From: Sasha Levin Date: Mon, 24 Jul 2023 01:25:05 +0000 (-0400) Subject: Fixes for 6.4 X-Git-Tag: v6.1.41~31 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=336f67195945cca236f332e5bfa73f8705f20aa0;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.4 Signed-off-by: Sasha Levin --- diff --git a/queue-6.4/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch b/queue-6.4/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch new file mode 100644 index 00000000000..69ae7db9737 --- /dev/null +++ b/queue-6.4/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch @@ -0,0 +1,45 @@ +From e1d24d33287f1adda81c70da6e6f8e45fd5a44f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Apr 2023 12:38:41 +0200 +Subject: ACPI: button: Add lid disable DMI quirk for Nextbook Ares 8A + +From: Hans de Goede + +[ Upstream commit 4fd5556608bfa9c2bf276fc115ef04288331aded ] + +The LID0 device on the Nextbook Ares 8A tablet always reports lid +closed causing userspace to suspend the device as soon as booting +is complete. + +Add a DMI quirk to disable the broken lid functionality. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/button.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/acpi/button.c b/drivers/acpi/button.c +index 475e1eddfa3b4..ef77c14c72a92 100644 +--- a/drivers/acpi/button.c ++++ b/drivers/acpi/button.c +@@ -77,6 +77,15 @@ static const struct dmi_system_id dmi_lid_quirks[] = { + }, + .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_DISABLED, + }, ++ { ++ /* Nextbook Ares 8A tablet, _LID device always reports lid closed */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"), ++ DMI_MATCH(DMI_BIOS_VERSION, "M882"), ++ }, ++ .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_DISABLED, ++ }, + { + /* + * Lenovo Yoga 9 14ITL5, initial notification of the LID device +-- +2.39.2 + diff --git a/queue-6.4/acpi-resource-remove-zen-specific-match-and-quirks.patch b/queue-6.4/acpi-resource-remove-zen-specific-match-and-quirks.patch new file mode 100644 index 00000000000..b5aac4c0b74 --- /dev/null +++ b/queue-6.4/acpi-resource-remove-zen-specific-match-and-quirks.patch @@ -0,0 +1,132 @@ +From 6654fc24fbbfdc2d4d6c7ea35340711638cc5280 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 17:11:51 -0500 +Subject: ACPI: resource: Remove "Zen" specific match and quirks + +From: Mario Limonciello + +[ Upstream commit a9c4a912b7dc7ff922d4b9261160c001558f9755 ] + +commit 9946e39fe8d0 ("ACPI: resource: skip IRQ override on +AMD Zen platforms") attempted to overhaul the override logic so it +didn't apply on X86 AMD Zen systems. This was intentional so that +systems would prefer DSDT values instead of default MADT value for +IRQ 1 on Ryzen 6000 systems which typically uses ActiveLow for IRQ1. + +This turned out to be a bad assumption because several vendors +add Interrupt Source Override but don't fix the DSDT. A pile of +quirks was collecting that proved this wasn't sustaintable. + +Furthermore some vendors have used ActiveHigh for IRQ1. +To solve this problem revert the following commits: +* commit 17bb7046e7ce ("ACPI: resource: Do IRQ override on all TongFang +GMxRGxx") +* commit f3cb9b740869 ("ACPI: resource: do IRQ override on Lenovo 14ALC7") +* commit bfcdf58380b1 ("ACPI: resource: do IRQ override on LENOVO IdeaPad") +* commit 7592b79ba4a9 ("ACPI: resource: do IRQ override on XMG Core 15") +* commit 9946e39fe8d0 ("ACPI: resource: skip IRQ override on AMD Zen +platforms") + +Reported-by: evilsnoo@proton.me +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217394 +Reported-by: ruinairas1992@gmail.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217406 +Reported-by: nmschulte@gmail.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217336 +Signed-off-by: Mario Limonciello +Tested-by: Werner Sembach +Tested-by: Chuanhong Guo +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 60 ----------------------------------------- + 1 file changed, 60 deletions(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 0800a9d775580..1dd8d5aebf678 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -470,52 +470,6 @@ static const struct dmi_system_id asus_laptop[] = { + { } + }; + +-static const struct dmi_system_id lenovo_laptop[] = { +- { +- .ident = "LENOVO IdeaPad Flex 5 14ALC7", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "82R9"), +- }, +- }, +- { +- .ident = "LENOVO IdeaPad Flex 5 16ALC7", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "82RA"), +- }, +- }, +- { } +-}; +- +-static const struct dmi_system_id tongfang_gm_rg[] = { +- { +- .ident = "TongFang GMxRGxx/XMG CORE 15 (M22)/TUXEDO Stellaris 15 Gen4 AMD", +- .matches = { +- DMI_MATCH(DMI_BOARD_NAME, "GMxRGxx"), +- }, +- }, +- { } +-}; +- +-static const struct dmi_system_id maingear_laptop[] = { +- { +- .ident = "MAINGEAR Vector Pro 2 15", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Micro Electronics Inc"), +- DMI_MATCH(DMI_PRODUCT_NAME, "MG-VCP2-15A3070T"), +- } +- }, +- { +- .ident = "MAINGEAR Vector Pro 2 17", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Micro Electronics Inc"), +- DMI_MATCH(DMI_PRODUCT_NAME, "MG-VCP2-17A3070T"), +- }, +- }, +- { } +-}; +- + static const struct dmi_system_id lg_laptop[] = { + { + .ident = "LG Electronics 17U70P", +@@ -539,10 +493,6 @@ struct irq_override_cmp { + static const struct irq_override_cmp override_table[] = { + { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, + { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, +- { lenovo_laptop, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, +- { lenovo_laptop, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, +- { tongfang_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, +- { maingear_laptop, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, + { lg_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, + }; + +@@ -562,16 +512,6 @@ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, + return entry->override; + } + +-#ifdef CONFIG_X86 +- /* +- * IRQ override isn't needed on modern AMD Zen systems and +- * this override breaks active low IRQs on AMD Ryzen 6000 and +- * newer systems. Skip it. +- */ +- if (boot_cpu_has(X86_FEATURE_ZEN)) +- return false; +-#endif +- + return true; + } + +-- +2.39.2 + diff --git a/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch b/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch new file mode 100644 index 00000000000..07f521f00dc --- /dev/null +++ b/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch @@ -0,0 +1,43 @@ +From 8b6923caebc9b56559f29a510d3eff108ca92f30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 11:23:58 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Apple iMac11,3 + +From: Hans de Goede + +[ Upstream commit 48436f2e9834b46b47b038b605c8142a1c07bc85 ] + +Linux defaults to picking the non-working ACPI video backlight interface +on the Apple iMac11,3 . + +Add a DMI quirk to pick the working native radeon_bl0 interface instead. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index bcc25d457581d..61586caebb01b 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -470,6 +470,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82BK"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* Apple iMac11,3 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac11,3"), ++ }, ++ }, + { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1217249 */ + .callback = video_detect_force_native, +-- +2.39.2 + diff --git a/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch b/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch new file mode 100644 index 00000000000..9a6b9740eb4 --- /dev/null +++ b/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch @@ -0,0 +1,46 @@ +From 1a7dbae44c18d67dbeb0322fe85f0807b54971c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 20:45:04 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Dell Studio 1569 + +From: Hans de Goede + +[ Upstream commit 23d28cc0444be3f694eb986cd653b6888b78431d ] + +The Dell Studio 1569 predates Windows 8, so it defaults to using +acpi_video# for backlight control, but this is non functional on +this model. + +Add a DMI quirk to use the native intel_backlight interface which +does work properly. + +Reported-by: raycekarneal +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index b87783c5872dd..e7d04ab864a16 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -528,6 +528,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Precision 7510"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* Dell Studio 1569 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Studio 1569"), ++ }, ++ }, + { + .callback = video_detect_force_native, + /* Acer Aspire 3830TG */ +-- +2.39.2 + diff --git a/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch b/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch new file mode 100644 index 00000000000..b0083e9d84b --- /dev/null +++ b/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch @@ -0,0 +1,44 @@ +From b98db95eaf63bbc74bbfc6f5b4fb9e491f4beeba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 11:23:59 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Lenovo ThinkPad X131e + (3371 AMD version) + +From: Hans de Goede + +[ Upstream commit bd5d93df86a7ddf98a2a37e9c3751e3cb334a66c ] + +Linux defaults to picking the non-working ACPI video backlight interface +on the Lenovo ThinkPad X131e (3371 AMD version). + +Add a DMI quirk to pick the working native radeon_bl0 interface instead. