From ecb04d0b35585280ab61a5db0f11ca95de5ffe3d Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 15 Dec 2024 11:52:02 -0500 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...c-out-of-bounds-read-in-acpi_nfit_ct.patch | 63 +++++++ ...ix-memory-resource-type-union-access.patch | 55 ++++++ ...xfregn-don-t-release-the-contextmute.patch | 41 +++++ ...t-let-tt-changes-list-grows-indefini.patch | 77 ++++++++ ...do-not-send-uninitialized-tt-changes.patch | 78 ++++++++ ...e-uninitialized-data-in-full-table-t.patch | 115 ++++++++++++ ...-using-clamp-on-inuse-in-__propagate.patch | 77 ++++++++ ...ure-propagation-of-netif_f_gso_encap.patch | 101 ++++++++++ ...xgb4-use-port-number-to-set-mac-addr.patch | 83 +++++++++ ...-clarify-pm_runtime_resume_and_get-r.patch | 42 +++++ .../net-lapb-increase-lapb_header_len.patch | 86 +++++++++ ...account-for-backlog-updates-from-chi.patch | 171 +++++++++++++++++ ...et-sparx5-fix-fdma-performance-issue.patch | 63 +++++++ ...ix-the-maximum-frame-length-register.patch | 39 ++++ ...ypted-memory-in-confidential-guest-o.patch | 173 ++++++++++++++++++ ...rn-eopnotsupp-instead-of-enodev-from.patch | 63 +++++++ ...fix-clock-speed-for-multiple-qca7000.patch | 98 ++++++++++ ...qca_spi-make-driver-probing-reliable.patch | 40 ++++ ...sharedbuffer-remove-duplicate-test-c.patch | 58 ++++++ ...sharedbuffer-remove-h1-ingress-test-.patch | 48 +++++ queue-5.15/series | 22 +++ ...-propagation-of-netif_f_gso_encap_al.patch | 44 +++++ ...ipc-fix-null-deref-in-cleanup_bearer.patch | 82 +++++++++ 23 files changed, 1719 insertions(+) create mode 100644 queue-5.15/acpi-nfit-vmalloc-out-of-bounds-read-in-acpi_nfit_ct.patch create mode 100644 queue-5.15/acpi-resource-fix-memory-resource-type-union-access.patch create mode 100644 queue-5.15/acpica-events-evxfregn-don-t-release-the-contextmute.patch create mode 100644 queue-5.15/batman-adv-do-not-let-tt-changes-list-grows-indefini.patch create mode 100644 queue-5.15/batman-adv-do-not-send-uninitialized-tt-changes.patch create mode 100644 queue-5.15/batman-adv-remove-uninitialized-data-in-full-table-t.patch create mode 100644 queue-5.15/blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch create mode 100644 queue-5.15/bonding-fix-feature-propagation-of-netif_f_gso_encap.patch create mode 100644 queue-5.15/cxgb4-use-port-number-to-set-mac-addr.patch create mode 100644 queue-5.15/documentation-pm-clarify-pm_runtime_resume_and_get-r.patch create mode 100644 queue-5.15/net-lapb-increase-lapb_header_len.patch create mode 100644 queue-5.15/net-sched-netem-account-for-backlog-updates-from-chi.patch create mode 100644 queue-5.15/net-sparx5-fix-fdma-performance-issue.patch create mode 100644 queue-5.15/net-sparx5-fix-the-maximum-frame-length-register.patch create mode 100644 queue-5.15/ptp-kvm-use-decrypted-memory-in-confidential-guest-o.patch create mode 100644 queue-5.15/ptp-kvm-x86-return-eopnotsupp-instead-of-enodev-from.patch create mode 100644 queue-5.15/qca_spi-fix-clock-speed-for-multiple-qca7000.patch create mode 100644 queue-5.15/qca_spi-make-driver-probing-reliable.patch create mode 100644 queue-5.15/selftests-mlxsw-sharedbuffer-remove-duplicate-test-c.patch create mode 100644 queue-5.15/selftests-mlxsw-sharedbuffer-remove-h1-ingress-test-.patch create mode 100644 queue-5.15/team-fix-feature-propagation-of-netif_f_gso_encap_al.patch create mode 100644 queue-5.15/tipc-fix-null-deref-in-cleanup_bearer.patch diff --git a/queue-5.15/acpi-nfit-vmalloc-out-of-bounds-read-in-acpi_nfit_ct.patch b/queue-5.15/acpi-nfit-vmalloc-out-of-bounds-read-in-acpi_nfit_ct.patch new file mode 100644 index 00000000000..6c13f9f619f --- /dev/null +++ b/queue-5.15/acpi-nfit-vmalloc-out-of-bounds-read-in-acpi_nfit_ct.patch @@ -0,0 +1,63 @@ +From 9ce53721481d43b110a3ce78171a0261d0237b25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2024 21:56:09 +0530 +Subject: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl + +From: Suraj Sonawane + +[ Upstream commit 265e98f72bac6c41a4492d3e30a8e5fd22fe0779 ] + +Fix an issue detected by syzbot with KASAN: + +BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/ +core.c:416 [inline] +BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 +drivers/acpi/nfit/core.c:459 + +The issue occurs in cmd_to_func when the call_pkg->nd_reserved2 +array is accessed without verifying that call_pkg points to a buffer +that is appropriately sized as a struct nd_cmd_pkg. This can lead +to out-of-bounds access and undefined behavior if the buffer does not +have sufficient space. + +To address this, a check was added in acpi_nfit_ctl() to ensure that +buf is not NULL and that buf_len is less than sizeof(*call_pkg) +before accessing it. This ensures safe access to the members of +call_pkg, including the nd_reserved2 array. + +Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3 +Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com +Fixes: ebe9f6f19d80 ("acpi/nfit: Fix bus command validation") +Signed-off-by: Suraj Sonawane +Reviewed-by: Alison Schofield +Reviewed-by: Dave Jiang +Link: https://patch.msgid.link/20241118162609.29063-1-surajsonawane0215@gmail.com +Signed-off-by: Ira Weiny +Signed-off-by: Sasha Levin +--- + drivers/acpi/nfit/core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c +index 2575d6c51f89..9cc83df22de4 100644 +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -454,8 +454,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + if (cmd_rc) + *cmd_rc = -EINVAL; + +- if (cmd == ND_CMD_CALL) ++ if (cmd == ND_CMD_CALL) { ++ if (!buf || buf_len < sizeof(*call_pkg)) ++ return -EINVAL; ++ + call_pkg = buf; ++ } ++ + func = cmd_to_func(nfit_mem, cmd, call_pkg, &family); + if (func < 0) + return func; +-- +2.39.5 + diff --git a/queue-5.15/acpi-resource-fix-memory-resource-type-union-access.patch b/queue-5.15/acpi-resource-fix-memory-resource-type-union-access.patch new file mode 100644 index 00000000000..07114ac21cc --- /dev/null +++ b/queue-5.15/acpi-resource-fix-memory-resource-type-union-access.patch @@ -0,0 +1,55 @@ +From 20bb834d39fb8c8e5b09c2103bcb2d395503286a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 12:06:13 +0200 +Subject: ACPI: resource: Fix memory resource type union access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 7899ca9f3bd2b008e9a7c41f2a9f1986052d7e96 ] + +In acpi_decode_space() addr->info.mem.caching is checked on main level +for any resource type but addr->info.mem is part of union and thus +valid only if the resource type is memory range. + +Move the check inside the preceeding switch/case to only execute it +when the union is of correct type. + +Fixes: fcb29bbcd540 ("ACPI: Add prefetch decoding to the address space parser") +Signed-off-by: Ilpo Järvinen +Link: https://patch.msgid.link/20241202100614.20731-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 3c9f93981523..0433ab8ced0d 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -250,6 +250,9 @@ static bool acpi_decode_space(struct resource_win *win, + switch (addr->resource_type) { + case ACPI_MEMORY_RANGE: + acpi_dev_memresource_flags(res, len, wp); ++ ++ if (addr->info.mem.caching == ACPI_PREFETCHABLE_MEMORY) ++ res->flags |= IORESOURCE_PREFETCH; + break; + case ACPI_IO_RANGE: + acpi_dev_ioresource_flags(res, len, iodec, +@@ -265,9 +268,6 @@ static bool acpi_decode_space(struct resource_win *win, + if (addr->producer_consumer == ACPI_PRODUCER) + res->flags |= IORESOURCE_WINDOW; + +- if (addr->info.mem.caching == ACPI_PREFETCHABLE_MEMORY) +- res->flags |= IORESOURCE_PREFETCH; +- + return !(res->flags & IORESOURCE_DISABLED); + } + +-- +2.39.5 + diff --git a/queue-5.15/acpica-events-evxfregn-don-t-release-the-contextmute.patch b/queue-5.15/acpica-events-evxfregn-don-t-release-the-contextmute.patch new file mode 100644 index 00000000000..8fc2e09faa6 --- /dev/null +++ b/queue-5.15/acpica-events-evxfregn-don-t-release-the-contextmute.patch @@ -0,0 +1,41 @@ +From d1d67f630df933cf64cb3f117516864b69e83638 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 11:29:54 +0300 +Subject: ACPICA: events/evxfregn: don't release the ContextMutex that was + never acquired + +From: Daniil Tatianin + +[ Upstream commit c53d96a4481f42a1635b96d2c1acbb0a126bfd54 ] + +This bug was first introduced in c27f3d011b08, where the author of the +patch probably meant to do DeleteMutex instead of ReleaseMutex. The +mutex leak was noticed later on and fixed in e4dfe108371, but the bogus +MutexRelease line was never removed, so do it now. + +Link: https://github.com/acpica/acpica/pull/982 +Fixes: c27f3d011b08 ("ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling") +Signed-off-by: Daniil Tatianin +Link: https://patch.msgid.link/20241122082954.658356-1-d-tatianin@yandex-team.ru +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/evxfregn.