From: Greg Kroah-Hartman Date: Mon, 26 Aug 2024 12:10:42 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.1.107~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2237ae29490a9c1b3310250149379b34d8d1fad6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch mptcp-pm-fullmesh-select-the-right-id-later.patch mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch mptcp-pm-only-mark-subflow-endp-as-available.patch mptcp-pm-re-using-id-of-unused-flushed-subflows.patch mptcp-pm-re-using-id-of-unused-removed-add_addr.patch mptcp-pm-re-using-id-of-unused-removed-subflows.patch mptcp-pm-remove-mptcp_pm_remove_subflow.patch nouveau-firmware-use-dma-non-coherent-allocator.patch pmdomain-imx-scu-pd-remove-duplicated-clocks.patch pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch --- diff --git a/queue-6.6/cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch b/queue-6.6/cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch new file mode 100644 index 00000000000..7bed87b8cc1 --- /dev/null +++ b/queue-6.6/cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch @@ -0,0 +1,38 @@ +From 80a1e7b83bb1834b5568a3872e64c05795d88f31 Mon Sep 17 00:00:00 2001 +From: Nikolay Kuratov +Date: Mon, 19 Aug 2024 10:54:08 +0300 +Subject: cxgb4: add forgotten u64 ivlan cast before shift + +From: Nikolay Kuratov + +commit 80a1e7b83bb1834b5568a3872e64c05795d88f31 upstream. + +It is done everywhere in cxgb4 code, e.g. in is_filter_exact_match() +There is no reason it should not be done here + +Found by Linux Verification Center (linuxtesting.org) with SVACE + +Signed-off-by: Nikolay Kuratov +Cc: stable@vger.kernel.org +Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters") +Reviewed-by: Simon Horman +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20240819075408.92378-1-kniv@yandex-team.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +@@ -1244,7 +1244,8 @@ static u64 hash_filter_ntuple(struct ch_ + * in the Compressed Filter Tuple. + */ + if (tp->vlan_shift >= 0 && fs->mask.ivlan) +- ntuple |= (FT_VLAN_VLD_F | fs->val.ivlan) << tp->vlan_shift; ++ ntuple |= (u64)(FT_VLAN_VLD_F | ++ fs->val.ivlan) << tp->vlan_shift; + + if (tp->port_shift >= 0 && fs->mask.iport) + ntuple |= (u64)fs->val.iport << tp->port_shift; diff --git a/queue-6.6/input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch b/queue-6.6/input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch new file mode 100644 index 00000000000..34b3f765bbf --- /dev/null +++ b/queue-6.6/input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch @@ -0,0 +1,117 @@ +From 3d765ae2daccc570b3f4fbcb57eb321b12cdded2 Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Thu, 4 Jan 2024 19:31:17 +0100 +Subject: Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 + +From: Werner Sembach + +commit 3d765ae2daccc570b3f4fbcb57eb321b12cdded2 upstream. + +On s3 resume the i8042 driver tries to restore the controller to a known +state by reinitializing things, however this can confuse the controller +with different effects. Mostly occasionally unresponsive keyboards after +resume. + +These issues do not rise on s0ix resume as here the controller is assumed +to preserved its state from before suspend. + +This patch adds a quirk for devices where the reinitialization on s3 resume +is not needed and might be harmful as described above. It does this by +using the s0ix resume code path at selected locations. + +This new quirk goes beyond what the preexisting reset=never quirk does, +which only skips some reinitialization steps. + +Signed-off-by: Werner Sembach +Cc: stable@vger.kernel.org +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20240104183118.779778-2-wse@tuxedocomputers.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/serio/i8042-acpipnpio.h | 10 +++++++--- + drivers/input/serio/i8042.c | 10 +++++++--- + 2 files changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/input/serio/i8042-acpipnpio.h ++++ b/drivers/input/serio/i8042-acpipnpio.h +@@ -83,6 +83,7 @@ static inline void i8042_write_command(i + #define SERIO_QUIRK_KBDRESET BIT(12) + #define SERIO_QUIRK_DRITEK BIT(13) + #define SERIO_QUIRK_NOPNP BIT(14) ++#define SERIO_QUIRK_FORCENORESTORE BIT(15) + + /* Quirk table for different mainboards. Options similar or identical to i8042 + * module parameters. +@@ -1685,6 +1686,8 @@ static void __init i8042_check_quirks(vo + if (quirks & SERIO_QUIRK_NOPNP) + i8042_nopnp = true; + #endif ++ if (quirks & SERIO_QUIRK_FORCENORESTORE) ++ i8042_forcenorestore = true; + } + #else + static inline void i8042_check_quirks(void) {} +@@ -1718,7 +1721,7 @@ static int __init i8042_platform_init(vo + + i8042_check_quirks(); + +- pr_debug("Active quirks (empty means none):%s%s%s%s%s%s%s%s%s%s%s%s%s\n", ++ pr_debug("Active quirks (empty means none):%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + i8042_nokbd ? " nokbd" : "", + i8042_noaux ? " noaux" : "", + i8042_nomux ? " nomux" : "", +@@ -1738,10 +1741,11 @@ static int __init i8042_platform_init(vo + "", + #endif + #ifdef CONFIG_PNP +- i8042_nopnp ? " nopnp" : ""); ++ i8042_nopnp ? " nopnp" : "", + #else +- ""); ++ "", + #endif ++ i8042_forcenorestore ? " forcenorestore" : ""); + + retval = i8042_pnp_init(); + if (retval) +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -115,6 +115,10 @@ module_param_named(nopnp, i8042_nopnp, b + MODULE_PARM_DESC(nopnp, "Do not use PNP to detect controller settings"); + #endif + ++static bool i8042_forcenorestore; ++module_param_named(forcenorestore, i8042_forcenorestore, bool, 0); ++MODULE_PARM_DESC(forcenorestore, "Force no restore on s3 resume, copying s2idle behaviour"); ++ + #define DEBUG + #ifdef DEBUG + static bool i8042_debug; +@@ -1232,7 +1236,7 @@ static int i8042_pm_suspend(struct devic + { + int i; + +- if (pm_suspend_via_firmware()) ++ if (!i8042_forcenorestore && pm_suspend_via_firmware()) + i8042_controller_reset(true); + + /* Set up serio interrupts for system wakeup. */ +@@ -1248,7 +1252,7 @@ static int i8042_pm_suspend(struct devic + + static int i8042_pm_resume_noirq(struct device *dev) + { +- if (!pm_resume_via_firmware()) ++ if (i8042_forcenorestore || !pm_resume_via_firmware()) + i8042_interrupt(0, NULL); + + return 0; +@@ -1271,7 +1275,7 @@ static int i8042_pm_resume(struct device + * not restore the controller state to whatever it had been at boot + * time, so we do not need to do anything. + */ +- if (!pm_suspend_via_firmware()) ++ if (i8042_forcenorestore || !pm_suspend_via_firmware()) + return 0; + + /* diff --git a/queue-6.6/input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch b/queue-6.6/input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch new file mode 100644 index 00000000000..5deb2ceb8d3 --- /dev/null +++ b/queue-6.6/input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch @@ -0,0 +1,46 @@ +From aaa4ca873d3da768896ffc909795359a01e853ef Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Thu, 4 Jan 2024 19:31:18 +0100 +Subject: Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination + +From: Werner Sembach + +commit aaa4ca873d3da768896ffc909795359a01e853ef upstream. + +The old quirk combination sometimes cause a laggy keyboard after boot. With +the new quirk the initial issue of an unresponsive keyboard after s3 resume +is also fixed, but it doesn't have the negative side effect of the +sometimes laggy keyboard. + +Signed-off-by: Werner Sembach +Cc: stable@vger.kernel.org +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20240104183118.779778-3-wse@tuxedocomputers.