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 61586caebb01b..b87783c5872dd 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -470,6 +470,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82BK"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* Lenovo ThinkPad X131e (3371 AMD version) */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "3371"), ++ }, ++ }, + { + .callback = video_detect_force_native, + /* Apple iMac11,3 */ +-- +2.39.2 + diff --git a/queue-6.4/acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch b/queue-6.4/acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch new file mode 100644 index 00000000000..970e0160842 --- /dev/null +++ b/queue-6.4/acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch @@ -0,0 +1,79 @@ +From d9933c3669189d43374498be603032780fa8f7ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Apr 2023 18:34:58 +0200 +Subject: ACPI: x86: Add ACPI_QUIRK_UART1_SKIP for Lenovo Yoga Book yb1-x90f/l + +From: Hans de Goede + +[ Upstream commit f91280f35895d6dcb53f504968fafd1da0b00397 ] + +The Lenovo Yoga Book yb1-x90f/l 2-in-1 which ships with Android as +Factory OS has (another) bug in its DSDT where the UART resource for +the BTH0 ACPI device contains "\\_SB.PCIO.URT1" as path to the UART. + +Note that is with a letter 'O' instead of the number '0' which is wrong. + +This causes Linux to instantiate a standard /dev/ttyS? device for +the UART instead of a /sys/bus/serial device, which in turn causes +bluetooth to not work. + +Similar DSDT bugs have been encountered before and to work around those +the acpi_quirk_skip_serdev_enumeration() helper exists. + +Previous devices had the broken resource pointing to the first UART, while +the BT HCI was on the second UART, which ACPI_QUIRK_UART1_TTY_UART2_SKIP +deals with. Add a new ACPI_QUIRK_UART1_SKIP quirk for skipping enumeration +of UART1 instead for the Yoga Book case and add this quirk to the +existing DMI quirk table entry for the yb1-x90f/l . + +This leaves the UART1 controller unbound allowing the x86-android-tablets +module to manually instantiate a serdev for it fixing bluetooth. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/utils.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index 4cfee2da06756..c2b925f8cd4e4 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -259,10 +259,11 @@ bool force_storage_d3(void) + * drivers/platform/x86/x86-android-tablets.c kernel module. + */ + #define ACPI_QUIRK_SKIP_I2C_CLIENTS BIT(0) +-#define ACPI_QUIRK_UART1_TTY_UART2_SKIP BIT(1) +-#define ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY BIT(2) +-#define ACPI_QUIRK_USE_ACPI_AC_AND_BATTERY BIT(3) +-#define ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS BIT(4) ++#define ACPI_QUIRK_UART1_SKIP BIT(1) ++#define ACPI_QUIRK_UART1_TTY_UART2_SKIP BIT(2) ++#define ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY BIT(3) ++#define ACPI_QUIRK_USE_ACPI_AC_AND_BATTERY BIT(4) ++#define ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS BIT(5) + + static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + /* +@@ -319,6 +320,7 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"), + }, + .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS | ++ ACPI_QUIRK_UART1_SKIP | + ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY | + ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS), + }, +@@ -449,6 +451,9 @@ int acpi_quirk_skip_serdev_enumeration(struct device *controller_parent, bool *s + if (dmi_id) + quirks = (unsigned long)dmi_id->driver_data; + ++ if ((quirks & ACPI_QUIRK_UART1_SKIP) && uid == 1) ++ *skip = true; ++ + if (quirks & ACPI_QUIRK_UART1_TTY_UART2_SKIP) { + if (uid == 1) + return -ENODEV; /* Create tty cdev instead of serdev */ +-- +2.39.2 + diff --git a/queue-6.4/acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch b/queue-6.4/acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch new file mode 100644 index 00000000000..d6ae42af596 --- /dev/null +++ b/queue-6.4/acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch @@ -0,0 +1,76 @@ +From 062a6ebd2cfb57009d32e38904579308537f3b03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Apr 2023 12:38:40 +0200 +Subject: ACPI: x86: Add skip i2c clients quirk for Nextbook Ares 8A + +From: Hans de Goede + +[ Upstream commit 69d6b37695c1f2320cfa330e1e1636d50dd5040a ] + +The Nextbook Ares 8A is a x86 ACPI tablet which ships with Android x86 +as factory OS. Its DSDT contains a bunch of I2C devices which are not +actually there (the Android x86 kernel fork ignores I2C devices described +in the DSDT). + +On this specific model this just not cause resource conflicts, one of +the probe() calls for the non existing i2c_clients actually ends up +toggling a GPIO or executing a _PS3 after a failed probe which turns +the tablet off. + +Add a ACPI_QUIRK_SKIP_I2C_CLIENTS for the Nextbook Ares 8 to the +acpi_quirk_skip_dmi_ids table to avoid the bogus i2c_clients and +to fix the tablet turning off during boot because of this. + +Also add the "10EC5651" HID for the RealTek ALC5651 codec used +in this tablet to the list of HIDs for which not to skipi2c_client +instantiation, since the Intel SST sound driver relies on +the codec being instantiated through ACPI. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/utils.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index 9c2d6f35f88a0..4cfee2da06756 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -365,7 +365,7 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY), + }, + { +- /* Nextbook Ares 8 */ ++ /* Nextbook Ares 8 (BYT version)*/ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), + DMI_MATCH(DMI_PRODUCT_NAME, "M890BAP"), +@@ -374,6 +374,16 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY | + ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS), + }, ++ { ++ /* Nextbook Ares 8A (CHT version)*/ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"), ++ DMI_MATCH(DMI_BIOS_VERSION, "M882"), ++ }, ++ .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS | ++ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY), ++ }, + { + /* Whitelabel (sold as various brands) TM800A550L */ + .matches = { +@@ -392,6 +402,7 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + #if IS_ENABLED(CONFIG_X86_ANDROID_TABLETS) + static const struct acpi_device_id i2c_acpi_known_good_ids[] = { + { "10EC5640", 0 }, /* RealTek ALC5640 audio codec */ ++ { "10EC5651", 0 }, /* RealTek ALC5651 audio codec */ + { "INT33F4", 0 }, /* X-Powers AXP288 PMIC */ + { "INT33FD", 0 }, /* Intel Crystal Cove PMIC */ + { "INT34D3", 0 }, /* Intel Whiskey Cove PMIC */ +-- +2.39.2 + diff --git a/queue-6.4/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch b/queue-6.4/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch new file mode 100644 index 00000000000..55e0c524fc6 --- /dev/null +++ b/queue-6.4/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch @@ -0,0 +1,155 @@ +From 46f526e1c50701c973165f628afa55ea934c6c78 Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen +Date: Wed, 10 May 2023 19:39:05 +0200 +Subject: [PATCH AUTOSEL 5.4 02/12] ALSA: emu10k1: roll up loops in DSP setup + code for Audigy +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 8cabf83c7aa54530e699be56249fb44f9505c4f3 ] + +There is no apparent reason for the massive code duplication. + +Signed-off-by: Oswald Buddenhagen +Link: https://lore.kernel.org/r/20230510173917.3073107-3-oswald.buddenhagen@gmx.