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/acpi/acpica/evxfregn.c b/drivers/acpi/acpica/evxfregn.c +index b1ff0a8f9c14..7672d70da850 100644 +--- a/drivers/acpi/acpica/evxfregn.c ++++ b/drivers/acpi/acpica/evxfregn.c +@@ -201,8 +201,6 @@ acpi_remove_address_space_handler(acpi_handle device, + + /* Now we can delete the handler object */ + +- acpi_os_release_mutex(handler_obj->address_space. +- context_mutex); + acpi_ut_remove_reference(handler_obj); + goto unlock_and_exit; + } +-- +2.39.5 + diff --git a/queue-5.15/batman-adv-do-not-let-tt-changes-list-grows-indefini.patch b/queue-5.15/batman-adv-do-not-let-tt-changes-list-grows-indefini.patch new file mode 100644 index 00000000000..ebe8ad8374d --- /dev/null +++ b/queue-5.15/batman-adv-do-not-let-tt-changes-list-grows-indefini.patch @@ -0,0 +1,77 @@ +From 855d229d4979444b3b036f58d70b0f7d010d46db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 16:52:50 +0100 +Subject: batman-adv: Do not let TT changes list grows indefinitely + +From: Remi Pommarel + +[ Upstream commit fff8f17c1a6fc802ca23bbd3a276abfde8cc58e6 ] + +When TT changes list is too big to fit in packet due to MTU size, an +empty OGM is sent expected other node to send TT request to get the +changes. The issue is that tt.last_changeset was not built thus the +originator was responding with previous changes to those TT requests +(see batadv_send_my_tt_response). Also the changes list was never +cleaned up effectively never ending growing from this point onwards, +repeatedly sending the same TT response changes over and over, and +creating a new empty OGM every OGM interval expecting for the local +changes to be purged. + +When there is more TT changes that can fit in packet, drop all changes, +send empty OGM and wait for TT request so we can respond with a full +table instead. + +Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs") +Signed-off-by: Remi Pommarel +Acked-by: Antonio Quartulli +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index 5700a9eaa49a..6be14f9e071a 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -990,6 +990,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + int tt_diff_len, tt_change_len = 0; + int tt_diff_entries_num = 0; + int tt_diff_entries_count = 0; ++ bool drop_changes = false; + size_t tt_extra_len = 0; + u16 tvlv_len; + +@@ -997,10 +998,17 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + tt_diff_len = batadv_tt_len(tt_diff_entries_num); + + /* if we have too many changes for one packet don't send any +- * and wait for the tt table request which will be fragmented ++ * and wait for the tt table request so we can reply with the full ++ * (fragmented) table. ++ * ++ * The local change history should still be cleaned up so the next ++ * TT round can start again with a clean state. + */ +- if (tt_diff_len > bat_priv->soft_iface->mtu) ++ if (tt_diff_len > bat_priv->soft_iface->mtu) { + tt_diff_len = 0; ++ tt_diff_entries_num = 0; ++ drop_changes = true; ++ } + + tvlv_len = batadv_tt_prepare_tvlv_local_data(bat_priv, &tt_data, + &tt_change, &tt_diff_len); +@@ -1009,7 +1017,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + + tt_data->flags = BATADV_TT_OGM_DIFF; + +- if (tt_diff_len == 0) ++ if (!drop_changes && tt_diff_len == 0) + goto container_register; + + spin_lock_bh(&bat_priv->tt.changes_list_lock); +-- +2.39.5 + diff --git a/queue-5.15/batman-adv-do-not-send-uninitialized-tt-changes.patch b/queue-5.15/batman-adv-do-not-send-uninitialized-tt-changes.patch new file mode 100644 index 00000000000..039b55f149b --- /dev/null +++ b/queue-5.15/batman-adv-do-not-send-uninitialized-tt-changes.patch @@ -0,0 +1,78 @@ +From 21f348a4dab71b5c28c621ae2f85a36c7c38e517 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 16:52:48 +0100 +Subject: batman-adv: Do not send uninitialized TT changes + +From: Remi Pommarel + +[ Upstream commit f2f7358c3890e7366cbcb7512b4bc8b4394b2d61 ] + +The number of TT changes can be less than initially expected in +batadv_tt_tvlv_container_update() (changes can be removed by +batadv_tt_local_event() in ADD+DEL sequence between reading +tt_diff_entries_num and actually iterating the change list under lock). + +Thus tt_diff_len could be bigger than the actual changes size that need +to be sent. Because batadv_send_my_tt_response sends the whole +packet, uninitialized data can be interpreted as TT changes on other +nodes leading to weird TT global entries on those nodes such as: + + * 00:00:00:00:00:00 -1 [....] ( 0) 88:12:4e:ad:7e:ba (179) (0x45845380) + * 00:00:00:00:78:79 4092 [.W..] ( 0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b) + +All of the above also applies to OGM tvlv container buffer's tvlv_len. + +Remove the extra allocated space to avoid sending uninitialized TT +changes in batadv_send_my_tt_response() and batadv_v_ogm_send_softif(). + +Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs") +Signed-off-by: Remi Pommarel +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index 660a5594a647..ec30c1d36160 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -990,6 +990,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + int tt_diff_len, tt_change_len = 0; + int tt_diff_entries_num = 0; + int tt_diff_entries_count = 0; ++ size_t tt_extra_len = 0; + u16 tvlv_len; + + tt_diff_entries_num = atomic_read(&bat_priv->tt.local_changes); +@@ -1027,6 +1028,9 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + } + spin_unlock_bh(&bat_priv->tt.changes_list_lock); + ++ tt_extra_len = batadv_tt_len(tt_diff_entries_num - ++ tt_diff_entries_count); ++ + /* Keep the buffer for possible tt_request */ + spin_lock_bh(&bat_priv->tt.last_changeset_lock); + kfree(bat_priv->tt.last_changeset); +@@ -1035,6 +1039,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + tt_change_len = batadv_tt_len(tt_diff_entries_count); + /* check whether this new OGM has no changes due to size problems */ + if (tt_diff_entries_count > 0) { ++ tt_diff_len -= tt_extra_len; + /* if kmalloc() fails we will reply with the full table + * instead of providing the diff + */ +@@ -1047,6 +1052,8 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + } + spin_unlock_bh(&bat_priv->tt.last_changeset_lock); + ++ /* Remove extra packet space for OGM */ ++ tvlv_len -= tt_extra_len; + container_register: + batadv_tvlv_container_register(bat_priv, BATADV_TVLV_TT, 1, tt_data, + tvlv_len); +-- +2.39.5 + diff --git a/queue-5.15/batman-adv-remove-uninitialized-data-in-full-table-t.patch b/queue-5.15/batman-adv-remove-uninitialized-data-in-full-table-t.patch new file mode 100644 index 00000000000..3e402df9fa8 --- /dev/null +++ b/queue-5.15/batman-adv-remove-uninitialized-data-in-full-table-t.patch @@ -0,0 +1,115 @@ +From 6931953c16a78488fa0e4011db9cf6f37236263f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 16:52:49 +0100 +Subject: batman-adv: Remove uninitialized data in full table TT response + +From: Remi Pommarel + +[ Upstream commit 8038806db64da15721775d6b834990cacbfcf0b2 ] + +The number of entries filled by batadv_tt_tvlv_generate() can be less +than initially expected in batadv_tt_prepare_tvlv_{global,local}_data() +(changes can be removed by batadv_tt_local_event() in ADD+DEL sequence +in the meantime as the lock held during the whole tvlv global/local data +generation). + +Thus tvlv_len could be bigger than the actual TT entry size that need +to be sent so full table TT_RESPONSE could hold invalid TT entries such +as below. + + * 00:00:00:00:00:00 -1 [....] ( 0) 88:12:4e:ad:7e:ba (179) (0x45845380) + * 00:00:00:00:78:79 4092 [.W..] ( 0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b) + +Remove the extra allocated space to avoid sending uninitialized entries +for full table TT_RESPONSE in both batadv_send_other_tt_response() and +batadv_send_my_tt_response(). + +Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") +Signed-off-by: Remi Pommarel +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 37 ++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 15 