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/serio/i8042-acpipnpio.h | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +--- a/drivers/input/serio/i8042-acpipnpio.h ++++ b/drivers/input/serio/i8042-acpipnpio.h +@@ -1150,18 +1150,10 @@ static const struct dmi_system_id i8042_ + SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) + }, + { +- /* +- * Setting SERIO_QUIRK_NOMUX or SERIO_QUIRK_RESET_ALWAYS makes +- * the keyboard very laggy for ~5 seconds after boot and +- * sometimes also after resume. +- * However both are required for the keyboard to not fail +- * completely sometimes after boot or resume. +- */ + .matches = { + DMI_MATCH(DMI_BOARD_NAME, "N150CU"), + }, +- .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | +- SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ .driver_data = (void *)(SERIO_QUIRK_FORCENORESTORE) + }, + { + .matches = { diff --git a/queue-6.6/kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch b/queue-6.6/kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch new file mode 100644 index 00000000000..acf20da79ba --- /dev/null +++ b/queue-6.6/kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch @@ -0,0 +1,66 @@ +From 3e6245ebe7ef341639e9a7e402b3ade8ad45a19f Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 20 Aug 2024 11:03:38 +0100 +Subject: KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 + +From: Marc Zyngier + +commit 3e6245ebe7ef341639e9a7e402b3ade8ad45a19f upstream. + +On a system with a GICv3, if a guest hasn't been configured with +GICv3 and that the host is not capable of GICv2 emulation, +a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2. + +We therefore try to emulate the SGI access, only to hit a NULL +pointer as no private interrupt is allocated (no GIC, remember?). + +The obvious fix is to give the guest what it deserves, in the +shape of a UNDEF exception. + +Reported-by: Alexander Potapenko +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240820100349.3544850-2-maz@kernel.org +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/sys_regs.c | 6 ++++++ + arch/arm64/kvm/vgic/vgic.h | 7 +++++++ + 2 files changed, 13 insertions(+) + +--- a/arch/arm64/kvm/sys_regs.c ++++ b/arch/arm64/kvm/sys_regs.c +@@ -32,6 +32,7 @@ + #include + + #include "sys_regs.h" ++#include "vgic/vgic.h" + + #include "trace.h" + +@@ -301,6 +302,11 @@ static bool access_gic_sgi(struct kvm_vc + { + bool g1; + ++ if (!kvm_has_gicv3(vcpu->kvm)) { ++ kvm_inject_undefined(vcpu); ++ return false; ++ } ++ + if (!p->is_write) + return read_from_write_only(vcpu, p, r); + +--- a/arch/arm64/kvm/vgic/vgic.h ++++ b/arch/arm64/kvm/vgic/vgic.h +@@ -343,4 +343,11 @@ void vgic_v4_configure_vsgis(struct kvm + void vgic_v4_get_vlpi_state(struct vgic_irq *irq, bool *val); + int vgic_v4_request_vpe_irq(struct kvm_vcpu *vcpu, int irq); + ++static inline bool kvm_has_gicv3(struct kvm *kvm) ++{ ++ return (static_branch_unlikely(&kvm_vgic_global_state.gicv3_cpuif) && ++ irqchip_in_kernel(kvm) && ++ kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3); ++} ++ + #endif diff --git a/queue-6.6/mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch b/queue-6.6/mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch new file mode 100644 index 00000000000..71a86235332 --- /dev/null +++ b/queue-6.6/mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch @@ -0,0 +1,47 @@ +From 6275c7bc8dd07644ea8142a1773d826800f0f3f7 Mon Sep 17 00:00:00 2001 +From: Ben Whitten +Date: Sun, 11 Aug 2024 22:22:11 +0100 +Subject: mmc: dw_mmc: allow biu and ciu clocks to defer + +From: Ben Whitten + +commit 6275c7bc8dd07644ea8142a1773d826800f0f3f7 upstream. + +Fix a race condition if the clock provider comes up after mmc is probed, +this causes mmc to fail without retrying. +When given the DEFER error from the clk source, pass it on up the chain. + +Fixes: f90a0612f0e1 ("mmc: dw_mmc: lookup for optional biu and ciu clocks") +Signed-off-by: Ben Whitten +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240811212212.123255-1-ben.whitten@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/dw_mmc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -3294,6 +3294,10 @@ int dw_mci_probe(struct dw_mci *host) + host->biu_clk = devm_clk_get(host->dev, "biu"); + if (IS_ERR(host->biu_clk)) { + dev_dbg(host->dev, "biu clock not available\n"); ++ ret = PTR_ERR(host->biu_clk); ++ if (ret == -EPROBE_DEFER) ++ return ret; ++ + } else { + ret = clk_prepare_enable(host->biu_clk); + if (ret) { +@@ -3305,6 +3309,10 @@ int dw_mci_probe(struct dw_mci *host) + host->ciu_clk = devm_clk_get(host->dev, "ciu"); + if (IS_ERR(host->ciu_clk)) { + dev_dbg(host->dev, "ciu clock not available\n"); ++ ret = PTR_ERR(host->ciu_clk); ++ if (ret == -EPROBE_DEFER) ++ goto err_clk_biu; ++ + host->bus_hz = host->pdata->bus_hz; + } else { + ret = clk_prepare_enable(host->ciu_clk); diff --git a/queue-6.6/mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch b/queue-6.6/mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch new file mode 100644 index 00000000000..73f3b57ea55 --- /dev/null +++ b/queue-6.6/mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch @@ -0,0 +1,49 @@ +From 9374ae912dbb1eed8139ed75fd2c0f1b30ca454d Mon Sep 17 00:00:00 2001 +From: Mengqi Zhang +Date: Tue, 16 Jul 2024 09:37:04 +0800 +Subject: mmc: mtk-sd: receive cmd8 data when hs400 tuning fail + +From: Mengqi Zhang + +commit 9374ae912dbb1eed8139ed75fd2c0f1b30ca454d upstream. + +When we use cmd8 as the tuning command in hs400 mode, the command +response sent back by some eMMC devices cannot be correctly sampled +by MTK eMMC controller at some weak sample timing. In this case, +command timeout error may occur. So we must receive the following +data to make sure the next cmd8 send correctly. + +Signed-off-by: Mengqi Zhang +Fixes: c4ac38c6539b ("mmc: mtk-sd: Add HS400 online tuning support") +Cc: stable@vger.stable.com +Link: https://lore.kernel.org/r/20240716013704.10578-1-mengqi.zhang@mediatek.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/mtk-sd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -1222,7 +1222,7 @@ static bool msdc_cmd_done(struct msdc_ho + } + + if (!sbc_error && !(events & MSDC_INT_CMDRDY)) { +- if (events & MSDC_INT_CMDTMO || ++ if ((events & MSDC_INT_CMDTMO && !host->hs400_tuning) || + (!mmc_op_tuning(cmd->opcode) && !host->hs400_tuning)) + /* + * should not clear fifo/interrupt as the tune data +@@ -1315,9 +1315,9 @@ static void msdc_start_command(struct ms + static void msdc_cmd_next(struct msdc_host *host, + struct mmc_request *mrq, struct mmc_command *cmd) + { +- if ((cmd->error && +- !(cmd->error == -EILSEQ && +- (mmc_op_tuning(cmd->opcode) || host->hs400_tuning))) || ++ if ((cmd->error && !host->hs400_tuning && ++ !