity_event_en(struct bma400_data *data, + static int bma400_tap_event_en(struct bma400_data *data, + enum iio_event_direction dir, int state) + { +- unsigned int mask, field_value; ++ unsigned int mask; ++ unsigned int field_value = 0; + int ret; + + /* +-- +2.43.0 + diff --git a/queue-6.6/iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch b/queue-6.6/iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch new file mode 100644 index 00000000000..21475ac8ef6 --- /dev/null +++ b/queue-6.6/iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch @@ -0,0 +1,41 @@ +From 6257c233d8d09fb76805b842b12d877c23525157 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2024 23:04:52 +0200 +Subject: iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in + Kconfig + +From: Javier Carrasco + +[ Upstream commit a985576af824426e33100554a5958a6beda60a13 ] + +This driver makes use of triggered buffers, but does not select the +required modules. + +Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. + +Fixes: 6c7bc1d27bb2 ("iio: adc: ti-lmp92064: add buffering support") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241003-iio-select-v1-6-67c0385197cd@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig +index e46817cb5581c..6dee3b686effd 100644 +--- a/drivers/iio/adc/Kconfig ++++ b/drivers/iio/adc/Kconfig +@@ -1335,6 +1335,8 @@ config TI_LMP92064 + tristate "Texas Instruments LMP92064 ADC driver" + depends on SPI + select REGMAP_SPI ++ select IIO_BUFFER ++ select IIO_TRIGGERED_BUFFER + help + Say yes here to build support for the LMP92064 Precision Current and Voltage + sensor. +-- +2.43.0 + diff --git a/queue-6.6/iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch b/queue-6.6/iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch new file mode 100644 index 00000000000..a4335500ce4 --- /dev/null +++ b/queue-6.6/iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch @@ -0,0 +1,70 @@ +From b1f07d3247815b6ab9cb8db42945cf88c8aa811f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 22:06:38 +0200 +Subject: iio: frequency: {admv4420,adrf6780}: format Kconfig entries + +From: Javier Carrasco + +[ Upstream commit 5c9644a683e1690387a476a4f5f6bd5cf9a1d695 ] + +Format the entries of these drivers in the Kconfig, where spaces +instead of tabs were used. + +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241007-ad2s1210-select-v2-1-7345d228040f@gmail.com +Signed-off-by: Jonathan Cameron +Stable-dep-of: 6b8e9dbfaed4 ("iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig") +Signed-off-by: Sasha Levin +--- + drivers/iio/frequency/Kconfig | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/iio/frequency/Kconfig b/drivers/iio/frequency/Kconfig +index 71de6cc4a1584..f7534dd8a8cae 100644 +--- a/drivers/iio/frequency/Kconfig ++++ b/drivers/iio/frequency/Kconfig +@@ -82,25 +82,25 @@ config ADMV1014 + module will be called admv1014. + + config ADMV4420 +- tristate "Analog Devices ADMV4420 K Band Downconverter" +- depends on SPI +- help +- Say yes here to build support for Analog Devices K Band +- Downconverter with integrated Fractional-N PLL and VCO. ++ tristate "Analog Devices ADMV4420 K Band Downconverter" ++ depends on SPI ++ help ++ Say yes here to build support for Analog Devices K Band ++ Downconverter with integrated Fractional-N PLL and VCO. + +- To compile this driver as a module, choose M here: the +- module will be called admv4420. ++ To compile this driver as a module, choose M here: the ++ module will be called admv4420. + + config ADRF6780 +- tristate "Analog Devices ADRF6780 Microwave Upconverter" +- depends on SPI +- depends on COMMON_CLK +- help +- Say yes here to build support for Analog Devices ADRF6780 +- 5.9 GHz to 23.6 GHz, Wideband, Microwave Upconverter. +- +- To compile this driver as a module, choose M here: the +- module will be called adrf6780. ++ tristate "Analog Devices ADRF6780 Microwave Upconverter" ++ depends on SPI ++ depends on COMMON_CLK ++ help ++ Say yes here to build support for Analog Devices ADRF6780 ++ 5.9 GHz to 23.6 GHz, Wideband, Microwave Upconverter. ++ ++ To compile this driver as a module, choose M here: the ++ module will be called adrf6780. + + endmenu + endmenu +-- +2.43.0 + diff --git a/queue-6.6/iio-frequency-admv4420-fix-missing-select-remap_spi-.patch b/queue-6.6/iio-frequency-admv4420-fix-missing-select-remap_spi-.patch new file mode 100644 index 00000000000..91e60f689d2 --- /dev/null +++ b/queue-6.6/iio-frequency-admv4420-fix-missing-select-remap_spi-.patch @@ -0,0 +1,37 @@ +From e2cd37b7a18f49688d34e54bf78a811896169e7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 22:06:39 +0200 +Subject: iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig + +From: Javier Carrasco + +[ Upstream commit 6b8e9dbfaed471627f7b863633b9937717df1d4d ] + +This driver makes use of regmap_spi, but does not select the required +module. +Add the missing 'select REGMAP_SPI'. + +Fixes: b59c04155901 ("iio: frequency: admv4420.c: Add support for ADMV4420") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241007-ad2s1210-select-v2-2-7345d228040f@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/frequency/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iio/frequency/Kconfig b/drivers/iio/frequency/Kconfig +index f7534dd8a8cae..036763d3e84c6 100644 +--- a/drivers/iio/frequency/Kconfig ++++ b/drivers/iio/frequency/Kconfig +@@ -84,6 +84,7 @@ config ADMV1014 + config ADMV4420 + tristate "Analog Devices ADMV4420 K Band Downconverter" + depends on SPI ++ select REGMAP_SPI + help + Say yes here to build support for Analog Devices K Band + Downconverter with integrated Fractional-N PLL and VCO. +-- +2.43.0 + diff --git a/queue-6.6/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch b/queue-6.6/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch new file mode 100644 index 00000000000..fdc13c1e2b2 --- /dev/null +++ b/queue-6.6/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch @@ -0,0 +1,112 @@ +From cf6cac963605c3ba9846ec383bd6803706d77c51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 14:47:13 -0400 +Subject: ipv4: give an IPv4 dev to blackhole_netdev + +From: Xin Long + +[ Upstream commit 22600596b6756b166fd052d5facb66287e6f0bad ] + +After commit 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to +invalidate dst entries"), blackhole_netdev was introduced to invalidate +dst cache entries on the TX path whenever the cache times out or is +flushed. + +When two UDP sockets (sk1 and sk2) send messages to the same destination +simultaneously, they are using the same dst cache. If the dst cache is +invalidated on one path (sk2) while the other (sk1) is still transmitting, +sk1 may try to use the invalid dst entry. + + CPU1 CPU2 + + udp_sendmsg(sk1) udp_sendmsg(sk2) + udp_send_skb() + ip_output() + <--- dst timeout or flushed + dst_dev_put() + ip_finish_output2() + ip_neigh_for_gw() + +This results in a scenario where ip_neigh_for_gw() returns -EINVAL because +blackhole_dev lacks an in_dev, which is needed to initialize the neigh in +arp_constructor(). This error is then propagated back to userspace, +breaking the UDP application. + +The patch fixes this issue by assigning an in_dev to blackhole_dev for +IPv4, similar to what was done for IPv6 in commit e5f80fcf869a ("ipv6: +give an IPv6 dev to blackhole_netdev"). This ensures that even when the +dst entry is invalidated with blackhole_dev, it will not fail to create +the neigh entry. + +As devinet_init() is called ealier than blackhole_netdev_init() in system +booting, it can not assign the in_dev to blackhole_dev in devinet_init(). +As Paolo suggested, add a separate late_initcall() in devinet.c to ensure +inet_blackhole_dev_init() is called after blackhole_netdev_init(). + +Fixes: 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to invalidate dst entries") +Signed-off-by: Xin Long +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/3000792d45ca44e16c785ebe2b092e610e5b3df1.1728499633.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 35 +++++++++++++++++++++++++---------- + 1 file changed, 25 insertions(+), 10 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index cb0c80328eebf..4822f68edbf08 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -283,17 +283,19 @@ static struct in_device *inetdev_init(struct net_device *dev) + /* Account for reference dev->ip_ptr (below) */ + refcount_set(&in_dev->refcnt, 1); + +- err = devinet_sysctl_register(in_dev); +- if (err) { +- in_dev->dead = 1; +- neigh_parms_release(&arp_tbl, in_dev->arp_parms); +- in_dev_put(in_dev); +- in_dev = NULL; +- goto out; ++ if (dev != blackhole_netdev) { ++ err = devinet_sysctl_register(in_dev); ++ if (err) { ++ in_dev->dead = 1; ++ neigh_parms_release(&arp_tbl, in_dev->arp_parms); ++ in_dev_put(in_dev); ++ in_dev = NULL; ++ goto out; ++ } ++ ip_mc_init_dev(in_dev); ++ if (dev->flags & IFF_UP) ++ ip_mc_up(in_dev); + } +- ip_mc_init_dev(in_dev); +- if (dev->flags & IFF_UP) +- ip_mc_up(in_dev); + + /* we can receive as soon as ip_ptr is set -- do this last */ + rcu_assign_pointer(dev->ip_ptr, in_dev); +@@ -332,6 +334,19 @@ static void inetdev_destroy(struct in_device *in_dev) + in_dev_put(in_dev); + } + ++static int __init inet_blackhole_dev_init(void) ++{ ++ int err = 0; ++ ++ rtnl_lock(); ++ if (!inetdev_init(blackhole_netdev)) ++ err = -ENOMEM; ++ rtnl_unlock(); ++ ++ return err; ++} ++late_initcall(inet_blackhole_dev_init); ++ + int inet_addr_onlink(struct in_device *in_dev, __be32 a, __be32 b) + { + const struct in_ifaddr *ifa; +-- +2.43.0 + diff --git a/queue-6.6/irqchip-renesas-rzg2l-add-support-for-suspend-to-ram.patch b/queue-6.6/irqchip-renesas-rzg2l-add-support-for-suspend-to-ram.patch new file mode 100644 index 00000000000..e8d6d95b08d --- /dev/null +++ b/queue-6.6/irqchip-renesas-rzg2l-add-support-for-suspend-to-ram.patch @@ -0,0 +1,208 @@ +From 09fc4ae271bc0ff3ed4b345fb6f235c81c82275c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:18:18 +0200 +Subject: irqchip/renesas-rzg2l: Add support for suspend to RAM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Claudiu Beznea + +[ Upstream commit 74d2ef5f6f4b2437e6292ab2502400e8048db4aa ] + +The irqchip-renesas-rzg2l driver is used on RZ/G3S SoC. RZ/G3S can go into +deep sleep states where power to different SoC's parts is cut off and RAM +is switched to self-refresh. The resume from these states is done with the +help of the bootloader. + +The IA55 IRQ controller needs to be reconfigured when resuming from deep +sleep state. For this the IA55 registers are cached in suspend and restored +in resume. + +The IA55 IRQ controller is connected to GPIO controller and GIC as follows: + + ┌──────────┐ ┌──────────┐ + │ │ SPIX │ │ + │ ├─────────►│ │ + │ │ │ │ + │ │ │ │ + ┌────────┐IRQ0-7 │ IA55 │ │ GIC │ + Pin0 ───────►│ ├─────────────►│ │ │ │ + │ │ │ │ PPIY │ │ + ... │ GPIO │ │ ├─────────►│ │ + │ │GPIOINT0-127 │ │ │ │ + PinN ───────►│ ├─────────────►│ │ │ │ + └────────┘ └──────────┘ └──────────┘ + +where: + - Pin0 is the first GPIO controller pin + - PinN is the last GPIO controller pin + + - SPIX is the SPI interrupt with identifier X + - PPIY is the PPI interrupt with identifier Y + +Implement suspend/resume functionality with syscore_ops to be able to +cache/restore the registers after/before the GPIO controller suspend/resume +functions are invoked. + +As the syscore_ops suspend/resume functions do not take any argument make +the driver private data static so it can be accessed from the +suspend/resume functions. + +The IA55 interrupt controller is resumed before the GPIO controller. As +GPIO pins could be in an a state which causes spurious interrupts, the +reconfiguration of the interrupt controller is restricted to restore the +interrupt type and leave them disabled. + +An eventually required interrupt enable operation will be done as part of +the GPIO controller resume function after restoring the GPIO state. + +[ tglx: Massaged changelog ] + +Signed-off-by: Claudiu Beznea +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20231120111820.87398-8-claudiu.beznea.uj@bp.renesas.com +Stable-dep-of: d038109ac1c6 ("irqchip/renesas-rzg2l: Fix missing put_device") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 68 ++++++++++++++++++++++++----- + 1 file changed, 57 insertions(+), 11 deletions(-) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index ac925da17876c..00688043697f0 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #define IRQC_IRQ_START 1 + #define IRQC_IRQ_COUNT 8 +@@ -55,17 +56,29 @@ + #define TINT_EXTRACT_HWIRQ(x) FIELD_GET(GENMASK(15, 0), (x)) + #define TINT_EXTRACT_GPIOINT(x) FIELD_GET(GENMASK(31, 16), (x)) + ++/** ++ * struct rzg2l_irqc_reg_cache - registers cache (necessary for suspend/resume) ++ * @iitsr: IITSR register ++ * @titsr: TITSR registers ++ */ ++struct rzg2l_irqc_reg_cache { ++ u32 iitsr; ++ u32 titsr[2]; ++}; ++ + /** + * struct rzg2l_irqc_priv - IRQ controller private data structure + * @base: Controller's base address + * @fwspec: IRQ firmware specific data + * @lock: Lock to serialize access to hardware registers ++ * @cache: Registers cache for suspend/resume + */ +-struct rzg2l_irqc_priv { ++static struct rzg2l_irqc_priv { + void __iomem *base; + struct irq_fwspec fwspec[IRQC_NUM_IRQ]; + raw_spinlock_t lock; +-}; ++ struct rzg2l_irqc_reg_cache cache; ++} *rzg2l_irqc_data; + + static struct rzg2l_irqc_priv *irq_data_to_priv(struct irq_data *data) + { +@@ -282,6 +295,38 @@ static int rzg2l_irqc_set_type(struct irq_data *d, unsigned int type) + return irq_chip_set_type_parent(d, IRQ_TYPE_LEVEL_HIGH); + } + ++static int rzg2l_irqc_irq_suspend(void) ++{ ++ struct rzg2l_irqc_reg_cache *cache = &rzg2l_irqc_data->cache; ++ void __iomem *base = rzg2l_irqc_data->base; ++ ++ cache->iitsr = readl_relaxed(base + IITSR); ++ for (u8 i = 0; i < 2; i++) ++ cache->titsr[i] = readl_relaxed(base + TITSR(i)); ++ ++ return 0; ++} ++ ++static void rzg2l_irqc_irq_resume(void) ++{ ++ struct rzg2l_irqc_reg_cache *cache = &rzg2l_irqc_data->cache; ++ void __iomem *base = rzg2l_irqc_data->base; ++ ++ /* ++ * Restore only interrupt type. TSSRx will be restored at the ++ * request of pin controller to avoid spurious interrupts due ++ * to invalid PIN states. ++ */ ++ for (u8 i = 0; i < 2; i++) ++ writel_relaxed(cache->titsr[i], base + TITSR(i)); ++ writel_relaxed(cache->iitsr, base + IITSR); ++} ++ ++static struct syscore_ops rzg2l_irqc_syscore_ops = { ++ .suspend = rzg2l_irqc_irq_suspend, ++ .resume = rzg2l_irqc_irq_resume, ++}; ++ + static const struct irq_chip irqc_chip = { + .name = "rzg2l-irqc", + .irq_eoi = rzg2l_irqc_eoi, +@@ -366,7 +411,6 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent) + struct irq_domain *irq_domain, *parent_domain; + struct platform_device *pdev; + struct reset_control *resetn; +- struct rzg2l_irqc_priv *priv; + int ret; + + pdev = of_find_device_by_node(node); +@@ -379,15 +423,15 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent) + return -ENODEV; + } + +- priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL); +- if (!priv) ++ rzg2l_irqc_data = devm_kzalloc(&pdev->dev, sizeof(*rzg2l_irqc_data), GFP_KERNEL); ++ if (!rzg2l_irqc_data) + return -ENOMEM; + +- priv->base = devm_of_iomap(&pdev->dev, pdev->dev.of_node, 0, NULL); +- if (IS_ERR(priv->base)) +- return PTR_ERR(priv->base); ++ rzg2l_irqc_data->base = devm_of_iomap(&pdev->dev, pdev->dev.of_node, 0, NULL); ++ if (IS_ERR(rzg2l_irqc_data->base)) ++ return PTR_ERR(rzg2l_irqc_data->base); + +- ret = rzg2l_irqc_parse_interrupts(priv, node); ++ ret = rzg2l_irqc_parse_interrupts(rzg2l_irqc_data, node); + if (ret) { + dev_err(&pdev->dev, "cannot parse interrupts: %d\n", ret); + return ret; +@@ -410,17 +454,19 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent) + goto pm_disable; + } + +- raw_spin_lock_init(&priv->lock); ++ raw_spin_lock_init(&rzg2l_irqc_data->lock); + + irq_domain = irq_domain_add_hierarchy(parent_domain, 0, IRQC_NUM_IRQ, + node, &rzg2l_irqc_domain_ops, +- priv); ++ rzg2l_irqc_data); + if (!irq_domain) { + dev_err(&pdev->dev, "failed to add irq domain\n"); + ret = -ENOMEM; + goto pm_put; + } + ++ register_syscore_ops(&rzg2l_irqc_syscore_ops); ++ + return 0; + + pm_put: +-- +2.43.0 + diff --git a/queue-6.6/irqchip-renesas-rzg2l-align-struct-member-names-to-t.patch b/queue-6.6/irqchip-renesas-rzg2l-align-struct-member-names-to-t.patch new file mode 100644 index 00000000000..909749becd0 --- /dev/null +++ b/queue-6.6/irqchip-renesas-rzg2l-align-struct-member-names-to-t.patch @@ -0,0 +1,43 @@ +From 2c0b357c4b3271d3b5f42e24431049bfbd66a81b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:18:14 +0200 +Subject: irqchip/renesas-rzg2l: Align struct member names to tabs + +From: Claudiu Beznea + +[ Upstream commit 02f6507640173addeeb3af035d2c6f0b3cff1567 ] + +Align struct member names to tabs to follow the requirements from +maintainer-tip file. 3 tabs were used at the moment as the next commits +will add a new member which requires 3 tabs for a better view. + +Signed-off-by: Claudiu Beznea +Signed-off-by: Thomas Gleixner +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20231120111820.87398-4-claudiu.beznea.uj@bp.renesas.com +Stable-dep-of: d038109ac1c6 ("irqchip/renesas-rzg2l: Fix missing put_device") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index ea4b921e5e158..3ea312a27492b 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -56,9 +56,9 @@ + #define TINT_EXTRACT_GPIOINT(x) FIELD_GET(GENMASK(31, 16), (x)) + + struct rzg2l_irqc_priv { +- void __iomem *base; +- struct irq_fwspec fwspec[IRQC_NUM_IRQ]; +- raw_spinlock_t lock; ++ void __iomem *base; ++ struct irq_fwspec fwspec[IRQC_NUM_IRQ]; ++ raw_spinlock_t lock; + }; + + static struct rzg2l_irqc_priv *irq_data_to_priv(struct irq_data *data) +-- +2.43.0 + diff --git a/queue-6.6/irqchip-renesas-rzg2l-document-structure-members.patch b/queue-6.6/irqchip-renesas-rzg2l-document-structure-members.patch new file mode 100644 index 00000000000..321db6cf8ad --- /dev/null +++ b/queue-6.6/irqchip-renesas-rzg2l-document-structure-members.patch @@ -0,0 +1,42 @@ +From 7870098b4f9546fee29b86408f129113837d303a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:18:15 +0200 +Subject: irqchip/renesas-rzg2l: Document structure members + +From: Claudiu Beznea + +[ Upstream commit b94f455372ad6e6b4da8e8ed9864d9c7daaf54b8 ] + +Document structure members to follow the requirements specified in +maintainer-tip, section 4.3.7. Struct declarations and initializers. + +Signed-off-by: Claudiu Beznea +Signed-off-by: Thomas Gleixner +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20231120111820.87398-5-claudiu.beznea.uj@bp.renesas.com +Stable-dep-of: d038109ac1c6 ("irqchip/renesas-rzg2l: Fix missing put_device") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index 3ea312a27492b..ac925da17876c 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -55,6 +55,12 @@ + #define TINT_EXTRACT_HWIRQ(x) FIELD_GET(GENMASK(15, 0), (x)) + #define TINT_EXTRACT_GPIOINT(x) FIELD_GET(GENMASK(31, 16), (x)) + ++/** ++ * struct rzg2l_irqc_priv - IRQ controller private data structure ++ * @base: Controller's base address ++ * @fwspec: IRQ firmware specific data ++ * @lock: Lock to serialize access to hardware registers ++ */ + struct rzg2l_irqc_priv { + void __iomem *base; + struct irq_fwspec fwspec[IRQC_NUM_IRQ]; +-- +2.43.0 + diff --git a/queue-6.6/irqchip-renesas-rzg2l-fix-missing-put_device.patch b/queue-6.6/irqchip-renesas-rzg2l-fix-missing-put_device.patch new file mode 100644 index 00000000000..6bf1e95bfde --- /dev/null +++ b/queue-6.6/irqchip-renesas-rzg2l-fix-missing-put_device.patch @@ -0,0 +1,81 @@ +From 5c0b32edd8d8c889fcee25db19f8c33729bc658b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 18:20:03 +0100 +Subject: irqchip/renesas-rzg2l: Fix missing put_device + +From: Fabrizio Castro + +[ Upstream commit d038109ac1c6bf619473dda03a16a6de58170f7f ] + +rzg2l_irqc_common_init() calls of_find_device_by_node(), but the +corresponding put_device() call is missing. This also gets reported by +make coccicheck. + +Make use of the cleanup interfaces from cleanup.h to call into +__free_put_device(), which in turn calls into put_device when leaving +function rzg2l_irqc_common_init() and variable "dev" goes out of scope. + +To prevent that the device is put on successful completion, assign NULL to +"dev" to prevent __free_put_device() from calling into put_device() within +the successful path. + +"make coccicheck" will still complain about missing put_device() calls, +but those are false positives now. + +Fixes: 3fed09559cd8 ("irqchip: Add RZ/G2L IA55 Interrupt Controller driver") +Signed-off-by: Fabrizio Castro +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/all/20241011172003.1242841-1-fabrizio.castro.jz@renesas.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index 00688043697f0..5a7836186fd41 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -408,12 +409,12 @@ static int rzg2l_irqc_parse_interrupts(struct rzg2l_irqc_priv *priv, + + static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent) + { ++ struct platform_device *pdev = of_find_device_by_node(node); ++ struct device *dev __free(put_device) = pdev ? &pdev->dev : NULL; + struct irq_domain *irq_domain, *parent_domain; +- struct platform_device *pdev; + struct reset_control *resetn; + int ret; + +- pdev = of_find_device_by_node(node); + if (!pdev) + return -ENODEV; + +@@ -467,6 +468,17 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent) + + register_syscore_ops(&rzg2l_irqc_syscore_ops); + ++ /* ++ * Prevent the cleanup function from invoking put_device by assigning ++ * NULL to dev. ++ * ++ * make coccicheck will complain about missing put_device calls, but ++ * those are false positives, as dev will be automatically "put" via ++ * __free_put_device on the failing path. ++ * On the successful path we don't actually want to "put" dev. ++ */ ++ dev = NULL; ++ + return 0; + + pm_put: +-- +2.43.0 + diff --git a/queue-6.6/khugepaged-convert-alloc_charge_hpage-to-alloc_charg.patch b/queue-6.6/khugepaged-convert-alloc_charge_hpage-to-alloc_charg.patch new file mode 100644 index 00000000000..fc1a15d1d9a --- /dev/null +++ b/queue-6.6/khugepaged-convert-alloc_charge_hpage-to-alloc_charg.patch @@ -0,0 +1,99 @@ +From 64f56409384b5eb2b3a82c0c9ef725f63a8a5359 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 18:18:31 +0100 +Subject: khugepaged: convert alloc_charge_hpage to alloc_charge_folio + +From: Matthew Wilcox (Oracle) + +[ Upstream commit d5ab50b9412c0bba750eef5a34fd2937de1aee55 ] + +Both callers want to deal with a folio, so return a folio from this +function. + +Link: https://lkml.kernel.org/r/20240403171838.1445826-3-willy@infradead.org +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point") +Signed-off-by: Sasha Levin +--- + mm/khugepaged.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index d0fcfa47085b4..b197323450b5a 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1041,7 +1041,7 @@ static int __collapse_huge_page_swapin(struct mm_struct *mm, + return result; + } + +-static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm, ++static int alloc_charge_folio(struct folio **foliop, struct mm_struct *mm, + struct collapse_control *cc) + { + gfp_t gfp = (cc->is_khugepaged ? alloc_hugepage_khugepaged_gfpmask() : +@@ -1051,7 +1051,7 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm, + + folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, &cc->alloc_nmask); + if (!folio) { +- *hpage = NULL; ++ *foliop = NULL; + count_vm_event(THP_COLLAPSE_ALLOC_FAILED); + return SCAN_ALLOC_HUGE_PAGE_FAIL; + } +@@ -1059,13 +1059,13 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm, + count_vm_event(THP_COLLAPSE_ALLOC); + if (unlikely(mem_cgroup_charge(folio, mm, gfp))) { + folio_put(folio); +- *hpage = NULL; ++ *foliop = NULL; + return SCAN_CGROUP_CHARGE_FAIL; + } + + count_memcg_folio_events(folio, THP_COLLAPSE_ALLOC, 1); + +- *hpage = folio_page(folio, 0); ++ *foliop = folio; + return SCAN_SUCCEED; + } + +@@ -1094,7 +1094,8 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address, + */ + mmap_read_unlock(mm); + +- result = alloc_charge_hpage(&hpage, mm, cc); ++ result = alloc_charge_folio(&folio, mm, cc); ++ hpage = &folio->page; + if (result != SCAN_SUCCEED) + goto out_nolock; + +@@ -1197,7 +1198,6 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address, + if (unlikely(result != SCAN_SUCCEED)) + goto out_up_write; + +- folio = page_folio(hpage); + /* + * The smp_wmb() inside __folio_mark_uptodate() ensures the + * copy_huge_page writes become visible before the set_pmd_at() +@@ -1786,7 +1786,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + struct page *hpage; + struct page *page; + struct page *tmp; +- struct folio *folio; ++ struct folio *folio, *new_folio; + pgoff_t index = 0, end = start + HPAGE_PMD_NR; + LIST_HEAD(pagelist); + XA_STATE_ORDER(xas, &mapping->i_pages, start, HPAGE_PMD_ORDER); +@@ -1797,7 +1797,8 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + VM_BUG_ON(!IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && !is_shmem); + VM_BUG_ON(start & (HPAGE_PMD_NR - 1)); + +- result = alloc_charge_hpage(&hpage, mm, cc); ++ result = alloc_charge_folio(&new_folio, mm, cc); ++ hpage = &new_folio->page; + if (result != SCAN_SUCCEED) + goto out; + +-- +2.43.0 + diff --git a/queue-6.6/khugepaged-inline-hpage_collapse_alloc_folio.patch b/queue-6.6/khugepaged-inline-hpage_collapse_alloc_folio.patch new file mode 100644 index 00000000000..8bf2358fe7d --- /dev/null +++ b/queue-6.6/khugepaged-inline-hpage_collapse_alloc_folio.patch @@ -0,0 +1,77 @@ +From 6c6042af6a00795d06a79bedb447d718fb96c75e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 18:18:30 +0100 +Subject: khugepaged: inline hpage_collapse_alloc_folio() + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 4746f5ce0fa52e21b5fe432970fe9516d1a45ebc ] + +Patch series "khugepaged folio conversions". + +We've been kind of hacking piecemeal at converting khugepaged to use +folios instead of compound pages, and so this patchset is a little larger +than it should be as I undo some of our wrong moves in the past. In +particular, collapse_file() now consistently uses 'new_folio' for the +freshly allocated folio and 'folio' for the one that's currently in use. + +This patch (of 7): + +This function has one caller, and the combined function is simpler to +read, reason about and modify. + +Link: https://lkml.kernel.org/r/20240403171838.1445826-1-willy@infradead.org +Link: https://lkml.kernel.org/r/20240403171838.1445826-2-willy@infradead.org +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: Vishal Moola (Oracle) +Signed-off-by: Andrew Morton +Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point") +Signed-off-by: Sasha Levin +--- + mm/khugepaged.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index cb6a243688045..d0fcfa47085b4 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -887,20 +887,6 @@ static int hpage_collapse_find_target_node(struct collapse_control *cc) + } + #endif + +-static bool hpage_collapse_alloc_folio(struct folio **folio, gfp_t gfp, int node, +- nodemask_t *nmask) +-{ +- *folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, nmask); +- +- if (unlikely(!