deletions(-) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index ec30c1d36160..5700a9eaa49a 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -2754,14 +2754,16 @@ static bool batadv_tt_global_valid(const void *entry_ptr, + * + * Fills the tvlv buff with the tt entries from the specified hash. If valid_cb + * is not provided then this becomes a no-op. ++ * ++ * Return: Remaining unused length in tvlv_buff. + */ +-static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv, +- struct batadv_hashtable *hash, +- void *tvlv_buff, u16 tt_len, +- bool (*valid_cb)(const void *, +- const void *, +- u8 *flags), +- void *cb_data) ++static u16 batadv_tt_tvlv_generate(struct batadv_priv *bat_priv, ++ struct batadv_hashtable *hash, ++ void *tvlv_buff, u16 tt_len, ++ bool (*valid_cb)(const void *, ++ const void *, ++ u8 *flags), ++ void *cb_data) + { + struct batadv_tt_common_entry *tt_common_entry; + struct batadv_tvlv_tt_change *tt_change; +@@ -2775,7 +2777,7 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv, + tt_change = (struct batadv_tvlv_tt_change *)tvlv_buff; + + if (!valid_cb) +- return; ++ return tt_len; + + rcu_read_lock(); + for (i = 0; i < hash->size; i++) { +@@ -2801,6 +2803,8 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv, + } + } + rcu_read_unlock(); ++ ++ return batadv_tt_len(tt_tot - tt_num_entries); + } + + /** +@@ -3076,10 +3080,11 @@ static bool batadv_send_other_tt_response(struct batadv_priv *bat_priv, + goto out; + + /* fill the rest of the tvlv with the real TT entries */ +- batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.global_hash, +- tt_change, tt_len, +- batadv_tt_global_valid, +- req_dst_orig_node); ++ tvlv_len -= batadv_tt_tvlv_generate(bat_priv, ++ bat_priv->tt.global_hash, ++ tt_change, tt_len, ++ batadv_tt_global_valid, ++ req_dst_orig_node); + } + + /* Don't send the response, if larger than fragmented packet. */ +@@ -3203,9 +3208,11 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv, + goto out; + + /* fill the rest of the tvlv with the real TT entries */ +- batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.local_hash, +- tt_change, tt_len, +- batadv_tt_local_valid, NULL); ++ tvlv_len -= batadv_tt_tvlv_generate(bat_priv, ++ bat_priv->tt.local_hash, ++ tt_change, tt_len, ++ batadv_tt_local_valid, ++ NULL); + } + + tvlv_tt_data->flags = BATADV_TT_RESPONSE; +-- +2.39.5 + diff --git a/queue-5.15/blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch b/queue-5.15/blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch new file mode 100644 index 00000000000..4c9ae0ea782 --- /dev/null +++ b/queue-5.15/blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch @@ -0,0 +1,77 @@ +From a9fde545263c38729f017c27da664d9b6a3e03e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 10:13:29 -0700 +Subject: blk-iocost: Avoid using clamp() on inuse in __propagate_weights() + +From: Nathan Chancellor + +[ Upstream commit 57e420c84f9ab55ba4c5e2ae9c5f6c8e1ea834d2 ] + +After a recent change to clamp() and its variants [1] that increases the +coverage of the check that high is greater than low because it can be +done through inlining, certain build configurations (such as s390 +defconfig) fail to build with clang with: + + block/blk-iocost.c:1101:11: error: call to '__compiletime_assert_557' declared with 'error' attribute: clamp() low limit 1 greater than high limit active + 1101 | inuse = clamp_t(u32, inuse, 1, active); + | ^ + include/linux/minmax.h:218:36: note: expanded from macro 'clamp_t' + 218 | #define clamp_t(type, val, lo, hi) __careful_clamp(type, val, lo, hi) + | ^ + include/linux/minmax.h:195:2: note: expanded from macro '__careful_clamp' + 195 | __clamp_once(type, val, lo, hi, __UNIQUE_ID(v_), __UNIQUE_ID(l_), __UNIQUE_ID(h_)) + | ^ + include/linux/minmax.h:188:2: note: expanded from macro '__clamp_once' + 188 | BUILD_BUG_ON_MSG(statically_true(ulo > uhi), \ + | ^ + +__propagate_weights() is called with an active value of zero in +ioc_check_iocgs(), which results in the high value being less than the +low value, which is undefined because the value returned depends on the +order of the comparisons. + +The purpose of this expression is to ensure inuse is not more than +active and at least 1. This could be written more simply with a ternary +expression that uses min(inuse, active) as the condition so that the +value of that condition can be used if it is not zero and one if it is. +Do this conversion to resolve the error and add a comment to deter +people from turning this back into clamp(). + +Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost") +Link: https://lore.kernel.org/r/34d53778977747f19cce2abb287bb3e6@AcuMS.aculab.com/ [1] +Suggested-by: David Laight +Reported-by: Linux Kernel Functional Testing +Closes: https://lore.kernel.org/llvm/CA+G9fYsD7mw13wredcZn0L-KBA3yeoVSTuxnss-AEWMN3ha0cA@mail.gmail.com/ +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202412120322.3GfVe3vF-lkp@intel.com/ +Signed-off-by: Nathan Chancellor +Acked-by: Tejun Heo +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-iocost.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/block/blk-iocost.c b/block/blk-iocost.c +index 9654d1c2c20f..ba23562abc80 100644 +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -1087,7 +1087,14 @@ static void __propagate_weights(struct ioc_gq *iocg, u32 active, u32 inuse, + inuse = DIV64_U64_ROUND_UP(active * iocg->child_inuse_sum, + iocg->child_active_sum); + } else { +- inuse = clamp_t(u32, inuse, 1, active); ++ /* ++ * It may be tempting to turn this into a clamp expression with ++ * a lower limit of 1 but active may be 0, which cannot be used ++ * as an upper limit in that situation. This expression allows ++ * active to clamp inuse unless it is 0, in which case inuse ++ * becomes 1. ++ */ ++ inuse = min(inuse, active) ?: 1; + } + + iocg->last_inuse = iocg->inuse; +-- +2.39.5 + diff --git a/queue-5.15/bonding-fix-feature-propagation-of-netif_f_gso_encap.patch b/queue-5.15/bonding-fix-feature-propagation-of-netif_f_gso_encap.patch new file mode 100644 index 00000000000..210c5cbf02d --- /dev/null +++ b/queue-5.15/bonding-fix-feature-propagation-of-netif_f_gso_encap.patch @@ -0,0 +1,101 @@ +From d7816d10c9f97df11671ab5dbbe62ad86335bd4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 15:12:43 +0100 +Subject: bonding: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL + +From: Daniel Borkmann + +[ Upstream commit 77b11c8bf3a228d1c63464534c2dcc8d9c8bf7ff ] + +Drivers like mlx5 expose NIC's vlan_features such as +NETIF_F_GSO_UDP_TUNNEL & NETIF_F_GSO_UDP_TUNNEL_CSUM which are +later not propagated when the underlying devices are bonded and +a vlan device created on top of the bond. + +Right now, the more cumbersome workaround for this is to create +the vlan on top of the mlx5 and then enslave the vlan devices +to a bond. + +To fix this, add NETIF_F_GSO_ENCAP_ALL to BOND_VLAN_FEATURES +such that bond_compute_features() can probe and propagate the +vlan_features from the slave devices up to the vlan device. + +Given the following bond: + + # ethtool -i enp2s0f{0,1}np{0,1} + driver: mlx5_core + [...] + + # ethtool -k enp2s0f0np0 | grep udp + tx-udp_tnl-segmentation: on + tx-udp_tnl-csum-segmentation: on + tx-udp-segmentation: on + rx-udp_tunnel-port-offload: on + rx-udp-gro-forwarding: off + + # ethtool -k enp2s0f1np1 | grep udp + tx-udp_tnl-segmentation: on + tx-udp_tnl-csum-segmentation: on + tx-udp-segmentation: on + rx-udp_tunnel-port-offload: on + rx-udp-gro-forwarding: off + + # ethtool -k bond0 | grep udp + tx-udp_tnl-segmentation: on + tx-udp_tnl-csum-segmentation: on + tx-udp-segmentation: on + rx-udp_tunnel-port-offload: off [fixed] + rx-udp-gro-forwarding: off + +Before: + + # ethtool -k bond0.100 | grep udp + tx-udp_tnl-segmentation: off [requested on] + tx-udp_tnl-csum-segmentation: off [requested on] + tx-udp-segmentation: on + rx-udp_tunnel-port-offload: off [fixed] + rx-udp-gro-forwarding: off + +After: + + # ethtool -k bond0.100 | grep udp + tx-udp_tnl-segmentation: on + tx-udp_tnl-csum-segmentation: on + tx-udp-segmentation: on + rx-udp_tunnel-port-offload: off [fixed] + rx-udp-gro-forwarding: off + +Various users have run into this reporting performance issues when +configuring Cilium in vxlan tunneling mode and having the combination +of bond & vlan for the core devices connecting the Kubernetes cluster +to the outside world. + +Fixes: a9b3ace44c7d ("bonding: fix vlan_features computing") +Signed-off-by: Daniel Borkmann +Cc: Nikolay Aleksandrov +Cc: Ido Schimmel +Cc: Jiri Pirko +Reviewed-by: Nikolay Aleksandrov +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20241210141245.327886-3-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 67d153cc6a6c..75499e2967e8 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1384,6 +1384,7 @@ static netdev_features_t bond_fix_features(struct net_device *dev, + + #define BOND_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ + NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \ ++ NETIF_F_GSO_ENCAP_ALL | \ + NETIF_F_HIGHDMA | NETIF_F_LRO) + + #define BOND_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ +-- +2.39.5 + diff --git a/queue-5.15/cxgb4-use-port-number-to-set-mac-addr.patch b/queue-5.15/cxgb4-use-port-number-to-set-mac-addr.patch new file mode 100644 index 00000000000..af795150592 --- /dev/null +++ b/queue-5.15/cxgb4-use-port-number-to-set-mac-addr.patch @@ -0,0 +1,83 @@ +From b59cf49386c2ccf45a973c0763539be54cc98487 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 11:50:14 +0530 +Subject: cxgb4: use port number to set mac addr + +From: Anumula Murali Mohan Reddy + +[ Upstream commit 356983f569c1f5991661fc0050aa263792f50616 ] + +t4_set_vf_mac_acl() uses pf to set mac addr, but t4vf_get_vf_mac_acl() +uses port number to get mac addr, this leads to error when an attempt +to set MAC address on VF's of PF2 and PF3. +This patch fixes the issue by using port number to set mac address. + +Fixes: e0cdac65ba26 ("cxgb4vf: configure ports accessible by the VF") +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241206062014.49414-1-anumula@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4.h | 2 +- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 5 +++-- + 3 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h +index ecea3cdd30b3..cceb1cbe0d6a 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h +@@ -2084,7 +2084,7 @@ void t4_idma_monitor(struct adapter *adapter, + struct sge_idma_monitor_state *idma, + int hz, int ticks); + int t4_set_vf_mac_acl(struct adapter *adapter, unsigned int vf, +- unsigned int naddr, u8 *addr); ++ u8 start, unsigned int naddr, u8 *addr); + void t4_tp_pio_read(struct adapter *adap, u32 *buff, u32 nregs, + u32 start_index, bool sleep_ok); + void t4_tp_tm_pio_read(struct adapter *adap, u32 *buff, u32 nregs, +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 0d9cda4ab303..21afaa81697e 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -3247,7 +3247,7 @@ static int cxgb4_mgmt_set_vf_mac(struct net_device *dev, int vf, u8 *mac) + + dev_info(pi->adapter->pdev_dev, + "Setting MAC %pM on VF %d\n", mac, vf); +- ret = t4_set_vf_mac_acl(adap, vf + 1, 1, mac); ++ ret = t4_set_vf_mac_acl(adap, vf + 1, pi->lport, 1, mac); + if (!ret) + ether_addr_copy(adap->vfinfo[vf].vf_mac_addr, mac); + return ret; +diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +index c99f5920c957..94fd7d6a1109 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +@@ -10215,11 +10215,12 @@ int t4_load_cfg(struct adapter *adap, const u8 *cfg_data, unsigned int size) + * t4_set_vf_mac_acl - Set MAC address for the specified VF + * @adapter: The adapter + * @vf: one of the VFs instantiated by the specified PF ++ * @start: The start port id associated with specified VF + * @naddr: the number of MAC addresses + * @addr: the MAC address(es) to be set to the specified VF + */ + int t4_set_vf_mac_acl(struct adapter *adapter, unsigned int vf, +- unsigned int naddr, u8 *addr) ++ u8 start, unsigned int naddr, u8 *addr) + { + struct fw_acl_mac_cmd cmd; + +@@ -10234,7 +10235,7 @@ int t4_set_vf_mac_acl(struct adapter *adapter, unsigned int vf, + cmd.en_to_len16 = cpu_to_be32((unsigned int)FW_LEN16(cmd)); + cmd.nmac = naddr; + +- switch (adapter->pf) { ++ switch (start) { + case 3: + memcpy(cmd.macaddr3, addr, sizeof(cmd.macaddr3)); + break; +-- +2.39.5 + diff --git a/queue-5.15/documentation-pm-clarify-pm_runtime_resume_and_get-r.patch b/queue-5.15/documentation-pm-clarify-pm_runtime_resume_and_get-r.patch new file mode 100644 index 00000000000..fb8eaf3be2d --- /dev/null +++ b/queue-5.15/documentation-pm-clarify-pm_runtime_resume_and_get-r.patch @@ -0,0 +1,42 @@ +From b96466197955c164a911a226a4c581ecc2540dc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 14:37:29 +0000 +Subject: Documentation: PM: Clarify pm_runtime_resume_and_get() return value + +From: Paul Barker + +[ Upstream commit ccb84dc8f4a02e7d30ffd388522996546b4d00e1 ] + +Update the documentation to match the behaviour of the code. + +pm_runtime_resume_and_get() always returns 0 on success, even if +__pm_runtime_resume() returns 1. + +Fixes: 2c412337cfe6 ("PM: runtime: Add documentation for pm_runtime_resume_and_get()") +Signed-off-by: Paul Barker +Link: https://patch.msgid.link/20241203143729.478-1-paul.barker.ct@bp.renesas.com +[ rjw: Subject and changelog edits, adjusted new comment formatting ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + Documentation/power/runtime_pm.rst | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Documentation/power/runtime_pm.rst b/Documentation/power/runtime_pm.rst +index d6bf84f061f4..921f56dffea7 100644 +--- a/Documentation/power/runtime_pm.rst ++++ b/Documentation/power/runtime_pm.rst +@@ -341,7 +341,9 @@ drivers/base/power/runtime.c and include/linux/pm_runtime.h: + + `int pm_runtime_resume_and_get(struct device *dev);` + - run pm_runtime_resume(dev) and if successful, increment the device's +- usage counter; return the result of pm_runtime_resume ++ usage counter; returns 0 on success (whether or not the device's ++ runtime PM status was already 'active') or the error code from ++ pm_runtime_resume() on failure. + + `int pm_request_idle(struct device *dev);` + - submit a request to execute the subsystem-level idle callback for the +-- +2.39.5 + diff --git a/queue-5.15/net-lapb-increase-lapb_header_len.patch b/queue-5.15/net-lapb-increase-lapb_header_len.patch new file mode 100644 index 00000000000..0d224d7a1d9 --- /dev/null +++ b/queue-5.15/net-lapb-increase-lapb_header_len.patch @@ -0,0 +1,86 @@ +From 0d32239eda3cec42840d3c383c69fee5b1e2b086 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 14:10:31 +0000 +Subject: net: lapb: increase LAPB_HEADER_LEN + +From: Eric Dumazet + +[ Upstream commit a6d75ecee2bf828ac6a1b52724aba0a977e4eaf4 ] + +It is unclear if net/lapb code is supposed to be ready for 8021q. + +We can at least avoid crashes like the following : + +skbuff: skb_under_panic: text:ffffffff8aabe1f6 len:24 put:20 head:ffff88802824a400 data:ffff88802824a3fe tail:0x16 end:0x140 dev:nr0.2 +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:206 ! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 UID: 0 PID: 5508 Comm: dhcpcd Not tainted 6.12.0-rc7-syzkaller-00144-g66418447d27b #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 + RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] + RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 +Code: 0d 8d 48 c7 c6 2e 9e 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 1a 6f 37 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 +RSP: 0018:ffffc90002ddf638 EFLAGS: 00010282 +RAX: 0000000000000086 RBX: dffffc0000000000 RCX: 7a24750e538ff600 +RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000 +RBP: ffff888034a86650 R08: ffffffff8174b13c R09: 1ffff920005bbe60 +R10: dffffc0000000000 R11: fffff520005bbe61 R12: 0000000000000140 +R13: ffff88802824a400 R14: ffff88802824a3fe R15: 0000000000000016 +FS: 00007f2a5990d740(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000110c2631fd CR3: 0000000029504000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + skb_push+0xe5/0x100 net/core/skbuff.c:2636 + nr_header+0x36/0x320 net/netrom/nr_dev.c:69 + dev_hard_header include/linux/netdevice.h:3148 [inline] + vlan_dev_hard_header+0x359/0x480 net/8021q/vlan_dev.c:83 + dev_hard_header include/linux/netdevice.h:3148 [inline] + lapbeth_data_transmit+0x1f6/0x2a0 drivers/net/wan/lapbether.c:257 + lapb_data_transmit+0x91/0xb0 net/lapb/lapb_iface.c:447 + lapb_transmit_buffer+0x168/0x1f0 net/lapb/lapb_out.c:149 + lapb_establish_data_link+0x84/0xd0 + lapb_device_event+0x4e0/0x670 + notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93 + __dev_notify_flags+0x207/0x400 + dev_change_flags+0xf0/0x1a0 net/core/dev.c:8922 + devinet_ioctl+0xa4e/0x1aa0 net/ipv4/devinet.c:1188 + inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1003 + sock_do_ioctl+0x158/0x460 net/socket.c:1227 + sock_ioctl+0x626/0x8e0 net/socket.c:1346 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+fb99d1b0c0f81d94a5e2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/67506220.050a0220.17bd51.006c.