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/emu10k1/emufx.c | 112 +++----------------------------------- + 1 file changed, 9 insertions(+), 103 deletions(-) + +diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c +index e053f0d58bdd0..2f3cfcfcdb9a3 100644 +--- a/sound/pci/emu10k1/emufx.c ++++ b/sound/pci/emu10k1/emufx.c +@@ -1536,14 +1536,8 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_GPR(var), A_GPR(vol), A_EXTIN(input)) + gpr += 2; + + /* Master volume (will be renamed later) */ +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS)); ++ for (z = 0; z < 8; z++) ++ A_OP(icode, &ptr, iMAC0, A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS)); + snd_emu10k1_init_mono_control(&controls[nctl++], "Wave Master Playback Volume", gpr, 0); + gpr += 2; + +@@ -1627,102 +1621,14 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_GPR(var), A_GPR(vol), A_EXTIN(input)) + dev_dbg(emu->card->dev, "emufx.c: gpr=0x%x, tmp=0x%x\n", + gpr, tmp); + */ +- /* For the EMU1010: How to get 32bit values from the DSP. High 16bits into L, low 16bits into R. */ +- /* A_P16VIN(0) is delayed by one sample, +- * so all other A_P16VIN channels will need to also be delayed +- */ +- /* Left ADC in. 1 of 2 */ + snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_P16VIN(0x0), A_FXBUS2(0) ); +- /* Right ADC in 1 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- /* Delaying by one sample: instead of copying the input +- * value A_P16VIN to output A_FXBUS2 as in the first channel, +- * we use an auxiliary register, delaying the value by one +- * sample +- */ +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(2) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x1), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(4) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x2), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(6) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x3), A_C_00000000, A_C_00000000); +- /* For 96kHz mode */ +- /* Left ADC in. 2 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0x8) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x4), A_C_00000000, A_C_00000000); +- /* Right ADC in 2 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xa) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x5), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xc) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x6), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xe) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x7), A_C_00000000, A_C_00000000); +- /* Pavel Hofman - we still have voices, A_FXBUS2s, and +- * A_P16VINs available - +- * let's add 8 more capture channels - total of 16 +- */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x10)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x8), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x12)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x9), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x14)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xa), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x16)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xb), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x18)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xc), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1a)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xd), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1c)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xe), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1e)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xf), +- A_C_00000000, A_C_00000000); ++ /* A_P16VIN(0) is delayed by one sample, so all other A_P16VIN channels ++ * will need to also be delayed; we use an auxiliary register for that. */ ++ for (z = 1; z < 0x10; z++) { ++ snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr), A_FXBUS2(z * 2) ); ++ A_OP(icode, &ptr, iACC3, A_GPR(gpr), A_P16VIN(z), A_C_00000000, A_C_00000000); ++ gpr_map[gpr++] = 0x00000000; ++ } + } + + #if 0 +-- +2.39.2 + diff --git a/queue-6.4/alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch b/queue-6.4/alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch new file mode 100644 index 00000000000..df59bdbe4b8 --- /dev/null +++ b/queue-6.4/alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch @@ -0,0 +1,98 @@ +From 3596f6ed73f677798fb279436169502cb7306491 Mon Sep 17 00:00:00 2001 +From: Matthew Anderson +Date: Wed, 21 Jun 2023 11:17:14 -0500 +Subject: [PATCH AUTOSEL 5.4 08/12] ALSA: hda/realtek: Add quirks for ROG ALLY + CS35l41 audio +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 724418b84e6248cd27599607b7e5fac365b8e3f5 ] + +This requires a patched ACPI table or a firmware from ASUS to work because +the system does not come with the _DSD field for the CSC3551. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217550 +Signed-off-by: Matthew Anderson +Tested-by: Philip Mueller +Link: https://lore.kernel.org/r/20230621161714.9442-1-ruinairas1992@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 46 +++++++++++++++++++++++++++++++++++ + 1 file changed, 46 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 6d8d9fc1da0b0..8c52d7014e79a 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6479,6 +6479,10 @@ enum { + ALC294_FIXUP_ASUS_DUAL_SPK, + ALC285_FIXUP_THINKPAD_X1_GEN7, + ALC285_FIXUP_THINKPAD_HEADSET_JACK, ++ ALC294_FIXUP_ASUS_ALLY, ++ ALC294_FIXUP_ASUS_ALLY_PINS, ++ ALC294_FIXUP_ASUS_ALLY_VERBS, ++ ALC294_FIXUP_ASUS_ALLY_SPEAKER, + ALC294_FIXUP_ASUS_HPE, + ALC294_FIXUP_ASUS_COEF_1B, + ALC294_FIXUP_ASUS_GX502_HP, +@@ -7687,6 +7691,47 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC294_FIXUP_SPK2_TO_DAC1 + }, ++ [ALC294_FIXUP_ASUS_ALLY] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = cs35l41_fixup_i2c_two, ++ .chained = true, ++ .chain_id = ALC294_FIXUP_ASUS_ALLY_PINS ++ }, ++ [ALC294_FIXUP_ASUS_ALLY_PINS] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x19, 0x03a11050 }, ++ { 0x1a, 0x03a11c30 }, ++ { 0x21, 0x03211420 }, ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC294_FIXUP_ASUS_ALLY_VERBS ++ }, ++ [ALC294_FIXUP_ASUS_ALLY_VERBS] = { ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x45 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x5089 }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x46 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x0004 }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x47 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0xa47a }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x49 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x0049}, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x4a }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x201b }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x6b }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x4278}, ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC294_FIXUP_ASUS_ALLY_SPEAKER ++ }, ++ [ALC294_FIXUP_ASUS_ALLY_SPEAKER] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_speaker2_to_dac1, ++ }, + [ALC285_FIXUP_THINKPAD_X1_GEN7] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_thinkpad_x1_gen7, +@@ -8259,6 +8304,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x1740, "ASUS UX430UA", ALC295_FIXUP_ASUS_DACS), + SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK), ++ SND_PCI_QUIRK(0x1043, 0x17f3, "ROG Ally RC71L_RC71L", ALC294_FIXUP_ASUS_ALLY), + SND_PCI_QUIRK(0x1043, 0x1881, "ASUS Zephyrus S/M", ALC294_FIXUP_ASUS_GX502_PINS), + SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x18f1, "Asus FX505DT", ALC256_FIXUP_ASUS_HEADSET_MIC), +-- +2.39.2 + diff --git a/queue-6.4/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch b/queue-6.4/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch new file mode 100644 index 00000000000..e37fbf7ce59 --- /dev/null +++ b/queue-6.4/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch @@ -0,0 +1,82 @@ +From e259b1a010e4ccaf284d9f7ae2bb75d19a1c05e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 09:20:21 +0100 +Subject: ALSA: hda/realtek: Fix generic fixup definition for cs35l41 amp + +From: Vitaly Rodionov + +[ Upstream commit f7b069cf08816252f494d193b9ecdff172bf9aa1 ] + +Generic fixup for CS35L41 amplifies should not have vendor specific +chained fixup. For ThinkPad laptops with led issue, we can just add +specific fixup. + +Fixes: a6ac60b36dade (ALSA: hda/realtek: Fix mute led issue on thinkpad with cs35l41 s-codec) +Signed-off-by: Vitaly Rodionov +Link: https://lore.kernel.org/r/20230720082022.13033-1-vitalyr@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 73cc705adb9e5..ee53d1badd86d 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7220,6 +7220,7 @@ enum { + ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN, + ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS, + ALC236_FIXUP_DELL_DUAL_CODECS, ++ ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI, + }; + + /* A special fixup for Lenovo C940 and Yoga Duet 7; +@@ -9090,8 +9091,6 @@ static const struct hda_fixup alc269_fixups[] = { + [ALC287_FIXUP_CS35L41_I2C_2] = { + .type = HDA_FIXUP_FUNC, + .v.func = cs35l41_fixup_i2c_two, +- .chained = true, +- .chain_id = ALC269_FIXUP_THINKPAD_ACPI, + }, + [ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, +@@ -9228,6 +9227,12 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + }, ++ [ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = cs35l41_fixup_i2c_two, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -9752,14 +9757,14 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x22be, "Thinkpad X1 Carbon 8th", ALC285_FIXUP_THINKPAD_HEADSET_JACK), + SND_PCI_QUIRK(0x17aa, 0x22c1, "Thinkpad P1 Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK), + SND_PCI_QUIRK(0x17aa, 0x22c2, "Thinkpad X1 Extreme Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK), +- SND_PCI_QUIRK(0x17aa, 0x22f1, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x22f2, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x22f3, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2316, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2317, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2318, "Thinkpad Z13 Gen2", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2319, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x17aa, 0x22f1, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x22f2, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x22f3, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2316, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2317, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2318, "Thinkpad Z13 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2319, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), +-- +2.39.2 + diff --git a/queue-6.4/arm64-fix-hfgxtr_el2-field-naming.patch b/queue-6.4/arm64-fix-hfgxtr_el2-field-naming.patch new file mode 100644 index 00000000000..7a19b485c5d --- /dev/null +++ b/queue-6.4/arm64-fix-hfgxtr_el2-field-naming.patch @@ -0,0 +1,70 @@ +From 667906b10bb674bbc572a57580f37bf28ae76808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jul 2023 14:04:16 +0100 +Subject: arm64: Fix HFGxTR_EL2 field naming + +From: Marc Zyngier + +[ Upstream commit 55b87b74996383230586f4f9f801ae304c70e649 ] + +The HFGxTR_EL2 fields do not always follow the naming described +in the spec, nor do they match the name of the register they trap +in the rest of the kernel. + +It is a bit sad that they were written by hand despite the availability +of a machine readable version... + +Fixes: cc077e7facbe ("arm64/sysreg: Convert HFG[RW]TR_EL2 to automatic generation") +Signed-off-by: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Cc: Catalin Marinas +Cc: Mark Rutland +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20230703130416.1495307-1-maz@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/tools/sysreg | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/tools/sysreg b/arch/arm64/tools/sysreg +index c9a0d1fa32090..930c8cc0812fc 100644 +--- a/arch/arm64/tools/sysreg ++++ b/arch/arm64/tools/sysreg +@@ -1890,7 +1890,7 @@ Field 0 SM + EndSysreg + + SysregFields HFGxTR_EL2 +-Field 63 nAMIAIR2_EL1 ++Field 63 nAMAIR2_EL1 + Field 62 nMAIR2_EL1 + Field 61 nS2POR_EL1 + Field 60 nPOR_EL1 +@@ -1905,9 +1905,9 @@ Field 52 nGCS_EL0 + Res0 51 + Field 50 nACCDATA_EL1 + Field 49 ERXADDR_EL1 +-Field 48 EXRPFGCDN_EL1 +-Field 47 EXPFGCTL_EL1 +-Field 46 EXPFGF_EL1 ++Field 48 ERXPFGCDN_EL1 ++Field 47 ERXPFGCTL_EL1 ++Field 46 ERXPFGF_EL1 + Field 45 ERXMISCn_EL1 + Field 44 ERXSTATUS_EL1 + Field 43 ERXCTLR_EL1 +@@ -1922,8 +1922,8 @@ Field 35 TPIDR_EL0 + Field 34 TPIDRRO_EL0 + Field 33 TPIDR_EL1 + Field 32 TCR_EL1 +-Field 31 SCTXNUM_EL0 +-Field 30 SCTXNUM_EL1 ++Field 31 SCXTNUM_EL0 ++Field 30 SCXTNUM_EL1 + Field 29 SCTLR_EL1 + Field 28 REVIDR_EL1 + Field 27 PAR_EL1 +-- +2.39.2 + diff --git a/queue-6.4/arm64-mm-fix-va-range-sanity-check.patch b/queue-6.4/arm64-mm-fix-va-range-sanity-check.patch new file mode 100644 index 00000000000..16f8dba9c8c --- /dev/null +++ b/queue-6.4/arm64-mm-fix-va-range-sanity-check.patch @@ -0,0 +1,106 @@ +From 0cd9b6e992630a33f8c353758f2c3ff22b1c97cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:26:28 +0100 +Subject: arm64: mm: fix VA-range sanity check + +From: Mark Rutland + +[ Upstream commit ab9b4008092c86dc12497af155a0901cc1156999 ] + +Both create_mapping_noalloc() and update_mapping_prot() sanity-check +their 'virt' parameter, but the check itself doesn't make much sense. +The condition used today appears to be a historical accident. + +The sanity-check condition: + + if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { + [ ... warning here ... ] + return; + } + +... can only be true for the KASAN shadow region or the module region, +and there's no reason to exclude these specifically for creating and +updateing mappings. + +When arm64 support was first upstreamed in commit: + + c1cc1552616d0f35 ("arm64: MMU initialisation") + +... the condition was: + + if (virt < VMALLOC_START) { + [ ... warning here ... ] + return; + } + +At the time, VMALLOC_START was the lowest kernel address, and this was +checking whether 'virt' would be translated via TTBR1. + +Subsequently in commit: + + 14c127c957c1c607 ("arm64: mm: Flip kernel VA space") + +... the condition was changed to: + + if ((virt >= VA_START) && (virt < VMALLOC_START)) { + [ ... warning here ... ] + return; + } + +This appear to have been a thinko. The commit moved the linear map to +the bottom of the kernel address space, with VMALLOC_START being at the +halfway point. The old condition would warn for changes to the linear +map below this, and at the time VA_START was the end of the linear map. + +Subsequently we cleaned up the naming of VA_START in commit: + + 77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END") + +... keeping the erroneous condition as: + + if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { + [ ... warning here ... ] + return; + } + +Correct the condition to check against the start of the TTBR1 address +space, which is currently PAGE_OFFSET. This simplifies the logic, and +more clearly matches the "outside kernel range" message in the warning. + +Signed-off-by: Mark Rutland +Cc: Russell King +Cc: Steve Capper +Cc: Will Deacon +Reviewed-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/20230615102628.1052103-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/mmu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index af6bc8403ee46..72b3c21820b96 100644 +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -451,7 +451,7 @@ static phys_addr_t pgd_pgtable_alloc(int shift) + void __init create_mapping_noalloc(phys_addr_t phys, unsigned long virt, + phys_addr_t size, pgprot_t prot) + { +- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { ++ if (virt < PAGE_OFFSET) { + pr_warn("BUG: not creating mapping for %pa at 0x%016lx - outside kernel range\n", + &phys, virt); + return; +@@ -478,7 +478,7 @@ void __init create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys, + static void update_mapping_prot(phys_addr_t phys, unsigned long virt, + phys_addr_t size, pgprot_t prot) + { +- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { ++ if (virt < PAGE_OFFSET) { + pr_warn("BUG: not updating mapping for %pa at 0x%016lx - outside kernel range\n", + &phys, virt); + return; +-- +2.39.2 + diff --git a/queue-6.4/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch b/queue-6.4/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch new file mode 100644 index 00000000000..759d221f4c0 --- /dev/null +++ b/queue-6.4/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch @@ -0,0 +1,166 @@ +From 9df981ec0bf465d0a6cb8bc5909b0f4cb31b2887 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 10:04:36 +0900 +Subject: arm64: set __exception_irq_entry with __irq_entry as a default + +From: Youngmin Nam + +[ Upstream commit f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3 ] + +filter_irq_stacks() is supposed to cut entries which are related irq entries +from its call stack. +And in_irqentry_text() which is called by filter_irq_stacks() +uses __irqentry_text_start/end symbol to find irq entries in callstack. + +But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER", +arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq +between __irqentry_text_start and __irqentry_text_end as we discussed in below link. +https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t + +This problem can makes unintentional deep call stack entries especially +in KASAN enabled situation as below. + +[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity +[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c +[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) +[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c +[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c +[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0 +[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000 +[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd +[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040 +[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000 +[ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20 +[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8 +[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800 +[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8 +[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c +[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022 +[ 2479.386231]I[0:launcher-loader: 1719] Call trace: +[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c +[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70 +[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138 +[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24 +[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170 +[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20 +[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c +[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28 +[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0 +[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80 +[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98 +[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c +[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0 +[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 +[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c +[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4 +[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0 +[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 +[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c +[ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304 +[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160 +[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194 +[ 2479.386833]I[0:launcher-loader: 1719] scsi_complete+0xcc/0x158 +[ 2479.386859]I[0:launcher-loader: 1719] blk_mq_complete_request+0x4c/0x5c +[ 2479.386885]I[0:launcher-loader: 1719] scsi_done_internal+0xf4/0x1e0 +[ 2479.386910]I[0:launcher-loader: 1719] scsi_done+0x14/0x20 +[ 2479.386935]I[0:launcher-loader: 1719] ufshcd_compl_one_cqe+0x578/0x71c +[ 2479.386963]I[0:launcher-loader: 1719] ufshcd_mcq_poll_cqe_nolock+0xc8/0x150 +[ 2479.386991]I[0:launcher-loader: 1719] ufshcd_intr+0x868/0xc0c +[ 2479.387017]I[0:launcher-loader: 1719] __handle_irq_event_percpu+0xd0/0x348 +[ 2479.387044]I[0:launcher-loader: 1719] handle_irq_event_percpu+0x24/0x74 +[ 2479.387068]I[0:launcher-loader: 1719] handle_irq_event+0x74/0xe0 +[ 2479.387091]I[0:launcher-loader: 1719] handle_fasteoi_irq+0x174/0x240 +[ 2479.387118]I[0:launcher-loader: 1719] handle_irq_desc+0x7c/0x2c0 +[ 2479.387147]I[0:launcher-loader: 1719] generic_handle_domain_irq+0x1c/0x28 +[ 2479.387174]I[0:launcher-loader: 1719] gic_handle_irq+0x64/0x158 +[ 2479.387204]I[0:launcher-loader: 1719] call_on_irq_stack+0x2c/0x54 +[ 2479.387231]I[0:launcher-loader: 1719] do_interrupt_handler+0x70/0xa0 +[ 2479.387258]I[0:launcher-loader: 1719] el1_interrupt+0x34/0x68 +[ 2479.387283]I[0:launcher-loader: 1719] el1h_64_irq_handler+0x18/0x24 +[ 2479.387308]I[0:launcher-loader: 1719] el1h_64_irq+0x68/0x6c +[ 2479.387332]I[0:launcher-loader: 1719] blk_attempt_bio_merge+0x8/0x170 +[ 2479.387356]I[0:launcher-loader: 1719] blk_mq_attempt_bio_merge+0x78/0x98 +[ 2479.387383]I[0:launcher-loader: 1719] blk_mq_submit_bio+0x324/0xa40 +[ 2479.387409]I[0:launcher-loader: 1719] __submit_bio+0x104/0x138 +[ 2479.387436]I[0:launcher-loader: 1719] submit_bio_noacct_nocheck+0x1d0/0x4a0 +[ 2479.387462]I[0:launcher-loader: 1719] submit_bio_noacct+0x618/0x804 +[ 2479.387487]I[0:launcher-loader: 1719] submit_bio+0x164/0x180 +[ 2479.387511]I[0:launcher-loader: 1719] f2fs_submit_read_bio+0xe4/0x1c4 +[ 2479.387537]I[0:launcher-loader: 1719] f2fs_mpage_readpages+0x888/0xa4c +[ 2479.387563]I[0:launcher-loader: 1719] f2fs_readahead+0xd4/0x19c +[ 2479.387587]I[0:launcher-loader: 1719] read_pages+0xb0/0x4ac +[ 2479.387614]I[0:launcher-loader: 1719] page_cache_ra_unbounded+0x238/0x288 +[ 2479.387642]I[0:launcher-loader: 1719] do_page_cache_ra+0x60/0x6c +[ 2479.387669]I[0:launcher-loader: 1719] page_cache_ra_order+0x318/0x364 +[ 2479.387695]I[0:launcher-loader: 1719] ondemand_readahead+0x30c/0x3d8 +[ 2479.387722]I[0:launcher-loader: 1719] page_cache_sync_ra+0xb4/0xc8 +[ 2479.387749]I[0:launcher-loader: 1719] filemap_read+0x268/0xd24 +[ 2479.387777]I[0:launcher-loader: 1719] f2fs_file_read_iter+0x1a0/0x62c +[ 2479.387806]I[0:launcher-loader: 1719] vfs_read+0x258/0x34c +[ 2479.387831]I[0:launcher-loader: 1719] ksys_pread64+0x8c/0xd0 +[ 2479.387857]I[0:launcher-loader: 1719] __arm64_sys_pread64+0x48/0x54 +[ 2479.387881]I[0:launcher-loader: 1719] invoke_syscall+0x58/0x158 +[ 2479.387909]I[0:launcher-loader: 1719] el0_svc_common+0xf0/0x134 +[ 2479.387935]I[0:launcher-loader: 1719] do_el0_svc+0x44/0x114 +[ 2479.387961]I[0:launcher-loader: 1719] el0_svc+0x2c/0x80 +[ 2479.387985]I[0:launcher-loader: 1719] el0t_64_sync_handler+0x48/0x114 +[ 2479.388010]I[0:launcher-loader: 1719] el0t_64_sync+0x190/0x194 +[ 2479.388038]I[0:launcher-loader: 1719] Kernel panic - not syncing: kernel: panic_on_warn set ... + +So let's set __exception_irq_entry with __irq_entry as a default. +Applying this patch, we can see gic_hande_irq is included in Systemp.map as below. + +* Before +ffffffc008010000 T __do_softirq +ffffffc008010000 T __irqentry_text_end +ffffffc008010000 T __irqentry_text_start +ffffffc008010000 T __softirqentry_text_start +ffffffc008010000 T _stext +ffffffc00801066c T __softirqentry_text_end +ffffffc008010670 T __entry_text_start + +* After +ffffffc008010000 T __irqentry_text_start +ffffffc008010000 T _stext +ffffffc008010000 t gic_handle_irq +ffffffc00801013c t gic_handle_irq +ffffffc008010294 T __irqentry_text_end +ffffffc008010298 T __do_softirq +ffffffc008010298 T __softirqentry_text_start +ffffffc008010904 T __softirqentry_text_end +ffffffc008010908 T __entry_text_start + +Signed-off-by: Youngmin Nam +Signed-off-by: SEO HOYOUNG +Reviewed-by: Mark Rutland +Link: https://lore.kernel.org/r/20230424010436.779733-1-youngmin.nam@samsung.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/exception.h | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h +index e73af709cb7ad..88d8dfeed0db6 100644 +--- a/arch/arm64/include/asm/exception.h ++++ b/arch/arm64/include/asm/exception.h +@@ -8,16 +8,11 @@ + #define __ASM_EXCEPTION_H + + #include +-#include + #include + + #include + +-#ifdef CONFIG_FUNCTION_GRAPH_TRACER + #define __exception_irq_entry __irq_entry +-#else +-#define __exception_irq_entry __kprobes +-#endif + + static inline unsigned long disr_to_esr(u64 disr) + { +-- +2.39.2 + diff --git a/queue-6.4/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch b/queue-6.4/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch new file mode 100644 index 00000000000..6befb371d5b --- /dev/null +++ b/queue-6.4/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch @@ -0,0 +1,63 @@ +From edd80e3e2cea3bed041663831aa8125704b574db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 16:23:54 +0530 +Subject: ASoC: amd: acp: fix for invalid dai id handling in + acp_get_byte_count() + +From: Vijendar Mukunda + +[ Upstream commit 85aeab362201cf52c34cd429e4f6c75a0b42f9a3 ] + +For invalid dai id, instead of returning -EINVAL +return bytes count as zero in acp_get_byte_count() function. + +Fixes: 623621a9f9e1 ("ASoC: amd: Add common framework to support I2S on ACP SOC") + +Signed-off-by: Vijendar Mukunda +Link: https://lore.kernel.org/r/20230626105356.2580125-6-Vijendar.Mukunda@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/amd.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/amd/acp/amd.h b/sound/soc/amd/acp/amd.h +index 5f2119f422715..12a176a50fd6e 100644 +--- a/sound/soc/amd/acp/amd.h ++++ b/sound/soc/amd/acp/amd.h +@@ -173,7 +173,7 @@ int snd_amd_acp_find_config(struct pci_dev *pci); + + static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int direction) + { +- u64 byte_count, low = 0, high = 0; ++ u64 byte_count = 0, low = 0, high = 0; + + if (direction == SNDRV_PCM_STREAM_PLAYBACK) { + switch (dai_id) { +@@ -191,7 +191,7 @@ static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int + break; + default: + dev_err(adata->dev, "Invalid dai id %x\n", dai_id); +- return -EINVAL; ++ goto POINTER_RETURN_BYTES; + } + } else { + switch (dai_id) { +@@ -213,12 +213,13 @@ static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int + break; + default: + dev_err(adata->dev, "Invalid dai id %x\n", dai_id); +- return -EINVAL; ++ goto POINTER_RETURN_BYTES; + } + } + /* Get 64 bit value from two 32 bit registers */ + byte_count = (high << 32) | low; + ++POINTER_RETURN_BYTES: + return byte_count; + } + +-- +2.39.2 + diff --git a/queue-6.4/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch b/queue-6.4/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch new file mode 100644 index 00000000000..40da9bf5384 --- /dev/null +++ b/queue-6.4/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch @@ -0,0 +1,51 @@ +From d0035014b8bfd8c7e5845573b7e9f5b4db95cb74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 13:57:23 +0100 +Subject: ASoC: codecs: wcd938x: fix dB range for HPHL and HPHR + +From: Srinivas Kandagatla + +[ Upstream commit c03226ba15fe3c42d13907ec7d8536396602557b ] + +dB range for HPHL and HPHR gains are from +6dB to -30dB in steps of +1.5dB with register values range from 0 to 24. + +Current code maps these dB ranges incorrectly, fix them to allow proper +volume setting. + +Fixes: e8ba1e05bdc0 ("ASoC: codecs: wcd938x: add basic controls") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705125723.40464-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd938x.