*folio)) { +- count_vm_event(THP_COLLAPSE_ALLOC_FAILED); +- return false; +- } +- +- count_vm_event(THP_COLLAPSE_ALLOC); +- return true; +-} +- + /* + * If mmap_lock temporarily dropped, revalidate vma + * before taking mmap_lock. +@@ -1063,11 +1049,14 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm, + int node = hpage_collapse_find_target_node(cc); + struct folio *folio; + +- if (!hpage_collapse_alloc_folio(&folio, gfp, node, &cc->alloc_nmask)) { ++ folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, &cc->alloc_nmask); ++ if (!folio) { + *hpage = NULL; ++ count_vm_event(THP_COLLAPSE_ALLOC_FAILED); + return SCAN_ALLOC_HUGE_PAGE_FAIL; + } + ++ count_vm_event(THP_COLLAPSE_ALLOC); + if (unlikely(mem_cgroup_charge(folio, mm, gfp))) { + folio_put(folio); + *hpage = NULL; +-- +2.43.0 + diff --git a/queue-6.6/khugepaged-remove-hpage-from-collapse_file.patch b/queue-6.6/khugepaged-remove-hpage-from-collapse_file.patch new file mode 100644 index 00000000000..f5eed015e39 --- /dev/null +++ b/queue-6.6/khugepaged-remove-hpage-from-collapse_file.patch @@ -0,0 +1,219 @@ +From 96cb391700104bba00e7908da152de0e959b42ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 18:18:34 +0100 +Subject: khugepaged: remove hpage from collapse_file() + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 610ff817b981921213ae51e5c5f38c76c6f0405e ] + +Use new_folio throughout where we had been using hpage. + +Link: https://lkml.kernel.org/r/20240403171838.1445826-6-willy@infradead.org +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: Vishal Moola (Oracle) +Signed-off-by: Andrew Morton +Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point") +Signed-off-by: Sasha Levin +--- + include/trace/events/huge_memory.h | 6 +-- + mm/khugepaged.c | 77 +++++++++++++++--------------- + 2 files changed, 42 insertions(+), 41 deletions(-) + +diff --git a/include/trace/events/huge_memory.h b/include/trace/events/huge_memory.h +index 6e2ef1d4b0028..dc6eeef2d3dac 100644 +--- a/include/trace/events/huge_memory.h ++++ b/include/trace/events/huge_memory.h +@@ -207,10 +207,10 @@ TRACE_EVENT(mm_khugepaged_scan_file, + ); + + TRACE_EVENT(mm_khugepaged_collapse_file, +- TP_PROTO(struct mm_struct *mm, struct page *hpage, pgoff_t index, ++ TP_PROTO(struct mm_struct *mm, struct folio *new_folio, pgoff_t index, + bool is_shmem, unsigned long addr, struct file *file, + int nr, int result), +- TP_ARGS(mm, hpage, index, addr, is_shmem, file, nr, result), ++ TP_ARGS(mm, new_folio, index, addr, is_shmem, file, nr, result), + TP_STRUCT__entry( + __field(struct mm_struct *, mm) + __field(unsigned long, hpfn) +@@ -224,7 +224,7 @@ TRACE_EVENT(mm_khugepaged_collapse_file, + + TP_fast_assign( + __entry->mm = mm; +- __entry->hpfn = hpage ? page_to_pfn(hpage) : -1; ++ __entry->hpfn = new_folio ? folio_pfn(new_folio) : -1; + __entry->index = index; + __entry->addr = addr; + __entry->is_shmem = is_shmem; +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index b197323450b5a..4b00592548f59 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1783,30 +1783,27 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + struct collapse_control *cc) + { + struct address_space *mapping = file->f_mapping; +- struct page *hpage; + struct page *page; +- struct page *tmp; ++ struct page *tmp, *dst; + struct folio *folio, *new_folio; + pgoff_t index = 0, end = start + HPAGE_PMD_NR; + LIST_HEAD(pagelist); + XA_STATE_ORDER(xas, &mapping->i_pages, start, HPAGE_PMD_ORDER); + int nr_none = 0, result = SCAN_SUCCEED; + bool is_shmem = shmem_file(file); +- int nr = 0; + + VM_BUG_ON(!IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && !is_shmem); + VM_BUG_ON(start & (HPAGE_PMD_NR - 1)); + + result = alloc_charge_folio(&new_folio, mm, cc); +- hpage = &new_folio->page; + if (result != SCAN_SUCCEED) + goto out; + +- __SetPageLocked(hpage); ++ __folio_set_locked(new_folio); + if (is_shmem) +- __SetPageSwapBacked(hpage); +- hpage->index = start; +- hpage->mapping = mapping; ++ __folio_set_swapbacked(new_folio); ++ new_folio->index = start; ++ new_folio->mapping = mapping; + + /* + * Ensure we have slots for all the pages in the range. This is +@@ -2039,20 +2036,24 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + * The old pages are locked, so they won't change anymore. + */ + index = start; ++ dst = folio_page(new_folio, 0); + list_for_each_entry(page, &pagelist, lru) { + while (index < page->index) { +- clear_highpage(hpage + (index % HPAGE_PMD_NR)); ++ clear_highpage(dst); + index++; ++ dst++; + } +- if (copy_mc_highpage(hpage + (page->index % HPAGE_PMD_NR), page) > 0) { ++ if (copy_mc_highpage(dst, page) > 0) { + result = SCAN_COPY_MC; + goto rollback; + } + index++; ++ dst++; + } + while (index < end) { +- clear_highpage(hpage + (index % HPAGE_PMD_NR)); ++ clear_highpage(dst); + index++; ++ dst++; + } + + if (nr_none) { +@@ -2080,16 +2081,17 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + } + + /* +- * If userspace observed a missing page in a VMA with a MODE_MISSING +- * userfaultfd, then it might expect a UFFD_EVENT_PAGEFAULT for that +- * page. If so, we need to roll back to avoid suppressing such an +- * event. Since wp/minor userfaultfds don't give userspace any +- * guarantees that the kernel doesn't fill a missing page with a zero +- * page, so they don't matter here. ++ * If userspace observed a missing page in a VMA with ++ * a MODE_MISSING userfaultfd, then it might expect a ++ * UFFD_EVENT_PAGEFAULT for that page. If so, we need to ++ * roll back to avoid suppressing such an event. Since ++ * wp/minor userfaultfds don't give userspace any ++ * guarantees that the kernel doesn't fill a missing ++ * page with a zero page, so they don't matter here. + * +- * Any userfaultfds registered after this point will not be able to +- * observe any missing pages due to the previously inserted retry +- * entries. ++ * Any userfaultfds registered after this point will ++ * not be able to observe any missing pages due to the ++ * previously inserted retry entries. + */ + vma_interval_tree_foreach(vma, &mapping->i_mmap, start, end) { + if (userfaultfd_missing(vma)) { +@@ -2114,33 +2116,32 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + xas_lock_irq(&xas); + } + +- folio = page_folio(hpage); +- nr = folio_nr_pages(folio); + if (is_shmem) +- __lruvec_stat_mod_folio(folio, NR_SHMEM_THPS, nr); ++ __lruvec_stat_mod_folio(new_folio, NR_SHMEM_THPS, HPAGE_PMD_NR); + else +- __lruvec_stat_mod_folio(folio, NR_FILE_THPS, nr); ++ __lruvec_stat_mod_folio(new_folio, NR_FILE_THPS, HPAGE_PMD_NR); + + if (nr_none) { +- __lruvec_stat_mod_folio(folio, NR_FILE_PAGES, nr_none); ++ __lruvec_stat_mod_folio(new_folio, NR_FILE_PAGES, nr_none); + /* nr_none is always 0 for non-shmem. */ +- __lruvec_stat_mod_folio(folio, NR_SHMEM, nr_none); ++ __lruvec_stat_mod_folio(new_folio, NR_SHMEM, nr_none); + } + + /* +- * Mark hpage as uptodate before inserting it into the page cache so +- * that it isn't mistaken for an fallocated but unwritten page. ++ * Mark new_folio as uptodate before inserting it into the ++ * page cache so that it isn't mistaken for an fallocated but ++ * unwritten page. + */ +- folio_mark_uptodate(folio); +- folio_ref_add(folio, HPAGE_PMD_NR - 1); ++ folio_mark_uptodate(new_folio); ++ folio_ref_add(new_folio, HPAGE_PMD_NR - 1); + + if (is_shmem) +- folio_mark_dirty(folio); +- folio_add_lru(folio); ++ folio_mark_dirty(new_folio); ++ folio_add_lru(new_folio); + + /* Join all the small entries into a single multi-index entry. */ + xas_set_order(&xas, start, HPAGE_PMD_ORDER); +- xas_store(&xas, folio); ++ xas_store(&xas, new_folio); + WARN_ON_ONCE(xas_error(&xas)); + xas_unlock_irq(&xas); + +@@ -2151,7 +2152,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + retract_page_tables(mapping, start); + if (cc && !cc->is_khugepaged) + result = SCAN_PTE_MAPPED_HUGEPAGE; +- folio_unlock(folio); ++ folio_unlock(new_folio); + + /* + * The collapse has succeeded, so free the old pages. +@@ -2196,13 +2197,13 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + smp_mb(); + } + +- hpage->mapping = NULL; ++ new_folio->mapping = NULL; + +- unlock_page(hpage); +- put_page(hpage); ++ folio_unlock(new_folio); ++ folio_put(new_folio); + out: + VM_BUG_ON(!list_empty(&pagelist)); +- trace_mm_khugepaged_collapse_file(mm, hpage, index, is_shmem, addr, file, nr, result); ++ trace_mm_khugepaged_collapse_file(mm, new_folio, index, is_shmem, addr, file, HPAGE_PMD_NR, result); + return result; + } + +-- +2.43.0 + diff --git a/queue-6.6/lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch b/queue-6.6/lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch new file mode 100644 index 00000000000..1ed90612168 --- /dev/null +++ b/queue-6.6/lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch @@ -0,0 +1,39 @@ +From 5df2ac601e6c49eb99ed68a7c2fbe1e9aeb9f08b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2024 16:02:44 +0200 +Subject: lib/Kconfig.debug: fix grammar in RUST_BUILD_ASSERT_ALLOW + +From: Timo Grautstueck + +[ Upstream commit ab8851431bef5cc44f0f3f0da112e883fd4d0df5 ] + +Just a grammar fix in lib/Kconfig.debug, under the config option +RUST_BUILD_ASSERT_ALLOW. + +Reported-by: Miguel Ojeda +Closes: https://github.com/Rust-for-Linux/linux/issues/1006 +Fixes: ecaa6ddff2fd ("rust: add `build_error` crate") +Signed-off-by: Timo Grautstueck +Link: https://lore.kernel.org/r/20241006140244.5509-1-timo.grautstueck@web.de +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + lib/Kconfig.debug | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index da5513cfc1258..f94c3e957b829 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -2999,7 +2999,7 @@ config RUST_BUILD_ASSERT_ALLOW + bool "Allow unoptimized build-time assertions" + depends on RUST + help +- Controls how are `build_error!` and `build_assert!` handled during build. ++ Controls how `build_error!` and `build_assert!` are handled during the build. + + If calls to them exist in the binary, it may indicate a violated invariant + or that the optimizer failed to verify the invariant during compilation. +-- +2.43.0 + diff --git a/queue-6.6/macsec-don-t-increment-counters-for-an-unrelated-sa.patch b/queue-6.6/macsec-don-t-increment-counters-for-an-unrelated-sa.patch new file mode 100644 index 00000000000..38ed84841cd --- /dev/null +++ b/queue-6.6/macsec-don-t-increment-counters-for-an-unrelated-sa.patch @@ -0,0 +1,83 @@ +From a071ba4d8ce55b3e87576ab0ffb7d1de0555f41f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 17:16:37 +0200 +Subject: macsec: don't increment counters for an unrelated SA + +From: Sabrina Dubroca + +[ Upstream commit cf58aefb1332db322060cad4a330d5f9292b0f41 ] + +On RX, we shouldn't be incrementing the stats for an arbitrary SA in +case the actual SA hasn't been set up. Those counters are intended to +track packets for their respective AN when the SA isn't currently +configured. Due to the way MACsec is implemented, we don't keep +counters unless the SA is configured, so we can't track those packets, +and those counters will remain at 0. + +The RXSC's stats keeps track of those packets without telling us which +AN they belonged to. We could add counters for non-existent SAs, and +then find a way to integrate them in the dump to userspace, but I +don't think it's worth the effort. + +Fixes: 91ec9bd57f35 ("macsec: Fix traffic counters/statistics") +Reported-by: Paolo Abeni +Signed-off-by: Sabrina Dubroca +Link: https://patch.msgid.link/f5ac92aaa5b89343232615f4c03f9f95042c6aa0.1728657709.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 18 ------------------ + 1 file changed, 18 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 778fb77c5a937..2ada8baf815b1 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -151,19 +151,6 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr) + return sa; + } + +-static struct macsec_rx_sa *macsec_active_rxsa_get(struct macsec_rx_sc *rx_sc) +-{ +- struct macsec_rx_sa *sa = NULL; +- int an; +- +- for (an = 0; an < MACSEC_NUM_AN; an++) { +- sa = macsec_rxsa_get(rx_sc->sa[an]); +- if (sa) +- break; +- } +- return sa; +-} +- + static void free_rx_sc_rcu(struct rcu_head *head) + { + struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head); +@@ -1205,15 +1192,12 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + /* If validateFrames is Strict or the C bit in the + * SecTAG is set, discard + */ +- struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc); + if (hdr->tci_an & MACSEC_TCI_C || + secy->validate_frames == MACSEC_VALIDATE_STRICT) { + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsNotUsingSA++; + u64_stats_update_end(&rxsc_stats->syncp); + DEV_STATS_INC(secy->netdev, rx_errors); +- if (active_rx_sa) +- this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA); + goto drop_nosa; + } + +@@ -1223,8 +1207,6 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsUnusedSA++; + u64_stats_update_end(&rxsc_stats->syncp); +- if (active_rx_sa) +- this_cpu_inc(active_rx_sa->stats->InPktsUnusedSA); + goto deliver; + } + +-- +2.43.0 + diff --git a/queue-6.6/mm-convert-collapse_huge_page-to-use-a-folio.patch b/queue-6.6/mm-convert-collapse_huge_page-to-use-a-folio.patch new file mode 100644 index 00000000000..f132d376107 --- /dev/null +++ b/queue-6.6/mm-convert-collapse_huge_page-to-use-a-folio.patch @@ -0,0 +1,66 @@ +From 1027a453bcac73c5978b5a542057c2ebc2d00e34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 16:22:13 +0000 +Subject: mm: convert collapse_huge_page() to use a folio + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 5432726848bb27a01badcbc93b596f39ee6c5ffb ] + +Replace three calls to compound_head() with one. + +Link: https://lkml.kernel.org/r/20231211162214.2146080-9-willy@infradead.org +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: David Hildenbrand +Signed-off-by: Andrew Morton +Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point") +Signed-off-by: Sasha Levin +--- + mm/khugepaged.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index 97cc4ef061832..24d05e0a672dc 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1088,6 +1088,7 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address, + pmd_t *pmd, _pmd; + pte_t *pte; + pgtable_t pgtable; ++ struct folio *folio; + struct page *hpage; + spinlock_t *pmd_ptl, *pte_ptl; + int result = SCAN_FAIL; +@@ -1207,13 +1208,13 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address, + if (unlikely(result != SCAN_SUCCEED)) + goto out_up_write; + ++ folio = page_folio(hpage); + /* +- * spin_lock() below is not the equivalent of smp_wmb(), but +- * the smp_wmb() inside __SetPageUptodate() can be reused to +- * avoid the copy_huge_page writes to become visible after +- * the set_pmd_at() write. ++ * The smp_wmb() inside __folio_mark_uptodate() ensures the ++ * copy_huge_page writes become visible before the set_pmd_at() ++ * write. + */ +- __SetPageUptodate(hpage); ++ __folio_mark_uptodate(folio); + pgtable = pmd_pgtable(_pmd); + + _pmd = mk_huge_pmd(hpage, vma->vm_page_prot); +@@ -1221,8 +1222,8 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address, + + spin_lock(pmd_ptl); + BUG_ON(!pmd_none(*pmd)); +- page_add_new_anon_rmap(hpage, vma, address); +- lru_cache_add_inactive_or_unevictable(hpage, vma); ++ folio_add_new_anon_rmap(folio, vma, address); ++ folio_add_lru_vma(folio, vma); + pgtable_trans_huge_deposit(mm, pmd, pgtable); + set_pmd_at(mm, address, pmd, _pmd); + update_mmu_cache_pmd(vma, address, pmd); +-- +2.43.0 + diff --git a/queue-6.6/mm-khugepaged-convert-alloc_charge_hpage-to-use-foli.patch b/queue-6.6/mm-khugepaged-convert-alloc_charge_hpage-to-use-foli.patch new file mode 100644 index 00000000000..38214ee250c --- /dev/null +++ b/queue-6.6/mm-khugepaged-convert-alloc_charge_hpage-to-use-foli.patch @@ -0,0 +1,113 @@ +From 7f4c7302b5c4a2c4a695a3870390d32f8c792181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 11:33:30 -0700 +Subject: mm/khugepaged: convert alloc_charge_hpage() to use folios + +From: Vishal Moola (Oracle) + +[ Upstream commit b455f39d228935f88eebcd1f7c1a6981093c6a3b ] + +Also remove count_memcg_page_event now that its last caller no longer uses +it and reword hpage_collapse_alloc_page() to hpage_collapse_alloc_folio(). + +This removes 1 call to compound_head() and helps convert khugepaged to +use folios throughout. + +Link: https://lkml.kernel.org/r/20231020183331.10770-5-vishal.moola@gmail.com +Signed-off-by: Vishal Moola (Oracle) +Reviewed-by: Rik van Riel +Reviewed-by: Yang Shi +Cc: Kefeng Wang +Cc: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point") +Signed-off-by: Sasha Levin +--- + include/linux/memcontrol.h | 14 -------------- + mm/khugepaged.c | 17 ++++++++++------- + 2 files changed, 10 insertions(+), 21 deletions(-) + +diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h +index e4e24da16d2c3..b1fdb1554f2f9 100644 +--- a/include/linux/memcontrol.h ++++ b/include/linux/memcontrol.h +@@ -1080,15 +1080,6 @@ static inline void count_memcg_events(struct mem_cgroup *memcg, + local_irq_restore(flags); + } + +-static inline void count_memcg_page_event(struct page *page, +- enum vm_event_item idx) +-{ +- struct mem_cgroup *memcg = page_memcg(page); +- +- if (memcg) +- count_memcg_events(memcg, idx, 1); +-} +- + static inline void count_memcg_folio_events(struct folio *folio, + enum vm_event_item idx, unsigned long nr) + { +@@ -1565,11 +1556,6 @@ static inline void __count_memcg_events(struct mem_cgroup *memcg, + { + } + +-static inline void count_memcg_page_event(struct page *page, +- int idx) +-{ +-} +- + static inline void count_memcg_folio_events(struct folio *folio, + enum vm_event_item idx, unsigned long nr) + { +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index 88433cc25d8a5..97cc4ef061832 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -887,16 +887,16 @@ static int hpage_collapse_find_target_node(struct collapse_control *cc) + } + #endif + +-static bool hpage_collapse_alloc_page(struct page **hpage, gfp_t gfp, int node, ++static bool hpage_collapse_alloc_folio(struct folio **folio, gfp_t gfp, int node, + nodemask_t *nmask) + { +- *hpage = __alloc_pages(gfp, HPAGE_PMD_ORDER, node, nmask); +- if (unlikely(!*hpage)) { ++ *folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, nmask); ++ ++ if (unlikely(!*folio)) { + count_vm_event(THP_COLLAPSE_ALLOC_FAILED); + return false; + } + +- folio_prep_large_rmappable((struct folio *)*hpage); + count_vm_event(THP_COLLAPSE_ALLOC); + return true; + } +@@ -1063,17 +1063,20 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm, + int node = hpage_collapse_find_target_node(cc); + struct folio *folio; + +- if (!hpage_collapse_alloc_page(hpage, gfp, node, &cc->alloc_nmask)) ++ if (!hpage_collapse_alloc_folio(&folio, gfp, node, &cc->alloc_nmask)) { ++ *hpage = NULL; + return SCAN_ALLOC_HUGE_PAGE_FAIL; ++ } + +- folio = page_folio(*hpage); + if (unlikely(mem_cgroup_charge(folio, mm, gfp))) { + folio_put(folio); + *hpage = NULL; + return SCAN_CGROUP_CHARGE_FAIL; + } +- count_memcg_page_event(*hpage, THP_COLLAPSE_ALLOC); + ++ count_memcg_folio_events(folio, THP_COLLAPSE_ALLOC, 1); ++ ++ *hpage = folio_page(folio, 0); + return SCAN_SUCCEED; + } + +-- +2.43.0 + diff --git a/queue-6.6/mm-khugepaged-fix-the-arguments-order-in-khugepaged_.patch b/queue-6.6/mm-khugepaged-fix-the-arguments-order-in-khugepaged_.patch new file mode 100644 index 00000000000..c3f65dbbb77 --- /dev/null +++ b/queue-6.6/mm-khugepaged-fix-the-arguments-order-in-khugepaged_.patch @@ -0,0 +1,83 @@ +From 777dadbb80b9caed50e442d28afd2c31e2e33ac8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 18:17:02 -0700 +Subject: mm: khugepaged: fix the arguments order in khugepaged_collapse_file + trace point + +From: Yang Shi + +[ Upstream commit 37f0b47c5143c2957909ced44fc09ffb118c99f7 ] + +The "addr" and "is_shmem" arguments have different order in TP_PROTO and +TP_ARGS. This resulted in the incorrect trace result: + +text-hugepage-644429 [276] 392092.878683: mm_khugepaged_collapse_file: +mm=0xffff20025d52c440, hpage_pfn=0x200678c00, index=512, addr=1, is_shmem=0, +filename=text-hugepage, nr=512, result=failed + +The value of "addr" is wrong because it was treated as bool value, the +type of is_shmem. + +Fix the order in TP_PROTO to keep "addr" is before "is_shmem" since the +original patch review suggested this order to achieve best packing. + +And use "lx" for "addr" instead of "ld" in TP_printk because address is +typically shown in hex. + +After the fix, the trace result looks correct: + +text-hugepage-7291 [004] 128.627251: mm_khugepaged_collapse_file: +mm=0xffff0001328f9500, hpage_pfn=0x20016ea00, index=512, addr=0x400000, +is_shmem=0, filename=text-hugepage, nr=512, result=failed + +Link: https://lkml.kernel.org/r/20241012011702.1084846-1-yang@os.amperecomputing.com +Fixes: 4c9473e87e75 ("mm/khugepaged: add tracepoint to collapse_file()") +Signed-off-by: Yang Shi +Cc: Gautam Menghani +Cc: Steven Rostedt (Google) +Cc: [6.2+] +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/trace/events/huge_memory.h | 4 ++-- + mm/khugepaged.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/trace/events/huge_memory.h b/include/trace/events/huge_memory.h +index dc6eeef2d3dac..37f2443b3cdb0 100644 +--- a/include/trace/events/huge_memory.h ++++ b/include/trace/events/huge_memory.h +@@ -208,7 +208,7 @@ TRACE_EVENT(mm_khugepaged_scan_file, + + TRACE_EVENT(mm_khugepaged_collapse_file, + TP_PROTO(struct mm_struct *mm, struct folio *new_folio, pgoff_t index, +- bool is_shmem, unsigned long addr, struct file *file, ++ unsigned long addr, bool is_shmem, struct file *file, + int nr, int result), + TP_ARGS(mm, new_folio, index, addr, is_shmem, file, nr, result), + TP_STRUCT__entry( +@@ -233,7 +233,7 @@ TRACE_EVENT(mm_khugepaged_collapse_file, + __entry->result = result; + ), + +- TP_printk("mm=%p, hpage_pfn=0x%lx, index=%ld, addr=%ld, is_shmem=%d, filename=%s, nr=%d, result=%s", ++ TP_printk("mm=%p, hpage_pfn=0x%lx, index=%ld, addr=%lx, is_shmem=%d, filename=%s, nr=%d, result=%s", + __entry->mm, + __entry->hpfn, + __entry->index, +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index 4b00592548f59..a87cfe1d4b7be 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -2203,7 +2203,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + folio_put(new_folio); + out: + VM_BUG_ON(!list_empty(&pagelist)); +- trace_mm_khugepaged_collapse_file(mm, new_folio, index, is_shmem, addr, file, HPAGE_PMD_NR, result); ++ trace_mm_khugepaged_collapse_file(mm, new_folio, index, addr, is_shmem, file, HPAGE_PMD_NR, result); + return result; + } + +-- +2.43.0 + diff --git a/queue-6.6/mm-khugepaged-use-a-folio-more-in-collapse_file.patch b/queue-6.6/mm-khugepaged-use-a-folio-more-in-collapse_file.patch new file mode 100644 index 00000000000..a5c9d9d069b --- /dev/null +++ b/queue-6.6/mm-khugepaged-use-a-folio-more-in-collapse_file.patch @@ -0,0 +1,80 @@ +From 4dc450d895ee3abc843cae039c29fc80a5a6ac86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Dec 2023 08:57:47 +0000 +Subject: mm/khugepaged: use a folio more in collapse_file() + +From: Matthew Wilcox (Oracle) + +[ Upstream commit b54d60b18e850561e8bdb4264ae740676c3b7658 ] + +This function is not yet fully converted to the folio API, but this +removes a few uses of old APIs. + +Link: https://lkml.kernel.org/r/20231228085748.1083901-6-willy@infradead.org +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: Zi Yan +Reviewed-by: Vlastimil Babka +Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com> +Cc: Johannes Weiner +Signed-off-by: Andrew Morton +Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point") +Signed-off-by: Sasha Levin +--- + mm/khugepaged.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index 24d05e0a672dc..cb6a243688045 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -2124,23 +2124,23 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + xas_lock_irq(&xas); + } + +- nr = thp_nr_pages(hpage); ++ folio = page_folio(hpage); ++ nr = folio_nr_pages(folio); + if (is_shmem) +- __mod_lruvec_page_state(hpage, NR_SHMEM_THPS, nr); ++ __lruvec_stat_mod_folio(folio, NR_SHMEM_THPS, nr); + else +- __mod_lruvec_page_state(hpage, NR_FILE_THPS, nr); ++ __lruvec_stat_mod_folio(folio, NR_FILE_THPS, nr); + + if (nr_none) { +- __mod_lruvec_page_state(hpage, NR_FILE_PAGES, nr_none); ++ __lruvec_stat_mod_folio(folio, NR_FILE_PAGES, nr_none); + /* nr_none is always 0 for non-shmem. */ +- __mod_lruvec_page_state(hpage, NR_SHMEM, nr_none); ++ __lruvec_stat_mod_folio(folio, NR_SHMEM, nr_none); + } + + /* + * Mark hpage as uptodate before inserting it into the page cache so + * that it isn't mistaken for an fallocated but unwritten page. + */ +- folio = page_folio(hpage); + folio_mark_uptodate(folio); + folio_ref_add(folio, HPAGE_PMD_NR - 1); + +@@ -2150,7 +2150,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + + /* Join all the small entries into a single multi-index entry. */ + xas_set_order(&xas, start, HPAGE_PMD_ORDER); +- xas_store(&xas, hpage); ++ xas_store(&xas, folio); + WARN_ON_ONCE(xas_error(&xas)); + xas_unlock_irq(&xas); + +@@ -2161,7 +2161,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, + retract_page_tables(mapping, start); + if (cc && !cc->is_khugepaged) + result = SCAN_PTE_MAPPED_HUGEPAGE; +- unlock_page(hpage); ++ folio_unlock(folio); + + /* + * The collapse has succeeded, so free the old pages. +-- +2.43.0 + diff --git a/queue-6.6/net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch b/queue-6.6/net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch new file mode 100644 index 00000000000..6f09c1e584f --- /dev/null +++ b/queue-6.6/net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch @@ -0,0 +1,37 @@ +From a8bfc25654afd7c56607493aa1b025a3e0555730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:59:01 +0800 +Subject: net: bcmasp: fix potential memory leak in bcmasp_xmit() + +From: Wang Hai + +[ Upstream commit fed07d3eb8a8d9fcc0e455175a89bc6445d6faed ] + +The bcmasp_xmit() returns NETDEV_TX_OK without freeing skb +in case of mapping fails, add dev_kfree_skb() to fix it. + +Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller") +Signed-off-by: Wang Hai +Acked-by: Florian Fainelli +Link: https://patch.msgid.link/20241014145901.48940-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c +index 6bf149d645941..f0647286c68b2 100644 +--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c ++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c +@@ -322,6 +322,7 @@ static netdev_tx_t bcmasp_xmit(struct sk_buff *skb, struct net_device *dev) + } + /* Rewind so we do not have a hole */ + spb_index = intf->tx_spb_index; ++ dev_kfree_skb(skb); + return NETDEV_TX_OK; + } + +-- +2.43.0 + diff --git a/queue-6.6/net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch b/queue-6.6/net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch new file mode 100644 index 00000000000..9330964b563 --- /dev/null +++ b/queue-6.6/net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch @@ -0,0 +1,42 @@ +From 186c9720b66379f19bebd6ca0faf864f49fac98f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 13:43:42 -0700 +Subject: net: dsa: mv88e6xxx: Fix the max_vid definition for the MV88E6361 + +From: Peter Rashleigh + +[ Upstream commit 1833d8a26f057128fd63e126b4428203ece84684 ] + +According to the Marvell datasheet the 88E6361 has two VTU pages +(4k VIDs per page) so the max_vid should be 8191, not 4095. + +In the current implementation mv88e6xxx_vtu_walk() gives unexpected +results because of this error. I verified that mv88e6xxx_vtu_walk() +works correctly on the MV88E6361 with this patch in place. + +Fixes: 12899f299803 ("net: dsa: mv88e6xxx: enable support for 88E6361 switch") +Signed-off-by: Peter Rashleigh +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20241014204342.5852-1-peter@rashleigh.ca +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 3877744193e2a..062bcbe6255cf 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -6208,7 +6208,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = { + .invalid_port_mask = BIT(1) | BIT(2) | BIT(8), + .num_internal_phys = 5, + .internal_phys_offset = 3, +- .max_vid = 4095, ++ .max_vid = 8191, + .max_sid = 63, + .port_base_addr = 0x0, + .phy_base_addr = 0x0, +-- +2.43.0 + diff --git a/queue-6.6/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch b/queue-6.6/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch new file mode 100644 index 00000000000..fe819355636 --- /dev/null +++ b/queue-6.6/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch @@ -0,0 +1,47 @@ +From 4f83b7b4b67e44b009977fbc0204fef5ce64b8b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Oct 2024 19:04:34 +0800 +Subject: net: ethernet: aeroflex: fix potential memory leak in + greth_start_xmit_gbit() + +From: Wang Hai + +[ Upstream commit cf57b5d7a2aad456719152ecd12007fe031628a3 ] + +The greth_start_xmit_gbit() returns NETDEV_TX_OK without freeing skb +in case of skb->len being too long, add dev_kfree_skb() to fix it. + +Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") +Signed-off-by: Wang Hai +Reviewed-by: Gerhard Engleder +Link: https://patch.msgid.link/20241012110434.49265-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aeroflex/greth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c +index 597a02c75d527..e624d31d20d89 100644 +--- a/drivers/net/ethernet/aeroflex/greth.c ++++ b/drivers/net/ethernet/aeroflex/greth.c +@@ -484,7 +484,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev) + + if (unlikely(skb->len > MAX_FRAME_SIZE)) { + dev->stats.tx_errors++; +- goto out; ++ goto len_error; + } + + /* Save skb pointer. */ +@@ -575,6 +575,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev) + map_error: + if (net_ratelimit()) + dev_warn(greth->dev, "Could not create TX DMA mapping\n"); ++len_error: + dev_kfree_skb(skb); + out: + return err; +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch b/queue-6.6/net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch new file mode 100644 index 00000000000..cf07bd4736a --- /dev/null +++ b/queue-6.6/net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch @@ -0,0 +1,47 @@ +From 3080538f11d037c07166d10c0b6049a20fe1b3c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 12:32:05 +0300 +Subject: net/mlx5: Check for invalid vector index on EQ creation + +From: Maher Sanalla + +[ Upstream commit d4f25be27e3ef7e23998fbd3dd4bff0602de7ae5 ] + +Currently, mlx5 driver does not enforce vector index to be lower than +the maximum number of supported completion vectors when requesting a +new completion EQ. Thus, mlx5_comp_eqn_get() fails when trying to +acquire an IRQ with an improper vector index. + +To prevent the case above, enforce that vector index value is +valid and lower than maximum in mlx5_comp_eqn_get() before handling the +request. + +Fixes: f14c1a14e632 ("net/mlx5: Allocate completion EQs dynamically") +Signed-off-by: Maher Sanalla +Signed-off-by: Tariq Toukan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eq.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c +index 40a6cb052a2da..07a0419549092 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c +@@ -1073,6 +1073,12 @@ int mlx5_comp_eqn_get(struct mlx5_core_dev *dev, u16 vecidx, int *eqn) + struct mlx5_eq_comp *eq; + int ret = 0; + ++ if (vecidx >= table->max_comp_eqs) { ++ mlx5_core_dbg(dev, "Requested vector index %u should be less than %u", ++ vecidx, table->max_comp_eqs); ++ return -EINVAL; ++ } ++ + mutex_lock(&table->comp_lock); + eq = xa_load(&table->comp_eqs, vecidx); + if (eq) { +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5-fix-command-bitmask-initialization.patch b/queue-6.6/net-mlx5-fix-command-bitmask-initialization.patch new file mode 100644 index 00000000000..775eb277727 --- /dev/null +++ b/queue-6.6/net-mlx5-fix-command-bitmask-initialization.patch @@ -0,0 +1,100 @@ +From a06f71712c4c7450d2564891d62e1402a316d866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 12:32:06 +0300 +Subject: net/mlx5: Fix command bitmask initialization + +From: Shay Drory + +[ Upstream commit d62b14045c6511a7b2d4948d1a83a4e592deeb05 ] + +Command bitmask have a dedicated bit for MANAGE_PAGES command, this bit +isn't Initialize during command bitmask Initialization, only during +MANAGE_PAGES. + +In addition, mlx5_cmd_trigger_completions() is trying to trigger +completion for MANAGE_PAGES command as well. + +Hence, in case health error occurred before any MANAGE_PAGES command +have been invoke (for example, during mlx5_enable_hca()), +mlx5_cmd_trigger_completions() will try to trigger completion for +MANAGE_PAGES command, which will result in null-ptr-deref error.