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241204141031.4030267-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/lapb.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/lapb.h b/include/net/lapb.h +index 124ee122f2c8..6c07420644e4 100644 +--- a/include/net/lapb.h ++++ b/include/net/lapb.h +@@ -4,7 +4,7 @@ + #include + #include + +-#define LAPB_HEADER_LEN 20 /* LAPB over Ethernet + a bit more */ ++#define LAPB_HEADER_LEN MAX_HEADER /* LAPB over Ethernet + a bit more */ + + #define LAPB_ACK_PENDING_CONDITION 0x01 + #define LAPB_REJECT_CONDITION 0x02 +-- +2.39.5 + diff --git a/queue-5.15/net-sched-netem-account-for-backlog-updates-from-chi.patch b/queue-5.15/net-sched-netem-account-for-backlog-updates-from-chi.patch new file mode 100644 index 00000000000..0313c9adcd7 --- /dev/null +++ b/queue-5.15/net-sched-netem-account-for-backlog-updates-from-chi.patch @@ -0,0 +1,171 @@ +From 146adede50e8a07e16ccf4e6594e83c6a368a798 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 14:14:11 +0100 +Subject: net/sched: netem: account for backlog updates from child qdisc + +From: Martin Ottens + +[ Upstream commit f8d4bc455047cf3903cd6f85f49978987dbb3027 ] + +In general, 'qlen' of any classful qdisc should keep track of the +number of packets that the qdisc itself and all of its children holds. +In case of netem, 'qlen' only accounts for the packets in its internal +tfifo. When netem is used with a child qdisc, the child qdisc can use +'qdisc_tree_reduce_backlog' to inform its parent, netem, about created +or dropped SKBs. This function updates 'qlen' and the backlog statistics +of netem, but netem does not account for changes made by a child qdisc. +'qlen' then indicates the wrong number of packets in the tfifo. +If a child qdisc creates new SKBs during enqueue and informs its parent +about this, netem's 'qlen' value is increased. When netem dequeues the +newly created SKBs from the child, the 'qlen' in netem is not updated. +If 'qlen' reaches the configured sch->limit, the enqueue function stops +working, even though the tfifo is not full. + +Reproduce the bug: +Ensure that the sender machine has GSO enabled. Configure netem as root +qdisc and tbf as its child on the outgoing interface of the machine +as follows: +$ tc qdisc add dev root handle 1: netem delay 100ms limit 100 +$ tc qdisc add dev parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms + +Send bulk TCP traffic out via this interface, e.g., by running an iPerf3 +client on the machine. Check the qdisc statistics: +$ tc -s qdisc show dev + +Statistics after 10s of iPerf3 TCP test before the fix (note that +netem's backlog > limit, netem stopped accepting packets): +qdisc netem 1: root refcnt 2 limit 1000 delay 100ms + Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0) + backlog 4294528236b 1155p requeues 0 +qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms + Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0) + backlog 0b 0p requeues 0 + +Statistics after the fix: +qdisc netem 1: root refcnt 2 limit 1000 delay 100ms + Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0) + backlog 0b 0p requeues 0 +qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms + Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0) + backlog 0b 0p requeues 0 + +tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'. +The interface fully stops transferring packets and "locks". In this case, +the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at +its limit and no more packets are accepted. + +This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is +only decreased when a packet is returned by its dequeue function, and not +during enqueuing into the child qdisc. External updates to 'qlen' are thus +accounted for and only the behavior of the backlog statistics changes. As +in other qdiscs, 'qlen' then keeps track of how many packets are held in +netem and all of its children. As before, sch->limit remains as the +maximum number of packets in the tfifo. The same applies to netem's +backlog statistics. + +Fixes: 50612537e9ab ("netem: fix classful handling") +Signed-off-by: Martin Ottens +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20241210131412.1837202-1-martin.ottens@fau.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_netem.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index 93ed7bac9ee6..f459e34684ad 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -77,6 +77,8 @@ struct netem_sched_data { + struct sk_buff *t_head; + struct sk_buff *t_tail; + ++ u32 t_len; ++ + /* optional qdisc for classful handling (NULL at netem init) */ + struct Qdisc *qdisc; + +@@ -373,6 +375,7 @@ static void tfifo_reset(struct Qdisc *sch) + rtnl_kfree_skbs(q->t_head, q->t_tail); + q->t_head = NULL; + q->t_tail = NULL; ++ q->t_len = 0; + } + + static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch) +@@ -402,6 +405,7 @@ static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch) + rb_link_node(&nskb->rbnode, parent, p); + rb_insert_color(&nskb->rbnode, &q->t_root); + } ++ q->t_len++; + sch->q.qlen++; + } + +@@ -508,7 +512,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch, + 1<<(prandom_u32() % 8); + } + +- if (unlikely(sch->q.qlen >= sch->limit)) { ++ if (unlikely(q->t_len >= sch->limit)) { + /* re-link segs, so that qdisc_drop_all() frees them all */ + skb->next = segs; + qdisc_drop_all(skb, sch, to_free); +@@ -692,8 +696,8 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) + tfifo_dequeue: + skb = __qdisc_dequeue_head(&sch->q); + if (skb) { +- qdisc_qstats_backlog_dec(sch, skb); + deliver: ++ qdisc_qstats_backlog_dec(sch, skb); + qdisc_bstats_update(sch, skb); + return skb; + } +@@ -709,8 +713,7 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) + + if (time_to_send <= now && q->slot.slot_next <= now) { + netem_erase_head(q, skb); +- sch->q.qlen--; +- qdisc_qstats_backlog_dec(sch, skb); ++ q->t_len--; + skb->next = NULL; + skb->prev = NULL; + /* skb->dev shares skb->rbnode area, +@@ -737,16 +740,21 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) + if (net_xmit_drop_count(err)) + qdisc_qstats_drop(sch); + qdisc_tree_reduce_backlog(sch, 1, pkt_len); ++ sch->qstats.backlog -= pkt_len; ++ sch->q.qlen--; + } + goto tfifo_dequeue; + } ++ sch->q.qlen--; + goto deliver; + } + + if (q->qdisc) { + skb = q->qdisc->ops->dequeue(q->qdisc); +- if (skb) ++ if (skb) { ++ sch->q.qlen--; + goto deliver; ++ } + } + + qdisc_watchdog_schedule_ns(&q->watchdog, +@@ -756,8 +764,10 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) + + if (q->qdisc) { + skb = q->qdisc->ops->dequeue(q->qdisc); +- if (skb) ++ if (skb) { ++ sch->q.qlen--; + goto deliver; ++ } + } + return NULL; + } +-- +2.39.5 + diff --git a/queue-5.15/net-sparx5-fix-fdma-performance-issue.patch b/queue-5.15/net-sparx5-fix-fdma-performance-issue.patch new file mode 100644 index 00000000000..74f40e4cb70 --- /dev/null +++ b/queue-5.15/net-sparx5-fix-fdma-performance-issue.patch @@ -0,0 +1,63 @@ +From 59838860ff6962c3b5864616b9e93af342a98329 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 14:54:26 +0100 +Subject: net: sparx5: fix FDMA performance issue + +From: Daniel Machon + +[ Upstream commit f004f2e535e2b66ccbf5ac35f8eaadeac70ad7b7 ] + +The FDMA handler is responsible for scheduling a NAPI poll, which will +eventually fetch RX packets from the FDMA queue. Currently, the FDMA +handler is run in a threaded context. For some reason, this kills +performance. Admittedly, I did not do a thorough investigation to see +exactly what causes the issue, however, I noticed that in the other +driver utilizing the same FDMA engine, we run the FDMA handler in hard +IRQ context. + +Fix this performance issue, by running the FDMA handler in hard IRQ +context, not deferring any work to a thread. + +Prior to this change, the RX UDP performance was: + +Interval Transfer Bitrate Jitter +0.00-10.20 sec 44.6 MBytes 36.7 Mbits/sec 0.027 ms + +After this change, the rx UDP performance is: + +Interval Transfer Bitrate Jitter +0.00-9.12 sec 1.01 GBytes 953 Mbits/sec 0.020 ms + +Fixes: 10615907e9b5 ("net: sparx5: switchdev: adding frame DMA functionality") +Signed-off-by: Daniel Machon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_main.