(cmd->error == -EILSEQ && ++ mmc_op_tuning(cmd->opcode))) || + (mrq->sbc && mrq->sbc->error)) + msdc_request_done(host, mrq); + else if (cmd == mrq->sbc) diff --git a/queue-6.6/mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch b/queue-6.6/mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch new file mode 100644 index 00000000000..138e3c17472 --- /dev/null +++ b/queue-6.6/mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch @@ -0,0 +1,171 @@ +From 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:32 +0200 +Subject: mptcp: pm: avoid possible UaF when selecting endp + +From: Matthieu Baerts (NGI0) + +commit 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d upstream. + +select_local_address() and select_signal_address() both select an +endpoint entry from the list inside an RCU protected section, but return +a reference to it, to be read later on. If the entry is dereferenced +after the RCU unlock, reading info could cause a Use-after-Free. + +A simple solution is to copy the required info while inside the RCU +protected section to avoid any risk of UaF later. The address ID might +need to be modified later to handle the ID0 case later, so a copy seems +OK to deal with. + +Reported-by: Paolo Abeni +Closes: https://lore.kernel.org/45cd30d3-7710-491c-ae4d-a1368c00beb1@redhat.com +Fixes: 01cacb00b35c ("mptcp: add netlink-based PM") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-14-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 64 ++++++++++++++++++++++++++----------------------- + 1 file changed, 34 insertions(+), 30 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -148,11 +148,13 @@ static bool lookup_subflow_by_daddr(cons + return false; + } + +-static struct mptcp_pm_addr_entry * ++static bool + select_local_address(const struct pm_nl_pernet *pernet, +- const struct mptcp_sock *msk) ++ const struct mptcp_sock *msk, ++ struct mptcp_pm_addr_entry *new_entry) + { +- struct mptcp_pm_addr_entry *entry, *ret = NULL; ++ struct mptcp_pm_addr_entry *entry; ++ bool found = false; + + msk_owned_by_me(msk); + +@@ -164,17 +166,21 @@ select_local_address(const struct pm_nl_ + if (!test_bit(entry->addr.id, msk->pm.id_avail_bitmap)) + continue; + +- ret = entry; ++ *new_entry = *entry; ++ found = true; + break; + } + rcu_read_unlock(); +- return ret; ++ ++ return found; + } + +-static struct mptcp_pm_addr_entry * +-select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk) ++static bool ++select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk, ++ struct mptcp_pm_addr_entry *new_entry) + { +- struct mptcp_pm_addr_entry *entry, *ret = NULL; ++ struct mptcp_pm_addr_entry *entry; ++ bool found = false; + + rcu_read_lock(); + /* do not keep any additional per socket state, just signal +@@ -189,11 +195,13 @@ select_signal_address(struct pm_nl_perne + if (!(entry->flags & MPTCP_PM_ADDR_FLAG_SIGNAL)) + continue; + +- ret = entry; ++ *new_entry = *entry; ++ found = true; + break; + } + rcu_read_unlock(); +- return ret; ++ ++ return found; + } + + unsigned int mptcp_pm_get_add_addr_signal_max(const struct mptcp_sock *msk) +@@ -520,9 +528,10 @@ __lookup_addr(struct pm_nl_pernet *perne + + static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) + { +- struct mptcp_pm_addr_entry *local, *signal_and_subflow = NULL; + struct sock *sk = (struct sock *)msk; ++ struct mptcp_pm_addr_entry local; + unsigned int add_addr_signal_max; ++ bool signal_and_subflow = false; + unsigned int local_addr_max; + struct pm_nl_pernet *pernet; + unsigned int subflows_max; +@@ -573,23 +582,22 @@ static void mptcp_pm_create_subflow_or_s + if (msk->pm.addr_signal & BIT(MPTCP_ADD_ADDR_SIGNAL)) + return; + +- local = select_signal_address(pernet, msk); +- if (!local) ++ if (!select_signal_address(pernet, msk, &local)) + goto subflow; + + /* If the alloc fails, we are on memory pressure, not worth + * continuing, and trying to create subflows. + */ +- if (!mptcp_pm_alloc_anno_list(msk, &local->addr)) ++ if (!mptcp_pm_alloc_anno_list(msk, &local.addr)) + return; + +- __clear_bit(local->addr.id, msk->pm.id_avail_bitmap); ++ __clear_bit(local.addr.id, msk->pm.id_avail_bitmap); + msk->pm.add_addr_signaled++; +- mptcp_pm_announce_addr(msk, &local->addr, false); ++ mptcp_pm_announce_addr(msk, &local.addr, false); + mptcp_pm_nl_addr_send_ack(msk); + +- if (local->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) +- signal_and_subflow = local; ++ if (local.flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) ++ signal_and_subflow = true; + } + + subflow: +@@ -600,26 +608,22 @@ subflow: + bool fullmesh; + int i, nr; + +- if (signal_and_subflow) { +- local = signal_and_subflow; +- signal_and_subflow = NULL; +- } else { +- local = select_local_address(pernet, msk); +- if (!local) +- break; +- } ++ if (signal_and_subflow) ++ signal_and_subflow = false; ++ else if (!select_local_address(pernet, msk, &local)) ++ break; + +- fullmesh = !!(local->flags & MPTCP_PM_ADDR_FLAG_FULLMESH); ++ fullmesh = !!(local.flags & MPTCP_PM_ADDR_FLAG_FULLMESH); + + msk->pm.local_addr_used++; +- __clear_bit(local->addr.id, msk->pm.id_avail_bitmap); +- nr = fill_remote_addresses_vec(msk, &local->addr, fullmesh, addrs); ++ __clear_bit(local.addr.id, msk->pm.id_avail_bitmap); ++ nr = fill_remote_addresses_vec(msk, &local.addr, fullmesh, addrs); + if (nr == 0) + continue; + + spin_unlock_bh(&msk->pm.lock); + for (i = 0; i < nr; i++) +- __mptcp_subflow_connect(sk, &local->addr, &addrs[i]); ++ __mptcp_subflow_connect(sk, &local.addr, &addrs[i]); + spin_lock_bh(&msk->pm.lock); + } + mptcp_pm_nl_check_work_pending(msk); diff --git a/queue-6.6/mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch b/queue-6.6/mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch new file mode 100644 index 00000000000..9d770e4536d --- /dev/null +++ b/queue-6.6/mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch @@ -0,0 +1,36 @@ +From 0137a3c7c2ea3f9df8ebfc65d78b4ba712a187bb Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:28 +0200 +Subject: mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR + +From: Matthieu Baerts (NGI0) + +commit 0137a3c7c2ea3f9df8ebfc65d78b4ba712a187bb upstream. + +The limits might have changed in between, it is best to check them +before accepting new ADD_ADDR. + +Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-10-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -856,8 +856,8 @@ static void mptcp_pm_nl_rm_addr_or_subfl + /* Note: if the subflow has been closed before, this + * add_addr_accepted counter will not be decremented. + */ +- msk->pm.add_addr_accepted--; +- WRITE_ONCE(msk->pm.accept_addr, true); ++ if (--msk->pm.add_addr_accepted < mptcp_pm_get_add_addr_accept_max(msk)) ++ WRITE_ONCE(msk->pm.accept_addr, true); + } + } + } diff --git a/queue-6.6/mptcp-pm-fullmesh-select-the-right-id-later.patch b/queue-6.6/mptcp-pm-fullmesh-select-the-right-id-later.patch new file mode 100644 index 00000000000..49d1f4d8156 --- /dev/null +++ b/queue-6.6/mptcp-pm-fullmesh-select-the-right-id-later.patch @@ -0,0 +1,64 @@ +From 09355f7abb9fbfc1a240be029837921ea417bf4f Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:30 +0200 +Subject: mptcp: pm: fullmesh: select the right ID later + +From: Matthieu Baerts (NGI0) + +commit 09355f7abb9fbfc1a240be029837921ea417bf4f upstream. + +When reacting upon the reception of an ADD_ADDR, the in-kernel PM first +looks for fullmesh endpoints. If there are some, it will pick them, +using their entry ID. + +It should set the ID 0 when using the endpoint corresponding to the +initial subflow, it is a special case imposed by the MPTCP specs. + +Note that msk->mpc_endpoint_id might not be set when receiving the first +ADD_ADDR from the server. So better to compare the addresses. + +Fixes: 1a0d6136c5f0 ("mptcp: local addresses fullmesh") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-12-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -644,6 +644,7 @@ static unsigned int fill_local_addresses + { + struct sock *sk = (struct sock *)msk; + struct mptcp_pm_addr_entry *entry; ++ struct mptcp_addr_info mpc_addr; + struct pm_nl_pernet *pernet; + unsigned int subflows_max; + int i = 0; +@@ -651,6 +652,8 @@ static unsigned int fill_local_addresses + pernet = pm_nl_get_pernet_from_msk(msk); + subflows_max = mptcp_pm_get_subflows_max(msk); + ++ mptcp_local_address((struct sock_common *)msk, &mpc_addr); ++ + rcu_read_lock(); + list_for_each_entry_rcu(entry, &pernet->local_addr_list, list) { + if (!