[1] + +Fix it by Initialize command bitmask correctly. + +While at it, re-write the code for better understanding. + +[1] +BUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core] +Write of size 4 at addr 0000000000000214 by task kworker/u96:2/12078 +CPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +Workqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] +Call Trace: + + dump_stack_lvl+0x7e/0xc0 + kasan_report+0xb9/0xf0 + kasan_check_range+0xec/0x190 + mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core] + mlx5_cmd_flush+0x94/0x240 [mlx5_core] + enter_error_state+0x6c/0xd0 [mlx5_core] + mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core] + process_one_work+0x787/0x1490 + ? lockdep_hardirqs_on_prepare+0x400/0x400 + ? pwq_dec_nr_in_flight+0xda0/0xda0 + ? assign_work+0x168/0x240 + worker_thread+0x586/0xd30 + ? rescuer_thread+0xae0/0xae0 + kthread+0x2df/0x3b0 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x2d/0x70 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork_asm+0x11/0x20 + + +Fixes: 9b98d395b85d ("net/mlx5: Start health poll at earlier stage of driver load") +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Reviewed-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 48dc4ae87af09..80af0fc7101fd 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1758,6 +1758,10 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force + } + } + ++#define MLX5_MAX_MANAGE_PAGES_CMD_ENT 1 ++#define MLX5_CMD_MASK ((1UL << (cmd->vars.max_reg_cmds + \ ++ MLX5_MAX_MANAGE_PAGES_CMD_ENT)) - 1) ++ + static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev) + { + struct mlx5_cmd *cmd = &dev->cmd; +@@ -1769,7 +1773,7 @@ static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev) + /* wait for pending handlers to complete */ + mlx5_eq_synchronize_cmd_irq(dev); + spin_lock_irqsave(&dev->cmd.alloc_lock, flags); +- vector = ~dev->cmd.vars.bitmask & ((1ul << (1 << dev->cmd.vars.log_sz)) - 1); ++ vector = ~dev->cmd.vars.bitmask & MLX5_CMD_MASK; + if (!vector) + goto no_trig; + +@@ -2275,7 +2279,7 @@ int mlx5_cmd_enable(struct mlx5_core_dev *dev) + + cmd->state = MLX5_CMDIF_STATE_DOWN; + cmd->vars.max_reg_cmds = (1 << cmd->vars.log_sz) - 1; +- cmd->vars.bitmask = (1UL << cmd->vars.max_reg_cmds) - 1; ++ cmd->vars.bitmask = MLX5_CMD_MASK; + + sema_init(&cmd->vars.sem, cmd->vars.max_reg_cmds); + sema_init(&cmd->vars.pages_sem, 1); +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5-unregister-notifier-on-eswitch-init-failure.patch b/queue-6.6/net-mlx5-unregister-notifier-on-eswitch-init-failure.patch new file mode 100644 index 00000000000..57413b63245 --- /dev/null +++ b/queue-6.6/net-mlx5-unregister-notifier-on-eswitch-init-failure.patch @@ -0,0 +1,72 @@ +From 21ebaa098a4ad18718c93055303f21aed06e8876 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 12:32:07 +0300 +Subject: net/mlx5: Unregister notifier on eswitch init failure + +From: Cosmin Ratiu + +[ Upstream commit 1da9cfd6c41c2e6bbe624d0568644e1521c33e12 ] + +It otherwise remains registered and a subsequent attempt at eswitch +enabling might trigger warnings of the sort: + +[ 682.589148] ------------[ cut here ]------------ +[ 682.590204] notifier callback eswitch_vport_event [mlx5_core] already registered +[ 682.590256] WARNING: CPU: 13 PID: 2660 at kernel/notifier.c:31 notifier_chain_register+0x3e/0x90 +[...snipped] +[ 682.610052] Call Trace: +[ 682.610369] +[ 682.610663] ? __warn+0x7c/0x110 +[ 682.611050] ? notifier_chain_register+0x3e/0x90 +[ 682.611556] ? report_bug+0x148/0x170 +[ 682.611977] ? handle_bug+0x36/0x70 +[ 682.612384] ? exc_invalid_op+0x13/0x60 +[ 682.612817] ? asm_exc_invalid_op+0x16/0x20 +[ 682.613284] ? notifier_chain_register+0x3e/0x90 +[ 682.613789] atomic_notifier_chain_register+0x25/0x40 +[ 682.614322] mlx5_eswitch_enable_locked+0x1d4/0x3b0 [mlx5_core] +[ 682.614965] mlx5_eswitch_enable+0xc9/0x100 [mlx5_core] +[ 682.615551] mlx5_device_enable_sriov+0x25/0x340 [mlx5_core] +[ 682.616170] mlx5_core_sriov_configure+0x50/0x170 [mlx5_core] +[ 682.616789] sriov_numvfs_store+0xb0/0x1b0 +[ 682.617248] kernfs_fop_write_iter+0x117/0x1a0 +[ 682.617734] vfs_write+0x231/0x3f0 +[ 682.618138] ksys_write+0x63/0xe0 +[ 682.618536] do_syscall_64+0x4c/0x100 +[ 682.618958] entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: 7624e58a8b3a ("net/mlx5: E-switch, register event handler before arming the event") +Signed-off-by: Cosmin Ratiu +Signed-off-by: Tariq Toukan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 1789800faaeb6..f6022c135ec02 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1489,7 +1489,7 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs) + } + + if (err) +- goto abort; ++ goto err_esw_enable; + + esw->fdb_table.flags |= MLX5_ESW_FDB_CREATED; + +@@ -1503,7 +1503,8 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs) + + return 0; + +-abort: ++err_esw_enable: ++ mlx5_eq_notifier_unregister(esw->dev, &esw->nb); + mlx5_esw_acls_ns_cleanup(esw); + return err; + } +-- +2.43.0 + diff --git a/queue-6.6/net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch b/queue-6.6/net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch new file mode 100644 index 00000000000..2fcf6e76fbb --- /dev/null +++ b/queue-6.6/net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch @@ -0,0 +1,76 @@ +From 46bb6444c1e4b9b249ebdcfcccd885ea5d15e9b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 14:43:43 +0200 +Subject: net: ravb: Only advertise Rx/Tx timestamps if hardware supports it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit 126e799602f45e9ce1ded03ee9eadda68bf470e0 ] + +Recent work moving the reporting of Rx software timestamps to the core +[1] highlighted an issue where hardware time stamping was advertised +for the platforms where it is not supported. + +Fix this by covering advertising support for hardware timestamps only if +the hardware supports it. Due to the Tx implementation in RAVB software +Tx timestamping is also only considered if the hardware supports +hardware timestamps. This should be addressed in future, but this fix +only reflects what the driver currently implements. + +1. Commit 277901ee3a26 ("ravb: Remove setting of RX software timestamp") + +Fixes: 7e09a052dc4e ("ravb: Exclude gPTP feature support for RZ/G2L") +Signed-off-by: Niklas Söderlund +Reviewed-by: Paul Barker +Tested-by: Paul Barker +Reviewed-by: Sergey Shtylyov +Link: https://patch.msgid.link/20241014124343.3875285-1-niklas.soderlund+renesas@ragnatech.se +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 25 ++++++++++++------------ + 1 file changed, 12 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 8f62cc4517918..58fdc4f8dd483 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1673,20 +1673,19 @@ static int ravb_get_ts_info(struct net_device *ndev, + struct ravb_private *priv = netdev_priv(ndev); + const struct ravb_hw_info *hw_info = priv->info; + +- info->so_timestamping = +- SOF_TIMESTAMPING_TX_SOFTWARE | +- SOF_TIMESTAMPING_TX_HARDWARE | +- SOF_TIMESTAMPING_RX_HARDWARE | +- SOF_TIMESTAMPING_RAW_HARDWARE; +- info->tx_types = (1 << HWTSTAMP_TX_OFF) | (1 << HWTSTAMP_TX_ON); +- info->rx_filters = +- (1 << HWTSTAMP_FILTER_NONE) | +- (1 << HWTSTAMP_FILTER_PTP_V2_L2_EVENT) | +- (1 << HWTSTAMP_FILTER_ALL); +- if (hw_info->gptp || hw_info->ccc_gac) ++ if (hw_info->gptp || hw_info->ccc_gac) { ++ info->so_timestamping = ++ SOF_TIMESTAMPING_TX_SOFTWARE | ++ SOF_TIMESTAMPING_TX_HARDWARE | ++ SOF_TIMESTAMPING_RX_HARDWARE | ++ SOF_TIMESTAMPING_RAW_HARDWARE; ++ info->tx_types = (1 << HWTSTAMP_TX_OFF) | (1 << HWTSTAMP_TX_ON); ++ info->rx_filters = ++ (1 << HWTSTAMP_FILTER_NONE) | ++ (1 << HWTSTAMP_FILTER_PTP_V2_L2_EVENT) | ++ (1 << HWTSTAMP_FILTER_ALL); + info->phc_index = ptp_clock_index(priv->ptp.clock); +- else +- info->phc_index = 0; ++ } + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/net-smc-fix-memory-leak-when-using-percpu-refs.patch b/queue-6.6/net-smc-fix-memory-leak-when-using-percpu-refs.patch new file mode 100644 index 00000000000..0416636c76e --- /dev/null +++ b/queue-6.6/net-smc-fix-memory-leak-when-using-percpu-refs.patch @@ -0,0 +1,57 @@ +From 2ba1dc430ccf87980c6bd62ddd5c3585116f7a47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 11:56:24 +0000 +Subject: net/smc: Fix memory leak when using percpu refs + +From: Kai Shen + +[ Upstream commit 25c12b459db8365fee84b63f3dd7910f70627f29 ] + +This patch adds missing percpu_ref_exit when releasing percpu refs. +When releasing percpu refs, percpu_ref_exit should be called. +Otherwise, memory leak happens. + +Fixes: 79a22238b4f2 ("net/smc: Use percpu ref for wr tx reference") +Signed-off-by: Kai Shen +Reviewed-by: Dust Li +Reviewed-by: Wenjia Zhang +Link: https://patch.msgid.link/20241010115624.7769-1-KaiShen@linux.alibaba.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_wr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/smc/smc_wr.c b/net/smc/smc_wr.c +index 0021065a600a0..994c0cd4fddbf 100644 +--- a/net/smc/smc_wr.c ++++ b/net/smc/smc_wr.c +@@ -648,8 +648,10 @@ void smc_wr_free_link(struct smc_link *lnk) + smc_wr_tx_wait_no_pending_sends(lnk); + percpu_ref_kill(&lnk->wr_reg_refs); + wait_for_completion(&lnk->reg_ref_comp); ++ percpu_ref_exit(&lnk->wr_reg_refs); + percpu_ref_kill(&lnk->wr_tx_refs); + wait_for_completion(&lnk->tx_ref_comp); ++ percpu_ref_exit(&lnk->wr_tx_refs); + + if (lnk->wr_rx_dma_addr) { + ib_dma_unmap_single(ibdev, lnk->wr_rx_dma_addr, +@@ -912,11 +914,13 @@ int smc_wr_create_link(struct smc_link *lnk) + init_waitqueue_head(&lnk->wr_reg_wait); + rc = percpu_ref_init(&lnk->wr_reg_refs, smcr_wr_reg_refs_free, 0, GFP_KERNEL); + if (rc) +- goto dma_unmap; ++ goto cancel_ref; + init_completion(&lnk->reg_ref_comp); + init_waitqueue_head(&lnk->wr_rx_empty_wait); + return rc; + ++cancel_ref: ++ percpu_ref_exit(&lnk->wr_tx_refs); + dma_unmap: + if (lnk->wr_rx_v2_dma_addr) { + ib_dma_unmap_single(ibdev, lnk->wr_rx_v2_dma_addr, +-- +2.43.0 + diff --git a/queue-6.6/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch b/queue-6.6/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch new file mode 100644 index 00000000000..b3fe5fb51f2 --- /dev/null +++ b/queue-6.6/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch @@ -0,0 +1,41 @@ +From 5c437ea72acf2719007a7cf7dfb8cca0ebf40e9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 19:53:21 +0800 +Subject: net/smc: Fix searching in list of known pnetids in + smc_pnet_add_pnetid + +From: Li RongQing + +[ Upstream commit 82ac39ebd6db0c9f7a97a934bda1e3e101a9d201 ] + +pnetid of pi (not newly allocated pe) should be compared + +Fixes: e888a2e8337c ("net/smc: introduce list of pnetids for Ethernet devices") +Reviewed-by: D. Wythe +Reviewed-by: Wen Gu +Signed-off-by: Li RongQing +Reviewed-by: Simon Horman +Reviewed-by: Gerd Bayer +Link: https://patch.msgid.link/20241014115321.33234-1-lirongqing@baidu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_pnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c +index 306b536fa89e9..284cec1e20ec1 100644 +--- a/net/smc/smc_pnet.c ++++ b/net/smc/smc_pnet.c +@@ -753,7 +753,7 @@ static int smc_pnet_add_pnetid(struct net *net, u8 *pnetid) + + write_lock(&sn->pnetids_ndev.lock); + list_for_each_entry(pi, &sn->pnetids_ndev.list, list) { +- if (smc_pnet_match(pnetid, pe->pnetid)) { ++ if (smc_pnet_match(pnetid, pi->pnetid)) { + refcount_inc(&pi->refcnt); + kfree(pe); + goto unlock; +-- +2.43.0 + diff --git a/queue-6.6/net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch b/queue-6.6/net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch new file mode 100644 index 00000000000..949374c33e1 --- /dev/null +++ b/queue-6.6/net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch @@ -0,0 +1,91 @@ +From 3b35d5ad3abbc9a6e1d65558dc4d51442d33808f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 10:29:08 -0400 +Subject: net: stmmac: dwmac-tegra: Fix link bring-up sequence + +From: Paritosh Dixit + +[ Upstream commit 1cff6ff302f5703a627f9ee1d99131161ea2683e ] + +The Tegra MGBE driver sometimes fails to initialize, reporting the +following error, and as a result, it is unable to acquire an IP +address with DHCP: + + tegra-mgbe 6800000.ethernet: timeout waiting for link to become ready + +As per the recommendation from the Tegra hardware design team, fix this +issue by: +- clearing the PHY_RDY bit before setting the CDR_RESET bit and then +setting PHY_RDY bit before clearing CDR_RESET bit. This ensures valid +data is present at UPHY RX inputs before starting the CDR lock. +- adding the required delays when bringing up the UPHY lane. Note we +need to use delays here because there is no alternative, such as +polling, for these cases. Using the usleep_range() instead of ndelay() +as sleeping is preferred over busy wait loop. + +Without this change we would see link failures on boot sometimes as +often as 1 in 5 boots. With this fix we have not observed any failures +in over 1000 boots. + +Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support") +Signed-off-by: Paritosh Dixit +Link: https://patch.msgid.link/20241010142908.602712-1-paritoshd@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +index e0f3cbd36852e..e2d61a3a7712d 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +@@ -127,10 +127,12 @@ static int mgbe_uphy_lane_bringup_serdes_up(struct net_device *ndev, void *mgbe_ + value &= ~XPCS_WRAP_UPHY_RX_CONTROL_AUX_RX_IDDQ; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + ++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */ + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_SLEEP; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + ++ usleep_range(10, 20); /* 500ns min delay needed as per HW design */ + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CAL_EN; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); +@@ -143,22 +145,30 @@ static int mgbe_uphy_lane_bringup_serdes_up(struct net_device *ndev, void *mgbe_ + return err; + } + ++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */ + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_DATA_EN; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); +- value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET; ++ value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_PCS_PHY_RDY; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + ++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */ + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); +- value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET; ++ value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + ++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */ + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_PCS_PHY_RDY; + writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); + ++ msleep(30); /* 30ms delay needed as per HW design */ ++ value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); ++ value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET; ++ writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL); ++ + err = readl_poll_timeout(mgbe->xpcs + XPCS_WRAP_IRQ_STATUS, value, + value & XPCS_WRAP_IRQ_STATUS_PCS_LINK_STS, + 500, 500 * 2000); +-- +2.43.0 + diff --git a/queue-6.6/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch b/queue-6.6/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch new file mode 100644 index 00000000000..bf1bad9cf44 --- /dev/null +++ b/queue-6.6/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch @@ -0,0 +1,36 @@ +From 64309ae523059beb1d2628ea1bc7c04530fea2a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:51:15 +0800 +Subject: net: systemport: fix potential memory leak in bcm_sysport_xmit() + +From: Wang Hai + +[ Upstream commit c401ed1c709948e57945485088413e1bb5e94bd1 ] + +The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb +in case of dma_map_single() fails, add dev_kfree_skb() to fix it. + +Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") +Signed-off-by: Wang Hai +Link: https://patch.msgid.link/20241014145115.44977-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index bf1611cce974a..49e890a7e04a3 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1359,6 +1359,7 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb, + netif_err(priv, tx_err, dev, "DMA map failed at %p (len=%d)\n", + skb->data, skb_len); + ret = NETDEV_TX_OK; ++ dev_kfree_skb_any(skb); + goto out; + } + +-- +2.43.0 + diff --git a/queue-6.6/net-usb-usbnet-fix-race-in-probe-failure.patch b/queue-6.6/net-usb-usbnet-fix-race-in-probe-failure.patch new file mode 100644 index 00000000000..355491d1298 --- /dev/null +++ b/queue-6.6/net-usb-usbnet-fix-race-in-probe-failure.patch @@ -0,0 +1,37 @@ +From 72990d13a7dbd849789e84c6627f59860cc18d09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 15:19:14 +0200 +Subject: net: usb: usbnet: fix race in probe failure + +From: Oliver Neukum + +[ Upstream commit b62f4c186c70aa235fef2da68d07325d85ca3ade ] + +The same bug as in the disconnect code path also exists +in the case of a failure late during the probe process. +The flag must also be set. + +Signed-off-by: Oliver Neukum +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://patch.msgid.link/20241010131934.1499695-1-oneukum@suse.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 60c58dd6d2531..4f5a3a4aac89e 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1874,6 +1874,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + * may trigger an error resubmitting itself and, worse, + * schedule a timer. So we kill it all just in case. + */ ++ usbnet_mark_going_away(dev); + cancel_work_sync(&dev->kevent); + del_timer_sync(&dev->delay); + free_percpu(net->tstats); +-- +2.43.0 + diff --git a/queue-6.6/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch b/queue-6.6/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch new file mode 100644 index 00000000000..4492bec5192 --- /dev/null +++ b/queue-6.6/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch @@ -0,0 +1,46 @@ +From 40e644b4473d930eacfa5511d8448d5f604ba090 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:37:04 +0800 +Subject: net: xilinx: axienet: fix potential memory leak in + axienet_start_xmit() + +From: Wang Hai + +[ Upstream commit 99714e37e8333bbc22496fe80f241d5b35380e83 ] + +The axienet_start_xmit() returns NETDEV_TX_OK without freeing skb +in case of dma_map_single() fails, add dev_kfree_skb_any() to fix it. + +Fixes: 71791dc8bdea ("net: axienet: Check for DMA mapping errors") +Signed-off-by: Wang Hai +Reviewed-by: Radhey Shyam Pandey +Link: https://patch.msgid.link/20241014143704.31938-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 62c10eb4f0adf..9f779653ed622 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -845,6 +845,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + if (net_ratelimit()) + netdev_err(ndev, "TX DMA mapping error\n"); + ndev->stats.tx_dropped++; ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + desc_set_phys_addr(lp, phys, cur_p); +@@ -865,6 +866,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + ndev->stats.tx_dropped++; + axienet_free_tx_chain(lp, orig_tail_ptr, ii + 1, + true, NULL, 0); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + desc_set_phys_addr(lp, phys, cur_p); +-- +2.43.0 + diff --git a/queue-6.6/netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch b/queue-6.6/netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch new file mode 100644 index 00000000000..7af5d885366 --- /dev/null +++ b/queue-6.6/netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch @@ -0,0 +1,111 @@ +From 03462d808886a3a67d4955d5f3a365e6b67de5c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Oct 2024 09:42:30 +0000 +Subject: netdevsim: use cond_resched() in nsim_dev_trap_report_work() + +From: Eric Dumazet + +[ Upstream commit a1494d532e28598bde7a5544892ef9c7dbfafa93 ] + +I am still seeing many syzbot reports hinting that syzbot +might fool nsim_dev_trap_report_work() with hundreds of ports [1] + +Lets use cond_resched(), and system_unbound_wq +instead of implicit system_wq. + +[1] +INFO: task syz-executor:20633 blocked for more than 143 seconds. + Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:syz-executor state:D stack:25856 pid:20633 tgid:20633 ppid:1 flags:0x00004006 +... +NMI backtrace for cpu 1 +CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Workqueue: events nsim_dev_trap_report_work + RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210 +Code: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0 +RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246 +RAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00 +RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577 +R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000 +R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00 +FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Call Trace: + + + + __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 + spin_unlock_bh include/linux/spinlock.h:396 [inline] + nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline] + nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850 + process_one_work kernel/workqueue.c:3229 [inline] + process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 + worker_thread+0x870/0xd30 kernel/workqueue.c:3391 + kthread+0x2f0/0x390 kernel/kthread.c:389 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + +Fixes: ba5e1272142d ("netdevsim: avoid potential loop in nsim_dev_trap_report_work()") +Reported-by: syzbot+d383dc9579a76f56c251@syzkaller.appspotmail.com +Reported-by: syzbot+c596faae21a68bf7afd0@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Cc: Jiri Pirko +Link: https://patch.msgid.link/20241012094230.3893510-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/dev.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c +index 92a7a36b93ac0..3e0b61202f0c9 100644 +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -836,7 +836,8 @@ static void nsim_dev_trap_report_work(struct work_struct *work) + nsim_dev = nsim_trap_data->nsim_dev; + + if (!devl_trylock(priv_to_devlink(nsim_dev))) { +- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, 1); ++ queue_delayed_work(system_unbound_wq, ++ &nsim_dev->trap_data->trap_report_dw, 1); + return; + } + +@@ -848,11 +849,12 @@ static void nsim_dev_trap_report_work(struct work_struct *work) + continue; + + nsim_dev_trap_report(nsim_dev_port); ++ cond_resched(); + } + devl_unlock(priv_to_devlink(nsim_dev)); +- +- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, +- msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS)); ++ queue_delayed_work(system_unbound_wq, ++ &nsim_dev->trap_data->trap_report_dw, ++ msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS)); + } + + static int nsim_dev_traps_init(struct devlink *devlink) +@@ -907,8 +909,9 @@ static int nsim_dev_traps_init(struct devlink *devlink) + + INIT_DELAYED_WORK(&nsim_dev->trap_data->trap_report_dw, + nsim_dev_trap_report_work); +- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, +- msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS)); ++ queue_delayed_work(system_unbound_wq, ++ &nsim_dev->trap_data->trap_report_dw, ++ msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS)); + + return 0; + +-- +2.43.0 + diff --git a/queue-6.6/nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch b/queue-6.6/nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch new file mode 100644 index 00000000000..1a3681bee25 --- /dev/null +++ b/queue-6.6/nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch @@ -0,0 +1,89 @@ +From 59a81aa10080dbe0df980da52e724d3b847c9c31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 13:21:00 +0200 +Subject: nvme-pci: fix race condition between reset and nvme_dev_disable() + +From: Maurizio Lombardi + +[ Upstream commit 26bc0a81f64ce00fc4342c38eeb2eddaad084dd2 ] + +nvme_dev_disable() modifies the dev->online_queues field, therefore +nvme_pci_update_nr_queues() should avoid racing against it, otherwise +we could end up passing invalid values to blk_mq_update_nr_hw_queues(). + + WARNING: CPU: 39 PID: 61303 at drivers/pci/msi/api.c:347 + pci_irq_get_affinity+0x187/0x210 + Workqueue: nvme-reset-wq nvme_reset_work [nvme] + RIP: 0010:pci_irq_get_affinity+0x187/0x210 + Call Trace: + + ? blk_mq_pci_map_queues+0x87/0x3c0 + ? pci_irq_get_affinity+0x187/0x210 + blk_mq_pci_map_queues+0x87/0x3c0 + nvme_pci_map_queues+0x189/0x460 [nvme] + blk_mq_update_nr_hw_queues+0x2a/0x40 + nvme_reset_work+0x1be/0x2a0 [nvme] + +Fix the bug by locking the shutdown_lock mutex before using +dev->online_queues. Give up if nvme_dev_disable() is running or if +it has been executed already. + +Fixes: 949928c1c731 ("NVMe: Fix possible queue use after freed") +Tested-by: Yi Zhang +Reviewed-by: Christoph Hellwig +Signed-off-by: Maurizio Lombardi +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 61c9b175e035f..b701969cf1c2a 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2469,17 +2469,29 @@ static unsigned int nvme_pci_nr_maps(struct nvme_dev *dev) + return 1; + } + +-static void nvme_pci_update_nr_queues(struct nvme_dev *dev) ++static bool nvme_pci_update_nr_queues(struct nvme_dev *dev) + { + if (!dev->ctrl.tagset) { + nvme_alloc_io_tag_set(&dev->ctrl, &dev->tagset, &nvme_mq_ops, + nvme_pci_nr_maps(dev), sizeof(struct nvme_iod)); +- return; ++ return true; ++ } ++ ++ /* Give up if we are racing with nvme_dev_disable() */ ++ if (!mutex_trylock(&dev->shutdown_lock)) ++ return false; ++ ++ /* Check if nvme_dev_disable() has been executed already */ ++ if (!dev->online_queues) { ++ mutex_unlock(&dev->shutdown_lock); ++ return false; + } + + blk_mq_update_nr_hw_queues(&dev->tagset, dev->online_queues - 1); + /* free previously allocated queues that are no longer usable */ + nvme_free_queues(dev, dev->online_queues); ++ mutex_unlock(&dev->shutdown_lock); ++ return true; + } + + static int nvme_pci_enable(struct nvme_dev *dev) +@@ -2760,7 +2772,8 @@ static void nvme_reset_work(struct work_struct *work) + nvme_dbbuf_set(dev); + nvme_unquiesce_io_queues(&dev->ctrl); + nvme_wait_freeze(&dev->ctrl); +- nvme_pci_update_nr_queues(dev); ++ if (!nvme_pci_update_nr_queues(dev)) ++ goto out; + nvme_unfreeze(&dev->ctrl); + } else { + dev_warn(dev->ctrl.device, "IO queues lost\n"); +-- +2.43.0 + diff --git a/queue-6.6/nvme-pci-set-doorbell-config-before-unquiescing.patch b/queue-6.6/nvme-pci-set-doorbell-config-before-unquiescing.patch new file mode 100644 index 00000000000..140966abd62 --- /dev/null +++ b/queue-6.6/nvme-pci-set-doorbell-config-before-unquiescing.patch @@ -0,0 +1,41 @@ +From eedd08089127ccab9b3f2843e59e1d4da5aee41b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jan 2024 18:28:55 +0000 +Subject: nvme-pci: set doorbell config before unquiescing + +From: William Butler + +[ Upstream commit 06c59d427017fcde3107c236177fcc74c9db7909 ] + +During resets, if queues are unquiesced first, then the host can submit +IOs to the controller using shadow doorbell logic but the controller +won't be aware. This can lead to necessary MMIO doorbells from being +not issued, causing requests to be delayed and timed-out. + +Signed-off-by: William Butler +Signed-off-by: Keith Busch +Stable-dep-of: 26bc0a81f64c ("nvme-pci: fix race condition between reset and nvme_dev_disable()") +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 32b5cc76a0223..61c9b175e035f 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2757,10 +2757,10 @@ static void nvme_reset_work(struct work_struct *work) + * controller around but remove all namespaces. + */ + if (dev->online_queues > 1) { ++ nvme_dbbuf_set(dev); + nvme_unquiesce_io_queues(&dev->ctrl); + nvme_wait_freeze(&dev->ctrl); + nvme_pci_update_nr_queues(dev); +- nvme_dbbuf_set(dev); + nvme_unfreeze(&dev->ctrl); + } else { + dev_warn(dev->ctrl.device, "IO queues lost\n"); +-- +2.43.0 + diff --git a/queue-6.6/octeontx2-af-fix-potential-integer-overflows-on-inte.patch b/queue-6.6/octeontx2-af-fix-potential-integer-overflows-on-inte.patch new file mode 100644 index 00000000000..28533cb6297 --- /dev/null +++ b/queue-6.6/octeontx2-af-fix-potential-integer-overflows-on-inte.patch @@ -0,0 +1,49 @@ +From 5165c09ac843bbc55956267b2ff8225b20075f56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 16:45:19 +0100 +Subject: octeontx2-af: Fix potential integer overflows on integer shifts + +From: Colin Ian King + +[ Upstream commit 637c4f6fe40befa04f19c38b5d15429cbb9191d9 ] + +The left shift int 32 bit integer constants 1 is evaluated using 32 bit +arithmetic and then assigned to a 64 bit unsigned integer. In the case +where the shift is 32 or more this can lead to an overflow. Avoid this +by shifting using the BIT_ULL macro instead. + +Fixes: 019aba04f08c ("octeontx2-af: Modify SMQ flush sequence to drop packets") +Signed-off-by: Colin Ian King +Reviewed-by: Dan Carpenter +Link: https://patch.msgid.link/20241010154519.768785-1-colin.i.king@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index 224a025283ca7..29487518ca672 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -2298,7 +2298,7 @@ static int nix_smq_flush(struct rvu *rvu, int blkaddr, + NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link)); + if (!(cfg & BIT_ULL(12))) + continue; +- bmap |= (1 << i); ++ bmap |= BIT_ULL(i); + cfg &= ~BIT_ULL(12); + rvu_write64(rvu, blkaddr, + NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link), cfg); +@@ -2319,7 +2319,7 @@ static int nix_smq_flush(struct rvu *rvu, int blkaddr, + + /* Set NIX_AF_TL3_TL2_LINKX_CFG[ENA] for the TL3/TL2 queue */ + for (i = 0; i < (rvu->hw->cgx_links + rvu->hw->lbk_links); i++) { +- if (!(bmap & (1 << i))) ++ if (!(bmap & BIT_ULL(i))) + continue; + cfg = rvu_read64(rvu, blkaddr, + NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link)); +-- +2.43.0 + diff --git a/queue-6.6/ravb-remove-setting-of-rx-software-timestamp.patch b/queue-6.6/ravb-remove-setting-of-rx-software-timestamp.patch new file mode 100644 index 00000000000..dbb16191345 --- /dev/null +++ b/queue-6.6/ravb-remove-setting-of-rx-software-timestamp.patch @@ -0,0 +1,54 @@ +From 3609e0353851187557f72974ad47c7e2d533e418 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 14:27:55 +0300 +Subject: ravb: Remove setting of RX software timestamp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gal Pressman + +[ Upstream commit 277901ee3a2620679e2c8797377d2a72f4358068 ] + +The responsibility for reporting of RX software timestamp has moved to +the core layer (see __ethtool_get_ts_info()), remove usage from the +device drivers. + +Reviewed-by: Carolina Jubran +Reviewed-by: Rahul Rameshbabu +Signed-off-by: Gal Pressman +Reviewed-by: Niklas Söderlund +Reviewed-by: Sergey Shtylyov +Link: https://patch.msgid.link/20240901112803.212753-8-gal@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 126e799602f4 ("net: ravb: Only advertise Rx/Tx timestamps if hardware supports it") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index c6897e6ea362d..8f62cc4517918 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1675,8 +1675,6 @@ static int ravb_get_ts_info(struct net_device *ndev, + + info->so_timestamping = + SOF_TIMESTAMPING_TX_SOFTWARE | +- SOF_TIMESTAMPING_RX_SOFTWARE | +- SOF_TIMESTAMPING_SOFTWARE | + SOF_TIMESTAMPING_TX_HARDWARE | + SOF_TIMESTAMPING_RX_HARDWARE | + SOF_TIMESTAMPING_RAW_HARDWARE; +@@ -1687,6 +1685,8 @@ static int ravb_get_ts_info(struct net_device *ndev, + (1 << HWTSTAMP_FILTER_ALL); + if (hw_info->gptp || hw_info->ccc_gac) + info->phc_index = ptp_clock_index(priv->ptp.clock); ++ else ++ info->phc_index = 0; + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/rdma-bnxt_re-add-a-check-for-memory-allocation.patch b/queue-6.6/rdma-bnxt_re-add-a-check-for-memory-allocation.patch new file mode 100644 index 00000000000..dc850d4a871 --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-add-a-check-for-memory-allocation.patch @@ -0,0 +1,40 @@ +From acf7799e4a5d76b8587b509717b1b4b286ea4995 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:58 -0700 +Subject: RDMA/bnxt_re: Add a check for memory allocation + +From: Kalesh AP + +[ Upstream commit c5c1ae73b7741fa3b58e6e001b407825bb971225 ] + +__alloc_pbl() can return error when memory allocation fails. +Driver is not checking the status on one of the instances. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Link: https://patch.msgid.link/r/1726715161-18941-4-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index ae2bde34e785b..47406ab8879c1 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -244,6 +244,8 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + sginfo.pgsize = npde * pg_size; + sginfo.npages = 1; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo); ++ if (rc) ++ goto fail; + + /* Alloc PBL pages */ + sginfo.npages = npbl; +-- +2.43.0 + diff --git a/queue-6.6/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch b/queue-6.6/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch new file mode 100644 index 00000000000..caa804435ee --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch @@ -0,0 +1,59 @@ +From a268084f0cb0819411753cd6854bce33e1ce94ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:41 -0700 +Subject: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages + +From: Bhargava Chenna Marreddy + +[ Upstream commit 7988bdbbb85ac85a847baf09879edcd0f70521dc ] + +Avoid memory corruption while setting up Level-2 PBL pages for the non MR +resources when num_pages > 256K. + +There will be a single PDE page address (contiguous pages in the case of > +PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid +memory access after 256K PBL entries in the PDE. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Link: https://patch.msgid.link/r/1728373302-19530-10-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Bhargava Chenna Marreddy +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 19 +++---------------- + 1 file changed, 3 insertions(+), 16 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 1fdffd6a0f480..96ceec1e8199a 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -257,22 +257,9 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + dst_virt_ptr = + (dma_addr_t **)hwq->pbl[PBL_LVL_0].pg_arr; + src_phys_ptr = hwq->pbl[PBL_LVL_1].pg_map_arr; +- if (hwq_attr->type == HWQ_TYPE_MR) { +- /* For MR it is expected that we supply only 1 contigous +- * page i.e only 1 entry in the PDL that will contain +- * all the PBLs for the user supplied memory region +- */ +- for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; +- i++) +- dst_virt_ptr[0][i] = src_phys_ptr[i] | +- flag; +- } else { +- for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; +- i++) +- dst_virt_ptr[PTR_PG(i)][PTR_IDX(i)] = +- src_phys_ptr[i] | +- PTU_PDE_VALID; +- } ++ for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; i++) ++ dst_virt_ptr[0][i] = src_phys_ptr[i] | flag; ++ + /* Alloc or init PTEs */ + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_2], + hwq_attr->sginfo); +-- +2.43.0 + diff --git a/queue-6.6/rdma-bnxt_re-fix-a-possible-memory-leak.patch b/queue-6.6/rdma-bnxt_re-fix-a-possible-memory-leak.patch new file mode 100644 index 00000000000..dcd1bba1fa5 --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-fix-a-possible-memory-leak.patch @@ -0,0 +1,43 @@ +From beafbeb407d99a1638dfd0bb8cca2212d69ff1a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:56 -0700 +Subject: RDMA/bnxt_re: Fix a possible memory leak + +From: Kalesh AP + +[ Upstream commit 3fc5410f225d1651580a4aeb7c72f55e28673b53 ] + +In bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() fails +driver is not freeing the memory allocated for "rdev->chip_ctx". + +Fixes: 0ac20faf5d83 ("RDMA/bnxt_re: Reorg the bar mapping") +Link: https://patch.msgid.link/r/1726715161-18941-2-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Selvin Xavier +Signed-off-by: Kalesh AP +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index 039801d93ed8a..c173d0ffc6293 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -176,8 +176,11 @@ static int bnxt_re_setup_chip_ctx(struct bnxt_re_dev *rdev, u8 wqe_mode) + + bnxt_re_set_db_offset(rdev); + rc = bnxt_qplib_map_db_bar(&rdev->qplib_res); +- if (rc) ++ if (rc) { ++ kfree(rdev->chip_ctx); ++ rdev->chip_ctx = NULL; + return rc; ++ } + + if (bnxt_qplib_determine_atomics(en_dev->pdev)) + ibdev_info(&rdev->ibdev, +-- +2.43.0 + diff --git a/queue-6.6/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch b/queue-6.6/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch new file mode 100644 index 00000000000..6deb891f2f7 --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch @@ -0,0 +1,47 @@ +From 4d5ddd6bdf7cdeda2ab667a8235e4c19ffcdc2d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:57 -0700 +Subject: RDMA/bnxt_re: Fix incorrect AVID type in WQE structure + +From: Saravanan Vajravel + +[ Upstream commit 9ab20f76ae9fad55ebaf36bdff04aea1c2552374 ] + +Driver uses internal data structure to construct WQE frame. +It used avid type as u16 which can accommodate up to 64K AVs. +When outstanding AVID crosses 64K, driver truncates AVID and +hence it uses incorrect AVID to WR. This leads to WR failure +due to invalid AV ID and QP is moved to error state with reason +set to 19 (INVALID AVID). When RDMA CM path is used, this issue +hits QP1 and it is moved to error state + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://patch.msgid.link/r/1726715161-18941-3-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Selvin Xavier +Reviewed-by: Chandramohan Akula +Signed-off-by: Saravanan Vajravel +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +index a6f38d8f12efe..56ddff96b5083 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +@@ -169,7 +169,7 @@ struct bnxt_qplib_swqe { + }; + u32 q_key; + u32 dst_qp; +- u16 avid; ++ u32 avid; + } send; + + /* Send Raw Ethernet and QP1 */ +-- +2.43.0 + diff --git a/queue-6.6/rdma-bnxt_re-fix-out-of-bound-check.patch b/queue-6.6/rdma-bnxt_re-fix-out-of-bound-check.patch new file mode 100644 index 00000000000..c32f5f4b97b --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-fix-out-of-bound-check.patch @@ -0,0 +1,42 @@ +From e0e5b63429ea70e268ef2baebd6b9891cd87a916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:34 -0700 +Subject: RDMA/bnxt_re: Fix out of bound check + +From: Kalesh AP + +[ Upstream commit a9e6e7443922ac0a48243c35d03834c96926bff1 ] + +Driver exports pacing stats only on GenP5 and P7 adapters. But while +parsing the pacing stats, driver has a check for "rdev->dbr_pacing". This +caused a trace when KASAN is enabled. + +BUG: KASAN: slab-out-of-bounds in bnxt_re_get_hw_stats+0x2b6a/0x2e00 [bnxt_re] +Write of size 8 at addr ffff8885942a6340 by task modprobe/4809 + +Fixes: 8b6573ff3420 ("bnxt_re: Update the debug counters for doorbell pacing") +Link: https://patch.msgid.link/r/1728373302-19530-3-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/hw_counters.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.c b/drivers/infiniband/hw/bnxt_re/hw_counters.c +index 128651c015956..1e63f80917483 100644 +--- a/drivers/infiniband/hw/bnxt_re/hw_counters.c ++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.c +@@ -366,7 +366,7 @@ int bnxt_re_ib_get_hw_stats(struct ib_device *ibdev, + goto done; + } + } +- if (rdev->pacing.dbr_pacing) ++ if (rdev->pacing.dbr_pacing && bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) + bnxt_re_copy_db_pacing_stats(rdev, stats); + } + +-- +2.43.0 + diff --git a/queue-6.6/rdma-bnxt_re-fix-the-gid-table-length.patch b/queue-6.6/rdma-bnxt_re-fix-the-gid-table-length.patch new file mode 100644 index 00000000000..7d6bf2bd01b --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-fix-the-gid-table-length.patch @@ -0,0 +1,51 @@ +From 4597e420961ef907ae59b3e79db584b00dcffadb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:42 -0700 +Subject: RDMA/bnxt_re: Fix the GID table length + +From: Kalesh AP + +[ Upstream commit dc5006cfcf62bea88076a587344ba5e00e66d1c6 ] + +GID table length is reported by FW. The gid index which is passed to the +driver during modify_qp/create_ah is restricted by the sgid_index field of +struct ib_global_route. sgid_index is u8 and the max sgid possible is +256. + +Each GID entry in HW will have 2 GID entries in the kernel gid table. So +we can support twice the gid table size reported by FW. Also, restrict the +max GID to 256 also. + +Fixes: 847b97887ed4 ("RDMA/bnxt_re: Restrict the max_gids to 256") +Link: https://patch.msgid.link/r/1728373302-19530-11-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index 7e550432ccb14..0b98577cd7082 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -156,7 +156,14 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw, + if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx)) + attr->l2_db_size = (sb->l2_db_space_size + 1) * + (0x01 << RCFW_DBR_BASE_PAGE_SHIFT); +- attr->max_sgid = BNXT_QPLIB_NUM_GIDS_SUPPORTED; ++ /* ++ * Read the max gid supported by HW. ++ * For each entry in HW GID in HW table, we consume 2 ++ * GID entries in the kernel GID table. So max_gid reported ++ * to stack can be up to twice the value reported by the HW, up to 256 gids. ++ */ ++ attr->max_sgid = le32_to_cpu(sb->max_gid); ++ attr->max_sgid = min_t(u32, BNXT_QPLIB_NUM_GIDS_SUPPORTED, 2 * attr->max_sgid); + attr->dev_cap_flags = le16_to_cpu(sb->dev_cap_flags); + + bnxt_qplib_query_version(rcfw, attr->fw_ver); +-- +2.43.0 + diff --git a/queue-6.6/rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch b/queue-6.6/rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch new file mode 100644 index 00000000000..4d20a183c0b --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch @@ -0,0 +1,52 @@ +From 18ef58c49583db7b33d588dde18787e37549d1b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:33 -0700 +Subject: RDMA/bnxt_re: Fix the max CQ WQEs for older adapters + +From: Abhishek Mohapatra + +[ Upstream commit ac6df53738b465053d38d491fff87bd7d37fdc07 ] + +Older adapters doesn't support the MAX CQ WQEs reported by older FW. So +restrict the value reported to 1M always for older adapters. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://patch.msgid.link/r/1728373302-19530-2-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Abhishek Mohapatra +Reviewed-by: Chandramohan Akula +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 ++ + drivers/infiniband/hw/bnxt_re/qplib_sp.h | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index c580bf78d4c13..2b73bb433b88c 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -137,6 +137,8 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw, + 6 : sb->max_sge; + attr->max_cq = le32_to_cpu(sb->max_cq); + attr->max_cq_wqes = le32_to_cpu(sb->max_cqe); ++ if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx)) ++ attr->max_cq_wqes = min_t(u32, BNXT_QPLIB_MAX_CQ_WQES, attr->max_cq_wqes); + attr->max_cq_sges = attr->max_qp_sges; + attr->max_mr = le32_to_cpu(sb->max_mr); + attr->max_mw = le32_to_cpu(sb->max_mw); +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.h b/drivers/infiniband/hw/bnxt_re/qplib_sp.h +index d33c78b96217a..755765e68eaab 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.h +@@ -55,6 +55,7 @@ struct bnxt_qplib_dev_attr { + u32 max_qp_wqes; + u32 max_qp_sges; + u32 max_cq; ++#define BNXT_QPLIB_MAX_CQ_WQES 0xfffff + u32 max_cq_wqes; + u32 max_cq_sges; + u32 max_mr; +-- +2.43.0 + diff --git a/queue-6.6/rdma-bnxt_re-return-more-meaningful-error.patch b/queue-6.6/rdma-bnxt_re-return-more-meaningful-error.patch new file mode 100644 index 00000000000..86bc404a467 --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-return-more-meaningful-error.patch @@ -0,0 +1,41 @@ +From 7531275a5debfcecf31b32918c3c086614dd3326 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:36 -0700 +Subject: RDMA/bnxt_re: Return more meaningful error + +From: Kalesh AP + +[ Upstream commit 98647df0178df215b8239c5c365537283b2852a6 ] + +When the HWRM command fails, driver currently returns -EFAULT(Bad +address). This does not look correct. + +Modified to return -EIO(I/O error). + +Fixes: cc1ec769b87c ("RDMA/bnxt_re: Fixing the Control path command and response handling") +Fixes: 65288a22ddd8 ("RDMA/bnxt_re: use shadow qd while posting non blocking rcfw command") +Link: https://patch.msgid.link/r/1728373302-19530-5-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 3ffaef0c26519..7294221b3316c 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -525,7 +525,7 @@ static int __bnxt_qplib_rcfw_send_message(struct bnxt_qplib_rcfw *rcfw, + /* failed with status */ + dev_err(&rcfw->pdev->dev, "cmdq[%#x]=%#x status %#x\n", + cookie, opcode, evnt->status); +- rc = -EFAULT; ++ rc = -EIO; + } + + return rc; +-- +2.43.0 + diff --git a/queue-6.6/rdma-bnxt_re-support-new-5760x-p7-devices.patch b/queue-6.6/rdma-bnxt_re-support-new-5760x-p7-devices.patch new file mode 100644 index 00000000000..852ae3b038c --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-support-new-5760x-p7-devices.patch @@ -0,0 +1,309 @@ +From 0cd5760031b5949d2403705893868f64869aaf71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 02:47:35 -0800 +Subject: RDMA/bnxt_re: Support new 5760X P7 devices + +From: Selvin Xavier + +[ Upstream commit 1801d87b3598b173bce3fbf15c5517796f38db96 ] + +Add basic support for 5760X P7 devices. Add new chip +revisions. The first version support is similar to +the existing P5 adapters. Extend the current support +for P5 adapters to P7 also. + +Signed-off-by: Selvin Xavier +Link: https://lore.kernel.org/r/1701946060-13931-2-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Leon Romanovsky +Stable-dep-of: ac6df53738b4 ("RDMA/bnxt_re: Fix the max CQ WQEs for older adapters") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/hw_counters.c | 4 ++-- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 10 +++++----- + drivers/infiniband/hw/bnxt_re/main.c | 14 +++++++------- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 ++-- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 +- + drivers/infiniband/hw/bnxt_re/qplib_res.h | 20 +++++++++++++++++--- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 6 +++--- + 8 files changed, 38 insertions(+), 24 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.c b/drivers/infiniband/hw/bnxt_re/hw_counters.c +index 93572405d6fae..128651c015956 100644 +--- a/drivers/infiniband/hw/bnxt_re/hw_counters.c ++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.c +@@ -371,7 +371,7 @@ int bnxt_re_ib_get_hw_stats(struct ib_device *ibdev, + } + + done: +- return bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ? ++ return bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ? + BNXT_RE_NUM_EXT_COUNTERS : BNXT_RE_NUM_STD_COUNTERS; + } + +@@ -381,7 +381,7 @@ struct rdma_hw_stats *bnxt_re_ib_alloc_hw_port_stats(struct ib_device *ibdev, + struct bnxt_re_dev *rdev = to_bnxt_re_dev(ibdev, ibdev); + int num_counters = 0; + +- if (bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) ++ if (bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) + num_counters = BNXT_RE_NUM_EXT_COUNTERS; + else + num_counters = BNXT_RE_NUM_STD_COUNTERS; +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index b4d3e7dfc939f..f2eaecef7570c 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -1023,7 +1023,7 @@ static int bnxt_re_init_user_qp(struct bnxt_re_dev *rdev, struct bnxt_re_pd *pd, + bytes = (qplib_qp->sq.max_wqe * qplib_qp->sq.wqe_size); + /* Consider mapping PSN search memory only for RC QPs. */ + if (qplib_qp->type == CMDQ_CREATE_QP_TYPE_RC) { +- psn_sz = bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ? ++ psn_sz = bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ? + sizeof(struct sq_psn_search_ext) : + sizeof(struct sq_psn_search); + psn_nume = (qplib_qp->wqe_mode == BNXT_QPLIB_WQE_MODE_STATIC) ? +@@ -1234,7 +1234,7 @@ static void bnxt_re_adjust_gsi_rq_attr(struct bnxt_re_qp *qp) + qplqp = &qp->qplib_qp; + dev_attr = &rdev->dev_attr; + +- if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) { ++ if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) { + qplqp->rq.max_sge = dev_attr->max_qp_sges; + if (qplqp->rq.max_sge > dev_attr->max_qp_sges) + qplqp->rq.max_sge = dev_attr->max_qp_sges; +@@ -1301,7 +1301,7 @@ static void bnxt_re_adjust_gsi_sq_attr(struct bnxt_re_qp *qp, + qplqp = &qp->qplib_qp; + dev_attr = &rdev->dev_attr; + +- if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) { ++ if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) { + entries = bnxt_re_init_depth(init_attr->cap.max_send_wr + 1, uctx); + qplqp->sq.max_wqe = min_t(u32, entries, + dev_attr->max_qp_wqes + 1); +@@ -1328,7 +1328,7 @@ static int bnxt_re_init_qp_type(struct bnxt_re_dev *rdev, + goto out; + } + +- if (bnxt_qplib_is_chip_gen_p5(chip_ctx) && ++ if (bnxt_qplib_is_chip_gen_p5_p7(chip_ctx) && + init_attr->qp_type == IB_QPT_GSI) + qptype = CMDQ_CREATE_QP_TYPE_GSI; + out: +@@ -1527,7 +1527,7 @@ int bnxt_re_create_qp(struct ib_qp *ib_qp, struct ib_qp_init_attr *qp_init_attr, + goto fail; + + if (qp_init_attr->qp_type == IB_QPT_GSI && +- !(bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx))) { ++ !(bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))) { + rc = bnxt_re_create_gsi_qp(qp, pd, qp_init_attr); + if (rc == -ENODEV) + goto qp_destroy; +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index c173d0ffc6293..594cc6aa7b79d 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -128,7 +128,7 @@ static void bnxt_re_set_drv_mode(struct bnxt_re_dev *rdev, u8 mode) + struct bnxt_qplib_chip_ctx *cctx; + + cctx = rdev->chip_ctx; +- cctx->modes.wqe_mode = bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ? ++ cctx->modes.wqe_mode = bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ? + mode : BNXT_QPLIB_WQE_MODE_STATIC; + if (bnxt_re_hwrm_qcaps(rdev)) + dev_err(rdev_to_dev(rdev), +@@ -218,7 +218,7 @@ static void bnxt_re_limit_pf_res(struct bnxt_re_dev *rdev) + ctx->srqc_count = min_t(u32, BNXT_RE_MAX_SRQC_COUNT, + attr->max_srq); + ctx->cq_count = min_t(u32, BNXT_RE_MAX_CQ_COUNT, attr->max_cq); +- if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) ++ if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) + for (i = 0; i < MAX_TQM_ALLOC_REQ; i++) + rdev->qplib_ctx.tqm_ctx.qcount[i] = + rdev->dev_attr.tqm_alloc_reqs[i]; +@@ -267,7 +267,7 @@ static void bnxt_re_set_resource_limits(struct bnxt_re_dev *rdev) + memset(&rdev->qplib_ctx.vf_res, 0, sizeof(struct bnxt_qplib_vf_res)); + bnxt_re_limit_pf_res(rdev); + +- num_vfs = bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ? ++ num_vfs = bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ? + BNXT_RE_GEN_P5_MAX_VF : rdev->num_vfs; + if (num_vfs) + bnxt_re_limit_vf_res(&rdev->qplib_ctx, num_vfs); +@@ -279,7 +279,7 @@ static void bnxt_re_vf_res_config(struct bnxt_re_dev *rdev) + if (test_bit(BNXT_RE_FLAG_ERR_DEVICE_DETACHED, &rdev->flags)) + return; + rdev->num_vfs = pci_sriov_get_totalvfs(rdev->en_dev->pdev); +- if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) { ++ if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) { + bnxt_re_set_resource_limits(rdev); + bnxt_qplib_set_func_resources(&rdev->qplib_res, &rdev->rcfw, + &rdev->qplib_ctx); +@@ -1074,7 +1074,7 @@ static int bnxt_re_cqn_handler(struct bnxt_qplib_nq *nq, + #define BNXT_RE_GEN_P5_VF_NQ_DB 0x4000 + static u32 bnxt_re_get_nqdb_offset(struct bnxt_re_dev *rdev, u16 indx) + { +- return bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ? ++ return bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ? + (rdev->is_virtfn ? BNXT_RE_GEN_P5_VF_NQ_DB : + BNXT_RE_GEN_P5_PF_NQ_DB) : + rdev->en_dev->msix_entries[indx].db_offset; +@@ -1539,7 +1539,7 @@ static int bnxt_re_dev_init(struct bnxt_re_dev *rdev, u8 wqe_mode) + bnxt_re_set_resource_limits(rdev); + + rc = bnxt_qplib_alloc_ctx(&rdev->qplib_res, &rdev->qplib_ctx, 0, +- bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)); ++ bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)); + if (rc) { + ibdev_err(&rdev->ibdev, + "Failed to allocate QPLIB context: %#x\n", rc); +@@ -1662,7 +1662,7 @@ static void bnxt_re_setup_cc(struct bnxt_re_dev *rdev, bool enable) + return; + + /* Currently enabling only for GenP5 adapters */ +- if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) ++ if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) + return; + + if (enable) { +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index 3b28878f62062..4ee11cb4f2bd3 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -995,7 +995,7 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) + + /* SQ */ + if (qp->type == CMDQ_CREATE_QP_TYPE_RC) { +- psn_sz = bnxt_qplib_is_chip_gen_p5(res->cctx) ? ++ psn_sz = bnxt_qplib_is_chip_gen_p5_p7(res->cctx) ? + sizeof(struct sq_psn_search_ext) : + sizeof(struct sq_psn_search); + +@@ -1649,7 +1649,7 @@ static void bnxt_qplib_fill_psn_search(struct bnxt_qplib_qp *qp, + flg_npsn = ((swq->next_psn << SQ_PSN_SEARCH_NEXT_PSN_SFT) & + SQ_PSN_SEARCH_NEXT_PSN_MASK); + +- if (bnxt_qplib_is_chip_gen_p5(qp->cctx)) { ++ if (bnxt_qplib_is_chip_gen_p5_p7(qp->cctx)) { + psns_ext->opcode_start_psn = cpu_to_le32(op_spsn); + psns_ext->flags_next_psn = cpu_to_le32(flg_npsn); + psns_ext->start_slot_idx = cpu_to_le16(swq->slot_idx); +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 5680fe8b890ad..3ffaef0c26519 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -852,7 +852,7 @@ int bnxt_qplib_init_rcfw(struct bnxt_qplib_rcfw *rcfw, + */ + if (is_virtfn) + goto skip_ctx_setup; +- if (bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx)) ++ if (bnxt_qplib_is_chip_gen_p5_p7(rcfw->res->cctx)) + goto config_vf_res; + + lvl = ctx->qpc_tbl.level; +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 47406ab8879c1..1fdffd6a0f480 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -807,7 +807,7 @@ static int bnxt_qplib_alloc_dpi_tbl(struct bnxt_qplib_res *res, + dpit = &res->dpi_tbl; + reg = &dpit->wcreg; + +- if (!bnxt_qplib_is_chip_gen_p5(res->cctx)) { ++ if (!bnxt_qplib_is_chip_gen_p5_p7(res->cctx)) { + /* Offest should come from L2 driver */ + dbr_offset = dev_attr->l2_db_size; + dpit->ucreg.offset = dbr_offset; +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.h b/drivers/infiniband/hw/bnxt_re/qplib_res.h +index 534db462216ac..f9e7aa3757cfb 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.h +@@ -44,6 +44,9 @@ extern const struct bnxt_qplib_gid bnxt_qplib_gid_zero; + #define CHIP_NUM_57508 0x1750 + #define CHIP_NUM_57504 0x1751 + #define CHIP_NUM_57502 0x1752 ++#define CHIP_NUM_58818 0xd818 ++#define CHIP_NUM_57608 0x1760 ++ + + struct bnxt_qplib_drv_modes { + u8 wqe_mode; +@@ -296,6 +299,12 @@ struct bnxt_qplib_res { + struct bnxt_qplib_db_pacing_data *pacing_data; + }; + ++static inline bool bnxt_qplib_is_chip_gen_p7(struct bnxt_qplib_chip_ctx *cctx) ++{ ++ return (cctx->chip_num == CHIP_NUM_58818 || ++ cctx->chip_num == CHIP_NUM_57608); ++} ++ + static inline bool bnxt_qplib_is_chip_gen_p5(struct bnxt_qplib_chip_ctx *cctx) + { + return (cctx->chip_num == CHIP_NUM_57508 || +@@ -303,15 +312,20 @@ static inline bool bnxt_qplib_is_chip_gen_p5(struct bnxt_qplib_chip_ctx *cctx) + cctx->chip_num == CHIP_NUM_57502); + } + ++static inline bool bnxt_qplib_is_chip_gen_p5_p7(struct bnxt_qplib_chip_ctx *cctx) ++{ ++ return bnxt_qplib_is_chip_gen_p5(cctx) || bnxt_qplib_is_chip_gen_p7(cctx); ++} ++ + static inline u8 bnxt_qplib_get_hwq_type(struct bnxt_qplib_res *res) + { +- return bnxt_qplib_is_chip_gen_p5(res->cctx) ? ++ return bnxt_qplib_is_chip_gen_p5_p7(res->cctx) ? + HWQ_TYPE_QUEUE : HWQ_TYPE_L2_CMPL; + } + + static inline u8 bnxt_qplib_get_ring_type(struct bnxt_qplib_chip_ctx *cctx) + { +- return bnxt_qplib_is_chip_gen_p5(cctx) ? ++ return bnxt_qplib_is_chip_gen_p5_p7(cctx) ? + RING_ALLOC_REQ_RING_TYPE_NQ : + RING_ALLOC_REQ_RING_TYPE_ROCE_CMPL; + } +@@ -488,7 +502,7 @@ static inline void bnxt_qplib_ring_nq_db(struct bnxt_qplib_db_info *info, + u32 type; + + type = arm ? DBC_DBC_TYPE_NQ_ARM : DBC_DBC_TYPE_NQ; +- if (bnxt_qplib_is_chip_gen_p5(cctx)) ++ if (bnxt_qplib_is_chip_gen_p5_p7(cctx)) + bnxt_qplib_ring_db(info, type); + else + bnxt_qplib_ring_db32(info, arm); +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index a27b685151647..c580bf78d4c13 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -59,7 +59,7 @@ static bool bnxt_qplib_is_atomic_cap(struct bnxt_qplib_rcfw *rcfw) + { + u16 pcie_ctl2 = 0; + +- if (!bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx)) ++ if (!bnxt_qplib_is_chip_gen_p5_p7(rcfw->res->cctx)) + return false; + + pcie_capability_read_word(rcfw->pdev, PCI_EXP_DEVCTL2, &pcie_ctl2); +@@ -133,7 +133,7 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw, + * reporting the max number + */ + attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS + 1; +- attr->max_qp_sges = bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx) ? ++ attr->max_qp_sges = bnxt_qplib_is_chip_gen_p5_p7(rcfw->res->cctx) ? + 6 : sb->max_sge; + attr->max_cq = le32_to_cpu(sb->max_cq); + attr->max_cq_wqes = le32_to_cpu(sb->max_cqe); +@@ -934,7 +934,7 @@ int bnxt_qplib_modify_cc(struct bnxt_qplib_res *res, + req->inactivity_th = cpu_to_le16(cc_param->inact_th); + + /* For chip gen P5 onwards fill extended cmd and header */ +- if (bnxt_qplib_is_chip_gen_p5(res->cctx)) { ++ if (bnxt_qplib_is_chip_gen_p5_p7(res->cctx)) { + struct roce_tlv *hdr; + u32 payload; + u32 chunks; +-- +2.43.0 + diff --git a/queue-6.6/rdma-bnxt_re-update-the-bar-offsets.patch b/queue-6.6/rdma-bnxt_re-update-the-bar-offsets.patch new file mode 100644 index 00000000000..0d84ef36559 --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-update-the-bar-offsets.patch @@ -0,0 +1,95 @@ +From 6c0cc86be6d8e080c87b49b37b1972ef138a81ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 02:47:36 -0800 +Subject: RDMA/bnxt_re: Update the BAR offsets + +From: Selvin Xavier + +[ Upstream commit a62d685814416647fbb28b3eb2617744adef2d4f ] + +Update the BAR offsets for handling GenP7 adapters. +Use the values populated by L2 driver for getting the +Doorbell offsets. + +Signed-off-by: Selvin Xavier +Link: https://lore.kernel.org/r/1701946060-13931-3-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Leon Romanovsky +Stable-dep-of: dc5006cfcf62 ("RDMA/bnxt_re: Fix the GID table length") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 21 +++++++-------------- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 5 +++-- + 2 files changed, 10 insertions(+), 16 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index 594cc6aa7b79d..607293794b924 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -107,8 +107,11 @@ static void bnxt_re_set_db_offset(struct bnxt_re_dev *rdev) + dev_info(rdev_to_dev(rdev), + "Couldn't get DB bar size, Low latency framework is disabled\n"); + /* set register offsets for both UC and WC */ +- res->dpi_tbl.ucreg.offset = res->is_vf ? BNXT_QPLIB_DBR_VF_DB_OFFSET : +- BNXT_QPLIB_DBR_PF_DB_OFFSET; ++ if (bnxt_qplib_is_chip_gen_p7(cctx)) ++ res->dpi_tbl.ucreg.offset = offset; ++ else ++ res->dpi_tbl.ucreg.offset = res->is_vf ? BNXT_QPLIB_DBR_VF_DB_OFFSET : ++ BNXT_QPLIB_DBR_PF_DB_OFFSET; + res->dpi_tbl.wcreg.offset = res->dpi_tbl.ucreg.offset; + + /* If WC mapping is disabled by L2 driver then en_dev->l2_db_size +@@ -1070,16 +1073,6 @@ static int bnxt_re_cqn_handler(struct bnxt_qplib_nq *nq, + return 0; + } + +-#define BNXT_RE_GEN_P5_PF_NQ_DB 0x10000 +-#define BNXT_RE_GEN_P5_VF_NQ_DB 0x4000 +-static u32 bnxt_re_get_nqdb_offset(struct bnxt_re_dev *rdev, u16 indx) +-{ +- return bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ? +- (rdev->is_virtfn ? BNXT_RE_GEN_P5_VF_NQ_DB : +- BNXT_RE_GEN_P5_PF_NQ_DB) : +- rdev->en_dev->msix_entries[indx].db_offset; +-} +- + static void bnxt_re_cleanup_res(struct bnxt_re_dev *rdev) + { + int i; +@@ -1100,7 +1093,7 @@ static int bnxt_re_init_res(struct bnxt_re_dev *rdev) + bnxt_qplib_init_res(&rdev->qplib_res); + + for (i = 1; i < rdev->num_msix ; i++) { +- db_offt = bnxt_re_get_nqdb_offset(rdev, i); ++ db_offt = rdev->en_dev->msix_entries[i].db_offset; + rc = bnxt_qplib_enable_nq(rdev->en_dev->pdev, &rdev->nq[i - 1], + i - 1, rdev->en_dev->msix_entries[i].vector, + db_offt, &bnxt_re_cqn_handler, +@@ -1511,7 +1504,7 @@ static int bnxt_re_dev_init(struct bnxt_re_dev *rdev, u8 wqe_mode) + ibdev_err(&rdev->ibdev, "Failed to allocate CREQ: %#x\n", rc); + goto free_rcfw; + } +- db_offt = bnxt_re_get_nqdb_offset(rdev, BNXT_RE_AEQ_IDX); ++ db_offt = rdev->en_dev->msix_entries[BNXT_RE_AEQ_IDX].db_offset; + vid = rdev->en_dev->msix_entries[BNXT_RE_AEQ_IDX].vector; + rc = bnxt_qplib_enable_rcfw_channel(&rdev->rcfw, + vid, db_offt, +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index 2b73bb433b88c..7e550432ccb14 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -153,8 +153,9 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw, + attr->max_srq_sges = sb->max_srq_sge; + attr->max_pkey = 1; + attr->max_inline_data = le32_to_cpu(sb->max_inline_data); +- attr->l2_db_size = (sb->l2_db_space_size + 1) * +- (0x01 << RCFW_DBR_BASE_PAGE_SHIFT); ++ if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx)) ++ attr->l2_db_size = (sb->l2_db_space_size + 1) * ++ (0x01 << RCFW_DBR_BASE_PAGE_SHIFT); + attr->max_sgid = BNXT_QPLIB_NUM_GIDS_SUPPORTED; + attr->dev_cap_flags = le16_to_cpu(sb->dev_cap_flags); + +-- +2.43.0 + diff --git a/queue-6.6/rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch b/queue-6.6/rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch new file mode 100644 index 00000000000..4cd3156e229 --- /dev/null +++ b/queue-6.6/rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch @@ -0,0 +1,42 @@ +From 4823f638846364973118db6f32d66c709f5a72c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 17:13:34 +0530 +Subject: RDMA/core: Fix ENODEV error for iWARP test over vlan + +From: Anumula Murali Mohan Reddy + +[ Upstream commit 5069d7e202f640a36cf213a432296c85113a52f7 ] + +If traffic is over vlan, cma_validate_port() fails to match vlan +net_device ifindex with bound_if_index and results in ENODEV error. +It is because rdma_copy_src_l2_addr() always assigns bound_if_index with +real net_device ifindex. +This patch fixes the issue by assigning bound_if_index with vlan +net_device index if traffic is over vlan. + +Fixes: f8ef1be816bf ("RDMA/cma: Avoid GID lookups on iWARP devices") +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Link: https://patch.msgid.link/20241008114334.146702-1-anumula@chelsio.