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c +index 174d89ee6374..ccfad6fba5b4 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c +@@ -647,12 +647,11 @@ static int sparx5_start(struct sparx5 *sparx5) + err = -ENXIO; + if (sparx5->fdma_irq >= 0) { + if (GCB_CHIP_ID_REV_ID_GET(sparx5->chip_id) > 0) +- err = devm_request_threaded_irq(sparx5->dev, +- sparx5->fdma_irq, +- NULL, +- sparx5_fdma_handler, +- IRQF_ONESHOT, +- "sparx5-fdma", sparx5); ++ err = devm_request_irq(sparx5->dev, ++ sparx5->fdma_irq, ++ sparx5_fdma_handler, ++ 0, ++ "sparx5-fdma", sparx5); + if (!err) + err = sparx5_fdma_start(sparx5); + if (err) +-- +2.39.5 + diff --git a/queue-5.15/net-sparx5-fix-the-maximum-frame-length-register.patch b/queue-5.15/net-sparx5-fix-the-maximum-frame-length-register.patch new file mode 100644 index 00000000000..c173971ca2a --- /dev/null +++ b/queue-5.15/net-sparx5-fix-the-maximum-frame-length-register.patch @@ -0,0 +1,39 @@ +From 58e1575614692daa7ac20f808fc9b5cdf77adaf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 14:54:28 +0100 +Subject: net: sparx5: fix the maximum frame length register + +From: Daniel Machon + +[ Upstream commit ddd7ba006078a2bef5971b2dc5f8383d47f96207 ] + +On port initialization, we configure the maximum frame length accepted +by the receive module associated with the port. This value is currently +written to the MAX_LEN field of the DEV10G_MAC_ENA_CFG register, when in +fact, it should be written to the DEV10G_MAC_MAXLEN_CFG register. Fix +this. + +Fixes: 946e7fd5053a ("net: sparx5: add port module support") +Signed-off-by: Daniel Machon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_port.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_port.c b/drivers/net/ethernet/microchip/sparx5/sparx5_port.c +index 8561a7bf53e1..0d9ff3db3144 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_port.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_port.c +@@ -1113,7 +1113,7 @@ int sparx5_port_init(struct sparx5 *sparx5, + spx5_inst_rmw(DEV10G_MAC_MAXLEN_CFG_MAX_LEN_SET(ETH_MAXLEN), + DEV10G_MAC_MAXLEN_CFG_MAX_LEN, + devinst, +- DEV10G_MAC_ENA_CFG(0)); ++ DEV10G_MAC_MAXLEN_CFG(0)); + + /* Handle Signal Detect in 10G PCS */ + spx5_inst_wr(PCS10G_BR_PCS_SD_CFG_SD_POL_SET(sd_pol) | +-- +2.39.5 + diff --git a/queue-5.15/ptp-kvm-use-decrypted-memory-in-confidential-guest-o.patch b/queue-5.15/ptp-kvm-use-decrypted-memory-in-confidential-guest-o.patch new file mode 100644 index 00000000000..49b47c21759 --- /dev/null +++ b/queue-5.15/ptp-kvm-use-decrypted-memory-in-confidential-guest-o.patch @@ -0,0 +1,173 @@ +From 8ce3c1dad1870982213da63590bc2e0cc1821e2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 15:05:31 +0000 +Subject: ptp: kvm: Use decrypted memory in confidential guest on x86 + +From: Jeremi Piotrowski + +[ Upstream commit 6365ba64b4dbe8b59ddaeaa724b281f3787715d5 ] + +KVM_HC_CLOCK_PAIRING currently fails inside SEV-SNP guests because the +guest passes an address to static data to the host. In confidential +computing the host can't access arbitrary guest memory so handling the +hypercall runs into an "rmpfault". To make the hypercall work, the guest +needs to explicitly mark the memory as decrypted. Do that in +kvm_arch_ptp_init(), but retain the previous behavior for +non-confidential guests to save us from having to allocate memory. + +Add a new arch-specific function (kvm_arch_ptp_exit()) to free the +allocation and mark the memory as encrypted again. + +Signed-off-by: Jeremi Piotrowski +Link: https://lore.kernel.org/r/20230308150531.477741-1-jpiotrowski@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 5e7aa97c7acf ("ptp: kvm: x86: Return EOPNOTSUPP instead of ENODEV from kvm_arch_ptp_init()") +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_kvm_arm.c | 4 +++ + drivers/ptp/ptp_kvm_common.c | 1 + + drivers/ptp/ptp_kvm_x86.c | 59 +++++++++++++++++++++++++++++------- + include/linux/ptp_kvm.h | 1 + + 4 files changed, 54 insertions(+), 11 deletions(-) + +diff --git a/drivers/ptp/ptp_kvm_arm.c b/drivers/ptp/ptp_kvm_arm.c +index b7d28c8dfb84..e68e6943167b 100644 +--- a/drivers/ptp/ptp_kvm_arm.c ++++ b/drivers/ptp/ptp_kvm_arm.c +@@ -22,6 +22,10 @@ int kvm_arch_ptp_init(void) + return 0; + } + ++void kvm_arch_ptp_exit(void) ++{ ++} ++ + int kvm_arch_ptp_get_clock(struct timespec64 *ts) + { + return kvm_arch_ptp_get_crosststamp(NULL, ts, NULL); +diff --git a/drivers/ptp/ptp_kvm_common.c b/drivers/ptp/ptp_kvm_common.c +index fcae32f56f25..051114a59286 100644 +--- a/drivers/ptp/ptp_kvm_common.c ++++ b/drivers/ptp/ptp_kvm_common.c +@@ -130,6 +130,7 @@ static struct kvm_ptp_clock kvm_ptp_clock; + static void __exit ptp_kvm_exit(void) + { + ptp_clock_unregister(kvm_ptp_clock.ptp_clock); ++ kvm_arch_ptp_exit(); + } + + static int __init ptp_kvm_init(void) +diff --git a/drivers/ptp/ptp_kvm_x86.c b/drivers/ptp/ptp_kvm_x86.c +index 4991054a2135..902844cc1a17 100644 +--- a/drivers/ptp/ptp_kvm_x86.c ++++ b/drivers/ptp/ptp_kvm_x86.c +@@ -14,27 +14,64 @@ + #include + #include + #include ++#include + + static phys_addr_t clock_pair_gpa; +-static struct kvm_clock_pairing clock_pair; ++static struct kvm_clock_pairing clock_pair_glbl; ++static struct kvm_clock_pairing *clock_pair; + + int kvm_arch_ptp_init(void) + { ++ struct page *p; + long ret; + + if (!kvm_para_available()) + return -ENODEV; + +- clock_pair_gpa = slow_virt_to_phys(&clock_pair); +- if (!pvclock_get_pvti_cpu0_va()) +- return -ENODEV; ++ if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT)) { ++ p = alloc_page(GFP_KERNEL | __GFP_ZERO); ++ if (!p) ++ return -ENOMEM; ++ ++ clock_pair = page_address(p); ++ ret = set_memory_decrypted((unsigned long)clock_pair, 1); ++ if (ret) { ++ __free_page(p); ++ clock_pair = NULL; ++ goto nofree; ++ } ++ } else { ++ clock_pair = &clock_pair_glbl; ++ } ++ ++ clock_pair_gpa = slow_virt_to_phys(clock_pair); ++ if (!pvclock_get_pvti_cpu0_va()) { ++ ret = -ENODEV; ++ goto err; ++ } + + ret = kvm_hypercall2(KVM_HC_CLOCK_PAIRING, clock_pair_gpa, + KVM_CLOCK_PAIRING_WALLCLOCK); +- if (ret == -KVM_ENOSYS) +- return -ENODEV; ++ if (ret == -KVM_ENOSYS) { ++ ret = -ENODEV; ++ goto err; ++ } + + return ret; ++ ++err: ++ kvm_arch_ptp_exit(); ++nofree: ++ return ret; ++} ++ ++void kvm_arch_ptp_exit(void) ++{ ++ if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT)) { ++ WARN_ON(set_memory_encrypted((unsigned long)clock_pair, 1)); ++ free_page((unsigned long)clock_pair); ++ clock_pair = NULL; ++ } + } + + int kvm_arch_ptp_get_clock(struct timespec64 *ts) +@@ -49,8 +86,8 @@ int kvm_arch_ptp_get_clock(struct timespec64 *ts) + return -EOPNOTSUPP; + } + +- ts->tv_sec = clock_pair.sec; +- ts->tv_nsec = clock_pair.nsec; ++ ts->tv_sec = clock_pair->sec; ++ ts->tv_nsec = clock_pair->nsec; + + return 0; + } +@@ -81,9 +118,9 @@ int kvm_arch_ptp_get_crosststamp(u64 *cycle, struct timespec64 *tspec, + pr_err_ratelimited("clock pairing hypercall ret %lu\n", ret); + return -EOPNOTSUPP; + } +- tspec->tv_sec = clock_pair.sec; +- tspec->tv_nsec = clock_pair.nsec; +- *cycle = __pvclock_read_cycles(src, clock_pair.tsc); ++ tspec->tv_sec = clock_pair->sec; ++ tspec->tv_nsec = clock_pair->nsec; ++ *cycle = __pvclock_read_cycles(src, clock_pair->tsc); + } while (pvclock_read_retry(src, version)); + + *cs = &kvm_clock; +diff --git a/include/linux/ptp_kvm.h b/include/linux/ptp_kvm.h +index f960a719f0d5..c1636ce76bd2 100644 +--- a/include/linux/ptp_kvm.h ++++ b/include/linux/ptp_kvm.h +@@ -12,6 +12,7 @@ struct timespec64; + struct clocksource; + + int kvm_arch_ptp_init(void); ++void kvm_arch_ptp_exit(void); + int kvm_arch_ptp_get_clock(struct timespec64 *ts); + int kvm_arch_ptp_get_crosststamp(u64 *cycle, + struct timespec64 *tspec, struct clocksource **cs); +-- +2.39.5 + diff --git a/queue-5.15/ptp-kvm-x86-return-eopnotsupp-instead-of-enodev-from.patch b/queue-5.15/ptp-kvm-x86-return-eopnotsupp-instead-of-enodev-from.patch new file mode 100644 index 00000000000..a62396ac1dd --- /dev/null +++ b/queue-5.15/ptp-kvm-x86-return-eopnotsupp-instead-of-enodev-from.patch @@ -0,0 +1,63 @@ +From 1d78f1e056b21e7d9ed886ed4a17c915a1c25f1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 18:09:55 +0100 +Subject: ptp: kvm: x86: Return EOPNOTSUPP instead of ENODEV from + kvm_arch_ptp_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 5e7aa97c7acf171275ac02a8bb018c31b8918d13 ] + +The caller, ptp_kvm_init(), emits a warning if kvm_arch_ptp_init() exits +with any error which is not EOPNOTSUPP: + + "fail to initialize ptp_kvm" + +Replace ENODEV with EOPNOTSUPP to avoid this spurious warning, +aligning with the ARM implementation. + +Fixes: a86ed2cfa13c ("ptp: Don't print an error if ptp_kvm is not supported") +Signed-off-by: Thomas Weißschuh +Link: https://patch.msgid.link/20241203-kvm_ptp-eopnotsuppp-v2-1-d1d060f27aa6@weissschuh.