(entry->flags & MPTCP_PM_ADDR_FLAG_FULLMESH)) +@@ -661,7 +664,13 @@ static unsigned int fill_local_addresses + + if (msk->pm.subflows < subflows_max) { + msk->pm.subflows++; +- addrs[i++] = entry->addr; ++ addrs[i] = entry->addr; ++ ++ /* Special case for ID0: set the correct ID */ ++ if (mptcp_addresses_equal(&entry->addr, &mpc_addr, entry->addr.port)) ++ addrs[i].id = 0; ++ ++ i++; + } + } + rcu_read_unlock(); diff --git a/queue-6.6/mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch b/queue-6.6/mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch new file mode 100644 index 00000000000..2e0d57762cd --- /dev/null +++ b/queue-6.6/mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch @@ -0,0 +1,62 @@ +From 1c1f721375989579e46741f59523e39ec9b2a9bd Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:27 +0200 +Subject: mptcp: pm: only decrement add_addr_accepted for MPJ req + +From: Matthieu Baerts (NGI0) + +commit 1c1f721375989579e46741f59523e39ec9b2a9bd upstream. + +Adding the following warning ... + + WARN_ON_ONCE(msk->pm.add_addr_accepted == 0) + +... before decrementing the add_addr_accepted counter helped to find a +bug when running the "remove single subflow" subtest from the +mptcp_join.sh selftest. + +Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the +subflow closure. Before this patch, and upon the reception of the +RM_ADDR, the other peer will then try to decrement this +add_addr_accepted. That's not correct because the attached subflows have +not been created upon the reception of an ADD_ADDR. + +A way to solve that is to decrement the counter only if the attached +subflow was an MP_JOIN to a remote id that was not 0, and initiated by +the host receiving the RM_ADDR. + +Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-9-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -837,7 +837,7 @@ static void mptcp_pm_nl_rm_addr_or_subfl + mptcp_close_ssk(sk, ssk, subflow); + spin_lock_bh(&msk->pm.lock); + +- removed = true; ++ removed |= subflow->request_join; + if (rm_type == MPTCP_MIB_RMSUBFLOW) + __MPTCP_INC_STATS(sock_net(sk), rm_type); + } +@@ -851,7 +851,11 @@ static void mptcp_pm_nl_rm_addr_or_subfl + if (!mptcp_pm_is_kernel(msk)) + continue; + +- if (rm_type == MPTCP_MIB_RMADDR) { ++ if (rm_type == MPTCP_MIB_RMADDR && rm_id && ++ !WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)) { ++ /* Note: if the subflow has been closed before, this ++ * add_addr_accepted counter will not be decremented. ++ */ + msk->pm.add_addr_accepted--; + WRITE_ONCE(msk->pm.accept_addr, true); + } diff --git a/queue-6.6/mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch b/queue-6.6/mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch new file mode 100644 index 00000000000..a728c2f31dc --- /dev/null +++ b/queue-6.6/mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch @@ -0,0 +1,53 @@ +From ca6e55a703ca2894611bb5c5bca8bfd2290fd91e Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:29 +0200 +Subject: mptcp: pm: only in-kernel cannot have entries with ID 0 + +From: Matthieu Baerts (NGI0) + +commit ca6e55a703ca2894611bb5c5bca8bfd2290fd91e upstream. + +The ID 0 is specific per MPTCP connections. The per netns entries cannot +have this special ID 0 then. + +But that's different for the userspace PM where the entries are per +connection, they can then use this special ID 0. + +Fixes: f40be0db0b76 ("mptcp: unify pm get_flags_and_ifindex_by_id") +Cc: stable@vger.kernel.org +Acked-by: Geliang Tang +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-11-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm.c | 3 --- + net/mptcp/pm_netlink.c | 4 ++++ + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/net/mptcp/pm.c ++++ b/net/mptcp/pm.c +@@ -435,9 +435,6 @@ int mptcp_pm_get_flags_and_ifindex_by_id + *flags = 0; + *ifindex = 0; + +- if (!id) +- return 0; +- + if (mptcp_pm_is_userspace(msk)) + return mptcp_userspace_pm_get_flags_and_ifindex_by_id(msk, id, flags, ifindex); + return mptcp_pm_nl_get_flags_and_ifindex_by_id(msk, id, flags, ifindex); +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1426,6 +1426,10 @@ int mptcp_pm_nl_get_flags_and_ifindex_by + struct sock *sk = (struct sock *)msk; + struct net *net = sock_net(sk); + ++ /* No entries with ID 0 */ ++ if (id == 0) ++ return 0; ++ + rcu_read_lock(); + entry = __lookup_addr_by_id(pm_nl_get_pernet(net), id); + if (entry) { diff --git a/queue-6.6/mptcp-pm-only-mark-subflow-endp-as-available.patch b/queue-6.6/mptcp-pm-only-mark-subflow-endp-as-available.patch new file mode 100644 index 00000000000..94b05893a17 --- /dev/null +++ b/queue-6.6/mptcp-pm-only-mark-subflow-endp-as-available.patch @@ -0,0 +1,114 @@ +From 322ea3778965da72862cca2a0c50253aacf65fe6 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:26 +0200 +Subject: mptcp: pm: only mark 'subflow' endp as available + +From: Matthieu Baerts (NGI0) + +commit 322ea3778965da72862cca2a0c50253aacf65fe6 upstream. + +Adding the following warning ... + + WARN_ON_ONCE(msk->pm.local_addr_used == 0) + +... before decrementing the local_addr_used counter helped to find a bug +when running the "remove single address" subtest from the mptcp_join.sh +selftests. + +Removing a 'signal' endpoint will trigger the removal of all subflows +linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with +rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used +counter, which is wrong in this case because this counter is linked to +'subflow' endpoints, and here it is a 'signal' endpoint that is being +removed. + +Now, the counter is decremented, only if the ID is being used outside +of mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and +if the ID is not 0 -- local_addr_used is not taking into account these +ones. This marking of the ID as being available, and the decrement is +done no matter if a subflow using this ID is currently available, +because the subflow could have been closed before. + +Fixes: 06faa2271034 ("mptcp: remove multi addresses and subflows in PM") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-8-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -841,10 +841,10 @@ static void mptcp_pm_nl_rm_addr_or_subfl + if (rm_type == MPTCP_MIB_RMSUBFLOW) + __MPTCP_INC_STATS(sock_net(sk), rm_type); + } +- if (rm_type == MPTCP_MIB_RMSUBFLOW) +- __set_bit(rm_id ? rm_id : msk->mpc_endpoint_id, msk->pm.id_avail_bitmap); +- else if (rm_type == MPTCP_MIB_RMADDR) ++ ++ if (rm_type == MPTCP_MIB_RMADDR) + __MPTCP_INC_STATS(sock_net(sk), rm_type); ++ + if (!removed) + continue; + +@@ -854,8 +854,6 @@ static void mptcp_pm_nl_rm_addr_or_subfl + if (rm_type == MPTCP_MIB_RMADDR) { + msk->pm.add_addr_accepted--; + WRITE_ONCE(msk->pm.accept_addr, true); +- } else if (rm_type == MPTCP_MIB_RMSUBFLOW) { +- msk->pm.local_addr_used--; + } + } + } +@@ -1472,6 +1470,14 @@ static bool mptcp_pm_remove_anno_addr(st + return ret; + } + ++static void __mark_subflow_endp_available(struct mptcp_sock *msk, u8 id) ++{ ++ /* If it was marked as used, and not ID 0, decrement local_addr_used */ ++ if (!