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/addr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c +index f253295795f0a..fd78d678877c4 100644 +--- a/drivers/infiniband/core/addr.c ++++ b/drivers/infiniband/core/addr.c +@@ -269,6 +269,8 @@ rdma_find_ndev_for_src_ip_rcu(struct net *net, const struct sockaddr *src_in) + break; + #endif + } ++ if (!ret && dev && is_vlan_dev(dev)) ++ dev = vlan_dev_real_dev(dev); + return ret ? ERR_PTR(ret) : dev; + } + +-- +2.43.0 + diff --git a/queue-6.6/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch b/queue-6.6/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch new file mode 100644 index 00000000000..8a8db3183e2 --- /dev/null +++ b/queue-6.6/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch @@ -0,0 +1,65 @@ +From c05ef2e03d7744d1b4f5db4571c3b06dc7924103 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 18:53:11 +0530 +Subject: RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP + +From: Anumula Murali Mohan Reddy + +[ Upstream commit c659b405b82ead335bee6eb33f9691bf718e21e8 ] + +ip_dev_find() always returns real net_device address, whether traffic is +running on a vlan or real device, if traffic is over vlan, filling +endpoint struture with real ndev and an attempt to send a connect request +will results in RDMA_CM_EVENT_UNREACHABLE error. This patch fixes the +issue by using vlan_dev_real_dev(). + +Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address") +Link: https://patch.msgid.link/r/20241007132311.70593-1-anumula@chelsio.com +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index b3757c6a0457a..8d753e6e0c719 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -2086,7 +2086,7 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + err = -ENOMEM; + if (n->dev->flags & IFF_LOOPBACK) { + if (iptype == 4) +- pdev = ip_dev_find(&init_net, *(__be32 *)peer_ip); ++ pdev = __ip_dev_find(&init_net, *(__be32 *)peer_ip, false); + else if (IS_ENABLED(CONFIG_IPV6)) + for_each_netdev(&init_net, pdev) { + if (ipv6_chk_addr(&init_net, +@@ -2101,12 +2101,12 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + err = -ENODEV; + goto out; + } ++ if (is_vlan_dev(pdev)) ++ pdev = vlan_dev_real_dev(pdev); + ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t, + n, pdev, rt_tos2priority(tos)); +- if (!ep->l2t) { +- dev_put(pdev); ++ if (!ep->l2t) + goto out; +- } + ep->mtu = pdev->mtu; + ep->tx_chan = cxgb4_port_chan(pdev); + ep->smac_idx = ((struct port_info *)netdev_priv(pdev))->smt_idx; +@@ -2119,7 +2119,6 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + ep->rss_qid = cdev->rdev.lldi.rxq_ids[ + cxgb4_port_idx(pdev) * step]; + set_tcp_window(ep, (struct port_info *)netdev_priv(pdev)); +- dev_put(pdev); + } else { + pdev = get_real_dev(n->dev); + ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t, +-- +2.43.0 + diff --git a/queue-6.6/rdma-irdma-fix-misspelling-of-accept.patch b/queue-6.6/rdma-irdma-fix-misspelling-of-accept.patch new file mode 100644 index 00000000000..28ac042b356 --- /dev/null +++ b/queue-6.6/rdma-irdma-fix-misspelling-of-accept.patch @@ -0,0 +1,37 @@ +From 11adf49d89bc33e26330fb7783897117c4a76431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 18:19:13 +0200 +Subject: RDMA/irdma: Fix misspelling of "accept*" + +From: Alexander Zubkov + +[ Upstream commit 8cddfa535c931b8d8110c73bfed7354a94cbf891 ] + +There is "accept*" misspelled as "accpet*" in the comments. Fix the +spelling. + +Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager") +Link: https://patch.msgid.link/r/20241008161913.19965-1-green@qrator.net +Signed-off-by: Alexander Zubkov +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c +index 42d1e97710669..1916daa8c3323 100644 +--- a/drivers/infiniband/hw/irdma/cm.c ++++ b/drivers/infiniband/hw/irdma/cm.c +@@ -3630,7 +3630,7 @@ void irdma_free_lsmm_rsrc(struct irdma_qp *iwqp) + /** + * irdma_accept - registered call for connection to be accepted + * @cm_id: cm information for passive connection +- * @conn_param: accpet parameters ++ * @conn_param: accept parameters + */ + int irdma_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + { +-- +2.43.0 + diff --git a/queue-6.6/rdma-srpt-make-slab-cache-names-unique.patch b/queue-6.6/rdma-srpt-make-slab-cache-names-unique.patch new file mode 100644 index 00000000000..2d8376b562f --- /dev/null +++ b/queue-6.6/rdma-srpt-make-slab-cache-names-unique.patch @@ -0,0 +1,195 @@ +From 5abe11d8c0bc2a26890e215d888c9b809c3130db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 14:00:48 -0700 +Subject: RDMA/srpt: Make slab cache names unique + +From: Bart Van Assche + +[ Upstream commit 4d784c042d164f10fc809e2338457036cd7c653d ] + +Since commit 4c39529663b9 ("slab: Warn on duplicate cache names when +DEBUG_VM=y"), slab complains about duplicate cache names. Hence this +patch. The approach is as follows: +- Maintain an xarray with the slab size as index and a reference count + and a kmem_cache pointer as contents. Use srpt-${slab_size} as kmem + cache name. +- Use 512-byte alignment for all slabs instead of only for some of the + slabs. +- Increment the reference count instead of calling kmem_cache_create(). +- Decrement the reference count instead of calling kmem_cache_destroy(). + +Fixes: 5dabcd0456d7 ("RDMA/srpt: Add support for immediate data") +Link: https://patch.msgid.link/r/20241009210048.4122518-1-bvanassche@acm.org +Reported-by: Shinichiro Kawasaki +Closes: https://lore.kernel.org/linux-block/xpe6bea7rakpyoyfvspvin2dsozjmjtjktpph7rep3h25tv7fb@ooz4cu5z6bq6/ +Suggested-by: Jason Gunthorpe +Signed-off-by: Bart Van Assche +Tested-by: Shin'ichiro Kawasaki +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 80 +++++++++++++++++++++++---- + 1 file changed, 68 insertions(+), 12 deletions(-) + +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 45547bf281e31..4bebc34a2929b 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -68,6 +68,8 @@ MODULE_LICENSE("Dual BSD/GPL"); + static u64 srpt_service_guid; + static DEFINE_SPINLOCK(srpt_dev_lock); /* Protects srpt_dev_list. */ + static LIST_HEAD(srpt_dev_list); /* List of srpt_device structures. */ ++static DEFINE_MUTEX(srpt_mc_mutex); /* Protects srpt_memory_caches. */ ++static DEFINE_XARRAY(srpt_memory_caches); /* See also srpt_memory_cache_entry */ + + static unsigned srp_max_req_size = DEFAULT_MAX_REQ_SIZE; + module_param(srp_max_req_size, int, 0444); +@@ -105,6 +107,63 @@ static void srpt_recv_done(struct ib_cq *cq, struct ib_wc *wc); + static void srpt_send_done(struct ib_cq *cq, struct ib_wc *wc); + static void srpt_process_wait_list(struct srpt_rdma_ch *ch); + ++/* Type of the entries in srpt_memory_caches. */ ++struct srpt_memory_cache_entry { ++ refcount_t ref; ++ struct kmem_cache *c; ++}; ++ ++static struct kmem_cache *srpt_cache_get(unsigned int object_size) ++{ ++ struct srpt_memory_cache_entry *e; ++ char name[32]; ++ void *res; ++ ++ guard(mutex)(&srpt_mc_mutex); ++ e = xa_load(&srpt_memory_caches, object_size); ++ if (e) { ++ refcount_inc(&e->ref); ++ return e->c; ++ } ++ snprintf(name, sizeof(name), "srpt-%u", object_size); ++ e = kmalloc(sizeof(*e), GFP_KERNEL); ++ if (!e) ++ return NULL; ++ refcount_set(&e->ref, 1); ++ e->c = kmem_cache_create(name, object_size, /*align=*/512, 0, NULL); ++ if (!e->c) ++ goto free_entry; ++ res = xa_store(&srpt_memory_caches, object_size, e, GFP_KERNEL); ++ if (xa_is_err(res)) ++ goto destroy_cache; ++ return e->c; ++ ++destroy_cache: ++ kmem_cache_destroy(e->c); ++ ++free_entry: ++ kfree(e); ++ return NULL; ++} ++ ++static void srpt_cache_put(struct kmem_cache *c) ++{ ++ struct srpt_memory_cache_entry *e = NULL; ++ unsigned long object_size; ++ ++ guard(mutex)(&srpt_mc_mutex); ++ xa_for_each(&srpt_memory_caches, object_size, e) ++ if (e->c == c) ++ break; ++ if (WARN_ON_ONCE(!e)) ++ return; ++ if (!refcount_dec_and_test(&e->ref)) ++ return; ++ WARN_ON_ONCE(xa_erase(&srpt_memory_caches, object_size) != e); ++ kmem_cache_destroy(e->c); ++ kfree(e); ++} ++ + /* + * The only allowed channel state changes are those that change the channel + * state into a state with a higher numerical value. Hence the new > prev test. +@@ -2119,13 +2178,13 @@ static void srpt_release_channel_work(struct work_struct *w) + ch->sport->sdev, ch->rq_size, + ch->rsp_buf_cache, DMA_TO_DEVICE); + +- kmem_cache_destroy(ch->rsp_buf_cache); ++ srpt_cache_put(ch->rsp_buf_cache); + + srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_recv_ring, + sdev, ch->rq_size, + ch->req_buf_cache, DMA_FROM_DEVICE); + +- kmem_cache_destroy(ch->req_buf_cache); ++ srpt_cache_put(ch->req_buf_cache); + + kref_put(&ch->kref, srpt_free_ch); + } +@@ -2245,8 +2304,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev, + INIT_LIST_HEAD(&ch->cmd_wait_list); + ch->max_rsp_size = ch->sport->port_attrib.srp_max_rsp_size; + +- ch->rsp_buf_cache = kmem_cache_create("srpt-rsp-buf", ch->max_rsp_size, +- 512, 0, NULL); ++ ch->rsp_buf_cache = srpt_cache_get(ch->max_rsp_size); + if (!ch->rsp_buf_cache) + goto free_ch; + +@@ -2280,8 +2338,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev, + alignment_offset = round_up(imm_data_offset, 512) - + imm_data_offset; + req_sz = alignment_offset + imm_data_offset + srp_max_req_size; +- ch->req_buf_cache = kmem_cache_create("srpt-req-buf", req_sz, +- 512, 0, NULL); ++ ch->req_buf_cache = srpt_cache_get(req_sz); + if (!ch->req_buf_cache) + goto free_rsp_ring; + +@@ -2478,7 +2535,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev, + ch->req_buf_cache, DMA_FROM_DEVICE); + + free_recv_cache: +- kmem_cache_destroy(ch->req_buf_cache); ++ srpt_cache_put(ch->req_buf_cache); + + free_rsp_ring: + srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring, +@@ -2486,7 +2543,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev, + ch->rsp_buf_cache, DMA_TO_DEVICE); + + free_rsp_cache: +- kmem_cache_destroy(ch->rsp_buf_cache); ++ srpt_cache_put(ch->rsp_buf_cache); + + free_ch: + if (rdma_cm_id) +@@ -3055,7 +3112,7 @@ static void srpt_free_srq(struct srpt_device *sdev) + srpt_free_ioctx_ring((struct srpt_ioctx **)sdev->ioctx_ring, sdev, + sdev->srq_size, sdev->req_buf_cache, + DMA_FROM_DEVICE); +- kmem_cache_destroy(sdev->req_buf_cache); ++ srpt_cache_put(sdev->req_buf_cache); + sdev->srq = NULL; + } + +@@ -3082,8 +3139,7 @@ static int srpt_alloc_srq(struct srpt_device *sdev) + pr_debug("create SRQ #wr= %d max_allow=%d dev= %s\n", sdev->srq_size, + sdev->device->attrs.max_srq_wr, dev_name(&device->dev)); + +- sdev->req_buf_cache = kmem_cache_create("srpt-srq-req-buf", +- srp_max_req_size, 0, 0, NULL); ++ sdev->req_buf_cache = srpt_cache_get(srp_max_req_size); + if (!sdev->req_buf_cache) + goto free_srq; + +@@ -3105,7 +3161,7 @@ static int srpt_alloc_srq(struct srpt_device *sdev) + return 0; + + free_cache: +- kmem_cache_destroy(sdev->req_buf_cache); ++ srpt_cache_put(sdev->req_buf_cache); + + free_srq: + ib_destroy_srq(srq); +-- +2.43.0 + diff --git a/queue-6.6/riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch b/queue-6.6/riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch new file mode 100644 index 00000000000..d2437ef3b2f --- /dev/null +++ b/queue-6.6/riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch @@ -0,0 +1,89 @@ +From 8a732a04f6626a6c3aba840a08ac7f8ca03889ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2024 17:36:28 +0300 +Subject: riscv, bpf: Make BPF_CMPXCHG fully ordered +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrea Parri + +[ Upstream commit e59db0623f6955986d1be0880b351a1f56e7fd6d ] + +According to the prototype formal BPF memory consistency model +discussed e.g. in [1] and following the ordering properties of +the C/in-kernel macro atomic_cmpxchg(), a BPF atomic operation +with the BPF_CMPXCHG modifier is fully ordered. However, the +current RISC-V JIT lowerings fail to meet such memory ordering +property. This is illustrated by the following litmus test: + +BPF BPF__MP+success_cmpxchg+fence +{ + 0:r1=x; 0:r3=y; 0:r5=1; + 1:r2=y; 1:r4=f; 1:r7=x; +} + P0 | P1 ; + *(u64 *)(r1 + 0) = 1 | r1 = *(u64 *)(r2 + 0) ; + r2 = cmpxchg_64 (r3 + 0, r4, r5) | r3 = atomic_fetch_add((u64 *)(r4 + 0), r5) ; + | r6 = *(u64 *)(r7 + 0) ; +exists (1:r1=1 /\ 1:r6=0) + +whose "exists" clause is not satisfiable according to the BPF +memory model. Using the current RISC-V JIT lowerings, the test +can be mapped to the following RISC-V litmus test: + +RISCV RISCV__MP+success_cmpxchg+fence +{ + 0:x1=x; 0:x3=y; 0:x5=1; + 1:x2=y; 1:x4=f; 1:x7=x; +} + P0 | P1 ; + sd x5, 0(x1) | ld x1, 0(x2) ; + L00: | amoadd.d.aqrl x3, x5, 0(x4) ; + lr.d x2, 0(x3) | ld x6, 0(x7) ; + bne x2, x4, L01 | ; + sc.d x6, x5, 0(x3) | ; + bne x6, x4, L00 | ; + fence rw, rw | ; + L01: | ; +exists (1:x1=1 /\ 1:x6=0) + +where the two stores in P0 can be reordered. Update the RISC-V +JIT lowerings/implementation of BPF_CMPXCHG to emit an SC with +RELEASE ("rl") annotation in order to meet the expected memory +ordering guarantees. The resulting RISC-V JIT lowerings of +BPF_CMPXCHG match the RISC-V lowerings of the C atomic_cmpxchg(). + +Other lowerings were fixed via 20a759df3bba ("riscv, bpf: make +some atomic operations fully ordered"). + +Fixes: dd642ccb45ec ("riscv, bpf: Implement more atomic operations for RV64") +Signed-off-by: Andrea Parri +Signed-off-by: Daniel Borkmann +Reviewed-by: Puranjay Mohan +Acked-by: Björn Töpel +Link: https://lpc.events/event/18/contributions/1949/attachments/1665/3441/bpfmemmodel.2024.09.19p.pdf [1] +Link: https://lore.kernel.org/bpf/20241017143628.2673894-1-parri.andrea@gmail.com +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index 2f041b5cea970..26eeb39736319 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -555,8 +555,8 @@ static void emit_atomic(u8 rd, u8 rs, s16 off, s32 imm, bool is64, + rv_lr_w(r0, 0, rd, 0, 0), ctx); + jmp_offset = ninsns_rvoff(8); + emit(rv_bne(RV_REG_T2, r0, jmp_offset >> 1), ctx); +- emit(is64 ? rv_sc_d(RV_REG_T3, rs, rd, 0, 0) : +- rv_sc_w(RV_REG_T3, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_sc_d(RV_REG_T3, rs, rd, 0, 1) : ++ rv_sc_w(RV_REG_T3, rs, rd, 0, 1), ctx); + jmp_offset = ninsns_rvoff(-6); + emit(rv_bne(RV_REG_T3, 0, jmp_offset >> 1), ctx); + emit(rv_fence(0x3, 0x3), ctx); +-- +2.43.0 + diff --git a/queue-6.6/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch b/queue-6.6/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch new file mode 100644 index 00000000000..80717c3a985 --- /dev/null +++ b/queue-6.6/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch @@ -0,0 +1,38 @@ +From 9d41d3560575dc9fce646fb9c176716088ddcf81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 17:52:39 +0200 +Subject: s390: Initialize psw mask in perf_arch_fetch_caller_regs() + +From: Heiko Carstens + +[ Upstream commit 223e7fb979fa06934f1595b6ad0ae1d4ead1147f ] + +Also initialize regs->psw.mask in perf_arch_fetch_caller_regs(). +This way user_mode(regs) will return false, like it should. + +It looks like all current users initialize regs to zero, so that this +doesn't fix a bug currently. However it is better to not rely on callers +to do this. + +Fixes: 914d52e46490 ("s390: implement perf_arch_fetch_caller_regs") +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/perf_event.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/include/asm/perf_event.h b/arch/s390/include/asm/perf_event.h +index 9917e2717b2b4..66aff768f8151 100644 +--- a/arch/s390/include/asm/perf_event.h ++++ b/arch/s390/include/asm/perf_event.h +@@ -73,6 +73,7 @@ struct perf_sf_sde_regs { + #define SAMPLE_FREQ_MODE(hwc) (SAMPL_FLAGS(hwc) & PERF_CPUM_SF_FREQ_MODE) + + #define perf_arch_fetch_caller_regs(regs, __ip) do { \ ++ (regs)->psw.mask = 0; \ + (regs)->psw.addr = (__ip); \ + (regs)->gprs[15] = (unsigned long)__builtin_frame_address(0) - \ + offsetof(struct stack_frame, back_chain); \ +-- +2.43.0 + diff --git a/queue-6.6/s390-pci-handle-pci-error-codes-other-than-0x3a.patch b/queue-6.6/s390-pci-handle-pci-error-codes-other-than-0x3a.patch new file mode 100644 index 00000000000..d28a5d62341 --- /dev/null +++ b/queue-6.6/s390-pci-handle-pci-error-codes-other-than-0x3a.patch @@ -0,0 +1,65 @@ +From 8c4bac4cf809b14f66810491ccd1d7c242621727 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 14:01:39 +0200 +Subject: s390/pci: Handle PCI error codes other than 0x3a + +From: Niklas Schnelle + +[ Upstream commit 3cd03ea57e8e16cc78cc357d5e9f26078426f236 ] + +The Linux implementation of PCI error recovery for s390 was based on the +understanding that firmware error recovery is a two step process with an +optional initial error event to indicate the cause of the error if known +followed by either error event 0x3A (Success) or 0x3B (Failure) to +indicate whether firmware was able to recover. While this has been the +case in testing and the error cases seen in the wild it turns out this +is not correct. Instead firmware only generates 0x3A for some error and +service scenarios and expects the OS to perform recovery for all PCI +events codes except for those indicating permanent error (0x3B, 0x40) +and those indicating errors on the function measurement block (0x2A, +0x2B, 0x2C). Align Linux behavior with these expectations. + +Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery") +Reviewed-by: Gerd Bayer +Signed-off-by: Niklas Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_event.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c +index b9324ca2eb940..b3961f1016ea0 100644 +--- a/arch/s390/pci/pci_event.c ++++ b/arch/s390/pci/pci_event.c +@@ -272,18 +272,19 @@ static void __zpci_event_error(struct zpci_ccdf_err *ccdf) + goto no_pdev; + + switch (ccdf->pec) { +- case 0x003a: /* Service Action or Error Recovery Successful */ ++ case 0x002a: /* Error event concerns FMB */ ++ case 0x002b: ++ case 0x002c: ++ break; ++ case 0x0040: /* Service Action or Error Recovery Failed */ ++ case 0x003b: ++ zpci_event_io_failure(pdev, pci_channel_io_perm_failure); ++ break; ++ default: /* PCI function left in the error state attempt to recover */ + ers_res = zpci_event_attempt_error_recovery(pdev); + if (ers_res != PCI_ERS_RESULT_RECOVERED) + zpci_event_io_failure(pdev, pci_channel_io_perm_failure); + break; +- default: +- /* +- * Mark as frozen not permanently failed because the device +- * could be subsequently recovered by the platform. +- */ +- zpci_event_io_failure(pdev, pci_channel_io_frozen); +- break; + } + pci_dev_put(pdev); + no_pdev: +-- +2.43.0 + diff --git a/queue-6.6/sched-core-disable-page-allocation-in-task_tick_mm_c.patch b/queue-6.6/sched-core-disable-page-allocation-in-task_tick_mm_c.patch new file mode 100644 index 00000000000..338ec32e08a --- /dev/null +++ b/queue-6.6/sched-core-disable-page-allocation-in-task_tick_mm_c.patch @@ -0,0 +1,132 @@ +From 3c2218fd9d59b14e7a365fa96c3b22b6f1525d7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 21:44:32 -0400 +Subject: sched/core: Disable page allocation in task_tick_mm_cid() + +From: Waiman Long + +[ Upstream commit 73ab05aa46b02d96509cb029a8d04fca7bbde8c7 ] + +With KASAN and PREEMPT_RT enabled, calling task_work_add() in +task_tick_mm_cid() may cause the following splat. + +[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 +[ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe +[ 63.696416] preempt_count: 10001, expected: 0 +[ 63.696416] RCU nest depth: 1, expected: 1 + +This problem is caused by the following call trace. + + sched_tick() [ acquire rq->__lock ] + -> task_tick_mm_cid() + -> task_work_add() + -> __kasan_record_aux_stack() + -> kasan_save_stack() + -> stack_depot_save_flags() + -> alloc_pages_mpol_noprof() + -> __alloc_pages_noprof() + -> get_page_from_freelist() + -> rmqueue() + -> rmqueue_pcplist() + -> __rmqueue_pcplist() + -> rmqueue_bulk() + -> rt_spin_lock() + +The rq lock is a raw_spinlock_t. We can't sleep while holding +it. IOW, we can't call alloc_pages() in stack_depot_save_flags(). + +The task_tick_mm_cid() function with its task_work_add() call was +introduced by commit 223baf9d17f2 ("sched: Fix performance regression +introduced by mm_cid") in v6.4 kernel. + +Fortunately, there is a kasan_record_aux_stack_noalloc() variant that +calls stack_depot_save_flags() while not allowing it to allocate +new pages. To allow task_tick_mm_cid() to use task_work without +page allocation, a new TWAF_NO_ALLOC flag is added to enable calling +kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack() +if set. The task_tick_mm_cid() function is modified to add this new flag. + +The possible downside is the missing stack trace in a KASAN report due +to new page allocation required when task_work_add_noallloc() is called +which should be rare. + +Fixes: 223baf9d17f2 ("sched: Fix performance regression introduced by mm_cid") +Signed-off-by: Waiman Long +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20241010014432.194742-1-longman@redhat.com +Signed-off-by: Sasha Levin +--- + include/linux/task_work.h | 5 ++++- + kernel/sched/core.c | 4 +++- + kernel/task_work.c | 15 +++++++++++++-- + 3 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/include/linux/task_work.h b/include/linux/task_work.h +index cf5e7e891a776..2964171856e00 100644 +--- a/include/linux/task_work.h ++++ b/include/linux/task_work.h +@@ -14,11 +14,14 @@ init_task_work(struct callback_head *twork, task_work_func_t func) + } + + enum task_work_notify_mode { +- TWA_NONE, ++ TWA_NONE = 0, + TWA_RESUME, + TWA_SIGNAL, + TWA_SIGNAL_NO_IPI, + TWA_NMI_CURRENT, ++ ++ TWA_FLAGS = 0xff00, ++ TWAF_NO_ALLOC = 0x0100, + }; + + static inline bool task_work_pending(struct task_struct *task) +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 9b406d9886541..b6f922a20f83a 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -12050,7 +12050,9 @@ void task_tick_mm_cid(struct rq *rq, struct task_struct *curr) + return; + if (time_before(now, READ_ONCE(curr->mm->mm_cid_next_scan))) + return; +- task_work_add(curr, work, TWA_RESUME); ++ ++ /* No page allocation under rq lock */ ++ task_work_add(curr, work, TWA_RESUME | TWAF_NO_ALLOC); + } + + void sched_mm_cid_exit_signals(struct task_struct *t) +diff --git a/kernel/task_work.c b/kernel/task_work.c +index 5c2daa7ad3f90..8aa43204cb7dd 100644 +--- a/kernel/task_work.c ++++ b/kernel/task_work.c +@@ -53,13 +53,24 @@ int task_work_add(struct task_struct *task, struct callback_head *work, + enum task_work_notify_mode notify) + { + struct callback_head *head; ++ int flags = notify & TWA_FLAGS; + ++ notify &= ~TWA_FLAGS; + if (notify == TWA_NMI_CURRENT) { + if (WARN_ON_ONCE(task != current)) + return -EINVAL; + } else { +- /* record the work call stack in order to print it in KASAN reports */ +- kasan_record_aux_stack(work); ++ /* ++ * Record the work call stack in order to print it in KASAN ++ * reports. ++ * ++ * Note that stack allocation can fail if TWAF_NO_ALLOC flag ++ * is set and new page is needed to expand the stack buffer. ++ */ ++ if (flags & TWAF_NO_ALLOC) ++ kasan_record_aux_stack_noalloc(work); ++ else ++ kasan_record_aux_stack(work); + } + + head = READ_ONCE(task->task_works); +-- +2.43.0 + diff --git a/queue-6.6/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch b/queue-6.6/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch new file mode 100644 index 00000000000..024aea5467b --- /dev/null +++ b/queue-6.6/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch @@ -0,0 +1,54 @@ +From edf3ce9f550835e178a339413f5f87807f395706 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 19:34:44 +0800 +Subject: scsi: target: core: Fix null-ptr-deref in target_alloc_device() + +From: Wang Hai + +[ Upstream commit fca6caeb4a61d240f031914413fcc69534f6dc03 ] + +There is a null-ptr-deref issue reported by KASAN: + +BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod] +... + kasan_report+0xb9/0xf0 + target_alloc_device+0xbc4/0xbe0 [target_core_mod] + core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod] + target_core_init_configfs+0x205/0x420 [target_core_mod] + do_one_initcall+0xdd/0x4e0 +... + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +In target_alloc_device(), if allocing memory for dev queues fails, then +dev will be freed by dev->transport->free_device(), but dev->transport +is not initialized at that time, which will lead to a null pointer +reference problem. + +Fixing this bug by freeing dev with hba->backend->ops->free_device(). + +Fixes: 1526d9f10c61 ("scsi: target: Make state_list per CPU") +Signed-off-by: Wang Hai +Link: https://lore.kernel.org/r/20241011113444.40749-1-wanghai38@huawei.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 86590a7e29f6a..dd041ee18ac9b 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -692,7 +692,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) + + dev->queues = kcalloc(nr_cpu_ids, sizeof(*dev->queues), GFP_KERNEL); + if (!dev->queues) { +- dev->transport->free_device(dev); ++ hba->backend->ops->free_device(dev); + return NULL; + } + +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-add-cookies-check-for-perf_event-fill_.patch b/queue-6.6/selftests-bpf-add-cookies-check-for-perf_event-fill_.patch new file mode 100644 index 00000000000..b008d58cd3d --- /dev/null +++ b/queue-6.6/selftests-bpf-add-cookies-check-for-perf_event-fill_.patch @@ -0,0 +1,113 @@ +From afb9a8cfb5e85f124dd3c6ccc33c52bca9635a4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 12:05:02 +0100 +Subject: selftests/bpf: Add cookies check for perf_event fill_link_info test + +From: Jiri Olsa + +[ Upstream commit d74179708473c649c653f1db280e29875a532e99 ] + +Now that we get cookies for perf_event probes, adding tests +for cookie for kprobe/uprobe/tracepoint. + +The perf_event test needs to be added completely and is coming +in following change. + +Signed-off-by: Jiri Olsa +Acked-by: Song Liu +Link: https://lore.kernel.org/r/20240119110505.400573-6-jolsa@kernel.org +Signed-off-by: Alexei Starovoitov +Stable-dep-of: 4538a38f654a ("selftests/bpf: fix perf_event link info name_len assertion") +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/prog_tests/fill_link_info.c | 26 +++++++++++++++---- + 1 file changed, 21 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c +index 7db7f9bd9d58e..9eb93258614f9 100644 +--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c ++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c +@@ -30,6 +30,8 @@ static noinline void uprobe_func(void) + asm volatile (""); + } + ++#define PERF_EVENT_COOKIE 0xdeadbeef ++ + static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long addr, + ssize_t offset, ssize_t entry_offset) + { +@@ -61,6 +63,8 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add + ASSERT_EQ(info.perf_event.kprobe.addr, addr + entry_offset, + "kprobe_addr"); + ++ ASSERT_EQ(info.perf_event.kprobe.cookie, PERF_EVENT_COOKIE, "kprobe_cookie"); ++ + if (!info.perf_event.kprobe.func_name) { + ASSERT_EQ(info.perf_event.kprobe.name_len, 0, "name_len"); + info.perf_event.kprobe.func_name = ptr_to_u64(&buf); +@@ -80,6 +84,8 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add + goto again; + } + ++ ASSERT_EQ(info.perf_event.tracepoint.cookie, PERF_EVENT_COOKIE, "tracepoint_cookie"); ++ + err = strncmp(u64_to_ptr(info.perf_event.tracepoint.tp_name), TP_NAME, + strlen(TP_NAME)); + ASSERT_EQ(err, 0, "cmp_tp_name"); +@@ -95,6 +101,8 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add + goto again; + } + ++ ASSERT_EQ(info.perf_event.uprobe.cookie, PERF_EVENT_COOKIE, "uprobe_cookie"); ++ + err = strncmp(u64_to_ptr(info.perf_event.uprobe.file_name), UPROBE_FILE, + strlen(UPROBE_FILE)); + ASSERT_EQ(err, 0, "cmp_file_name"); +@@ -138,6 +146,7 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel, + DECLARE_LIBBPF_OPTS(bpf_kprobe_opts, opts, + .attach_mode = PROBE_ATTACH_MODE_LINK, + .retprobe = type == BPF_PERF_EVENT_KRETPROBE, ++ .bpf_cookie = PERF_EVENT_COOKIE, + ); + ssize_t entry_offset = 0; + struct bpf_link *link; +@@ -162,10 +171,13 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel, + + static void test_tp_fill_link_info(struct test_fill_link_info *skel) + { ++ DECLARE_LIBBPF_OPTS(bpf_tracepoint_opts, opts, ++ .bpf_cookie = PERF_EVENT_COOKIE, ++ ); + struct bpf_link *link; + int link_fd, err; + +- link = bpf_program__attach_tracepoint(skel->progs.tp_run, TP_CAT, TP_NAME); ++ link = bpf_program__attach_tracepoint_opts(skel->progs.tp_run, TP_CAT, TP_NAME, &opts); + if (!ASSERT_OK_PTR(link, "attach_tp")) + return; + +@@ -178,13 +190,17 @@ static void test_tp_fill_link_info(struct test_fill_link_info *skel) + static void test_uprobe_fill_link_info(struct test_fill_link_info *skel, + enum bpf_perf_event_type type) + { ++ DECLARE_LIBBPF_OPTS(bpf_uprobe_opts, opts, ++ .retprobe = type == BPF_PERF_EVENT_URETPROBE, ++ .bpf_cookie = PERF_EVENT_COOKIE, ++ ); + struct bpf_link *link; + int link_fd, err; + +- link = bpf_program__attach_uprobe(skel->progs.uprobe_run, +- type == BPF_PERF_EVENT_URETPROBE, +- 0, /* self pid */ +- UPROBE_FILE, uprobe_offset); ++ link = bpf_program__attach_uprobe_opts(skel->progs.uprobe_run, ++ 0, /* self pid */ ++ UPROBE_FILE, uprobe_offset, ++ &opts); + if (!ASSERT_OK_PTR(link, "attach_uprobe")) + return; + +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-cross-compiling-urandom_read.patch b/queue-6.6/selftests-bpf-fix-cross-compiling-urandom_read.patch new file mode 100644 index 00000000000..7564300f003 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-cross-compiling-urandom_read.patch @@ -0,0 +1,41 @@ +From 3567b5adfc612cbfc420950c27c3d70bc4eff317 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 21:07:20 -0700 +Subject: selftests/bpf: Fix cross-compiling urandom_read + +From: Tony Ambardar + +[ Upstream commit fd526e121c4d6f71aed82d21a8b8277b03e60b43 ] + +Linking of urandom_read and liburandom_read.so prefers LLVM's 'ld.lld' but +falls back to using 'ld' if unsupported. However, this fallback discards +any existing makefile macro for LD and can break cross-compilation. + +Fix by changing the fallback to use the target linker $(LD), passed via +'-fuse-ld=' using an absolute path rather than a linker "flavour". + +Fixes: 08c79c9cd67f ("selftests/bpf: Don't force lld on non-x86 architectures") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20241009040720.635260-1-tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index ab364e95a9b23..f5a3a84fac955 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -200,7 +200,7 @@ $(OUTPUT)/%:%.c + ifeq ($(SRCARCH),x86) + LLD := lld + else +-LLD := ld ++LLD := $(shell command -v $(LD)) + endif + + # Filter out -static for liburandom_read.so and its dependent targets so that static builds +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-perf_event-link-info-name_len-asse.patch b/queue-6.6/selftests-bpf-fix-perf_event-link-info-name_len-asse.patch new file mode 100644 index 00000000000..d9bfcc5f90a --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-perf_event-link-info-name_len-asse.patch @@ -0,0 +1,63 @@ +From 1ebc1cc49eeba301123d44e88a582312fd685cec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 16:43:12 +0000 +Subject: selftests/bpf: fix perf_event link info name_len assertion + +From: Tyrone Wu + +[ Upstream commit 4538a38f654a1c292fe489a9b66179262bfed088 ] + +Fix `name_len` field assertions in `bpf_link_info.perf_event` for +kprobe/uprobe/tracepoint to validate correct name size instead of 0. + +Fixes: 23cf7aa539dc ("selftests/bpf: Add selftest for fill_link_info") +Signed-off-by: Tyrone Wu +Acked-by: Jiri Olsa +Acked-by: Yafang Shao +Link: https://lore.kernel.org/r/20241008164312.46269-2-wudevelops@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/fill_link_info.