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_kvm_x86.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/ptp/ptp_kvm_x86.c b/drivers/ptp/ptp_kvm_x86.c +index 902844cc1a17..5e5b2ef78547 100644 +--- a/drivers/ptp/ptp_kvm_x86.c ++++ b/drivers/ptp/ptp_kvm_x86.c +@@ -26,7 +26,7 @@ int kvm_arch_ptp_init(void) + long ret; + + if (!kvm_para_available()) +- return -ENODEV; ++ return -EOPNOTSUPP; + + if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT)) { + p = alloc_page(GFP_KERNEL | __GFP_ZERO); +@@ -46,14 +46,14 @@ int kvm_arch_ptp_init(void) + + clock_pair_gpa = slow_virt_to_phys(clock_pair); + if (!pvclock_get_pvti_cpu0_va()) { +- ret = -ENODEV; ++ ret = -EOPNOTSUPP; + goto err; + } + + ret = kvm_hypercall2(KVM_HC_CLOCK_PAIRING, clock_pair_gpa, + KVM_CLOCK_PAIRING_WALLCLOCK); + if (ret == -KVM_ENOSYS) { +- ret = -ENODEV; ++ ret = -EOPNOTSUPP; + goto err; + } + +-- +2.39.5 + diff --git a/queue-5.15/qca_spi-fix-clock-speed-for-multiple-qca7000.patch b/queue-5.15/qca_spi-fix-clock-speed-for-multiple-qca7000.patch new file mode 100644 index 00000000000..9bef631b203 --- /dev/null +++ b/queue-5.15/qca_spi-fix-clock-speed-for-multiple-qca7000.patch @@ -0,0 +1,98 @@ +From 7de672a03d7c8edb806a2cd2122bf807d3a64442 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:46:42 +0100 +Subject: qca_spi: Fix clock speed for multiple QCA7000 + +From: Stefan Wahren + +[ Upstream commit 4dba406fac06b009873fe7a28231b9b7e4288b09 ] + +Storing the maximum clock speed in module parameter qcaspi_clkspeed +has the unintended side effect that the first probed instance +defines the value for all other instances. Fix this issue by storing +it in max_speed_hz of the relevant SPI device. + +This fix keeps the priority of the speed parameter (module parameter, +device tree property, driver default). Btw this uses the opportunity +to get the rid of the unused member clkspeed. + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: Stefan Wahren +Link: https://patch.msgid.link/20241206184643.123399-2-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 24 ++++++++++-------------- + drivers/net/ethernet/qualcomm/qca_spi.h | 1 - + 2 files changed, 10 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 385e4c62ca03..926eec0a9532 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -829,7 +829,6 @@ qcaspi_netdev_init(struct net_device *dev) + + dev->mtu = QCAFRM_MAX_MTU; + dev->type = ARPHRD_ETHER; +- qca->clkspeed = qcaspi_clkspeed; + qca->burst_len = qcaspi_burst_len; + qca->spi_thread = NULL; + qca->buffer_size = (dev->mtu + VLAN_ETH_HLEN + QCAFRM_HEADER_LEN + +@@ -918,17 +917,15 @@ qca_spi_probe(struct spi_device *spi) + legacy_mode = of_property_read_bool(spi->dev.of_node, + "qca,legacy-mode"); + +- if (qcaspi_clkspeed == 0) { +- if (spi->max_speed_hz) +- qcaspi_clkspeed = spi->max_speed_hz; +- else +- qcaspi_clkspeed = QCASPI_CLK_SPEED; +- } ++ if (qcaspi_clkspeed) ++ spi->max_speed_hz = qcaspi_clkspeed; ++ else if (!spi->max_speed_hz) ++ spi->max_speed_hz = QCASPI_CLK_SPEED; + +- if ((qcaspi_clkspeed < QCASPI_CLK_SPEED_MIN) || +- (qcaspi_clkspeed > QCASPI_CLK_SPEED_MAX)) { +- dev_err(&spi->dev, "Invalid clkspeed: %d\n", +- qcaspi_clkspeed); ++ if (spi->max_speed_hz < QCASPI_CLK_SPEED_MIN || ++ spi->max_speed_hz > QCASPI_CLK_SPEED_MAX) { ++ dev_err(&spi->dev, "Invalid clkspeed: %u\n", ++ spi->max_speed_hz); + return -EINVAL; + } + +@@ -953,14 +950,13 @@ qca_spi_probe(struct spi_device *spi) + return -EINVAL; + } + +- dev_info(&spi->dev, "ver=%s, clkspeed=%d, burst_len=%d, pluggable=%d\n", ++ dev_info(&spi->dev, "ver=%s, clkspeed=%u, burst_len=%d, pluggable=%d\n", + QCASPI_DRV_VERSION, +- qcaspi_clkspeed, ++ spi->max_speed_hz, + qcaspi_burst_len, + qcaspi_pluggable); + + spi->mode = SPI_MODE_3; +- spi->max_speed_hz = qcaspi_clkspeed; + if (spi_setup(spi) < 0) { + dev_err(&spi->dev, "Unable to setup SPI device\n"); + return -EFAULT; +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.h b/drivers/net/ethernet/qualcomm/qca_spi.h +index 58ad910068d4..b3b17bd46e12 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.h ++++ b/drivers/net/ethernet/qualcomm/qca_spi.h +@@ -101,7 +101,6 @@ struct qcaspi { + #endif + + /* user configurable options */ +- u32 clkspeed; + u8 legacy_mode; + u16 burst_len; + }; +-- +2.39.5 + diff --git a/queue-5.15/qca_spi-make-driver-probing-reliable.patch b/queue-5.15/qca_spi-make-driver-probing-reliable.patch new file mode 100644 index 00000000000..e51a34b1c5e --- /dev/null +++ b/queue-5.15/qca_spi-make-driver-probing-reliable.patch @@ -0,0 +1,40 @@ +From 66083b36f15863237aed29475e93ebed040a9650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:46:43 +0100 +Subject: qca_spi: Make driver probing reliable + +From: Stefan Wahren + +[ Upstream commit becc6399ce3b724cffe9ccb7ef0bff440bb1b62b ] + +The module parameter qcaspi_pluggable controls if QCA7000 signature +should be checked at driver probe (current default) or not. Unfortunately +this could fail in case the chip is temporary in reset, which isn't under +total control by the Linux host. So disable this check per default +in order to avoid unexpected probe failures. + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: Stefan Wahren +Link: https://patch.msgid.link/20241206184643.123399-3-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 926eec0a9532..9b34ab547840 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -67,7 +67,7 @@ MODULE_PARM_DESC(qcaspi_burst_len, "Number of data bytes per burst. Use 1-5000." + + #define QCASPI_PLUGGABLE_MIN 0 + #define QCASPI_PLUGGABLE_MAX 1 +-static int qcaspi_pluggable = QCASPI_PLUGGABLE_MIN; ++static int qcaspi_pluggable = QCASPI_PLUGGABLE_MAX; + module_param(qcaspi_pluggable, int, 0); + MODULE_PARM_DESC(qcaspi_pluggable, "Pluggable SPI connection (yes/no)."); + +-- +2.39.5 + diff --git a/queue-5.15/selftests-mlxsw-sharedbuffer-remove-duplicate-test-c.patch b/queue-5.15/selftests-mlxsw-sharedbuffer-remove-duplicate-test-c.patch new file mode 100644 index 00000000000..eb20662a5ea --- /dev/null +++ b/queue-5.15/selftests-mlxsw-sharedbuffer-remove-duplicate-test-c.patch @@ -0,0 +1,58 @@ +From 5c8e3c8da64c3642159a5b7ca9086a7a8a4a1593 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 17:36:00 +0100 +Subject: selftests: mlxsw: sharedbuffer: Remove duplicate test cases + +From: Danielle Ratson + +[ Upstream commit 6c46ad4d1bb2e8ec2265296e53765190f6e32f33 ] + +On both port_tc_ip_test() and port_tc_arp_test(), the max occupancy is +checked on $h2 twice, when only the error message is different and does not +match the check itself. + +Remove the two duplicated test cases from the test. + +Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test") +Signed-off-by: Danielle Ratson +Reviewed-by: Ido Schimmel +Signed-off-by: Ido Schimmel +Signed-off-by: Petr Machata +Link: https://patch.msgid.link/d9eb26f6fc16a06a30b5c2c16ad80caf502bc561.1733414773.