__test_and_set_bit(id ? : msk->mpc_endpoint_id, msk->pm.id_avail_bitmap) && ++ id && !WARN_ON_ONCE(msk->pm.local_addr_used == 0)) ++ msk->pm.local_addr_used--; ++} ++ + static int mptcp_nl_remove_subflow_and_signal_addr(struct net *net, + const struct mptcp_pm_addr_entry *entry) + { +@@ -1505,11 +1511,11 @@ static int mptcp_nl_remove_subflow_and_s + spin_lock_bh(&msk->pm.lock); + mptcp_pm_nl_rm_subflow_received(msk, &list); + spin_unlock_bh(&msk->pm.lock); +- } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { +- /* If the subflow has been used, but now closed */ ++ } ++ ++ if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { + spin_lock_bh(&msk->pm.lock); +- if (!__test_and_set_bit(entry->addr.id, msk->pm.id_avail_bitmap)) +- msk->pm.local_addr_used--; ++ __mark_subflow_endp_available(msk, list.ids[0]); + spin_unlock_bh(&msk->pm.lock); + } + +@@ -1547,6 +1553,7 @@ static int mptcp_nl_remove_id_zero_addre + spin_lock_bh(&msk->pm.lock); + mptcp_pm_remove_addr(msk, &list); + mptcp_pm_nl_rm_subflow_received(msk, &list); ++ __mark_subflow_endp_available(msk, 0); + spin_unlock_bh(&msk->pm.lock); + release_sock(sk); + +@@ -1939,6 +1946,7 @@ static void mptcp_pm_nl_fullmesh(struct + + spin_lock_bh(&msk->pm.lock); + mptcp_pm_nl_rm_subflow_received(msk, &list); ++ __mark_subflow_endp_available(msk, list.ids[0]); + mptcp_pm_create_subflow_or_signal_addr(msk); + spin_unlock_bh(&msk->pm.lock); + } diff --git a/queue-6.6/mptcp-pm-re-using-id-of-unused-flushed-subflows.patch b/queue-6.6/mptcp-pm-re-using-id-of-unused-flushed-subflows.patch new file mode 100644 index 00000000000..70707bf59dc --- /dev/null +++ b/queue-6.6/mptcp-pm-re-using-id-of-unused-flushed-subflows.patch @@ -0,0 +1,49 @@ +From ef34a6ea0cab1800f4b3c9c3c2cefd5091e03379 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:23 +0200 +Subject: mptcp: pm: re-using ID of unused flushed subflows + +From: Matthieu Baerts (NGI0) + +commit ef34a6ea0cab1800f4b3c9c3c2cefd5091e03379 upstream. + +If no subflows are attached to the 'subflow' endpoints that are being +flushed, the corresponding addr IDs will not be marked as available +again. + +Mark all ID as being available when flushing all the 'subflow' +endpoints, and reset local_addr_used counter to cover these cases. + +Note that mptcp_pm_remove_addrs_and_subflows() helper is only called for +flushing operations, not to remove a specific set of addresses and +subflows. + +Fixes: 06faa2271034 ("mptcp: remove multi addresses and subflows in PM") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-5-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1654,8 +1654,15 @@ void mptcp_pm_remove_addrs_and_subflows( + mptcp_pm_remove_addr(msk, &alist); + spin_unlock_bh(&msk->pm.lock); + } ++ + if (slist.nr) + mptcp_pm_remove_subflow(msk, &slist); ++ ++ /* Reset counters: maybe some subflows have been removed before */ ++ spin_lock_bh(&msk->pm.lock); ++ bitmap_fill(msk->pm.id_avail_bitmap, MPTCP_PM_MAX_ADDR_ID + 1); ++ msk->pm.local_addr_used = 0; ++ spin_unlock_bh(&msk->pm.lock); + } + + static void mptcp_nl_remove_addrs_list(struct net *net, diff --git a/queue-6.6/mptcp-pm-re-using-id-of-unused-removed-add_addr.patch b/queue-6.6/mptcp-pm-re-using-id-of-unused-removed-add_addr.patch new file mode 100644 index 00000000000..512d0f56be0 --- /dev/null +++ b/queue-6.6/mptcp-pm-re-using-id-of-unused-removed-add_addr.patch @@ -0,0 +1,40 @@ +From e255683c06df572ead96db5efb5d21be30c0efaa Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:19 +0200 +Subject: mptcp: pm: re-using ID of unused removed ADD_ADDR + +From: Matthieu Baerts (NGI0) + +commit e255683c06df572ead96db5efb5d21be30c0efaa upstream. + +If no subflow is attached to the 'signal' endpoint that is being +removed, the addr ID will not be marked as available again. + +Mark the linked ID as available when removing the address entry from the +list to cover this case. + +Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-1-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1462,7 +1462,10 @@ static bool mptcp_pm_remove_anno_addr(st + ret = remove_anno_list_by_saddr(msk, addr); + if (ret || force) { + spin_lock_bh(&msk->pm.lock); +- msk->pm.add_addr_signaled -= ret; ++ if (ret) { ++ __set_bit(addr->id, msk->pm.id_avail_bitmap); ++ msk->pm.add_addr_signaled--; ++ } + mptcp_pm_remove_addr(msk, &list); + spin_unlock_bh(&msk->pm.lock); + } diff --git a/queue-6.6/mptcp-pm-re-using-id-of-unused-removed-subflows.patch b/queue-6.6/mptcp-pm-re-using-id-of-unused-removed-subflows.patch new file mode 100644 index 00000000000..77e99e59077 --- /dev/null +++ b/queue-6.6/mptcp-pm-re-using-id-of-unused-removed-subflows.patch @@ -0,0 +1,51 @@ +From edd8b5d868a4d459f3065493001e293901af758d Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:21 +0200 +Subject: mptcp: pm: re-using ID of unused removed subflows + +From: Matthieu Baerts (NGI0) + +commit edd8b5d868a4d459f3065493001e293901af758d upstream. + +If no subflow is attached to the 'subflow' endpoint that is being +removed, the addr ID will not be marked as available again. + +Mark the linked ID as available when removing the 'subflow' endpoint if +no subflow is attached to it. + +While at it, the local_addr_used counter is decremented if the ID was +marked as being used to reflect the reality, but also to allow adding +new endpoints after that. + +Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-3-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1500,8 +1500,17 @@ static int mptcp_nl_remove_subflow_and_s + remove_subflow = lookup_subflow_by_saddr(&msk->conn_list, addr); + mptcp_pm_remove_anno_addr(msk, addr, remove_subflow && + !(entry->flags & MPTCP_PM_ADDR_FLAG_IMPLICIT)); +- if (remove_subflow) ++ ++ if (remove_subflow) { + mptcp_pm_remove_subflow(msk, &list); ++ } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { ++ /* If the subflow has been used, but now closed */ ++ spin_lock_bh(&msk->pm.lock); ++ if (!__test_and_set_bit(entry->addr.id, msk->pm.id_avail_bitmap)) ++ msk->pm.local_addr_used--; ++ spin_unlock_bh(&msk->pm.lock); ++ } ++ + release_sock(sk); + + next: diff --git a/queue-6.6/mptcp-pm-remove-mptcp_pm_remove_subflow.patch b/queue-6.6/mptcp-pm-remove-mptcp_pm_remove_subflow.patch new file mode 100644 index 00000000000..48b407d427f --- /dev/null +++ b/queue-6.6/mptcp-pm-remove-mptcp_pm_remove_subflow.patch @@ -0,0 +1,121 @@ +From f448451aa62d54be16acb0034223c17e0d12bc69 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:25 +0200 +Subject: mptcp: pm: remove mptcp_pm_remove_subflow() + +From: Matthieu Baerts (NGI0) + +commit f448451aa62d54be16acb0034223c17e0d12bc69 upstream. + +This helper is confusing. It is in pm.c, but it is specific to the +in-kernel PM and it cannot be used by the userspace one. Also, it simply +calls one in-kernel specific function with the PM lock, while the +similar mptcp_pm_remove_addr() helper requires the PM lock. + +What's left is the pr_debug(), which is not that useful, because a +similar one is present in the only function called by this helper: + + mptcp_pm_nl_rm_subflow_received() + +After these modifications, this helper can be marked as 'static', and +the lock can be taken only once