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c +index 9eb93258614f9..5b0c6a04cdbfe 100644 +--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c ++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c +@@ -65,8 +65,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add + + ASSERT_EQ(info.perf_event.kprobe.cookie, PERF_EVENT_COOKIE, "kprobe_cookie"); + ++ ASSERT_EQ(info.perf_event.kprobe.name_len, strlen(KPROBE_FUNC) + 1, ++ "name_len"); + if (!info.perf_event.kprobe.func_name) { +- ASSERT_EQ(info.perf_event.kprobe.name_len, 0, "name_len"); + info.perf_event.kprobe.func_name = ptr_to_u64(&buf); + info.perf_event.kprobe.name_len = sizeof(buf); + goto again; +@@ -77,8 +78,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add + ASSERT_EQ(err, 0, "cmp_kprobe_func_name"); + break; + case BPF_PERF_EVENT_TRACEPOINT: ++ ASSERT_EQ(info.perf_event.tracepoint.name_len, strlen(TP_NAME) + 1, ++ "name_len"); + if (!info.perf_event.tracepoint.tp_name) { +- ASSERT_EQ(info.perf_event.tracepoint.name_len, 0, "name_len"); + info.perf_event.tracepoint.tp_name = ptr_to_u64(&buf); + info.perf_event.tracepoint.name_len = sizeof(buf); + goto again; +@@ -94,8 +96,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add + case BPF_PERF_EVENT_URETPROBE: + ASSERT_EQ(info.perf_event.uprobe.offset, offset, "uprobe_offset"); + ++ ASSERT_EQ(info.perf_event.uprobe.name_len, strlen(UPROBE_FILE) + 1, ++ "name_len"); + if (!info.perf_event.uprobe.file_name) { +- ASSERT_EQ(info.perf_event.uprobe.name_len, 0, "name_len"); + info.perf_event.uprobe.file_name = ptr_to_u64(&buf); + info.perf_event.uprobe.name_len = sizeof(buf); + goto again; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-use-bpf_link__destroy-in-fill_link_inf.patch b/queue-6.6/selftests-bpf-use-bpf_link__destroy-in-fill_link_inf.patch new file mode 100644 index 00000000000..c7d9e755a93 --- /dev/null +++ b/queue-6.6/selftests-bpf-use-bpf_link__destroy-in-fill_link_inf.patch @@ -0,0 +1,134 @@ +From 8b29b8ac97de278e2ad336a4f5713e6b1e3afb89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Nov 2023 20:31:28 +0100 +Subject: selftests/bpf: Use bpf_link__destroy in fill_link_info tests + +From: Jiri Olsa + +[ Upstream commit 1703612885723869064f18e8816c6f3f87987748 ] + +The fill_link_info test keeps skeleton open and just creates +various links. We are wrongly calling bpf_link__detach after +each test to close them, we need to call bpf_link__destroy. + +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Acked-by: Yafang Shao +Link: https://lore.kernel.org/bpf/20231125193130.834322-5-jolsa@kernel.org +Stable-dep-of: 4538a38f654a ("selftests/bpf: fix perf_event link info name_len assertion") +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/prog_tests/fill_link_info.c | 44 ++++++++++--------- + 1 file changed, 23 insertions(+), 21 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c +index 9d768e0837149..7db7f9bd9d58e 100644 +--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c ++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c +@@ -140,14 +140,14 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel, + .retprobe = type == BPF_PERF_EVENT_KRETPROBE, + ); + ssize_t entry_offset = 0; ++ struct bpf_link *link; + int link_fd, err; + +- skel->links.kprobe_run = bpf_program__attach_kprobe_opts(skel->progs.kprobe_run, +- KPROBE_FUNC, &opts); +- if (!ASSERT_OK_PTR(skel->links.kprobe_run, "attach_kprobe")) ++ link = bpf_program__attach_kprobe_opts(skel->progs.kprobe_run, KPROBE_FUNC, &opts); ++ if (!ASSERT_OK_PTR(link, "attach_kprobe")) + return; + +- link_fd = bpf_link__fd(skel->links.kprobe_run); ++ link_fd = bpf_link__fd(link); + if (!invalid) { + /* See also arch_adjust_kprobe_addr(). */ + if (skel->kconfig->CONFIG_X86_KERNEL_IBT) +@@ -157,39 +157,41 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel, + } else { + kprobe_fill_invalid_user_buffer(link_fd); + } +- bpf_link__detach(skel->links.kprobe_run); ++ bpf_link__destroy(link); + } + + static void test_tp_fill_link_info(struct test_fill_link_info *skel) + { ++ struct bpf_link *link; + int link_fd, err; + +- skel->links.tp_run = bpf_program__attach_tracepoint(skel->progs.tp_run, TP_CAT, TP_NAME); +- if (!ASSERT_OK_PTR(skel->links.tp_run, "attach_tp")) ++ link = bpf_program__attach_tracepoint(skel->progs.tp_run, TP_CAT, TP_NAME); ++ if (!ASSERT_OK_PTR(link, "attach_tp")) + return; + +- link_fd = bpf_link__fd(skel->links.tp_run); ++ link_fd = bpf_link__fd(link); + err = verify_perf_link_info(link_fd, BPF_PERF_EVENT_TRACEPOINT, 0, 0, 0); + ASSERT_OK(err, "verify_perf_link_info"); +- bpf_link__detach(skel->links.tp_run); ++ bpf_link__destroy(link); + } + + static void test_uprobe_fill_link_info(struct test_fill_link_info *skel, + enum bpf_perf_event_type type) + { ++ struct bpf_link *link; + int link_fd, err; + +- skel->links.uprobe_run = bpf_program__attach_uprobe(skel->progs.uprobe_run, +- type == BPF_PERF_EVENT_URETPROBE, +- 0, /* self pid */ +- UPROBE_FILE, uprobe_offset); +- if (!ASSERT_OK_PTR(skel->links.uprobe_run, "attach_uprobe")) ++ link = bpf_program__attach_uprobe(skel->progs.uprobe_run, ++ type == BPF_PERF_EVENT_URETPROBE, ++ 0, /* self pid */ ++ UPROBE_FILE, uprobe_offset); ++ if (!ASSERT_OK_PTR(link, "attach_uprobe")) + return; + +- link_fd = bpf_link__fd(skel->links.uprobe_run); ++ link_fd = bpf_link__fd(link); + err = verify_perf_link_info(link_fd, type, 0, uprobe_offset, 0); + ASSERT_OK(err, "verify_perf_link_info"); +- bpf_link__detach(skel->links.uprobe_run); ++ bpf_link__destroy(link); + } + + static int verify_kmulti_link_info(int fd, bool retprobe) +@@ -278,24 +280,24 @@ static void test_kprobe_multi_fill_link_info(struct test_fill_link_info *skel, + bool retprobe, bool invalid) + { + LIBBPF_OPTS(bpf_kprobe_multi_opts, opts); ++ struct bpf_link *link; + int link_fd, err; + + opts.syms = kmulti_syms; + opts.cnt = KMULTI_CNT; + opts.retprobe = retprobe; +- skel->links.kmulti_run = bpf_program__attach_kprobe_multi_opts(skel->progs.kmulti_run, +- NULL, &opts); +- if (!ASSERT_OK_PTR(skel->links.kmulti_run, "attach_kprobe_multi")) ++ link = bpf_program__attach_kprobe_multi_opts(skel->progs.kmulti_run, NULL, &opts); ++ if (!ASSERT_OK_PTR(link, "attach_kprobe_multi")) + return; + +- link_fd = bpf_link__fd(skel->links.kmulti_run); ++ link_fd = bpf_link__fd(link); + if (!invalid) { + err = verify_kmulti_link_info(link_fd, retprobe); + ASSERT_OK(err, "verify_kmulti_link_info"); + } else { + verify_kmulti_invalid_user_buffer(link_fd); + } +- bpf_link__detach(skel->links.kmulti_run); ++ bpf_link__destroy(link); + } + + void test_fill_link_info(void) +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index e69de29bb2d..97f0cec414c 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -0,0 +1,106 @@ +iio-accel-bma400-fix-uninitialized-variable-field_va.patch +bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch +bpf-devmap-provide-rxq-after-redirect.patch +cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch +lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch +bpf-fix-memory-leak-in-bpf_core_apply.patch +rdma-bnxt_re-fix-a-possible-memory-leak.patch +rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch +rdma-bnxt_re-add-a-check-for-memory-allocation.patch +rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch +x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch +arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch +bpf-add-missed-value-to-kprobe-perf-link-info.patch +bpf-add-cookie-to-perf_event-bpf_link_info-records.patch +bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch +selftests-bpf-use-bpf_link__destroy-in-fill_link_inf.patch +selftests-bpf-add-cookies-check-for-perf_event-fill_.patch +selftests-bpf-fix-perf_event-link-info-name_len-asse.patch +s390-pci-handle-pci-error-codes-other-than-0x3a.patch +bpf-fix-kfunc-btf-caching-for-modules.patch +iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch +iio-frequency-admv4420-fix-missing-select-remap_spi-.patch +drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch +selftests-bpf-fix-cross-compiling-urandom_read.patch +task_work-add-twa_nmi_current-as-an-additional-notif.patch +sched-core-disable-page-allocation-in-task_tick_mm_c.patch +alsa-hda-cs8409-fix-possible-null-dereference.patch +firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch +rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch +rdma-irdma-fix-misspelling-of-accept.patch +rdma-srpt-make-slab-cache-names-unique.patch +ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch +rdma-bnxt_re-support-new-5760x-p7-devices.patch +rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch +rdma-bnxt_re-fix-out-of-bound-check.patch +rdma-bnxt_re-return-more-meaningful-error.patch +rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch +rdma-bnxt_re-update-the-bar-offsets.patch +rdma-bnxt_re-fix-the-gid-table-length.patch +accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch +drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch +drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch +drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch +drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch +drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch +drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch +firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch +net-smc-fix-memory-leak-when-using-percpu-refs.patch +net-usb-usbnet-fix-race-in-probe-failure.patch +net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch +octeontx2-af-fix-potential-integer-overflows-on-inte.patch +drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch +macsec-don-t-increment-counters-for-an-unrelated-sa.patch +netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch +net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch +net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch +net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch +bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch +net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch +irqchip-renesas-rzg2l-align-struct-member-names-to-t.patch +irqchip-renesas-rzg2l-document-structure-members.patch +irqchip-renesas-rzg2l-add-support-for-suspend-to-ram.patch +irqchip-renesas-rzg2l-fix-missing-put_device.patch +drm-msm-dpu-don-t-always-program-merge_3d-block.patch +net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch +tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch +net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch +genetlink-hold-rcu-in-genlmsg_mcast.patch +ravb-remove-setting-of-rx-software-timestamp.patch +net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch +scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch +smb-client-fix-possible-double-free-in-smb2_set_ea.patch +smb-client-fix-oobs-when-building-smb2_ioctl-request.patch +usb-typec-altmode-should-keep-reference-to-parent.patch +s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch +bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch +bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch +vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch +net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch +net-mlx5-fix-command-bitmask-initialization.patch +net-mlx5-unregister-notifier-on-eswitch-init-failure.patch +bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch +vsock-update-rx_bytes-on-read_skb.patch +vsock-update-msg_count-on-read_skb.patch +bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch +riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch +nvme-pci-set-doorbell-config-before-unquiescing.patch +nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch +bpf-fix-iter-task-tid-filtering.patch +cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch +mm-khugepaged-convert-alloc_charge_hpage-to-use-foli.patch +mm-convert-collapse_huge_page-to-use-a-folio.patch +mm-khugepaged-use-a-folio-more-in-collapse_file.patch +khugepaged-inline-hpage_collapse_alloc_folio.patch +khugepaged-convert-alloc_charge_hpage-to-alloc_charg.patch +khugepaged-remove-hpage-from-collapse_file.patch +mm-khugepaged-fix-the-arguments-order-in-khugepaged_.patch +iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch +xhci-dbgtty-remove-kfifo_out-wrapper.patch +xhci-dbgtty-use-kfifo-from-tty_port-struct.patch +xhci-dbc-honor-usb-transfer-size-boundaries.patch +usb-gadget-f_uac2-replace-snprintf-with-the-safer-sc.patch +usb-gadget-f_uac2-fix-non-newline-terminated-functio.patch +usb-gadget-f_uac2-fix-return-value-for-uac2_attribut.patch +xhci-separate-port-and-caps-macros-into-dedicated-fi.patch +usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch diff --git a/queue-6.6/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch b/queue-6.6/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch new file mode 100644 index 00000000000..7b2bbc9b9c4 --- /dev/null +++ b/queue-6.6/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch @@ -0,0 +1,107 @@ +From 25ad60a90215e41f62c8a537eaae9a80d29f935c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 19:04:04 -0300 +Subject: smb: client: fix OOBs when building SMB2_IOCTL request + +From: Paulo Alcantara + +[ Upstream commit 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 ] + +When using encryption, either enforced by the server or when using +'seal' mount option, the client will squash all compound request buffers +down for encryption into a single iov in smb2_set_next_command(). + +SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the +SMB2_IOCTL request in the first iov, and if the user passes an input +buffer that is greater than 328 bytes, smb2_set_next_command() will +end up writing off the end of @rqst->iov[0].iov_base as shown below: + + mount.cifs //srv/share /mnt -o ...,seal + ln -s $(perl -e "print('a')for 1..1024") /mnt/link + + BUG: KASAN: slab-out-of-bounds in + smb2_set_next_command.cold+0x1d6/0x24c [cifs] + Write of size 4116 at addr ffff8881148fcab8 by task ln/859 + + CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS + 1.16.3-2.fc40 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x80 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + print_report+0x156/0x4d9 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + ? __virt_addr_valid+0x145/0x310 + ? __phys_addr+0x46/0x90 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + kasan_report+0xda/0x110 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + kasan_check_range+0x10f/0x1f0 + __asan_memcpy+0x3c/0x60 + smb2_set_next_command.cold+0x1d6/0x24c [cifs] + smb2_compound_op+0x238c/0x3840 [cifs] + ? kasan_save_track+0x14/0x30 + ? kasan_save_free_info+0x3b/0x70 + ? vfs_symlink+0x1a1/0x2c0 + ? do_symlinkat+0x108/0x1c0 + ? __pfx_smb2_compound_op+0x10/0x10 [cifs] + ? kmem_cache_free+0x118/0x3e0 + ? cifs_get_writable_path+0xeb/0x1a0 [cifs] + smb2_get_reparse_inode+0x423/0x540 [cifs] + ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs] + ? rcu_is_watching+0x20/0x50 + ? __kmalloc_noprof+0x37c/0x480 + ? smb2_create_reparse_symlink+0x257/0x490 [cifs] + ? smb2_create_reparse_symlink+0x38f/0x490 [cifs] + smb2_create_reparse_symlink+0x38f/0x490 [cifs] + ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] + ? find_held_lock+0x8a/0xa0 + ? hlock_class+0x32/0xb0 + ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs] + cifs_symlink+0x24f/0x960 [cifs] + ? __pfx_make_vfsuid+0x10/0x10 + ? __pfx_cifs_symlink+0x10/0x10 [cifs] + ? make_vfsgid+0x6b/0xc0 + ? generic_permission+0x96/0x2d0 + vfs_symlink+0x1a1/0x2c0 + do_symlinkat+0x108/0x1c0 + ? __pfx_do_symlinkat+0x10/0x10 + ? strncpy_from_user+0xaa/0x160 + __x64_sys_symlinkat+0xb9/0xf0 + do_syscall_64+0xbb/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7f08d75c13bb + +Reported-by: David Howells +Fixes: e77fe73c7e38 ("cifs: we can not use small padding iovs together with encryption") +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2pdu.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c +index 83a03201bb862..a86a3fbfb5a49 100644 +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -3300,6 +3300,15 @@ SMB2_ioctl_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server, + return rc; + + if (indatalen) { ++ unsigned int len; ++ ++ if (WARN_ON_ONCE(smb3_encryption_required(tcon) && ++ (check_add_overflow(total_len - 1, ++ ALIGN(indatalen, 8), &len) || ++ len > MAX_CIFS_SMALL_BUFFER_SIZE))) { ++ cifs_small_buf_release(req); ++ return -EIO; ++ } + /* + * indatalen is usually small at a couple of bytes max, so + * just allocate through generic pool +-- +2.43.0 + diff --git a/queue-6.6/smb-client-fix-possible-double-free-in-smb2_set_ea.patch b/queue-6.6/smb-client-fix-possible-double-free-in-smb2_set_ea.patch new file mode 100644 index 00000000000..4b9ea643730 --- /dev/null +++ b/queue-6.6/smb-client-fix-possible-double-free-in-smb2_set_ea.patch @@ -0,0 +1,59 @@ +From ec49a220243c32ab6b5ee7b287112908fbd53eee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 18:20:37 +0800 +Subject: smb: client: fix possible double free in smb2_set_ea() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Su Hui + +[ Upstream commit 19ebc1e6cab334a8193398d4152deb76019b5d34 ] + +Clang static checker(scan-build) warning: +fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory. + 1304 | kfree(ea); + | ^~~~~~~~~ + +There is a double free in such case: +'ea is initialized to NULL' -> 'first successful memory allocation for +ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea' +-> 'goto replay_again' -> 'second goto sea_exit before allocate memory +for ea' -> 'second memory release for ea resulted in double free'. + +Re-initialie 'ea' to NULL near to the replay_again label, it can fix this +double free problem. + +Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") +Reviewed-by: Dan Carpenter +Signed-off-by: Su Hui +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2ops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c +index 450e3050324c6..ab6e79be2c15d 100644 +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -1122,7 +1122,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon, + struct cifs_fid fid; + unsigned int size[1]; + void *data[1]; +- struct smb2_file_full_ea_info *ea = NULL; ++ struct smb2_file_full_ea_info *ea; + struct smb2_query_info_rsp *rsp; + int rc, used_len = 0; + int retries = 0, cur_sleep = 1; +@@ -1143,6 +1143,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon, + if (!utf16_path) + return -ENOMEM; + ++ ea = NULL; + resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER; + vars = kzalloc(sizeof(*vars), GFP_KERNEL); + if (!vars) { +-- +2.43.0 + diff --git a/queue-6.6/task_work-add-twa_nmi_current-as-an-additional-notif.patch b/queue-6.6/task_work-add-twa_nmi_current-as-an-additional-notif.patch new file mode 100644 index 00000000000..65605898d59 --- /dev/null +++ b/queue-6.6/task_work-add-twa_nmi_current-as-an-additional-notif.patch @@ -0,0 +1,114 @@ +From 1afb31e5d0133295e6d94bb678f382e288029092 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jul 2024 19:03:36 +0200 +Subject: task_work: Add TWA_NMI_CURRENT as an additional notify mode. + +From: Sebastian Andrzej Siewior + +[ Upstream commit 466e4d801cd438a1ab2c8a2cce1bef6b65c31bbb ] + +Adding task_work from NMI context requires the following: +- The kasan_record_aux_stack() is not NMU safe and must be avoided. +- Using TWA_RESUME is NMI safe. If the NMI occurs while the CPU is in + userland then it will continue in userland and not invoke the `work' + callback. + +Add TWA_NMI_CURRENT as an additional notify mode. In this mode skip +kasan and use irq_work in hardirq-mode to for needed interrupt. Set +TIF_NOTIFY_RESUME within the irq_work callback due to k[ac]san +instrumentation in test_and_set_bit() which does not look NMI safe in +case of a report. + +Suggested-by: Peter Zijlstra +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20240704170424.1466941-3-bigeasy@linutronix.de +Stable-dep-of: 73ab05aa46b0 ("sched/core: Disable page allocation in task_tick_mm_cid()") +Signed-off-by: Sasha Levin +--- + include/linux/task_work.h | 1 + + kernel/task_work.c | 24 +++++++++++++++++++++--- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/include/linux/task_work.h b/include/linux/task_work.h +index 26b8a47f41fca..cf5e7e891a776 100644 +--- a/include/linux/task_work.h ++++ b/include/linux/task_work.h +@@ -18,6 +18,7 @@ enum task_work_notify_mode { + TWA_RESUME, + TWA_SIGNAL, + TWA_SIGNAL_NO_IPI, ++ TWA_NMI_CURRENT, + }; + + static inline bool task_work_pending(struct task_struct *task) +diff --git a/kernel/task_work.c b/kernel/task_work.c +index 2134ac8057a94..5c2daa7ad3f90 100644 +--- a/kernel/task_work.c ++++ b/kernel/task_work.c +@@ -1,10 +1,18 @@ + // SPDX-License-Identifier: GPL-2.0 ++#include + #include + #include + #include + + static struct callback_head work_exited; /* all we need is ->next == NULL */ + ++static void task_work_set_notify_irq(struct irq_work *entry) ++{ ++ test_and_set_tsk_thread_flag(current, TIF_NOTIFY_RESUME); ++} ++static DEFINE_PER_CPU(struct irq_work, irq_work_NMI_resume) = ++ IRQ_WORK_INIT_HARD(task_work_set_notify_irq); ++ + /** + * task_work_add - ask the @task to execute @work->func() + * @task: the task which should run the callback +@@ -12,7 +20,7 @@ static struct callback_head work_exited; /* all we need is ->next == NULL */ + * @notify: how to notify the targeted task + * + * Queue @work for task_work_run() below and notify the @task if @notify +- * is @TWA_RESUME, @TWA_SIGNAL, or @TWA_SIGNAL_NO_IPI. ++ * is @TWA_RESUME, @TWA_SIGNAL, @TWA_SIGNAL_NO_IPI or @TWA_NMI_CURRENT. + * + * @TWA_SIGNAL works like signals, in that the it will interrupt the targeted + * task and run the task_work, regardless of whether the task is currently +@@ -24,6 +32,8 @@ static struct callback_head work_exited; /* all we need is ->next == NULL */ + * kernel anyway. + * @TWA_RESUME work is run only when the task exits the kernel and returns to + * user mode, or before entering guest mode. ++ * @TWA_NMI_CURRENT works like @TWA_RESUME, except it can only be used for the ++ * current @task and if the current context is NMI. + * + * Fails if the @task is exiting/exited and thus it can't process this @work. + * Otherwise @work->func() will be called when the @task goes through one of +@@ -44,8 +54,13 @@ int task_work_add(struct task_struct *task, struct callback_head *work, + { + struct callback_head *head; + +- /* record the work call stack in order to print it in KASAN reports */ +- kasan_record_aux_stack(work); ++ if (notify == TWA_NMI_CURRENT) { ++ if (WARN_ON_ONCE(task != current)) ++ return -EINVAL; ++ } else { ++ /* record the work call stack in order to print it in KASAN reports */ ++ kasan_record_aux_stack(work); ++ } + + head = READ_ONCE(task->task_works); + do { +@@ -66,6 +81,9 @@ int task_work_add(struct task_struct *task, struct callback_head *work, + case TWA_SIGNAL_NO_IPI: + __set_notify_signal(task); + break; ++ case TWA_NMI_CURRENT: ++ irq_work_queue(this_cpu_ptr(&irq_work_NMI_resume)); ++ break; + default: + WARN_ON_ONCE(1); + break; +-- +2.43.0 + diff --git a/queue-6.6/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch b/queue-6.6/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch new file mode 100644 index 00000000000..0aff77fd87a --- /dev/null +++ b/queue-6.6/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch @@ -0,0 +1,180 @@ +From 15804082f0431cb357bf3aa25ec2c153206f3cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 15:33:12 -0700 +Subject: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). + +From: Kuniyuki Iwashima + +[ Upstream commit e8c526f2bdf1845bedaf6a478816a3d06fa78b8f ] + +Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). + + """ + We are seeing a use-after-free from a bpf prog attached to + trace_tcp_retransmit_synack. The program passes the req->sk to the + bpf_sk_storage_get_tracing kernel helper which does check for null + before using it. + """ + +The commit 83fccfc3940c ("inet: fix potential deadlock in +reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not +to call del_timer_sync() from reqsk_timer_handler(), but it introduced a +small race window. + +Before the timer is called, expire_timers() calls detach_timer(timer, true) +to clear timer->entry.pprev and marks it as not pending. + +If reqsk_queue_unlink() checks timer_pending() just after expire_timers() +calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will +continue running and send multiple SYN+ACKs until it expires. + +The reported UAF could happen if req->sk is close()d earlier than the timer +expiration, which is 63s by default. + +The scenario would be + + 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), + but del_timer_sync() is missed + + 2. reqsk timer is executed and scheduled again + + 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but + reqsk timer still has another one, and inet_csk_accept() does not + clear req->sk for non-TFO sockets + + 4. sk is close()d + + 5. reqsk timer is executed again, and BPF touches req->sk + +Let's not use timer_pending() by passing the caller context to +__inet_csk_reqsk_queue_drop(). + +Note that reqsk timer is pinned, so the issue does not happen in most +use cases. [1] + +[0] +BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 + +Use-after-free read at 0x00000000a891fb3a (in kfence-#1): +bpf_sk_storage_get_tracing+0x2e/0x1b0 +bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda +bpf_trace_run2+0x4c/0xc0 +tcp_rtx_synack+0xf9/0x100 +reqsk_timer_handler+0xda/0x3d0 +run_timer_softirq+0x292/0x8a0 +irq_exit_rcu+0xf5/0x320 +sysvec_apic_timer_interrupt+0x6d/0x80 +asm_sysvec_apic_timer_interrupt+0x16/0x20 +intel_idle_irq+0x5a/0xa0 +cpuidle_enter_state+0x94/0x273 +cpu_startup_entry+0x15e/0x260 +start_secondary+0x8a/0x90 +secondary_startup_64_no_verify+0xfa/0xfb + +kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 + +allocated by task 0 on cpu 9 at 260507.901592s: +sk_prot_alloc+0x35/0x140 +sk_clone_lock+0x1f/0x3f0 +inet_csk_clone_lock+0x15/0x160 +tcp_create_openreq_child+0x1f/0x410 +tcp_v6_syn_recv_sock+0x1da/0x700 +tcp_check_req+0x1fb/0x510 +tcp_v6_rcv+0x98b/0x1420 +ipv6_list_rcv+0x2258/0x26e0 +napi_complete_done+0x5b1/0x2990 +mlx5e_napi_poll+0x2ae/0x8d0 +net_rx_action+0x13e/0x590 +irq_exit_rcu+0xf5/0x320 +common_interrupt+0x80/0x90 +asm_common_interrupt+0x22/0x40 +cpuidle_enter_state+0xfb/0x273 +cpu_startup_entry+0x15e/0x260 +start_secondary+0x8a/0x90 +secondary_startup_64_no_verify+0xfa/0xfb + +freed by task 0 on cpu 9 at 260507.927527s: +rcu_core_si+0x4ff/0xf10 +irq_exit_rcu+0xf5/0x320 +sysvec_apic_timer_interrupt+0x6d/0x80 +asm_sysvec_apic_timer_interrupt+0x16/0x20 +cpuidle_enter_state+0xfb/0x273 +cpu_startup_entry+0x15e/0x260 +start_secondary+0x8a/0x90 +secondary_startup_64_no_verify+0xfa/0xfb + +Fixes: 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") +Reported-by: Martin KaFai Lau +Closes: https://lore.kernel.org/netdev/eb6684d0-ffd9-4bdc-9196-33f690c25824@linux.dev/ +Link: https://lore.kernel.org/netdev/b55e2ca0-42f2-4b7c-b445-6ffd87ca74a0@linux.dev/ [1] +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Reviewed-by: Martin KaFai Lau +Link: https://patch.msgid.link/20241014223312.4254-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_connection_sock.