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../selftests/drivers/net/mlxsw/sharedbuffer.sh | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh +index f6f5e2090891..9c3c426197af 100755 +--- a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh +@@ -131,11 +131,6 @@ port_tc_ip_test() + + devlink sb occupancy snapshot $DEVLINK_DEV + +- RET=0 +- max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ) +- check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ" +- log_test "physical port's($h1) ingress TC - IP packet" +- + RET=0 + max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ) + check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ" +@@ -162,11 +157,6 @@ port_tc_arp_test() + + devlink sb occupancy snapshot $DEVLINK_DEV + +- RET=0 +- max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ) +- check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ" +- log_test "physical port's($h1) ingress TC - ARP packet" +- + RET=0 + max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ) + check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ" +-- +2.39.5 + diff --git a/queue-5.15/selftests-mlxsw-sharedbuffer-remove-h1-ingress-test-.patch b/queue-5.15/selftests-mlxsw-sharedbuffer-remove-h1-ingress-test-.patch new file mode 100644 index 00000000000..08a90e1a837 --- /dev/null +++ b/queue-5.15/selftests-mlxsw-sharedbuffer-remove-h1-ingress-test-.patch @@ -0,0 +1,48 @@ +From 7ce2283f82d017adca25e9c9959b83cddea373f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 17:35:59 +0100 +Subject: selftests: mlxsw: sharedbuffer: Remove h1 ingress test case + +From: Danielle Ratson + +[ Upstream commit cf3515c556907b4da290967a2a6cbbd9ee0ee723 ] + +The test is sending only one packet generated with mausezahn from $h1 to +$h2. However, for some reason, it is testing for non-zero maximum occupancy +in both the ingress pool of $h1 and $h2. The former only passes when $h2 +happens to send a packet. + +Avoid intermittent failures by removing unintentional test case +regarding the ingress pool of $h1. + +Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test") +Signed-off-by: Danielle Ratson +Reviewed-by: Ido Schimmel +Signed-off-by: Ido Schimmel +Signed-off-by: Petr Machata +Link: https://patch.msgid.link/5b7344608d5e06f38209e48d8af8c92fa11b6742.1733414773.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh +index 7d9e73a43a49..f6f5e2090891 100755 +--- a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh +@@ -108,11 +108,6 @@ port_pool_test() + + devlink sb occupancy snapshot $DEVLINK_DEV + +- RET=0 +- max_occ=$(sb_occ_pool_check $dl_port1 $SB_POOL_ING $exp_max_occ) +- check_err $? "Expected iPool($SB_POOL_ING) max occupancy to be $exp_max_occ, but got $max_occ" +- log_test "physical port's($h1) ingress pool" +- + RET=0 + max_occ=$(sb_occ_pool_check $dl_port2 $SB_POOL_ING $exp_max_occ) + check_err $? "Expected iPool($SB_POOL_ING) max occupancy to be $exp_max_occ, but got $max_occ" +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index fcb0d982254..670626cc2e4 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -16,3 +16,25 @@ xfs-fix-scrub-tracepoints-when-inode-rooted-btrees-are-involved.patch bpf-sockmap-fix-update-element-with-same.patch virtio-vsock-fix-accept_queue-memory-leak.patch exfat-fix-potential-deadlock-on-__exfat_get_dentry_set.patch +acpi-nfit-vmalloc-out-of-bounds-read-in-acpi_nfit_ct.patch +batman-adv-do-not-send-uninitialized-tt-changes.patch +batman-adv-remove-uninitialized-data-in-full-table-t.patch +batman-adv-do-not-let-tt-changes-list-grows-indefini.patch +tipc-fix-null-deref-in-cleanup_bearer.patch +selftests-mlxsw-sharedbuffer-remove-h1-ingress-test-.patch +selftests-mlxsw-sharedbuffer-remove-duplicate-test-c.patch +ptp-kvm-use-decrypted-memory-in-confidential-guest-o.patch +ptp-kvm-x86-return-eopnotsupp-instead-of-enodev-from.patch +net-lapb-increase-lapb_header_len.patch +net-sparx5-fix-fdma-performance-issue.patch +net-sparx5-fix-the-maximum-frame-length-register.patch +acpi-resource-fix-memory-resource-type-union-access.patch +cxgb4-use-port-number-to-set-mac-addr.patch +qca_spi-fix-clock-speed-for-multiple-qca7000.patch +qca_spi-make-driver-probing-reliable.patch +documentation-pm-clarify-pm_runtime_resume_and_get-r.patch +net-sched-netem-account-for-backlog-updates-from-chi.patch +bonding-fix-feature-propagation-of-netif_f_gso_encap.patch +team-fix-feature-propagation-of-netif_f_gso_encap_al.patch +acpica-events-evxfregn-don-t-release-the-contextmute.patch +blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch diff --git a/queue-5.15/team-fix-feature-propagation-of-netif_f_gso_encap_al.patch b/queue-5.15/team-fix-feature-propagation-of-netif_f_gso_encap_al.patch new file mode 100644 index 00000000000..2e07a37a9d9 --- /dev/null +++ b/queue-5.15/team-fix-feature-propagation-of-netif_f_gso_encap_al.patch @@ -0,0 +1,44 @@ +From d3188be4ba1d1556dd6fa218c1bf970f91fc8f84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 15:12:45 +0100 +Subject: team: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL + +From: Daniel Borkmann + +[ Upstream commit 98712844589e06d9aa305b5077169942139fd75c ] + +Similar to bonding driver, add NETIF_F_GSO_ENCAP_ALL to TEAM_VLAN_FEATURES +in order to support slave devices which propagate NETIF_F_GSO_UDP_TUNNEL & +NETIF_F_GSO_UDP_TUNNEL_CSUM as vlan_features. + +Fixes: 3625920b62c3 ("teaming: fix vlan_features computing") +Signed-off-by: Daniel Borkmann +Cc: Nikolay Aleksandrov +Cc: Ido Schimmel +Cc: Jiri Pirko +Reviewed-by: Nikolay Aleksandrov +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20241210141245.327886-5-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 8edfc8984e2c..5e5af71a85ac 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -979,7 +979,8 @@ static void team_port_disable(struct team *team, + + #define TEAM_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ + NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \ +- NETIF_F_HIGHDMA | NETIF_F_LRO) ++ NETIF_F_HIGHDMA | NETIF_F_LRO | \ ++ NETIF_F_GSO_ENCAP_ALL) + + #define TEAM_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ + NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE) +-- +2.39.5 + diff --git a/queue-5.15/tipc-fix-null-deref-in-cleanup_bearer.patch b/queue-5.15/tipc-fix-null-deref-in-cleanup_bearer.patch new file mode 100644 index 00000000000..1bf2d7e0aff --- /dev/null +++ b/queue-5.15/tipc-fix-null-deref-in-cleanup_bearer.patch @@ -0,0 +1,82 @@ +From 91817e62fa9d234cd32c71ad25ae7c774cb7e842 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 17:05:48 +0000 +Subject: tipc: fix NULL deref in cleanup_bearer() + +From: Eric Dumazet + +[ Upstream commit b04d86fff66b15c07505d226431f808c15b1703c ] + +syzbot found [1] that after blamed commit, ub->ubsock->sk +was NULL when attempting the atomic_dec() : + +atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); + +Fix this by caching the tipc_net pointer. + +[1] + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] +CPU: 0 UID: 0 PID: 5896 Comm: kworker/0:3 Not tainted 6.13.0-rc1-next-20241203-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Workqueue: events cleanup_bearer + RIP: 0010:read_pnet include/net/net_namespace.h:387 [inline] + RIP: 0010:sock_net include/net/sock.h:655 [inline] + RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820 +Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 3c f7 99 f6 48 8b 1b 48 83 c3 30 e8 f0 e4 60 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 1a f7 99 f6 49 83 c7 e8 48 8b 1b +RSP: 0018:ffffc9000410fb70 EFLAGS: 00010206 +RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88802fe45a00 +RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffc9000410f900 +RBP: ffff88807e1f0908 R08: ffffc9000410f907 R09: 1ffff92000821f20 +R10: dffffc0000000000 R11: fffff52000821f21 R12: ffff888031d19980 +R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88807e1f0918 +FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000556ca050b000 CR3: 0000000031c0c000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: 6a2fa13312e5 ("tipc: Fix use-after-free of kernel socket in cleanup_bearer().") +Reported-by: syzbot+46aa5474f179dacd1a3b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/67508b5f.050a0220.17bd51.0070.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20241204170548.4152658-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/udp_media.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index 3f5a12b85b2d..f5bd75d931c1 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -811,6 +811,7 @@ static void cleanup_bearer(struct work_struct *work) + { + struct udp_bearer *ub = container_of(work, struct udp_bearer, work); + struct udp_replicast *rcast, *tmp; ++ struct tipc_net *tn; + + list_for_each_entry_safe(rcast, tmp, &ub->rcast.list, list) { + dst_cache_destroy(&rcast->dst_cache); +@@ -818,10 +819,14 @@ static void cleanup_bearer(struct work_struct *work) + kfree_rcu(rcast, rcu); + } + ++ tn = tipc_net(sock_net(ub->ubsock->sk)); ++ + dst_cache_destroy(&ub->rcast.dst_cache); + udp_tunnel_sock_release(ub->ubsock); ++ ++ /* Note: could use a call_rcu() to avoid another synchronize_net() */ + synchronize_net(); +- atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); ++ atomic_dec(&tn->wq_count); + kfree(ub); + } + +-- +2.39.5 + -- 2.47.2