in mptcp_pm_flush_addrs_and_subflows(). + +Note that it is not a bug fix, but it will help backporting the +following commits. + +Fixes: 0ee4261a3681 ("mptcp: implement mptcp_pm_remove_subflow") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-7-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm.c | 10 ---------- + net/mptcp/pm_netlink.c | 16 +++++++--------- + net/mptcp/protocol.h | 3 --- + 3 files changed, 7 insertions(+), 22 deletions(-) + +--- a/net/mptcp/pm.c ++++ b/net/mptcp/pm.c +@@ -61,16 +61,6 @@ int mptcp_pm_remove_addr(struct mptcp_so + return 0; + } + +-int mptcp_pm_remove_subflow(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list) +-{ +- pr_debug("msk=%p, rm_list_nr=%d", msk, rm_list->nr); +- +- spin_lock_bh(&msk->pm.lock); +- mptcp_pm_nl_rm_subflow_received(msk, rm_list); +- spin_unlock_bh(&msk->pm.lock); +- return 0; +-} +- + /* path manager event handlers */ + + void mptcp_pm_new_connection(struct mptcp_sock *msk, const struct sock *ssk, int server_side) +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -865,8 +865,8 @@ static void mptcp_pm_nl_rm_addr_received + mptcp_pm_nl_rm_addr_or_subflow(msk, &msk->pm.rm_list_rx, MPTCP_MIB_RMADDR); + } + +-void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk, +- const struct mptcp_rm_list *rm_list) ++static void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk, ++ const struct mptcp_rm_list *rm_list) + { + mptcp_pm_nl_rm_addr_or_subflow(msk, rm_list, MPTCP_MIB_RMSUBFLOW); + } +@@ -1502,7 +1502,9 @@ static int mptcp_nl_remove_subflow_and_s + !(entry->flags & MPTCP_PM_ADDR_FLAG_IMPLICIT)); + + if (remove_subflow) { +- mptcp_pm_remove_subflow(msk, &list); ++ spin_lock_bh(&msk->pm.lock); ++ mptcp_pm_nl_rm_subflow_received(msk, &list); ++ spin_unlock_bh(&msk->pm.lock); + } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { + /* If the subflow has been used, but now closed */ + spin_lock_bh(&msk->pm.lock); +@@ -1648,18 +1650,14 @@ void mptcp_pm_remove_addrs_and_subflows( + alist.ids[alist.nr++] = entry->addr.id; + } + ++ spin_lock_bh(&msk->pm.lock); + if (alist.nr) { +- spin_lock_bh(&msk->pm.lock); + msk->pm.add_addr_signaled -= alist.nr; + mptcp_pm_remove_addr(msk, &alist); +- spin_unlock_bh(&msk->pm.lock); + } +- + if (slist.nr) +- mptcp_pm_remove_subflow(msk, &slist); +- ++ mptcp_pm_nl_rm_subflow_received(msk, &slist); + /* Reset counters: maybe some subflows have been removed before */ +- spin_lock_bh(&msk->pm.lock); + bitmap_fill(msk->pm.id_avail_bitmap, MPTCP_PM_MAX_ADDR_ID + 1); + msk->pm.local_addr_used = 0; + spin_unlock_bh(&msk->pm.lock); +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -945,7 +945,6 @@ int mptcp_pm_announce_addr(struct mptcp_ + const struct mptcp_addr_info *addr, + bool echo); + int mptcp_pm_remove_addr(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list); +-int mptcp_pm_remove_subflow(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list); + void mptcp_pm_remove_addrs(struct mptcp_sock *msk, struct list_head *rm_list); + void mptcp_pm_remove_addrs_and_subflows(struct mptcp_sock *msk, + struct list_head *rm_list); +@@ -1047,8 +1046,6 @@ static inline u8 subflow_get_local_id(co + + void __init mptcp_pm_nl_init(void); + void mptcp_pm_nl_work(struct mptcp_sock *msk); +-void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk, +- const struct mptcp_rm_list *rm_list); + unsigned int mptcp_pm_get_add_addr_signal_max(const struct mptcp_sock *msk); + unsigned int mptcp_pm_get_add_addr_accept_max(const struct mptcp_sock *msk); + unsigned int mptcp_pm_get_subflows_max(const struct mptcp_sock *msk); diff --git a/queue-6.6/nouveau-firmware-use-dma-non-coherent-allocator.patch b/queue-6.6/nouveau-firmware-use-dma-non-coherent-allocator.patch new file mode 100644 index 00000000000..b2abecc516b --- /dev/null +++ b/queue-6.6/nouveau-firmware-use-dma-non-coherent-allocator.patch @@ -0,0 +1,108 @@ +From 9b340aeb26d50e9a9ec99599e2a39b035fac978e Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Fri, 16 Aug 2024 06:19:23 +1000 +Subject: nouveau/firmware: use dma non-coherent allocator + +From: Dave Airlie + +commit 9b340aeb26d50e9a9ec99599e2a39b035fac978e upstream. + +Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit a +BUG() on startup, when the iommu is enabled: + +kernel BUG at include/linux/scatterlist.h:187! +invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30 +Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019 +RIP: 0010:sg_init_one+0x85/0xa0 +Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54 +24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b +0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00 +RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b +RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000 +RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000 +R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508 +R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018 +FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0 +Call Trace: + + ? die+0x36/0x90 + ? do_trap+0xdd/0x100 + ? sg_init_one+0x85/0xa0 + ? do_error_trap+0x65/0x80 + ? sg_init_one+0x85/0xa0 + ? exc_invalid_op+0x50/0x70 + ? sg_init_one+0x85/0xa0 + ? asm_exc_invalid_op+0x1a/0x20 + ? sg_init_one+0x85/0xa0 + nvkm_firmware_ctor+0x14a/0x250 [nouveau] + nvkm_falcon_fw_ctor+0x42/0x70 [nouveau] + ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau] + r535_gsp_oneinit+0xb3/0x15f0 [nouveau] + ? srso_return_thunk+0x5/0x5f + ? srso_return_thunk+0x5/0x5f + ? nvkm_udevice_new+0x95/0x140 [nouveau] + ? srso_return_thunk+0x5/0x5f + ? srso_return_thunk+0x5/0x5f + ? ktime_get+0x47/0xb0 + +Fix this by using the non-coherent allocator instead, I think there +might be a better answer to this, but it involve ripping up some of +APIs using sg lists. + +Cc: stable@vger.kernel.org +Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs") +Signed-off-by: Dave Airlie +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20240815201923.632803-1-airlied@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/core/firmware.c | 9 ++++++--- + drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 6 ++++++ + 2 files changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/core/firmware.c ++++ b/drivers/gpu/drm/nouveau/nvkm/core/firmware.c +@@ -187,7 +187,8 @@ nvkm_firmware_dtor(struct nvkm_firmware + break; + case NVKM_FIRMWARE_IMG_DMA: + nvkm_memory_unref(&memory); +- dma_free_coherent(fw->device->dev, sg_dma_len(&fw->mem.sgl), fw->img, fw->phys); ++ dma_free_noncoherent(fw->device->dev, sg_dma_len(&fw->mem.sgl), ++ fw->img, fw->phys, DMA_TO_DEVICE); + break; + default: + WARN_ON(1); +@@ -212,10 +213,12 @@ nvkm_firmware_ctor(const struct nvkm_fir + break; + case NVKM_FIRMWARE_IMG_DMA: { + dma_addr_t addr; +- + len = ALIGN(fw->len, PAGE_SIZE); + +- fw->img = dma_alloc_coherent(fw->device->dev, len, &addr, GFP_KERNEL); ++ fw->img = dma_alloc_noncoherent(fw->device->dev, ++ len, &addr, ++ DMA_TO_DEVICE, ++ GFP_KERNEL); + if (fw->img) { + memcpy(fw->img, src, fw->len); + fw->phys = addr; +--- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c ++++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c +@@ -89,6 +89,12 @@ nvkm_falcon_fw_boot(struct nvkm_falcon_f + nvkm_falcon_fw_dtor_sigs(fw); + } + ++ /* after last write to the img, sync dma mappings */ ++ dma_sync_single_for_device(fw->fw.device->dev, ++ fw->fw.phys, ++ sg_dma_len(&fw->fw.mem.sgl), ++ DMA_TO_DEVICE); ++ + FLCNFW_DBG(fw, "resetting"); + fw->func->reset(fw); + diff --git a/queue-6.6/pmdomain-imx-scu-pd-remove-duplicated-clocks.patch b/queue-6.6/pmdomain-imx-scu-pd-remove-duplicated-clocks.patch new file mode 100644 index 00000000000..5ff44734186 --- /dev/null +++ b/queue-6.6/pmdomain-imx-scu-pd-remove-duplicated-clocks.patch @@ -0,0 +1,40 @@ +From 50359c9c3cb3e55e840e3485f5ee37da5b2b16b6 Mon Sep 17 00:00:00 2001 +From: Alexander Stein +Date: Wed, 17 Jul 2024 10:03:33 +0200 +Subject: pmdomain: imx: scu-pd: Remove duplicated clocks + +From: Alexander Stein + +commit 50359c9c3cb3e55e840e3485f5ee37da5b2b16b6 upstream. + +These clocks are already added to the list. Remove the duplicates ones. + +Fixes: a67d780720ff ("genpd: imx: scu-pd: add more PDs") +Signed-off-by: Alexander Stein +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240717080334.2210988-1-alexander.stein@ew.tq-group.