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 8720f3840b698..ca8cc0988b618 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -980,21 +980,31 @@ static bool reqsk_queue_unlink(struct request_sock *req) + found = __sk_nulls_del_node_init_rcu(sk); + spin_unlock(lock); + } +- if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) +- reqsk_put(req); ++ + return found; + } + +-bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req) ++static bool __inet_csk_reqsk_queue_drop(struct sock *sk, ++ struct request_sock *req, ++ bool from_timer) + { + bool unlinked = reqsk_queue_unlink(req); + ++ if (!from_timer && timer_delete_sync(&req->rsk_timer)) ++ reqsk_put(req); ++ + if (unlinked) { + reqsk_queue_removed(&inet_csk(sk)->icsk_accept_queue, req); + reqsk_put(req); + } ++ + return unlinked; + } ++ ++bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req) ++{ ++ return __inet_csk_reqsk_queue_drop(sk, req, false); ++} + EXPORT_SYMBOL(inet_csk_reqsk_queue_drop); + + void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req) +@@ -1087,7 +1097,7 @@ static void reqsk_timer_handler(struct timer_list *t) + + if (!inet_ehash_insert(req_to_sk(nreq), req_to_sk(oreq), NULL)) { + /* delete timer */ +- inet_csk_reqsk_queue_drop(sk_listener, nreq); ++ __inet_csk_reqsk_queue_drop(sk_listener, nreq, true); + goto no_ownership; + } + +@@ -1113,7 +1123,8 @@ static void reqsk_timer_handler(struct timer_list *t) + } + + drop: +- inet_csk_reqsk_queue_drop_and_put(oreq->rsk_listener, oreq); ++ __inet_csk_reqsk_queue_drop(sk_listener, oreq, true); ++ reqsk_put(req); + } + + static bool reqsk_queue_hash_req(struct request_sock *req, +-- +2.43.0 + diff --git a/queue-6.6/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch b/queue-6.6/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch new file mode 100644 index 00000000000..730756bbea1 --- /dev/null +++ b/queue-6.6/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch @@ -0,0 +1,111 @@ +From 7424de57ecea906d4e6e15ac9aeb2fc78939fedd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 13:53:24 +0300 +Subject: usb: dwc3: core: Fix system suspend on TI AM62 platforms + +From: Roger Quadros + +[ Upstream commit 705e3ce37bccdf2ed6f848356ff355f480d51a91 ] + +Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"), +system suspend is broken on AM62 TI platforms. + +Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY +bits (hence forth called 2 SUSPHY bits) were being set during core +initialization and even during core re-initialization after a system +suspend/resume. + +These bits are required to be set for system suspend/resume to work correctly +on AM62 platforms. + +Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget +driver is not loaded and started. +For Host mode, the 2 SUSPHY bits are set before the first system suspend but +get cleared at system resume during core re-init and are never set again. + +This patch resovles these two issues by ensuring the 2 SUSPHY bits are set +before system suspend and restored to the original state during system resume. + +Cc: stable@vger.kernel.org # v6.9+ +Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init") +Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/ +Signed-off-by: Roger Quadros +Acked-by: Thinh Nguyen +Tested-by: Markus Schneider-Pargmann +Reviewed-by: Dhruva Gole +Link: https://lore.kernel.org/r/20241011-am62-lpm-usb-v3-1-562d445625b5@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 19 +++++++++++++++++++ + drivers/usb/dwc3/core.h | 3 +++ + 2 files changed, 22 insertions(+) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index af851e4e8c8a7..8cbe19574bbcb 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -2106,6 +2106,11 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) + { + u32 reg; + ++ dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & ++ DWC3_GUSB2PHYCFG_SUSPHY) || ++ (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) & ++ DWC3_GUSB3PIPECTL_SUSPHY); ++ + switch (dwc->current_dr_role) { + case DWC3_GCTL_PRTCAP_DEVICE: + if (pm_runtime_suspended(dwc->dev)) +@@ -2153,6 +2158,15 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) + break; + } + ++ if (!PMSG_IS_AUTO(msg)) { ++ /* ++ * TI AM62 platform requires SUSPHY to be ++ * enabled for system suspend to work. ++ */ ++ if (!dwc->susphy_state) ++ dwc3_enable_susphy(dwc, true); ++ } ++ + return 0; + } + +@@ -2215,6 +2229,11 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg) + break; + } + ++ if (!PMSG_IS_AUTO(msg)) { ++ /* restore SUSPHY state to that before system suspend. */ ++ dwc3_enable_susphy(dwc, dwc->susphy_state); ++ } ++ + return 0; + } + +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 420753205fafa..3325796f3cb45 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -1127,6 +1127,8 @@ struct dwc3_scratchpad_array { + * @sys_wakeup: set if the device may do system wakeup. + * @wakeup_configured: set if the device is configured for remote wakeup. + * @suspended: set to track suspend event due to U3/L2. ++ * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY + DWC3_GUSB3PIPECTL_SUSPHY ++ * before PM suspend. + * @imod_interval: set the interrupt moderation interval in 250ns + * increments or 0 to disable. + * @max_cfg_eps: current max number of IN eps used across all USB configs. +@@ -1351,6 +1353,7 @@ struct dwc3 { + unsigned sys_wakeup:1; + unsigned wakeup_configured:1; + unsigned suspended:1; ++ unsigned susphy_state:1; + + u16 imod_interval; + +-- +2.43.0 + diff --git a/queue-6.6/usb-gadget-f_uac2-fix-non-newline-terminated-functio.patch b/queue-6.6/usb-gadget-f_uac2-fix-non-newline-terminated-functio.patch new file mode 100644 index 00000000000..f7985996411 --- /dev/null +++ b/queue-6.6/usb-gadget-f_uac2-fix-non-newline-terminated-functio.patch @@ -0,0 +1,48 @@ +From 66102547c4f13d3f9412326241603124030423d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 15:25:53 +0100 +Subject: usb: gadget: f_uac2: fix non-newline-terminated function name + +From: John Keeping + +[ Upstream commit e60284b63245b84c3ae352427ed5ff8b79266b91 ] + +Most writes to configfs handle an optional newline, but do not require +it. By using the number of bytes written as the limit for scnprintf() +it is guaranteed that the final character in the buffer will be +overwritten. + +This is expected if it is a newline but is undesirable when a string is +written "as-is" (as libusbgx does, for example). + +Update the store function to strip an optional newline, matching the +behaviour of usb_string_copy(). + +Signed-off-by: John Keeping +Link: https://lore.kernel.org/r/20240708142553.3995022-1-jkeeping@inmusicbrands.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 9499327714de ("usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store") +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_uac2.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c +index 55a4f07bc9cc1..79d1f87c6cc59 100644 +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -2060,7 +2060,10 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \ + goto end; \ + } \ + \ +- ret = scnprintf(opts->name, min(sizeof(opts->name), len), \ ++ if (len && page[len - 1] == '\n') \ ++ len--; \ ++ \ ++ ret = scnprintf(opts->name, min(sizeof(opts->name), len + 1), \ + "%s", page); \ + \ + end: \ +-- +2.43.0 + diff --git a/queue-6.6/usb-gadget-f_uac2-fix-return-value-for-uac2_attribut.patch b/queue-6.6/usb-gadget-f_uac2-fix-return-value-for-uac2_attribut.patch new file mode 100644 index 00000000000..cabf579aa48 --- /dev/null +++ b/queue-6.6/usb-gadget-f_uac2-fix-return-value-for-uac2_attribut.patch @@ -0,0 +1,58 @@ +From 5a42d949e31f2c7cfeffe28f267f29e590091080 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2024 19:26:31 -0400 +Subject: usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store + +From: Kevin Groeneveld + +[ Upstream commit 9499327714de7bc5cf6c792112c1474932d8ad31 ] + +The configfs store callback should return the number of bytes consumed +not the total number of bytes we actually stored. These could differ if +for example the passed in string had a newline we did not store. + +If the returned value does not match the number of bytes written the +writer might assume a failure or keep trying to write the remaining bytes. + +For example the following command will hang trying to write the final +newline over and over again (tested on bash 2.05b): + + echo foo > function_name + +Fixes: 993a44fa85c1 ("usb: gadget: f_uac2: allow changing interface name via configfs") +Cc: stable +Signed-off-by: Kevin Groeneveld +Link: https://lore.kernel.org/r/20241006232637.4267-1-kgroeneveld@lenbrook.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_uac2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c +index 79d1f87c6cc59..b3dc5f5164f42 100644 +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -2052,7 +2052,7 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \ + const char *page, size_t len) \ + { \ + struct f_uac2_opts *opts = to_f_uac2_opts(item); \ +- int ret = 0; \ ++ int ret = len; \ + \ + mutex_lock(&opts->lock); \ + if (opts->refcnt) { \ +@@ -2063,8 +2063,8 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \ + if (len && page[len - 1] == '\n') \ + len--; \ + \ +- ret = scnprintf(opts->name, min(sizeof(opts->name), len + 1), \ +- "%s", page); \ ++ scnprintf(opts->name, min(sizeof(opts->name), len + 1), \ ++ "%s", page); \ + \ + end: \ + mutex_unlock(&opts->lock); \ +-- +2.43.0 + diff --git a/queue-6.6/usb-gadget-f_uac2-replace-snprintf-with-the-safer-sc.patch b/queue-6.6/usb-gadget-f_uac2-replace-snprintf-with-the-safer-sc.patch new file mode 100644 index 00000000000..91b13db40cc --- /dev/null +++ b/queue-6.6/usb-gadget-f_uac2-replace-snprintf-with-the-safer-sc.patch @@ -0,0 +1,68 @@ +From d4614c7cd1eb5e09e25fc61b47d17b6701c98b51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 16:42:32 +0000 +Subject: usb: gadget: f_uac2: Replace snprintf() with the safer scnprintf() + variant + +From: Lee Jones + +[ Upstream commit 60034e0aedf507888c4a880f57011bb7f5d7700c ] + +There is a general misunderstanding amongst engineers that {v}snprintf() +returns the length of the data *actually* encoded into the destination +array. However, as per the C99 standard {v}snprintf() really returns +the length of the data that *would have been* written if there were +enough space for it. This misunderstanding has led to buffer-overruns +in the past. It's generally considered safer to use the {v}scnprintf() +variants in their place (or even sprintf() in simple cases). So let's +do that. + +Link: https://lwn.net/Articles/69419/ +Link: https://github.com/KSPP/linux/issues/105 +Cc: James Gruber +Cc: Yadwinder Singh +Cc: Jaswinder Singh +Cc: Ruslan Bilovol +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20231213164246.1021885-4-lee@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 9499327714de ("usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store") +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_uac2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c +index 0219cd79493a7..55a4f07bc9cc1 100644 +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -2042,7 +2042,7 @@ static ssize_t f_uac2_opts_##name##_show(struct config_item *item, \ + int result; \ + \ + mutex_lock(&opts->lock); \ +- result = snprintf(page, sizeof(opts->name), "%s", opts->name); \ ++ result = scnprintf(page, sizeof(opts->name), "%s", opts->name); \ + mutex_unlock(&opts->lock); \ + \ + return result; \ +@@ -2060,7 +2060,7 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \ + goto end; \ + } \ + \ +- ret = snprintf(opts->name, min(sizeof(opts->name), len), \ ++ ret = scnprintf(opts->name, min(sizeof(opts->name), len), \ + "%s", page); \ + \ + end: \ +@@ -2178,7 +2178,7 @@ static struct usb_function_instance *afunc_alloc_inst(void) + opts->req_number = UAC2_DEF_REQ_NUM; + opts->fb_max = FBACK_FAST_MAX; + +- snprintf(opts->function_name, sizeof(opts->function_name), "Source/Sink"); ++ scnprintf(opts->function_name, sizeof(opts->function_name), "Source/Sink"); + + return &opts->func_inst; + } +-- +2.43.0 + diff --git a/queue-6.6/usb-typec-altmode-should-keep-reference-to-parent.patch b/queue-6.6/usb-typec-altmode-should-keep-reference-to-parent.patch new file mode 100644 index 00000000000..f5159ac07fd --- /dev/null +++ b/queue-6.6/usb-typec-altmode-should-keep-reference-to-parent.patch @@ -0,0 +1,130 @@ +From e1c3f9214e9889e3135881d5346772204e6b6af4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 09:37:38 -0300 +Subject: usb: typec: altmode should keep reference to parent + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit befab3a278c59db0cc88c8799638064f6d3fd6f8 ] + +The altmode device release refers to its parent device, but without keeping +a reference to it. + +When registering the altmode, get a reference to the parent and put it in +the release function. + +Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues +like this: + +[ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000) +[ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 46.612867] ================================================================== +[ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129 +[ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48 +[ 46.614538] +[ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535 +[ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +[ 46.616042] Workqueue: events kobject_delayed_cleanup +[ 46.616446] Call Trace: +[ 46.616648] +[ 46.616820] dump_stack_lvl+0x5b/0x7c +[ 46.617112] ? typec_altmode_release+0x38/0x129 +[ 46.617470] print_report+0x14c/0x49e +[ 46.617769] ? rcu_read_unlock_sched+0x56/0x69 +[ 46.618117] ? __virt_addr_valid+0x19a/0x1ab +[ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d +[ 46.618807] ? typec_altmode_release+0x38/0x129 +[ 46.619161] kasan_report+0x8d/0xb4 +[ 46.619447] ? typec_altmode_release+0x38/0x129 +[ 46.619809] ? process_scheduled_works+0x3cb/0x85f +[ 46.620185] typec_altmode_release+0x38/0x129 +[ 46.620537] ? process_scheduled_works+0x3cb/0x85f +[ 46.620907] device_release+0xaf/0xf2 +[ 46.621206] kobject_delayed_cleanup+0x13b/0x17a +[ 46.621584] process_scheduled_works+0x4f6/0x85f +[ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10 +[ 46.622353] ? hlock_class+0x31/0x9a +[ 46.622647] ? lock_acquired+0x361/0x3c3 +[ 46.622956] ? move_linked_works+0x46/0x7d +[ 46.623277] worker_thread+0x1ce/0x291 +[ 46.623582] ? __kthread_parkme+0xc8/0xdf +[ 46.623900] ? __pfx_worker_thread+0x10/0x10 +[ 46.624236] kthread+0x17e/0x190 +[ 46.624501] ? kthread+0xfb/0x190 +[ 46.624756] ? __pfx_kthread+0x10/0x10 +[ 46.625015] ret_from_fork+0x20/0x40 +[ 46.625268] ? __pfx_kthread+0x10/0x10 +[ 46.625532] ret_from_fork_asm+0x1a/0x30 +[ 46.625805] +[ 46.625953] +[ 46.626056] Allocated by task 678: +[ 46.626287] kasan_save_stack+0x24/0x44 +[ 46.626555] kasan_save_track+0x14/0x2d +[ 46.626811] __kasan_kmalloc+0x3f/0x4d +[ 46.627049] __kmalloc_noprof+0x1bf/0x1f0 +[ 46.627362] typec_register_port+0x23/0x491 +[ 46.627698] cros_typec_probe+0x634/0xbb6 +[ 46.628026] platform_probe+0x47/0x8c +[ 46.628311] really_probe+0x20a/0x47d +[ 46.628605] device_driver_attach+0x39/0x72 +[ 46.628940] bind_store+0x87/0xd7 +[ 46.629213] kernfs_fop_write_iter+0x1aa/0x218 +[ 46.629574] vfs_write+0x1d6/0x29b +[ 46.629856] ksys_write+0xcd/0x13b +[ 46.630128] do_syscall_64+0xd4/0x139 +[ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 46.630820] +[ 46.630946] Freed by task 48: +[ 46.631182] kasan_save_stack+0x24/0x44 +[ 46.631493] kasan_save_track+0x14/0x2d +[ 46.631799] kasan_save_free_info+0x3f/0x4d +[ 46.632144] __kasan_slab_free+0x37/0x45 +[ 46.632474] kfree+0x1d4/0x252 +[ 46.632725] device_release+0xaf/0xf2 +[ 46.633017] kobject_delayed_cleanup+0x13b/0x17a +[ 46.633388] process_scheduled_works+0x4f6/0x85f +[ 46.633764] worker_thread+0x1ce/0x291 +[ 46.634065] kthread+0x17e/0x190 +[ 46.634324] ret_from_fork+0x20/0x40 +[ 46.634621] ret_from_fork_asm+0x1a/0x30 + +Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Heikki Krogerus +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241004123738.2964524-1-cascardo@igalia.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/class.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c +index f92fc2acfcba0..79cad8d61dacd 100644 +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -502,6 +502,7 @@ static void typec_altmode_release(struct device *dev) + typec_altmode_put_partner(alt); + + altmode_id_remove(alt->adev.dev.parent, alt->id); ++ put_device(alt->adev.dev.parent); + kfree(alt); + } + +@@ -551,6 +552,8 @@ typec_register_altmode(struct device *parent, + alt->adev.dev.type = &typec_altmode_dev_type; + dev_set_name(&alt->adev.dev, "%s.%u", dev_name(parent), id); + ++ get_device(alt->adev.dev.parent); ++ + /* Link partners and plugs with the ports */ + if (!is_port) + typec_altmode_set_partner(alt); +-- +2.43.0 + diff --git a/queue-6.6/vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch b/queue-6.6/vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch new file mode 100644 index 00000000000..8a214103d0d --- /dev/null +++ b/queue-6.6/vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch @@ -0,0 +1,64 @@ +From a8854db35f7526b0b3fe20199a6321a82c3a7e7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 21:03:11 +0200 +Subject: vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame + +From: Daniel Borkmann + +[ Upstream commit 4678adf94da4a9e9683817b246b58ce15fb81782 ] + +Andrew and Nikolay reported connectivity issues with Cilium's service +load-balancing in case of vmxnet3. + +If a BPF program for native XDP adds an encapsulation header such as +IPIP and transmits the packet out the same interface, then in case +of vmxnet3 a corrupted packet is being sent and subsequently dropped +on the path. + +vmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp() +through vmxnet3_xdp_xmit_back() calculates an incorrect DMA address: + + page = virt_to_page(xdpf->data); + tbi->dma_addr = page_pool_get_dma_addr(page) + + VMXNET3_XDP_HEADROOM; + dma_sync_single_for_device(&adapter->pdev->dev, + tbi->dma_addr, buf_size, + DMA_TO_DEVICE); + +The above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP +BPF program could have moved xdp->data. While the passed buf_size is +correct (xdpf->len), the dma_addr needs to have a dynamic offset which +can be calculated as xdpf->data - (void *)xdpf, that is, xdp->data - +xdp->data_hard_start. + +Fixes: 54f00cce1178 ("vmxnet3: Add XDP support.") +Reported-by: Andrew Sauber +Reported-by: Nikolay Nikolaev +Signed-off-by: Daniel Borkmann +Tested-by: Nikolay Nikolaev +Acked-by: Anton Protopopov +Cc: William Tu +Cc: Ronak Doshi +Link: https://patch.msgid.link/a0888656d7f09028f9984498cc698bb5364d89fc.1728931137.git.daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_xdp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/vmxnet3/vmxnet3_xdp.c b/drivers/net/vmxnet3/vmxnet3_xdp.c +index a6c787454a1ae..1341374a4588a 100644 +--- a/drivers/net/vmxnet3/vmxnet3_xdp.c ++++ b/drivers/net/vmxnet3/vmxnet3_xdp.c +@@ -148,7 +148,7 @@ vmxnet3_xdp_xmit_frame(struct vmxnet3_adapter *adapter, + } else { /* XDP buffer from page pool */ + page = virt_to_page(xdpf->data); + tbi->dma_addr = page_pool_get_dma_addr(page) + +- VMXNET3_XDP_HEADROOM; ++ (xdpf->data - (void *)xdpf); + dma_sync_single_for_device(&adapter->pdev->dev, + tbi->dma_addr, buf_size, + DMA_TO_DEVICE); +-- +2.43.0 + diff --git a/queue-6.6/vsock-update-msg_count-on-read_skb.patch b/queue-6.6/vsock-update-msg_count-on-read_skb.patch new file mode 100644 index 00000000000..3b6f531fa7b --- /dev/null +++ b/queue-6.6/vsock-update-msg_count-on-read_skb.patch @@ -0,0 +1,40 @@ +From f8608ae0fff5c2f60d60d1f2676ba4b9367b34ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2024 18:26:41 +0200 +Subject: vsock: Update msg_count on read_skb() + +From: Michal Luczaj + +[ Upstream commit 6dafde852df8de3617d4b9f835b629aaeaccd01d ] + +Dequeuing via vsock_transport::read_skb() left msg_count outdated, which +then confused SOCK_SEQPACKET recv(). Decrease the counter. + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Signed-off-by: Michal Luczaj +Signed-off-by: Daniel Borkmann +Reviewed-by: Stefano Garzarella +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-3-d6577bbfe742@rbox.co +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 072878012b51e..78b5f4f8808b9 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1524,6 +1524,9 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto + } + + hdr = virtio_vsock_hdr(skb); ++ if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SEQ_EOM) ++ vvs->msg_count--; ++ + virtio_transport_dec_rx_pkt(vvs, le32_to_cpu(hdr->len)); + spin_unlock_bh(&vvs->rx_lock); + +-- +2.43.0 + diff --git a/queue-6.6/vsock-update-rx_bytes-on-read_skb.patch b/queue-6.6/vsock-update-rx_bytes-on-read_skb.patch new file mode 100644 index 00000000000..72695e4e09b --- /dev/null +++ b/queue-6.6/vsock-update-rx_bytes-on-read_skb.patch @@ -0,0 +1,68 @@ +From 0883d1310735592f4f1d3b035c845a0ccc5cd707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2024 18:26:40 +0200 +Subject: vsock: Update rx_bytes on read_skb() + +From: Michal Luczaj + +[ Upstream commit 3543152f2d330141d9394d28855cb90b860091d2 ] + +Make sure virtio_transport_inc_rx_pkt() and virtio_transport_dec_rx_pkt() +calls are balanced (i.e. virtio_vsock_sock::rx_bytes doesn't lie) after +vsock_transport::read_skb(). + +While here, also inform the peer that we've freed up space and it has more +credit. + +Failing to update rx_bytes after packet is dequeued leads to a warning on +SOCK_STREAM recv(): + +[ 233.396654] rx_queue is empty, but rx_bytes is non-zero +[ 233.396702] WARNING: CPU: 11 PID: 40601 at net/vmw_vsock/virtio_transport_common.c:589 + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Suggested-by: Stefano Garzarella +Signed-off-by: Michal Luczaj +Signed-off-by: Daniel Borkmann +Reviewed-by: Stefano Garzarella +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-2-d6577bbfe742@rbox.co +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index e87fd9480acda..072878012b51e 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1508,6 +1508,7 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto + { + struct virtio_vsock_sock *vvs = vsk->trans; + struct sock *sk = sk_vsock(vsk); ++ struct virtio_vsock_hdr *hdr; + struct sk_buff *skb; + int off = 0; + int err; +@@ -1517,10 +1518,16 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto + * works for types other than dgrams. + */ + skb = __skb_recv_datagram(sk, &vvs->rx_queue, MSG_DONTWAIT, &off, &err); ++ if (!skb) { ++ spin_unlock_bh(&vvs->rx_lock); ++ return err; ++ } ++ ++ hdr = virtio_vsock_hdr(skb); ++ virtio_transport_dec_rx_pkt(vvs, le32_to_cpu(hdr->len)); + spin_unlock_bh(&vvs->rx_lock); + +- if (!skb) +- return err; ++ virtio_transport_send_credit_update(vsk); + + return recv_actor(sk, skb); + } +-- +2.43.0 + diff --git a/queue-6.6/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch b/queue-6.6/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch new file mode 100644 index 00000000000..8beb7d86dc3 --- /dev/null +++ b/queue-6.6/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch @@ -0,0 +1,102 @@ +From 8a00844fe54ac475f532cd0547677cb95caf6ca1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 13:43:56 +0200 +Subject: x86/resctrl: Avoid overflow in MB settings in bw_validate() + +From: Martin Kletzander + +[ Upstream commit 2b5648416e47933939dc310c4ea1e29404f35630 ] + +The resctrl schemata file supports specifying memory bandwidth associated with +the Memory Bandwidth Allocation (MBA) feature via a percentage (this is the +default) or bandwidth in MiBps (when resctrl is mounted with the "mba_MBps" +option). + +The allowed range for the bandwidth percentage is from +/sys/fs/resctrl/info/MB/min_bandwidth to 100, using a granularity of +/sys/fs/resctrl/info/MB/bandwidth_gran. The supported range for the MiBps +bandwidth is 0 to U32_MAX. + +There are two issues with parsing of MiBps memory bandwidth: + +* The user provided MiBps is mistakenly rounded up to the granularity + that is unique to percentage input. + +* The user provided MiBps is parsed using unsigned long (thus accepting + values up to ULONG_MAX), and then assigned to u32 that could result in + overflow. + +Do not round up the MiBps value and parse user provided bandwidth as the u32 +it is intended to be. Use the appropriate kstrtou32() that can detect out of +range values. + +Fixes: 8205a078ba78 ("x86/intel_rdt/mba_sc: Add schemata support") +Fixes: 6ce1560d35f6 ("x86/resctrl: Switch over to the resctrl mbps_val list") +Co-developed-by: Reinette Chatre +Signed-off-by: Reinette Chatre +Signed-off-by: Martin Kletzander +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Reinette Chatre +Reviewed-by: Tony Luck +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c +index b44c487727d45..a701e7921ea5c 100644 +--- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c ++++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c +@@ -27,10 +27,10 @@ + * hardware. The allocated bandwidth percentage is rounded to the next + * control step available on the hardware. + */ +-static bool bw_validate(char *buf, unsigned long *data, struct rdt_resource *r) ++static bool bw_validate(char *buf, u32 *data, struct rdt_resource *r) + { +- unsigned long bw; + int ret; ++ u32 bw; + + /* + * Only linear delay values is supported for current Intel SKUs. +@@ -40,16 +40,21 @@ static bool bw_validate(char *buf, unsigned long *data, struct rdt_resource *r) + return false; + } + +- ret = kstrtoul(buf, 10, &bw); ++ ret = kstrtou32(buf, 10, &bw); + if (ret) { +- rdt_last_cmd_printf("Non-decimal digit in MB value %s\n", buf); ++ rdt_last_cmd_printf("Invalid MB value %s\n", buf); + return false; + } + +- if ((bw < r->membw.min_bw || bw > r->default_ctrl) && +- !is_mba_sc(r)) { +- rdt_last_cmd_printf("MB value %ld out of range [%d,%d]\n", bw, +- r->membw.min_bw, r->default_ctrl); ++ /* Nothing else to do if software controller is enabled. */ ++ if (is_mba_sc(r)) { ++ *data = bw; ++ return true; ++ } ++ ++ if (bw < r->membw.min_bw || bw > r->default_ctrl) { ++ rdt_last_cmd_printf("MB value %u out of range [%d,%d]\n", ++ bw, r->membw.min_bw, r->default_ctrl); + return false; + } + +@@ -63,7 +68,7 @@ int parse_bw(struct rdt_parse_data *data, struct resctrl_schema *s, + struct resctrl_staged_config *cfg; + u32 closid = data->rdtgrp->closid; + struct rdt_resource *r = s->res; +- unsigned long bw_val; ++ u32 bw_val; + + cfg = &d->staged_config[s->conf_type]; + if (cfg->have_new_ctrl) { +-- +2.43.0 + diff --git a/queue-6.6/xhci-dbc-honor-usb-transfer-size-boundaries.patch b/queue-6.6/xhci-dbc-honor-usb-transfer-size-boundaries.patch new file mode 100644 index 00000000000..61c8f574dbc --- /dev/null +++ b/queue-6.6/xhci-dbc-honor-usb-transfer-size-boundaries.patch @@ -0,0 +1,149 @@ +From deaef71ec0891952ff491629f52bfcdc27a988d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 17:00:00 +0300 +Subject: xhci: dbc: honor usb transfer size boundaries. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mathias Nyman + +[ Upstream commit 30c9ae5ece8ecd69d36e6912c2c0896418f2468c ] + +Treat each completed full size write to /dev/ttyDBC0 as a separate usb +transfer. Make sure the size of the TRBs matches the size of the tty +write by first queuing as many max packet size TRBs as possible up to +the last TRB which will be cut short to match the size of the tty write. + +This solves an issue where userspace writes several transfers back to +back via /dev/ttyDBC0 into a kfifo before dbgtty can find available +request to turn that kfifo data into TRBs on the transfer ring. + +The boundary between transfer was lost as xhci-dbgtty then turned +everyting in the kfifo into as many 'max packet size' TRBs as possible. + +DbC would then send more data to the host than intended for that +transfer, causing host to issue a babble error. + +Refuse to write more data to kfifo until previous tty write data is +turned into properly sized TRBs with data size boundaries matching tty +write size + +Tested-by: Uday M Bhat +Tested-by: Łukasz Bartosik +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241016140000.783905-5-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-dbgcap.h | 1 + + drivers/usb/host/xhci-dbgtty.c | 55 ++++++++++++++++++++++++++++++---- + 2 files changed, 51 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h +index 54fafebb7bd1f..76170d7a7e7c3 100644 +--- a/drivers/usb/host/xhci-dbgcap.h ++++ b/drivers/usb/host/xhci-dbgcap.h +@@ -108,6 +108,7 @@ struct dbc_port { + struct tasklet_struct push; + + struct list_head write_pool; ++ unsigned int tx_boundary; + + bool registered; + }; +diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c +index 881f5a7e6e0e1..0266c2f5bc0d8 100644 +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -24,6 +24,29 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc) + return dbc->priv; + } + ++static unsigned int ++dbc_kfifo_to_req(struct dbc_port *port, char *packet) ++{ ++ unsigned int len; ++ ++ len = kfifo_len(&port->port.xmit_fifo); ++ ++ if (len == 0) ++ return 0; ++ ++ len = min(len, DBC_MAX_PACKET); ++ ++ if (port->tx_boundary) ++ len = min(port->tx_boundary, len); ++ ++ len = kfifo_out(&port->port.xmit_fifo, packet, len); ++ ++ if (port->tx_boundary) ++ port->tx_boundary -= len; ++ ++ return len; ++} ++ + static int dbc_start_tx(struct dbc_port *port) + __releases(&port->port_lock) + __acquires(&port->port_lock) +@@ -36,7 +59,7 @@ static int dbc_start_tx(struct dbc_port *port) + + while (!list_empty(pool)) { + req = list_entry(pool->next, struct dbc_request, list_pool); +- len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET); ++ len = dbc_kfifo_to_req(port, req->buf); + if (len == 0) + break; + do_tty_wake = true; +@@ -200,14 +223,32 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf, + { + struct dbc_port *port = tty->driver_data; + unsigned long flags; ++ unsigned int written = 0; + + spin_lock_irqsave(&port->port_lock, flags); +- if (count) +- count = kfifo_in(&port->port.xmit_fifo, buf, count); +- dbc_start_tx(port); ++ ++ /* ++ * Treat tty write as one usb transfer. Make sure the writes are turned ++ * into TRB request having the same size boundaries as the tty writes. ++ * Don't add data to kfifo before previous write is turned into TRBs ++ */ ++ if (port->tx_boundary) { ++ spin_unlock_irqrestore(&port->port_lock, flags); ++ return 0; ++ } ++ ++ if (count) { ++ written = kfifo_in(&port->port.xmit_fifo, buf, count); ++ ++ if (written == count) ++ port->tx_boundary = kfifo_len(&port->port.xmit_fifo); ++ ++ dbc_start_tx(port); ++ } ++ + spin_unlock_irqrestore(&port->port_lock, flags); + +- return count; ++ return written; + } + + static int dbc_tty_put_char(struct tty_struct *tty, u8 ch) +@@ -241,6 +282,10 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty) + + spin_lock_irqsave(&port->port_lock, flags); + room = kfifo_avail(&port->port.xmit_fifo); ++ ++ if (port->tx_boundary) ++ room = 0; ++ + spin_unlock_irqrestore(&port->port_lock, flags); + + return room; +-- +2.43.0 + diff --git a/queue-6.6/xhci-dbgtty-remove-kfifo_out-wrapper.patch b/queue-6.6/xhci-dbgtty-remove-kfifo_out-wrapper.patch new file mode 100644 index 00000000000..c49bd10dc42 --- /dev/null +++ b/queue-6.6/xhci-dbgtty-remove-kfifo_out-wrapper.patch @@ -0,0 +1,61 @@ +From 1bbfed58a2bb2afe9acd6c7ad988f44a748fce99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 12:35:40 +0200 +Subject: xhci: dbgtty: remove kfifo_out() wrapper + +From: Jiri Slaby (SUSE) + +[ Upstream commit 2b217514436744dd98c4d9fa48d60610f9f67d61 ] + +There is no need to check against kfifo_len() before kfifo_out(). Just +ask the latter for data and it tells how much it retrieved. Or returns 0 +in case there are no more. + +Signed-off-by: Jiri Slaby (SUSE) +Cc: Mathias Nyman +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Link: https://lore.kernel.org/r/20240808103549.429349-5-jirislaby@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 30c9ae5ece8e ("xhci: dbc: honor usb transfer size boundaries.") +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-dbgtty.c | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c +index b74e98e943932..64ea964949975 100644 +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -24,19 +24,6 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc) + return dbc->priv; + } + +-static unsigned int +-dbc_send_packet(struct dbc_port *port, char *packet, unsigned int size) +-{ +- unsigned int len; +- +- len = kfifo_len(&port->write_fifo); +- if (len < size) +- size = len; +- if (size != 0) +- size = kfifo_out(&port->write_fifo, packet, size); +- return size; +-} +- + static int dbc_start_tx(struct dbc_port *port) + __releases(&port->port_lock) + __acquires(&port->port_lock) +@@ -49,7 +36,7 @@ static int dbc_start_tx(struct dbc_port *port) + + while (!list_empty(pool)) { + req = list_entry(pool->next, struct dbc_request, list_pool); +- len = dbc_send_packet(port, req->buf, DBC_MAX_PACKET); ++ len = kfifo_out(&port->write_fifo, req->buf, DBC_MAX_PACKET); + if (len == 0) + break; + do_tty_wake = true; +-- +2.43.0 + diff --git a/queue-6.6/xhci-dbgtty-use-kfifo-from-tty_port-struct.patch b/queue-6.6/xhci-dbgtty-use-kfifo-from-tty_port-struct.patch new file mode 100644 index 00000000000..7c8eb088442 --- /dev/null +++ b/queue-6.6/xhci-dbgtty-use-kfifo-from-tty_port-struct.patch @@ -0,0 +1,117 @@ +From 050f69ebb8cc84a3e85919ffdbc7c4bcfb5ed0fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 12:35:41 +0200 +Subject: xhci: dbgtty: use kfifo from tty_port struct + +From: Jiri Slaby (SUSE) + +[ Upstream commit 866025f0237609532bc8e4af5ef4d7252d3b55b6 ] + +There is no need to define one in a custom structure. The tty_port one +is free to use. + +Signed-off-by: Jiri Slaby (SUSE) +Cc: Mathias Nyman +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Link: https://lore.kernel.org/r/20240808103549.429349-6-jirislaby@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 30c9ae5ece8e ("xhci: dbc: honor usb transfer size boundaries.") +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-dbgcap.h | 1 - + drivers/usb/host/xhci-dbgtty.c | 17 +++++++++-------- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h +index 51a7ab3ba0cac..54fafebb7bd1f 100644 +--- a/drivers/usb/host/xhci-dbgcap.h ++++ b/drivers/usb/host/xhci-dbgcap.h +@@ -108,7 +108,6 @@ struct dbc_port { + struct tasklet_struct push; + + struct list_head write_pool; +- struct kfifo write_fifo; + + bool registered; + }; +diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c +index 64ea964949975..881f5a7e6e0e1 100644 +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -36,7 +36,7 @@ static int dbc_start_tx(struct dbc_port *port) + + while (!list_empty(pool)) { + req = list_entry(pool->next, struct dbc_request, list_pool); +- len = kfifo_out(&port->write_fifo, req->buf, DBC_MAX_PACKET); ++ len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET); + if (len == 0) + break; + do_tty_wake = true; +@@ -203,7 +203,7 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf, + + spin_lock_irqsave(&port->port_lock, flags); + if (count) +- count = kfifo_in(&port->write_fifo, buf, count); ++ count = kfifo_in(&port->port.xmit_fifo, buf, count); + dbc_start_tx(port); + spin_unlock_irqrestore(&port->port_lock, flags); + +@@ -217,7 +217,7 @@ static int dbc_tty_put_char(struct tty_struct *tty, u8 ch) + int status; + + spin_lock_irqsave(&port->port_lock, flags); +- status = kfifo_put(&port->write_fifo, ch); ++ status = kfifo_put(&port->port.xmit_fifo, ch); + spin_unlock_irqrestore(&port->port_lock, flags); + + return status; +@@ -240,7 +240,7 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty) + unsigned int room; + + spin_lock_irqsave(&port->port_lock, flags); +- room = kfifo_avail(&port->write_fifo); ++ room = kfifo_avail(&port->port.xmit_fifo); + spin_unlock_irqrestore(&port->port_lock, flags); + + return room; +@@ -253,7 +253,7 @@ static unsigned int dbc_tty_chars_in_buffer(struct tty_struct *tty) + unsigned int chars; + + spin_lock_irqsave(&port->port_lock, flags); +- chars = kfifo_len(&port->write_fifo); ++ chars = kfifo_len(&port->port.xmit_fifo); + spin_unlock_irqrestore(&port->port_lock, flags); + + return chars; +@@ -411,7 +411,8 @@ static int xhci_dbc_tty_register_device(struct xhci_dbc *dbc) + goto err_idr; + } + +- ret = kfifo_alloc(&port->write_fifo, DBC_WRITE_BUF_SIZE, GFP_KERNEL); ++ ret = kfifo_alloc(&port->port.xmit_fifo, DBC_WRITE_BUF_SIZE, ++ GFP_KERNEL); + if (ret) + goto err_exit_port; + +@@ -440,7 +441,7 @@ static int xhci_dbc_tty_register_device(struct xhci_dbc *dbc) + xhci_dbc_free_requests(&port->read_pool); + xhci_dbc_free_requests(&port->write_pool); + err_free_fifo: +- kfifo_free(&port->write_fifo); ++ kfifo_free(&port->port.xmit_fifo); + err_exit_port: + idr_remove(&dbc_tty_minors, port->minor); + err_idr: +@@ -465,7 +466,7 @@ static void xhci_dbc_tty_unregister_device(struct xhci_dbc *dbc) + idr_remove(&dbc_tty_minors, port->minor); + mutex_unlock(&dbc_tty_minors_lock); + +- kfifo_free(&port->write_fifo); ++ kfifo_free(&port->port.xmit_fifo); + xhci_dbc_free_requests(&port->read_pool); + xhci_dbc_free_requests(&port->read_queue); + xhci_dbc_free_requests(&port->write_pool); +-- +2.43.0 + diff --git a/queue-6.6/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch b/queue-6.6/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch new file mode 100644 index 00000000000..3aa38c47cb1 --- /dev/null +++ b/queue-6.6/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch @@ -0,0 +1,589 @@ +From 852baa08d7eded220a2788d9eef267a14782a3aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jan 2024 10:25:23 -0500 +Subject: XHCI: Separate PORT and CAPs macros into dedicated file + +From: Frank Li + +[ Upstream commit c35ba0ac48355df1d11fcce85945f76c42d250ac ] + +Split the PORT and CAPs macro definitions into a separate file to +facilitate sharing with other files without the need to include the entire +xhci.h. + +Signed-off-by: Frank Li +Link: https://lore.kernel.org/r/20240124152525.3910311-2-Frank.Li@nxp.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 705e3ce37bcc ("usb: dwc3: core: Fix system suspend on TI AM62 platforms") +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-caps.h | 85 ++++++++++++ + drivers/usb/host/xhci-port.h | 176 +++++++++++++++++++++++ + drivers/usb/host/xhci.h | 262 +---------------------------------- + 3 files changed, 264 insertions(+), 259 deletions(-) + create mode 100644 drivers/usb/host/xhci-caps.h + create mode 100644 drivers/usb/host/xhci-port.h + +diff --git a/drivers/usb/host/xhci-caps.h b/drivers/usb/host/xhci-caps.h +new file mode 100644 +index 0000000000000..9e94cebf4a56d +--- /dev/null ++++ b/drivers/usb/host/xhci-caps.h +@@ -0,0 +1,85 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++/* hc_capbase bitmasks */ ++/* bits 7:0 - how long is the Capabilities register */ ++#define HC_LENGTH(p) XHCI_HC_LENGTH(p) ++/* bits 31:16 */ ++#define HC_VERSION(p) (((p) >> 16) & 0xffff) ++ ++/* HCSPARAMS1 - hcs_params1 - bitmasks */ ++/* bits 0:7, Max Device Slots */ ++#define HCS_MAX_SLOTS(p) (((p) >> 0) & 0xff) ++#define HCS_SLOTS_MASK 0xff ++/* bits 8:18, Max Interrupters */ ++#define HCS_MAX_INTRS(p) (((p) >> 8) & 0x7ff) ++/* bits 24:31, Max Ports - max value is 0x7F = 127 ports */ ++#define HCS_MAX_PORTS(p) (((p) >> 24) & 0x7f) ++ ++/* HCSPARAMS2 - hcs_params2 - bitmasks */ ++/* bits 0:3, frames or uframes that SW needs to queue transactions ++ * ahead of the HW to meet periodic deadlines */ ++#define HCS_IST(p) (((p) >> 0) & 0xf) ++/* bits 4:7, max number of Event Ring segments */ ++#define HCS_ERST_MAX(p) (((p) >> 4) & 0xf) ++/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */ ++/* bit 26 Scratchpad restore - for save/restore HW state - not used yet */ ++/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */ ++#define HCS_MAX_SCRATCHPAD(p) ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f)) ++ ++/* HCSPARAMS3 - hcs_params3 - bitmasks */ ++/* bits 0:7, Max U1 to U0 latency for the roothub ports */ ++#define HCS_U1_LATENCY(p) (((p) >> 0) & 0xff) ++/* bits 16:31, Max U2 to U0 latency for the roothub ports */ ++#define HCS_U2_LATENCY(p) (((p) >> 16) & 0xffff) ++ ++/* HCCPARAMS - hcc_params - bitmasks */ ++/* true: HC can use 64-bit address pointers */ ++#define HCC_64BIT_ADDR(p) ((p) & (1 << 0)) ++/* true: HC can do bandwidth negotiation */ ++#define HCC_BANDWIDTH_NEG(p) ((p) & (1 << 1)) ++/* true: HC uses 64-byte Device Context structures ++ * FIXME 64-byte context structures aren't supported yet. ++ */ ++#define HCC_64BYTE_CONTEXT(p) ((p) & (1 << 2)) ++/* true: HC has port power switches */ ++#define HCC_PPC(p) ((p) & (1 << 3)) ++/* true: HC has port indicators */ ++#define HCS_INDICATOR(p) ((p) & (1 << 4)) ++/* true: HC has Light HC Reset Capability */ ++#define HCC_LIGHT_RESET(p) ((p) & (1 << 5)) ++/* true: HC supports latency tolerance messaging */ ++#define HCC_LTC(p) ((p) & (1 << 6)) ++/* true: no secondary Stream ID Support */ ++#define HCC_NSS(p) ((p) & (1 << 7)) ++/* true: HC supports Stopped - Short Packet */ ++#define HCC_SPC(p) ((p) & (1 << 9)) ++/* true: HC has Contiguous Frame ID Capability */ ++#define HCC_CFC(p) ((p) & (1 << 11)) ++/* Max size for Primary Stream Arrays - 2^(n+1), where n is bits 12:15 */ ++#define HCC_MAX_PSA(p) (1 << ((((p) >> 12) & 0xf) + 1)) ++/* Extended Capabilities pointer from PCI base - section 5.3.6 */ ++#define HCC_EXT_CAPS(p) XHCI_HCC_EXT_CAPS(p) ++ ++#define CTX_SIZE(_hcc) (HCC_64BYTE_CONTEXT(_hcc) ? 64 : 32) ++ ++/* db_off bitmask - bits 0:1 reserved */ ++#define DBOFF_MASK (~0x3) ++ ++/* run_regs_off bitmask - bits 0:4 reserved */ ++#define RTSOFF_MASK (~0x1f) ++ ++/* HCCPARAMS2 - hcc_params2 - bitmasks */ ++/* true: HC supports U3 entry Capability */ ++#define HCC2_U3C(p) ((p) & (1 << 0)) ++/* true: HC supports Configure endpoint command Max exit latency too large */ ++#define HCC2_CMC(p) ((p) & (1 << 1)) ++/* true: HC supports Force Save context Capability */ ++#define HCC2_FSC(p) ((p) & (1 << 2)) ++/* true: HC supports Compliance Transition Capability */ ++#define HCC2_CTC(p) ((p) & (1 << 3)) ++/* true: HC support Large ESIT payload Capability > 48k */ ++#define HCC2_LEC(p) ((p) & (1 << 4)) ++/* true: HC support Configuration Information Capability */ ++#define HCC2_CIC(p) ((p) & (1 << 5)) ++/* true: HC support Extended TBC Capability, Isoc burst count > 65535 */ ++#define HCC2_ETC(p) ((p) & (1 << 6)) +diff --git a/drivers/usb/host/xhci-port.h b/drivers/usb/host/xhci-port.h +new file mode 100644 +index 0000000000000..f19efb966d180 +--- /dev/null ++++ b/drivers/usb/host/xhci-port.h +@@ -0,0 +1,176 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++/* PORTSC - Port Status and Control Register - port_status_base bitmasks */ ++/* true: device connected */ ++#define PORT_CONNECT (1 << 0) ++/* true: port enabled */ ++#define PORT_PE (1 << 1) ++/* bit 2 reserved and zeroed */ ++/* true: port has an over-current condition */ ++#define PORT_OC (1 << 3) ++/* true: port reset signaling asserted */ ++#define PORT_RESET (1 << 4) ++/* Port Link State - bits 5:8 ++ * A read gives the current link PM state of the port, ++ * a write with Link State Write Strobe set sets the link state. ++ */ ++#define PORT_PLS_MASK (0xf << 5) ++#define XDEV_U0 (0x0 << 5) ++#define XDEV_U1 (0x1 << 5) ++#define XDEV_U2 (0x2 << 5) ++#define XDEV_U3 (0x3 << 5) ++#define XDEV_DISABLED (0x4 << 5) ++#define XDEV_RXDETECT (0x5 << 5) ++#define XDEV_INACTIVE (0x6 << 5) ++#define XDEV_POLLING (0x7 << 5) ++#define XDEV_RECOVERY (0x8 << 5) ++#define XDEV_HOT_RESET (0x9 << 5) ++#define XDEV_COMP_MODE (0xa << 5) ++#define XDEV_TEST_MODE (0xb << 5) ++#define XDEV_RESUME (0xf << 5) ++ ++/* true: port has power (see HCC_PPC) */ ++#define PORT_POWER (1 << 9) ++/* bits 10:13 indicate device speed: ++ * 0 - undefined speed - port hasn't be initialized by a reset yet ++ * 1 - full speed ++ * 2 - low speed ++ * 3 - high speed ++ * 4 - super speed ++ * 5-15 reserved ++ */ ++#define DEV_SPEED_MASK (0xf << 10) ++#define XDEV_FS (0x1 << 10) ++#define XDEV_LS (0x2 << 10) ++#define XDEV_HS (0x3 << 10) ++#define XDEV_SS (0x4 << 10) ++#define XDEV_SSP (0x5 << 10) ++#define DEV_UNDEFSPEED(p) (((p) & DEV_SPEED_MASK) == (0x0<<10)) ++#define DEV_FULLSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_FS) ++#define DEV_LOWSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_LS) ++#define DEV_HIGHSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_HS) ++#define DEV_SUPERSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_SS) ++#define DEV_SUPERSPEEDPLUS(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP) ++#define DEV_SUPERSPEED_ANY(p) (((p) & DEV_SPEED_MASK) >= XDEV_SS) ++#define DEV_PORT_SPEED(p) (((p) >> 10) & 0x0f) ++ ++/* Bits 20:23 in the Slot Context are the speed for the device */ ++#define SLOT_SPEED_FS (XDEV_FS << 10) ++#define SLOT_SPEED_LS (XDEV_LS << 10) ++#define SLOT_SPEED_HS (XDEV_HS << 10) ++#define SLOT_SPEED_SS (XDEV_SS << 10) ++#define SLOT_SPEED_SSP (XDEV_SSP << 10) ++/* Port Indicator Control */ ++#define PORT_LED_OFF (0 << 14) ++#define PORT_LED_AMBER (1 << 14) ++#define PORT_LED_GREEN (2 << 14) ++#define PORT_LED_MASK (3 << 14) ++/* Port Link State Write Strobe - set this when changing link state */ ++#define PORT_LINK_STROBE (1 << 16) ++/* true: connect status change */ ++#define PORT_CSC (1 << 17) ++/* true: port enable change */ ++#define PORT_PEC (1 << 18) ++/* true: warm reset for a USB 3.0 device is done. A "hot" reset puts the port ++ * into an enabled state, and the device into the default state. A "warm" reset ++ * also resets the link, forcing the device through the link training sequence. ++ * SW can also look at the Port Reset register to see when warm reset is done. ++ */ ++#define PORT_WRC (1 << 19) ++/* true: over-current change */ ++#define PORT_OCC (1 << 20) ++/* true: reset change - 1 to 0 transition of PORT_RESET */ ++#define PORT_RC (1 << 21) ++/* port link status change - set on some port link state transitions: ++ * Transition Reason ++ * ------------------------------------------------------------------------------ ++ * - U3 to Resume Wakeup signaling from a device ++ * - Resume to Recovery to U0 USB 3.0 device resume ++ * - Resume to U0 USB 2.0 device resume ++ * - U3 to Recovery to U0 Software resume of USB 3.0 device complete ++ * - U3 to U0 Software resume of USB 2.0 device complete ++ * - U2 to U0 L1 resume of USB 2.1 device complete ++ * - U0 to U0 (???) L1 entry rejection by USB 2.1 device ++ * - U0 to disabled L1 entry error with USB 2.1 device ++ * - Any state to inactive Error on USB 3.0 port ++ */ ++#define PORT_PLC (1 << 22) ++/* port configure error change - port failed to configure its link partner */ ++#define PORT_CEC (1 << 23) ++#define PORT_CHANGE_MASK (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \ ++ PORT_RC | PORT_PLC | PORT_CEC) ++ ++ ++/* Cold Attach Status - xHC can set this bit to report device attached during ++ * Sx state. Warm port reset should be perfomed to clear this bit and move port ++ * to connected state. ++ */ ++#define PORT_CAS (1 << 24) ++/* wake on connect (enable) */ ++#define PORT_WKCONN_E (1 << 25) ++/* wake on disconnect (enable) */ ++#define PORT_WKDISC_E (1 << 26) ++/* wake on over-current (enable) */ ++#define PORT_WKOC_E (1 << 27) ++/* bits 28:29 reserved */ ++/* true: device is non-removable - for USB 3.0 roothub emulation */ ++#define PORT_DEV_REMOVE (1 << 30) ++/* Initiate a warm port reset - complete when PORT_WRC is '1' */ ++#define PORT_WR (1 << 31) ++ ++/* We mark duplicate entries with -1 */ ++#define DUPLICATE_ENTRY ((u8)(-1)) ++ ++/* Port Power Management Status and Control - port_power_base bitmasks */ ++/* Inactivity timer value for transitions into U1, in microseconds. ++ * Timeout can be up to 127us. 0xFF means an infinite timeout. ++ */ ++#define PORT_U1_TIMEOUT(p) ((p) & 0xff) ++#define PORT_U1_TIMEOUT_MASK 0xff ++/* Inactivity timer value for transitions into U2 */ ++#define PORT_U2_TIMEOUT(p) (((p) & 0xff) << 8) ++#define PORT_U2_TIMEOUT_MASK (0xff << 8) ++/* Bits 24:31 for port testing */ ++ ++/* USB2 Protocol PORTSPMSC */ ++#define PORT_L1S_MASK 7 ++#define PORT_L1S_SUCCESS 1 ++#define PORT_RWE (1 << 3) ++#define PORT_HIRD(p) (((p) & 0xf) << 4) ++#define PORT_HIRD_MASK (0xf << 4) ++#define PORT_L1DS_MASK (0xff << 8) ++#define PORT_L1DS(p) (((p) & 0xff) << 8) ++#define PORT_HLE (1 << 16) ++#define PORT_TEST_MODE_SHIFT 28 ++ ++/* USB3 Protocol PORTLI Port Link Information */ ++#define PORT_RX_LANES(p) (((p) >> 16) & 0xf) ++#define PORT_TX_LANES(p) (((p) >> 20) & 0xf) ++ ++/* USB2 Protocol PORTHLPMC */ ++#define PORT_HIRDM(p)((p) & 3) ++#define PORT_L1_TIMEOUT(p)(((p) & 0xff) << 2) ++#define PORT_BESLD(p)(((p) & 0xf) << 10) ++ ++/* use 512 microseconds as USB2 LPM L1 default timeout. */ ++#define XHCI_L1_TIMEOUT 512 ++ ++/* Set default HIRD/BESL value to 4 (350/400us) for USB2 L1 LPM resume latency. ++ * Safe to use with mixed HIRD and BESL systems (host and device) and is used ++ * by other operating systems. ++ * ++ * XHCI 1.0 errata 8/14/12 Table 13 notes: ++ * "Software should choose xHC BESL/BESLD field values that do not violate a ++ * device's resume latency requirements, ++ * e.g. not program values > '4' if BLC = '1' and a HIRD device is attached, ++ * or not program values < '4' if BLC = '0' and a BESL device is attached. ++ */ ++#define XHCI_DEFAULT_BESL 4 ++ ++/* ++ * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports ++ * to complete link training. usually link trainig completes much faster ++ * so check status 10 times with 36ms sleep in places we need to wait for ++ * polling to complete. ++ */ ++#define XHCI_PORT_POLLING_LFPS_TIME 36 +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 7754ed55d220b..f2190d121233b 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -23,6 +23,9 @@ + #include "xhci-ext-caps.h" + #include "pci-quirks.h" + ++#include "xhci-port.h" ++#include "xhci-caps.h" ++ + /* max buffer size for trace and debug messages */ + #define XHCI_MSG_MAX 500 + +@@ -63,90 +66,6 @@ struct xhci_cap_regs { + /* Reserved up to (CAPLENGTH - 0x1C) */ + }; + +-/* hc_capbase bitmasks */ +-/* bits 7:0 - how long is the Capabilities register */ +-#define HC_LENGTH(p) XHCI_HC_LENGTH(p) +-/* bits 31:16 */ +-#define HC_VERSION(p) (((p) >> 16) & 0xffff) +- +-/* HCSPARAMS1 - hcs_params1 - bitmasks */ +-/* bits 0:7, Max Device Slots */ +-#define HCS_MAX_SLOTS(p) (((p) >> 0) & 0xff) +-#define HCS_SLOTS_MASK 0xff +-/* bits 8:18, Max Interrupters */ +-#define HCS_MAX_INTRS(p) (((p) >> 8) & 0x7ff) +-/* bits 24:31, Max Ports - max value is 0x7F = 127 ports */ +-#define HCS_MAX_PORTS(p) (((p) >> 24) & 0x7f) +- +-/* HCSPARAMS2 - hcs_params2 - bitmasks */ +-/* bits 0:3, frames or uframes that SW needs to queue transactions +- * ahead of the HW to meet periodic deadlines */ +-#define HCS_IST(p) (((p) >> 0) & 0xf) +-/* bits 4:7, max number of Event Ring segments */ +-#define HCS_ERST_MAX(p) (((p) >> 4) & 0xf) +-/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */ +-/* bit 26 Scratchpad restore - for save/restore HW state - not used yet */ +-/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */ +-#define HCS_MAX_SCRATCHPAD(p) ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f)) +- +-/* HCSPARAMS3 - hcs_params3 - bitmasks */ +-/* bits 0:7, Max U1 to U0 latency for the roothub ports */ +-#define HCS_U1_LATENCY(p) (((p) >> 0) & 0xff) +-/* bits 16:31, Max U2 to U0 latency for the roothub ports */ +-#define HCS_U2_LATENCY(p) (((p) >> 16) & 0xffff) +- +-/* HCCPARAMS - hcc_params - bitmasks */ +-/* true: HC can use 64-bit address pointers */ +-#define HCC_64BIT_ADDR(p) ((p) & (1 << 0)) +-/* true: HC can do bandwidth negotiation */ +-#define HCC_BANDWIDTH_NEG(p) ((p) & (1 << 1)) +-/* true: HC uses 64-byte Device Context structures +- * FIXME 64-byte context structures aren't supported yet. +- */ +-#define HCC_64BYTE_CONTEXT(p) ((p) & (1 << 2)) +-/* true: HC has port power switches */ +-#define HCC_PPC(p) ((p) & (1 << 3)) +-/* true: HC has port indicators */ +-#define HCS_INDICATOR(p) ((p) & (1 << 4)) +-/* true: HC has Light HC Reset Capability */ +-#define HCC_LIGHT_RESET(p) ((p) & (1 << 5)) +-/* true: HC supports latency tolerance messaging */ +-#define HCC_LTC(p) ((p) & (1 << 6)) +-/* true: no secondary Stream ID Support */ +-#define HCC_NSS(p) ((p) & (1 << 7)) +-/* true: HC supports Stopped - Short Packet */ +-#define HCC_SPC(p) ((p) & (1 << 9)) +-/* true: HC has Contiguous Frame ID Capability */ +-#define HCC_CFC(p) ((p) & (1 << 11)) +-/* Max size for Primary Stream Arrays - 2^(n+1), where n is bits 12:15 */ +-#define HCC_MAX_PSA(p) (1 << ((((p) >> 12) & 0xf) + 1)) +-/* Extended Capabilities pointer from PCI base - section 5.3.6 */ +-#define HCC_EXT_CAPS(p) XHCI_HCC_EXT_CAPS(p) +- +-#define CTX_SIZE(_hcc) (HCC_64BYTE_CONTEXT(_hcc) ? 64 : 32) +- +-/* db_off bitmask - bits 0:1 reserved */ +-#define DBOFF_MASK (~0x3) +- +-/* run_regs_off bitmask - bits 0:4 reserved */ +-#define RTSOFF_MASK (~0x1f) +- +-/* HCCPARAMS2 - hcc_params2 - bitmasks */ +-/* true: HC supports U3 entry Capability */ +-#define HCC2_U3C(p) ((p) & (1 << 0)) +-/* true: HC supports Configure endpoint command Max exit latency too large */ +-#define HCC2_CMC(p) ((p) & (1 << 1)) +-/* true: HC supports Force Save context Capability */ +-#define HCC2_FSC(p) ((p) & (1 << 2)) +-/* true: HC supports Compliance Transition Capability */ +-#define HCC2_CTC(p) ((p) & (1 << 3)) +-/* true: HC support Large ESIT payload Capability > 48k */ +-#define HCC2_LEC(p) ((p) & (1 << 4)) +-/* true: HC support Configuration Information Capability */ +-#define HCC2_CIC(p) ((p) & (1 << 5)) +-/* true: HC support Extended TBC Capability, Isoc burst count > 65535 */ +-#define HCC2_ETC(p) ((p) & (1 << 6)) +- + /* Number of registers per port */ + #define NUM_PORT_REGS 4 + +@@ -292,181 +211,6 @@ struct xhci_op_regs { + #define CONFIG_CIE (1 << 9) + /* bits 10:31 - reserved and should be preserved */ + +-/* PORTSC - Port Status and Control Register - port_status_base bitmasks */ +-/* true: device connected */ +-#define PORT_CONNECT (1 << 0) +-/* true: port enabled */ +-#define PORT_PE (1 << 1) +-/* bit 2 reserved and zeroed */ +-/* true: port has an over-current condition */ +-#define PORT_OC (1 << 3) +-/* true: port reset signaling asserted */ +-#define PORT_RESET (1 << 4) +-/* Port Link State - bits 5:8 +- * A read gives the current link PM state of the port, +- * a write with Link State Write Strobe set sets the link state. +- */ +-#define PORT_PLS_MASK (0xf << 5) +-#define XDEV_U0 (0x0 << 5) +-#define XDEV_U1 (0x1 << 5) +-#define XDEV_U2 (0x2 << 5) +-#define XDEV_U3 (0x3 << 5) +-#define XDEV_DISABLED (0x4 << 5) +-#define XDEV_RXDETECT (0x5 << 5) +-#define XDEV_INACTIVE (0x6 << 5) +-#define XDEV_POLLING (0x7 << 5) +-#define XDEV_RECOVERY (0x8 << 5) +-#define XDEV_HOT_RESET (0x9 << 5) +-#define XDEV_COMP_MODE (0xa << 5) +-#define XDEV_TEST_MODE (0xb << 5) +-#define XDEV_RESUME (0xf << 5) +- +-/* true: port has power (see HCC_PPC) */ +-#define PORT_POWER (1 << 9) +-/* bits 10:13 indicate device speed: +- * 0 - undefined speed - port hasn't be initialized by a reset yet +- * 1 - full speed +- * 2 - low speed +- * 3 - high speed +- * 4 - super speed +- * 5-15 reserved +- */ +-#define DEV_SPEED_MASK (0xf << 10) +-#define XDEV_FS (0x1 << 10) +-#define XDEV_LS (0x2 << 10) +-#define XDEV_HS (0x3 << 10) +-#define XDEV_SS (0x4 << 10) +-#define XDEV_SSP (0x5 << 10) +-#define DEV_UNDEFSPEED(p) (((p) & DEV_SPEED_MASK) == (0x0<<10)) +-#define DEV_FULLSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_FS) +-#define DEV_LOWSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_LS) +-#define DEV_HIGHSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_HS) +-#define DEV_SUPERSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_SS) +-#define DEV_SUPERSPEEDPLUS(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP) +-#define DEV_SUPERSPEED_ANY(p) (((p) & DEV_SPEED_MASK) >= XDEV_SS) +-#define DEV_PORT_SPEED(p) (((p) >> 10) & 0x0f) +- +-/* Bits 20:23 in the Slot Context are the speed for the device */ +-#define SLOT_SPEED_FS (XDEV_FS << 10) +-#define SLOT_SPEED_LS (XDEV_LS << 10) +-#define SLOT_SPEED_HS (XDEV_HS << 10) +-#define SLOT_SPEED_SS (XDEV_SS << 10) +-#define SLOT_SPEED_SSP (XDEV_SSP << 10) +-/* Port Indicator Control */ +-#define PORT_LED_OFF (0 << 14) +-#define PORT_LED_AMBER (1 << 14) +-#define PORT_LED_GREEN (2 << 14) +-#define PORT_LED_MASK (3 << 14) +-/* Port Link State Write Strobe - set this when changing link state */ +-#define PORT_LINK_STROBE (1 << 16) +-/* true: connect status change */ +-#define PORT_CSC (1 << 17) +-/* true: port enable change */ +-#define PORT_PEC (1 << 18) +-/* true: warm reset for a USB 3.0 device is done. A "hot" reset puts the port +- * into an enabled state, and the device into the default state. A "warm" reset +- * also resets the link, forcing the device through the link training sequence. +- * SW can also look at the Port Reset register to see when warm reset is done. +- */ +-#define PORT_WRC (1 << 19) +-/* true: over-current change */ +-#define PORT_OCC (1 << 20) +-/* true: reset change - 1 to 0 transition of PORT_RESET */ +-#define PORT_RC (1 << 21) +-/* port link status change - set on some port link state transitions: +- * Transition Reason +- * ------------------------------------------------------------------------------ +- * - U3 to Resume Wakeup signaling from a device +- * - Resume to Recovery to U0 USB 3.0 device resume +- * - Resume to U0 USB 2.0 device resume +- * - U3 to Recovery to U0 Software resume of USB 3.0 device complete +- * - U3 to U0 Software resume of USB 2.0 device complete +- * - U2 to U0 L1 resume of USB 2.1 device complete +- * - U0 to U0 (???) L1 entry rejection by USB 2.1 device +- * - U0 to disabled L1 entry error with USB 2.1 device +- * - Any state to inactive Error on USB 3.0 port +- */ +-#define PORT_PLC (1 << 22) +-/* port configure error change - port failed to configure its link partner */ +-#define PORT_CEC (1 << 23) +-#define PORT_CHANGE_MASK (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \ +- PORT_RC | PORT_PLC | PORT_CEC) +- +- +-/* Cold Attach Status - xHC can set this bit to report device attached during +- * Sx state. Warm port reset should be perfomed to clear this bit and move port +- * to connected state. +- */ +-#define PORT_CAS (1 << 24) +-/* wake on connect (enable) */ +-#define PORT_WKCONN_E (1 << 25) +-/* wake on disconnect (enable) */ +-#define PORT_WKDISC_E (1 << 26) +-/* wake on over-current (enable) */ +-#define PORT_WKOC_E (1 << 27) +-/* bits 28:29 reserved */ +-/* true: device is non-removable - for USB 3.0 roothub emulation */ +-#define PORT_DEV_REMOVE (1 << 30) +-/* Initiate a warm port reset - complete when PORT_WRC is '1' */ +-#define PORT_WR (1 << 31) +- +-/* We mark duplicate entries with -1 */ +-#define DUPLICATE_ENTRY ((u8)(-1)) +- +-/* Port Power Management Status and Control - port_power_base bitmasks */ +-/* Inactivity timer value for transitions into U1, in microseconds. +- * Timeout can be up to 127us. 0xFF means an infinite timeout. +- */ +-#define PORT_U1_TIMEOUT(p) ((p) & 0xff) +-#define PORT_U1_TIMEOUT_MASK 0xff +-/* Inactivity timer value for transitions into U2 */ +-#define PORT_U2_TIMEOUT(p) (((p) & 0xff) << 8) +-#define PORT_U2_TIMEOUT_MASK (0xff << 8) +-/* Bits 24:31 for port testing */ +- +-/* USB2 Protocol PORTSPMSC */ +-#define PORT_L1S_MASK 7 +-#define PORT_L1S_SUCCESS 1 +-#define PORT_RWE (1 << 3) +-#define PORT_HIRD(p) (((p) & 0xf) << 4) +-#define PORT_HIRD_MASK (0xf << 4) +-#define PORT_L1DS_MASK (0xff << 8) +-#define PORT_L1DS(p) (((p) & 0xff) << 8) +-#define PORT_HLE (1 << 16) +-#define PORT_TEST_MODE_SHIFT 28 +- +-/* USB3 Protocol PORTLI Port Link Information */ +-#define PORT_RX_LANES(p) (((p) >> 16) & 0xf) +-#define PORT_TX_LANES(p) (((p) >> 20) & 0xf) +- +-/* USB2 Protocol PORTHLPMC */ +-#define PORT_HIRDM(p)((p) & 3) +-#define PORT_L1_TIMEOUT(p)(((p) & 0xff) << 2) +-#define PORT_BESLD(p)(((p) & 0xf) << 10) +- +-/* use 512 microseconds as USB2 LPM L1 default timeout. */ +-#define XHCI_L1_TIMEOUT 512 +- +-/* Set default HIRD/BESL value to 4 (350/400us) for USB2 L1 LPM resume latency. +- * Safe to use with mixed HIRD and BESL systems (host and device) and is used +- * by other operating systems. +- * +- * XHCI 1.0 errata 8/14/12 Table 13 notes: +- * "Software should choose xHC BESL/BESLD field values that do not violate a +- * device's resume latency requirements, +- * e.g. not program values > '4' if BLC = '1' and a HIRD device is attached, +- * or not program values < '4' if BLC = '0' and a BESL device is attached. +- */ +-#define XHCI_DEFAULT_BESL 4 +- +-/* +- * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports +- * to complete link training. usually link trainig completes much faster +- * so check status 10 times with 36ms sleep in places we need to wait for +- * polling to complete. +- */ +-#define XHCI_PORT_POLLING_LFPS_TIME 36 +- + /** + * struct xhci_intr_reg - Interrupt Register Set + * @irq_pending: IMAN - Interrupt Management Register. Used to enable +-- +2.43.0 + -- 2.47.2