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/imx/scu-pd.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/pmdomain/imx/scu-pd.c b/drivers/pmdomain/imx/scu-pd.c +index 05841b0bf7f3..01d465d88f60 100644 +--- a/drivers/pmdomain/imx/scu-pd.c ++++ b/drivers/pmdomain/imx/scu-pd.c +@@ -223,11 +223,6 @@ static const struct imx_sc_pd_range imx8qxp_scu_pd_ranges[] = { + { "lvds1-pwm", IMX_SC_R_LVDS_1_PWM_0, 1, false, 0 }, + { "lvds1-lpi2c", IMX_SC_R_LVDS_1_I2C_0, 2, true, 0 }, + +- { "mipi1", IMX_SC_R_MIPI_1, 1, 0 }, +- { "mipi1-pwm0", IMX_SC_R_MIPI_1_PWM_0, 1, 0 }, +- { "mipi1-i2c", IMX_SC_R_MIPI_1_I2C_0, 2, 1 }, +- { "lvds1", IMX_SC_R_LVDS_1, 1, 0 }, +- + /* DC SS */ + { "dc0", IMX_SC_R_DC_0, 1, false, 0 }, + { "dc0-pll", IMX_SC_R_DC_0_PLL_0, 2, true, 0 }, +-- +2.46.0 + diff --git a/queue-6.6/pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch b/queue-6.6/pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch new file mode 100644 index 00000000000..2fec8bc6d01 --- /dev/null +++ b/queue-6.6/pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch @@ -0,0 +1,62 @@ +From 52dd070c62e4ae2b5e7411b920e3f7a64235ecfb Mon Sep 17 00:00:00 2001 +From: Peng Fan +Date: Wed, 14 Aug 2024 20:47:40 +0800 +Subject: pmdomain: imx: wait SSAR when i.MX93 power domain on + +From: Peng Fan + +commit 52dd070c62e4ae2b5e7411b920e3f7a64235ecfb upstream. + +With "quiet" set in bootargs, there is power domain failure: +"imx93_power_domain 44462400.power-domain: pd_off timeout: name: + 44462400.power-domain, stat: 4" + +The current power on opertation takes ISO state as power on finished +flag, but it is wrong. Before powering on operation really finishes, +powering off comes and powering off will never finish because the last +powering on still not finishes, so the following powering off actually +not trigger hardware state machine to run. SSAR is the last step when +powering on a domain, so need to wait SSAR done when powering on. + +Since EdgeLock Enclave(ELE) handshake is involved in the flow, enlarge +the waiting time to 10ms for both on and off to avoid timeout. + +Cc: stable@vger.kernel.org +Fixes: 0a0f7cc25d4a ("soc: imx: add i.MX93 SRC power domain driver") +Reviewed-by: Jacky Bai +Signed-off-by: Peng Fan +Link: https://lore.kernel.org/r/20240814124740.2778952-1-peng.fan@oss.nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/imx/imx93-pd.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/pmdomain/imx/imx93-pd.c ++++ b/drivers/pmdomain/imx/imx93-pd.c +@@ -20,6 +20,7 @@ + #define FUNC_STAT_PSW_STAT_MASK BIT(0) + #define FUNC_STAT_RST_STAT_MASK BIT(2) + #define FUNC_STAT_ISO_STAT_MASK BIT(4) ++#define FUNC_STAT_SSAR_STAT_MASK BIT(8) + + struct imx93_power_domain { + struct generic_pm_domain genpd; +@@ -50,7 +51,7 @@ static int imx93_pd_on(struct generic_pm + writel(val, addr + MIX_SLICE_SW_CTRL_OFF); + + ret = readl_poll_timeout(addr + MIX_FUNC_STAT_OFF, val, +- !(val & FUNC_STAT_ISO_STAT_MASK), 1, 10000); ++ !(val & FUNC_STAT_SSAR_STAT_MASK), 1, 10000); + if (ret) { + dev_err(domain->dev, "pd_on timeout: name: %s, stat: %x\n", genpd->name, val); + return ret; +@@ -72,7 +73,7 @@ static int imx93_pd_off(struct generic_p + writel(val, addr + MIX_SLICE_SW_CTRL_OFF); + + ret = readl_poll_timeout(addr + MIX_FUNC_STAT_OFF, val, +- val & FUNC_STAT_PSW_STAT_MASK, 1, 1000); ++ val & FUNC_STAT_PSW_STAT_MASK, 1, 10000); + if (ret) { + dev_err(domain->dev, "pd_off timeout: name: %s, stat: %x\n", genpd->name, val); + return ret; diff --git a/queue-6.6/selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch b/queue-6.6/selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch new file mode 100644 index 00000000000..a04c2d2fdef --- /dev/null +++ b/queue-6.6/selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch @@ -0,0 +1,94 @@ +From 65fb58afa341ad68e71e5c4d816b407e6a683a66 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:22 +0200 +Subject: selftests: mptcp: join: check re-using ID of closed subflow + +From: Matthieu Baerts (NGI0) + +commit 65fb58afa341ad68e71e5c4d816b407e6a683a66 upstream. + +This test extends "delete and re-add" to validate the previous commit. A +new 'subflow' endpoint is added, but the subflow request will be +rejected. The result is that no subflow will be established from this +address. + +Later, the endpoint is removed and re-added after having cleared the +firewall rule. Before the previous commit, the client would not have +been able to create this new subflow. + +While at it, extra checks have been added to validate the expected +numbers of MPJ and RM_ADDR. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. + +Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-4-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 27 +++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -481,9 +481,10 @@ reset_with_tcp_filter() + local ns="${!1}" + local src="${2}" + local target="${3}" ++ local chain="${4:-INPUT}" + + if ! ip netns exec "${ns}" ${iptables} \ +- -A INPUT \ ++ -A "${chain}" \ + -s "${src}" \ + -p tcp \ + -j "${target}"; then +@@ -3575,10 +3576,10 @@ endpoint_tests() + mptcp_lib_kill_wait $tests_pid + fi + +- if reset "delete and re-add" && ++ if reset_with_tcp_filter "delete and re-add" ns2 10.0.3.2 REJECT OUTPUT && + mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then +- pm_nl_set_limits $ns1 1 1 +- pm_nl_set_limits $ns2 1 1 ++ pm_nl_set_limits $ns1 0 2 ++ pm_nl_set_limits $ns2 0 2 + pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow + test_linkfail=4 speed=20 \ + run_tests $ns1 $ns2 10.0.1.1 & +@@ -3595,11 +3596,27 @@ endpoint_tests() + chk_subflow_nr "after delete" 1 + chk_mptcp_info subflows 0 subflows 0 + +- pm_nl_add_endpoint $ns2 10.0.2.2 dev ns2eth2 flags subflow ++ pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow + wait_mpj $ns2 + chk_subflow_nr "after re-add" 2 + chk_mptcp_info subflows 1 subflows 1 ++ ++ pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow ++ wait_attempt_fail $ns2 ++ chk_subflow_nr "after new reject" 2 ++ chk_mptcp_info subflows 1 subflows 1 ++ ++ ip netns exec "${ns2}" ${iptables} -D OUTPUT -s "10.0.3.2" -p tcp -j REJECT ++ pm_nl_del_endpoint $ns2 3 10.0.3.2 ++ pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow ++ wait_mpj $ns2 ++ chk_subflow_nr "after no reject" 3 ++ chk_mptcp_info subflows 2 subflows 2 ++ + mptcp_lib_kill_wait $tests_pid ++ ++ chk_join_nr 3 3 3 ++ chk_rm_nr 1 1 + fi + } + diff --git a/queue-6.6/selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch b/queue-6.6/selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch new file mode 100644 index 00000000000..965c06ebcaf --- /dev/null +++ b/queue-6.6/selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch @@ -0,0 +1,40 @@ +From 4878f9f8421f4587bee7b232c1c8a9d3a7d4d782 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:31 +0200 +Subject: selftests: mptcp: join: validate fullmesh endp on 1st sf + +From: Matthieu Baerts (NGI0) + +commit 4878f9f8421f4587bee7b232c1c8a9d3a7d4d782 upstream. + +This case was not covered, and the wrong ID was set before the previous +commit. + +The rest is not modified, it is just that it will increase the code +coverage. + +The right address ID can be verified by looking at the packet traces. We +could automate that using Netfilter with some cBPF code for example, but +that's always a bit cryptic. Packetdrill seems better fitted for that. + +Fixes: 4f49d63352da ("selftests: mptcp: add fullmesh testcases") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-13-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -3220,6 +3220,7 @@ fullmesh_tests() + pm_nl_set_limits $ns1 1 3 + pm_nl_set_limits $ns2 1 3 + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal ++ pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,fullmesh + fullmesh=1 speed=slow \ + run_tests $ns1 $ns2 10.0.1.1 + chk_join_nr 3 3 3 diff --git a/queue-6.6/series b/queue-6.6/series index 7d75b5c8dff..53204652100 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -299,3 +299,26 @@ drm-amdgpu-sdma5.2-limit-wptr-workaround-to-sdma-5.2.1.patch net-dsa-microchip-fix-ptp-config-failure-when-using-multiple-ports.patch mips-loongson64-set-timer-mode-in-cpu-probe.patch hid-wacom-defer-calculation-of-resolution-until-resolution_code-is-known.patch +input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch +input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch +cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch +kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch +mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch +mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch +pmdomain-imx-scu-pd-remove-duplicated-clocks.patch +pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch +nouveau-firmware-use-dma-non-coherent-allocator.patch +thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch +thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch +mptcp-pm-re-using-id-of-unused-removed-add_addr.patch +mptcp-pm-re-using-id-of-unused-removed-subflows.patch +mptcp-pm-re-using-id-of-unused-flushed-subflows.patch +mptcp-pm-remove-mptcp_pm_remove_subflow.patch +mptcp-pm-only-mark-subflow-endp-as-available.patch +mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch +mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch +mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch +mptcp-pm-fullmesh-select-the-right-id-later.patch +mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch +selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch +selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch diff --git a/queue-6.6/thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch b/queue-6.6/thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch new file mode 100644 index 00000000000..b939d6d540b --- /dev/null +++ b/queue-6.6/thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch @@ -0,0 +1,68 @@ +From c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 14 Aug 2024 21:58:23 +0200 +Subject: thermal: of: Fix OF node leak in of_thermal_zone_find() error paths + +From: Krzysztof Kozlowski + +commit c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 upstream. + +Terminating for_each_available_child_of_node() loop requires dropping OF +node reference, so bailing out on errors misses this. Solve the OF node +reference leak with scoped for_each_available_child_of_node_scoped(). + +Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Chen-Yu Tsai +Reviewed-by: Daniel Lezcano +Link: https://patch.msgid.link/20240814195823.437597-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/thermal_of.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/thermal/thermal_of.c ++++ b/drivers/thermal/thermal_of.c +@@ -182,14 +182,14 @@ static struct device_node *of_thermal_zo + * Search for each thermal zone, a defined sensor + * corresponding to the one passed as parameter + */ +- for_each_available_child_of_node(np, tz) { ++ for_each_available_child_of_node_scoped(np, child) { + + int count, i; + +- count = of_count_phandle_with_args(tz, "thermal-sensors", ++ count = of_count_phandle_with_args(child, "thermal-sensors", + "#thermal-sensor-cells"); + if (count <= 0) { +- pr_err("%pOFn: missing thermal sensor\n", tz); ++ pr_err("%pOFn: missing thermal sensor\n", child); + tz = ERR_PTR(-EINVAL); + goto out; + } +@@ -198,18 +198,19 @@ static struct device_node *of_thermal_zo + + int ret; + +- ret = of_parse_phandle_with_args(tz, "thermal-sensors", ++ ret = of_parse_phandle_with_args(child, "thermal-sensors", + "#thermal-sensor-cells", + i, &sensor_specs); + if (ret < 0) { +- pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", tz, ret); ++ pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", child, ret); + tz = ERR_PTR(ret); + goto out; + } + + if ((sensor == sensor_specs.np) && id == (sensor_specs.args_count ? + sensor_specs.args[0] : 0)) { +- pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, tz); ++ pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, child); ++ tz = no_free_ptr(child); + goto out; + } + } diff --git a/queue-6.6/thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch b/queue-6.6/thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch new file mode 100644 index 00000000000..3e162b4708b --- /dev/null +++ b/queue-6.6/thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch @@ -0,0 +1,46 @@ +From afc954fd223ded70b1fa000767e2531db55cce58 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 14 Aug 2024 21:58:21 +0200 +Subject: thermal: of: Fix OF node leak in thermal_of_trips_init() error path + +From: Krzysztof Kozlowski + +commit afc954fd223ded70b1fa000767e2531db55cce58 upstream. + +Terminating for_each_child_of_node() loop requires dropping OF node +reference, so bailing out after thermal_of_populate_trip() error misses +this. Solve the OF node reference leak with scoped +for_each_child_of_node_scoped(). + +Fixes: d0c75fa2c17f ("thermal/of: Initialize trip points separately") +Cc: All applicable +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Chen-Yu Tsai +Reviewed-by: Daniel Lezcano +Link: https://patch.msgid.link/20240814195823.437597-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/thermal_of.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/thermal/thermal_of.c ++++ b/drivers/thermal/thermal_of.c +@@ -123,7 +123,7 @@ static int thermal_of_populate_trip(stru + static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *ntrips) + { + struct thermal_trip *tt; +- struct device_node *trips, *trip; ++ struct device_node *trips; + int ret, count; + + trips = of_get_child_by_name(np, "trips"); +@@ -148,7 +148,7 @@ static struct thermal_trip *thermal_of_t + *ntrips = count; + + count = 0; +- for_each_child_of_node(trips, trip) { ++ for_each_child_of_node_scoped(trips, trip) { + ret = thermal_of_populate_trip(trip, &tt[count++]); + if (ret) + goto out_kfree;