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/wcd938x.c b/sound/soc/codecs/wcd938x.c +index 8bb6a5ff7b0f6..4a0b990f56e12 100644 +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -210,7 +210,7 @@ struct wcd938x_priv { + }; + + static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(ear_pa_gain, 600, -1800); +-static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(line_gain, 600, -3000); ++static const DECLARE_TLV_DB_SCALE(line_gain, -3000, 150, -3000); + static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(analog_gain, 0, 3000); + + struct wcd938x_mbhc_zdet_param { +@@ -2662,8 +2662,8 @@ static const struct snd_kcontrol_new wcd938x_snd_controls[] = { + wcd938x_get_swr_port, wcd938x_set_swr_port), + SOC_SINGLE_EXT("DSD_R Switch", WCD938X_DSD_R, 0, 1, 0, + wcd938x_get_swr_port, wcd938x_set_swr_port), +- SOC_SINGLE_TLV("HPHL Volume", WCD938X_HPH_L_EN, 0, 0x18, 0, line_gain), +- SOC_SINGLE_TLV("HPHR Volume", WCD938X_HPH_R_EN, 0, 0x18, 0, line_gain), ++ SOC_SINGLE_TLV("HPHL Volume", WCD938X_HPH_L_EN, 0, 0x18, 1, line_gain), ++ SOC_SINGLE_TLV("HPHR Volume", WCD938X_HPH_R_EN, 0, 0x18, 1, line_gain), + WCD938X_EAR_PA_GAIN_TLV("EAR_PA Volume", WCD938X_ANA_EAR_COMPANDER_CTL, + 2, 0x10, 0, ear_pa_gain), + SOC_SINGLE_EXT("ADC1 Switch", WCD938X_ADC1, 1, 1, 0, +-- +2.39.2 + diff --git a/queue-6.4/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch b/queue-6.4/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch new file mode 100644 index 00000000000..4830220c4a0 --- /dev/null +++ b/queue-6.4/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch @@ -0,0 +1,43 @@ +From 272677a7d51d5f30b931b0981c50a2b2cff55289 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 16:27:13 +0200 +Subject: ASoC: codecs: wcd938x: fix mbhc impedance loglevel + +From: Johan Hovold + +[ Upstream commit e5ce198bd5c6923b6a51e1493b1401f84c24b26d ] + +Demote the MBHC impedance measurement printk, which is not an error +message, from error to debug level. + +While at it, fix the capitalisation of "ohm" and add the missing space +before the opening parenthesis. + +Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230630142717.5314-2-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd938x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/wcd938x.c b/sound/soc/codecs/wcd938x.c +index 0ff8f784b5eca..8bb6a5ff7b0f6 100644 +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -2165,8 +2165,8 @@ static inline void wcd938x_mbhc_get_result_params(struct wcd938x_priv *wcd938x, + else if (x1 < minCode_param[noff]) + *zdet = WCD938X_ZDET_FLOATING_IMPEDANCE; + +- pr_err("%s: d1=%d, c1=%d, x1=0x%x, z_val=%d(milliOhm)\n", +- __func__, d1, c1, x1, *zdet); ++ pr_debug("%s: d1=%d, c1=%d, x1=0x%x, z_val=%d (milliohm)\n", ++ __func__, d1, c1, x1, *zdet); + ramp_down: + i = 0; + while (x1) { +-- +2.39.2 + diff --git a/queue-6.4/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch b/queue-6.4/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch new file mode 100644 index 00000000000..91e7129bc73 --- /dev/null +++ b/queue-6.4/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch @@ -0,0 +1,60 @@ +From 922473de77853fe08b1fd0ab538d820d97b554dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 14:18:42 +0100 +Subject: ASoC: qcom: q6apm: do not close GPR port before closing graph + +From: Srinivas Kandagatla + +[ Upstream commit c1be62923d4d86e7c06b1224626e27eb8d9ab32e ] + +Closing GPR port before graph close can result in un handled notifications +from DSP, this results in spam of errors from GPR driver as there is no +one to handle these notification at that point in time. + +Fix this by closing GPR port after graph close is finished. + +Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705131842.41584-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/qdsp6/q6apm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/qcom/qdsp6/q6apm.c b/sound/soc/qcom/qdsp6/q6apm.c +index a7a3f973eb6d5..cdebf209c8a55 100644 +--- a/sound/soc/qcom/qdsp6/q6apm.c ++++ b/sound/soc/qcom/qdsp6/q6apm.c +@@ -446,6 +446,8 @@ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) + + switch (hdr->opcode) { + case DATA_CMD_RSP_WR_SH_MEM_EP_DATA_BUFFER_DONE_V2: ++ if (!graph->ar_graph) ++ break; + client_event = APM_CLIENT_EVENT_DATA_WRITE_DONE; + mutex_lock(&graph->lock); + token = hdr->token & APM_WRITE_TOKEN_MASK; +@@ -479,6 +481,8 @@ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) + wake_up(&graph->cmd_wait); + break; + case DATA_CMD_RSP_RD_SH_MEM_EP_DATA_BUFFER_V2: ++ if (!graph->ar_graph) ++ break; + client_event = APM_CLIENT_EVENT_DATA_READ_DONE; + mutex_lock(&graph->lock); + rd_done = data->payload; +@@ -581,8 +585,9 @@ int q6apm_graph_close(struct q6apm_graph *graph) + { + struct audioreach_graph *ar_graph = graph->ar_graph; + +- gpr_free_port(graph->port); ++ graph->ar_graph = NULL; + kref_put(&ar_graph->refcount, q6apm_put_audioreach_graph); ++ gpr_free_port(graph->port); + kfree(graph); + + return 0; +-- +2.39.2 + diff --git a/queue-6.4/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch b/queue-6.4/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch new file mode 100644 index 00000000000..835740abdb0 --- /dev/null +++ b/queue-6.4/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch @@ -0,0 +1,60 @@ +From 4d081eb7ade047c783eff167d9362c5a23f905d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 14:25:23 +0300 +Subject: ASoC: SOF: ipc3-dtrace: uninitialized data in + dfsentry_trace_filter_write() + +From: Dan Carpenter + +[ Upstream commit 469e2f28c2cbee2430058c1c9bb6d1675d7195fb ] + +This doesn't check how many bytes the simple_write_to_buffer() writes to +the buffer. The only thing that we know is that the first byte is +initialized and the last byte of the buffer is set to NUL. However +the middle bytes could be uninitialized. + +There is no need to use simple_write_to_buffer(). This code does not +support partial writes but instead passes "pos = 0" as the starting +offset regardless of what the user passed as "*ppos". Just use the +copy_from_user() function and initialize the whole buffer. + +Fixes: 671e0b90051e ("ASoC: SOF: Clone the trace code to ipc3-dtrace as fw_tracing implementation") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/74148292-ce4d-4e01-a1a7-921e6767da14@moroto.mountain +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc3-dtrace.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/sof/ipc3-dtrace.c b/sound/soc/sof/ipc3-dtrace.c +index 1d3bca2d28dd6..35da85a45a9ae 100644 +--- a/sound/soc/sof/ipc3-dtrace.c ++++ b/sound/soc/sof/ipc3-dtrace.c +@@ -186,7 +186,6 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user + struct snd_sof_dfsentry *dfse = file->private_data; + struct sof_ipc_trace_filter_elem *elems = NULL; + struct snd_sof_dev *sdev = dfse->sdev; +- loff_t pos = 0; + int num_elems; + char *string; + int ret; +@@ -201,11 +200,11 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user + if (!string) + return -ENOMEM; + +- /* assert null termination */ +- string[count] = 0; +- ret = simple_write_to_buffer(string, count, &pos, from, count); +- if (ret < 0) ++ if (copy_from_user(string, from, count)) { ++ ret = -EFAULT; + goto error; ++ } ++ string[count] = '\0'; + + ret = trace_filter_parse(sdev, string, &num_elems, &elems); + if (ret < 0) +-- +2.39.2 + diff --git a/queue-6.4/blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch b/queue-6.4/blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch new file mode 100644 index 00000000000..293e66b3be4 --- /dev/null +++ b/queue-6.4/blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch @@ -0,0 +1,61 @@ +From 2985cb1c3caeaa23909dc76b3608d8f5ffa0034c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 21:23:54 +0800 +Subject: blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none + +From: Ming Lei + +[ Upstream commit 245165658e1c9f95c0fecfe02b9b1ebd30a1198a ] + +After grabbing q->sysfs_lock, q->elevator may become NULL because of +elevator switch. + +Fix the NULL dereference on q->elevator by checking it with lock. + +Reported-by: Guangwu Zhang +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20230616132354.415109-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index b9f4546139894..73ed8ccb09ce8 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -4617,9 +4617,6 @@ static bool blk_mq_elv_switch_none(struct list_head *head, + { + struct blk_mq_qe_pair *qe; + +- if (!q->elevator) +- return true; +- + qe = kmalloc(sizeof(*qe), GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY); + if (!qe) + return false; +@@ -4627,6 +4624,12 @@ static bool blk_mq_elv_switch_none(struct list_head *head, + /* q->elevator needs protection from ->sysfs_lock */ + mutex_lock(&q->sysfs_lock); + ++ /* the check has to be done with holding sysfs_lock */ ++ if (!q->elevator) { ++ kfree(qe); ++ goto unlock; ++ } ++ + INIT_LIST_HEAD(&qe->node); + qe->q = q; + qe->type = q->elevator->type; +@@ -4634,6 +4637,7 @@ static bool blk_mq_elv_switch_none(struct list_head *head, + __elevator_get(qe->type); + list_add(&qe->node, head); + elevator_disable(q); ++unlock: + mutex_unlock(&q->sysfs_lock); + + return true; +-- +2.39.2 + diff --git a/queue-6.4/bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch b/queue-6.4/bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch new file mode 100644 index 00000000000..732ea3bb10b --- /dev/null +++ b/queue-6.4/bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch @@ -0,0 +1,47 @@ +From 0f3d353a227d27998efc4598cfdfc74d33fb522b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 12:25:14 +0200 +Subject: Bluetooth: btusb: Fix bluetooth on Intel Macbook 2014 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomasz Moń + +[ Upstream commit 95b7015433053cd5f648ad2a7b8f43b2c99c949a ] + +Commit c13380a55522 ("Bluetooth: btusb: Do not require hardcoded +interface numbers") inadvertedly broke bluetooth on Intel Macbook 2014. +The intention was to keep behavior intact when BTUSB_IFNUM_2 is set and +otherwise allow any interface numbers. The problem is that the new logic +condition omits the case where bInterfaceNumber is 0. + +Fix BTUSB_IFNUM_2 handling by allowing both interface number 0 and 2 +when the flag is set. + +Fixes: c13380a55522 ("Bluetooth: btusb: Do not require hardcoded interface numbers") +Reported-by: John Holland +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217651 +Signed-off-by: Tomasz Moń +Tested-by: John Holland +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 2a8e2bb038f58..50e23762ec5e9 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -4099,6 +4099,7 @@ static int btusb_probe(struct usb_interface *intf, + BT_DBG("intf %p id %p", intf, id); + + if ((id->driver_info & BTUSB_IFNUM_2) && ++ (intf->cur_altsetting->desc.bInterfaceNumber != 0) && + (intf->cur_altsetting->desc.bInterfaceNumber != 2)) + return -ENODEV; + +-- +2.39.2 + diff --git a/queue-6.4/bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch b/queue-6.4/bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch new file mode 100644 index 00000000000..4a05013c5c3 --- /dev/null +++ b/queue-6.4/bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch @@ -0,0 +1,58 @@ +From 84ceed6bd7bd6b85f52b80362cae4ce3f2f0daf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 18:43:53 +0530 +Subject: Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no + link + +From: Siddh Raman Pant + +[ Upstream commit b4066eb04bb67e7ff66e5aaab0db4a753f37eaad ] + +hci_connect_sco currently returns NULL when there is no link (i.e. when +hci_conn_link() returns NULL). + +sco_connect() expects an ERR_PTR in case of any error (see line 266 in +sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which +tries to get hcon->hdev, resulting in dereferencing a NULL pointer as +reported by syzkaller. + +The same issue exists for iso_connect_cis() calling hci_connect_cis(). + +Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR +instead of NULL. + +Reported-and-tested-by: syzbot+37acd5d80d00d609d233@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=37acd5d80d00d609d233 +Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon") +Signed-off-by: Siddh Raman Pant +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 7b0c74ef93296..31c115b225e7e 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1684,7 +1684,7 @@ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, + if (!link) { + hci_conn_drop(acl); + hci_conn_drop(sco); +- return NULL; ++ return ERR_PTR(-ENOLINK); + } + + sco->setting = setting; +@@ -2256,7 +2256,7 @@ struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, + if (!link) { + hci_conn_drop(le); + hci_conn_drop(cis); +- return NULL; ++ return ERR_PTR(-ENOLINK); + } + + /* If LE is already connected and CIS handle is already set proceed to +-- +2.39.2 + diff --git a/queue-6.4/bluetooth-hci_event-call-disconnect-callback-before-.patch b/queue-6.4/bluetooth-hci_event-call-disconnect-callback-before-.patch new file mode 100644 index 00000000000..8c4865a7c6c --- /dev/null +++ b/queue-6.4/bluetooth-hci_event-call-disconnect-callback-before-.patch @@ -0,0 +1,168 @@ +From 1c0a105690e7ae4ffc1b2c44181d834089aea545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 01:04:32 +0300 +Subject: Bluetooth: hci_event: call disconnect callback before deleting conn + +From: Pauli Virtanen + +[ Upstream commit 7f7cfcb6f0825652973b780f248603e23f16ee90 ] + +In hci_cs_disconnect, we do hci_conn_del even if disconnection failed. + +ISO, L2CAP and SCO connections refer to the hci_conn without +hci_conn_get, so disconn_cfm must be called so they can clean up their +conn, otherwise use-after-free occurs. + +ISO: +========================================================== +iso_sock_connect:880: sk 00000000eabd6557 +iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da +... +iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073 +hci_dev_put:1487: hci0 orig refcnt 17 +__iso_chan_add:214: conn 00000000b6251073 +iso_sock_clear_timer:117: sock 00000000eabd6557 state 3 +... +hci_rx_work:4085: hci0 Event packet +hci_event_packet:7601: hci0: event 0x0f +hci_cmd_status_evt:4346: hci0: opcode 0x0406 +hci_cs_disconnect:2760: hci0: status 0x0c +hci_sent_cmd_data:3107: hci0 opcode 0x0406 +hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560 +hci_conn_unlink:1102: hci0: hcon 000000001696f1fd +hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2 +hci_chan_list_flush:2780: hcon 000000001696f1fd +hci_dev_put:1487: hci0 orig refcnt 21 +hci_dev_put:1487: hci0 orig refcnt 20 +hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c +... ... +iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557 +BUG: kernel NULL pointer dereference, address: 0000000000000668 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth +========================================================== + +L2CAP: +================================================================== +hci_cmd_status_evt:4359: hci0: opcode 0x0406 +hci_cs_disconnect:2760: hci0: status 0x0c +hci_sent_cmd_data:3085: hci0 opcode 0x0406 +hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585 +hci_conn_unlink:1102: hci0: hcon ffff88800c999000 +hci_chan_list_flush:2780: hcon ffff88800c999000 +hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280 +... +BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth] +Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175 + +CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +Call Trace: + + dump_stack_lvl+0x5b/0x90 + print_report+0xcf/0x670 + ? __virt_addr_valid+0xf8/0x180 + ? hci_send_acl+0x2d/0x540 [bluetooth] + kasan_report+0xa8/0xe0 + ? hci_send_acl+0x2d/0x540 [bluetooth] + hci_send_acl+0x2d/0x540 [bluetooth] + ? __pfx___lock_acquire+0x10/0x10 + l2cap_chan_send+0x1fd/0x1300 [bluetooth] + ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth] + ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth] + ? lock_release+0x1d5/0x3c0 + ? mark_held_locks+0x1a/0x90 + l2cap_sock_sendmsg+0x100/0x170 [bluetooth] + sock_write_iter+0x275/0x280 + ? __pfx_sock_write_iter+0x10/0x10 + ? __pfx___lock_acquire+0x10/0x10 + do_iter_readv_writev+0x176/0x220 + ? __pfx_do_iter_readv_writev+0x10/0x10 + ? find_held_lock+0x83/0xa0 + ? selinux_file_permission+0x13e/0x210 + do_iter_write+0xda/0x340 + vfs_writev+0x1b4/0x400 + ? __pfx_vfs_writev+0x10/0x10 + ? __seccomp_filter+0x112/0x750 + ? populate_seccomp_data+0x182/0x220 + ? __fget_light+0xdf/0x100 + ? do_writev+0x19d/0x210 + do_writev+0x19d/0x210 + ? __pfx_do_writev+0x10/0x10 + ? mark_held_locks+0x1a/0x90 + do_syscall_64+0x60/0x90 + ? lockdep_hardirqs_on_prepare+0x149/0x210 + ? do_syscall_64+0x6c/0x90 + ? lockdep_hardirqs_on_prepare+0x149/0x210 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7ff45cb23e64 +Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 +RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64 +RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017 +RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40 +R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0 +R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040 + + +Allocated by task 771: + kasan_save_stack+0x33/0x60 + kasan_set_track+0x25/0x30 + __kasan_kmalloc+0xaa/0xb0 + hci_chan_create+0x67/0x1b0 [bluetooth] + l2cap_conn_add.part.0+0x17/0x590 [bluetooth] + l2cap_connect_cfm+0x266/0x6b0 [bluetooth] + hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth] + hci_event_packet+0x38d/0x800 [bluetooth] + hci_rx_work+0x287/0xb20 [bluetooth] + process_one_work+0x4f7/0x970 + worker_thread+0x8f/0x620 + kthread+0x17f/0x1c0 + ret_from_fork+0x2c/0x50 + +Freed by task 771: + kasan_save_stack+0x33/0x60 + kasan_set_track+0x25/0x30 + kasan_save_free_info+0x2e/0x50 + ____kasan_slab_free+0x169/0x1c0 + slab_free_freelist_hook+0x9e/0x1c0 + __kmem_cache_free+0xc0/0x310 + hci_chan_list_flush+0x46/0x90 [bluetooth] + hci_conn_cleanup+0x7d/0x330 [bluetooth] + hci_cs_disconnect+0x35d/0x530 [bluetooth] + hci_cmd_status_evt+0xef/0x2b0 [bluetooth] + hci_event_packet+0x38d/0x800 [bluetooth] + hci_rx_work+0x287/0xb20 [bluetooth] + process_one_work+0x4f7/0x970 + worker_thread+0x8f/0x620 + kthread+0x17f/0x1c0 + ret_from_fork+0x2c/0x50 +================================================================== + +Fixes: b8d290525e39 ("Bluetooth: clean up connection in hci_cs_disconnect") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 72b6d189d3de2..cb0b5fe7a6f8c 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2784,6 +2784,9 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) + hci_enable_advertising(hdev); + } + ++ /* Inform sockets conn is gone before we delete it */ ++ hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED); ++ + goto done; + } + +-- +2.39.2 + diff --git a/queue-6.4/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch b/queue-6.4/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch new file mode 100644 index 00000000000..8af4b293be5 --- /dev/null +++ b/queue-6.4/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch @@ -0,0 +1,60 @@ +From a1ee2560c82046e851ecf0268f802f2e15a138aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 15:33:14 -0700 +Subject: Bluetooth: hci_sync: Avoid use-after-free in dbg for + hci_remove_adv_monitor() + +From: Douglas Anderson + +[ Upstream commit de6dfcefd107667ce2dbedf4d9337f5ed557a4a1 ] + +KASAN reports that there's a use-after-free in +hci_remove_adv_monitor(). Trawling through the disassembly, you can +see that the complaint is from the access in bt_dev_dbg() under the +HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because +msft_remove_monitor() can end up freeing the monitor +structure. Specifically: + hci_remove_adv_monitor() -> + msft_remove_monitor() -> + msft_remove_monitor_sync() -> + msft_le_cancel_monitor_advertisement_cb() -> + hci_free_adv_monitor() + +Let's fix the problem by just stashing the relevant data when it's +still valid. + +Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor") +Signed-off-by: Douglas Anderson +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index b421e196f60c3..1ec83985f1ab0 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1972,6 +1972,7 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev, + struct adv_monitor *monitor) + { + int status = 0; ++ int handle; + + switch (hci_get_adv_monitor_offload_ext(hdev)) { + case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */ +@@ -1980,9 +1981,10 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev, + goto free_monitor; + + case HCI_ADV_MONITOR_EXT_MSFT: ++ handle = monitor->handle; + status = msft_remove_monitor(hdev, monitor); + bt_dev_dbg(hdev, "%s remove monitor %d msft status %d", +- hdev->name, monitor->handle, status); ++ hdev->name, handle, status); + break; + } + +-- +2.39.2 + diff --git a/queue-6.4/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch b/queue-6.4/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch new file mode 100644 index 00000000000..e802b39b9fc --- /dev/null +++ b/queue-6.4/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch @@ -0,0 +1,292 @@ +From 38c1cad8787d706dea39d17a633b391863b8e3a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 01:04:33 +0300 +Subject: Bluetooth: ISO: fix iso_conn related locking and validity issues + +From: Pauli Virtanen + +[ Upstream commit d40ae85ee62e3666f45bc61864b22121346f88ef ] + +sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations +that check/update sk_state and access conn should hold lock_sock, +otherwise they can race. + +The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock, +which is how it is in connect/disconnect_cfm -> iso_conn_del -> +iso_chan_del. + +Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock +around updating sk_state and conn. + +iso_conn_del must not occur during iso_connect_cis/bis, as it frees the +iso_conn. Hold hdev->lock longer to prevent that. + +This should not reintroduce the issue fixed in commit 241f51931c35 +("Bluetooth: ISO: Avoid circular locking dependency"), since the we +acquire locks in order. We retain the fix in iso_sock_connect to release +lock_sock before iso_connect_* acquires hdev->lock. + +Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible +circular locking dependency"). We retain the fix in iso_conn_ready to +not acquire iso_conn_lock before lock_sock. + +iso_conn_add shall return iso_conn with valid hcon. Make it so also when +reusing an old CIS connection waiting for disconnect timeout (see +__iso_sock_close where conn->hcon is set to NULL). + +Trace with iso_conn_del after iso_chan_add in iso_connect_cis: +=============================================================== +iso_sock_create:771: sock 00000000be9b69b7 +iso_sock_init:693: sk 000000004dff667e +iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1 +iso_sock_setsockopt:1289: sk 000000004dff667e +iso_sock_setsockopt:1289: sk 000000004dff667e +iso_sock_setsockopt:1289: sk 000000004dff667e +iso_sock_connect:875: sk 000000004dff667e +iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da +hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da +hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da +iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e +__iso_chan_add:214: conn 00000000daf8625e +iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12 +iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16 +iso_sock_clear_timer:117: sock 000000004dff667e state 3 + +iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16 +hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535 +hci_conn_unlink:1102: hci0: hcon 000000007b65d182 +hci_chan_list_flush:2780: hcon 000000007b65d182 +iso_sock_getsockopt:1376: sk 000000004dff667e +iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e +iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e +iso_sock_getsockopt:1376: sk 000000004dff667e +iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e +iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e +iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1 +__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7 + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0 +Oops: 0000 [#1] PREEMPT SMP PTI +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth +=============================================================== + +Trace with iso_conn_del before iso_chan_add in iso_connect_cis: +=============================================================== +iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da +... +iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504 +hci_dev_put:1487: hci0 orig refcnt 21 +hci_event_packet:7607: hci0: event 0x0e +hci_cmd_complete_evt:4231: hci0: opcode 0x2062 +hci_cc_le_set_cig_params:3846: hci0: status 0x07 +hci_sent_cmd_data:3107: hci0 opcode 0x2062 +iso_connect_cfm:1703: hcon 0000000093bc551f bdaddr 28:3d:c2:4a:7e:da status 7 +iso_conn_del:187: hcon 0000000093bc551f conn 00000000768ae504, err 12 +hci_conn_del:1151: hci0 hcon 0000000093bc551f handle 65535 +hci_conn_unlink:1102: hci0: hcon 0000000093bc551f +hci_chan_list_flush:2780: hcon 0000000093bc551f +__iso_chan_add:214: conn 00000000768ae504 + +iso_sock_clear_timer:117: sock 0000000098323f95 state 3 +general protection fault, probably for non-canonical address 0x30b29c630930aec8: 0000 [#1] PREEMPT SMP PTI +CPU: 1 PID: 1920 Comm: bluetoothd Tainted: G E 6.3.0-rc7+ #4 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +RIP: 0010:detach_if_pending+0x28/0xd0 +Code: 90 90 0f 1f 44 00 00 48 8b 47 08 48 85 c0 0f 84 ad 00 00 00 55 89 d5 53 48 83 3f 00 48 89 fb 74 7d 66 90 48 8b 03 48 8b 53 08 <> +RSP: 0018:ffffb90841a67d08 EFLAGS: 00010007 +RAX: 0000000000000000 RBX: ffff9141bd5061b8 RCX: 0000000000000000 +RDX: 30b29c630930aec8 RSI: ffff9141fdd21e80 RDI: ffff9141bd5061b8 +RBP: 0000000000000001 R08: 0000000000000000 R09: ffffb90841a67b88 +R10: 0000000000000003 R11: ffffffff8613f558 R12: ffff9141fdd21e80 +R13: 0000000000000000 R14: ffff9141b5976010 R15: ffff914185755338 +FS: 00007f45768bd840(0000) GS:ffff9141fdd00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000619000424074 CR3: 0000000009f5e005 CR4: 0000000000170ee0 +Call Trace: + + timer_delete+0x48/0x80 + try_to_grab_pending+0xdf/0x170 + __cancel_work+0x37/0xb0 + iso_connect_cis+0x141/0x400 [bluetooth] +=============================================================== + +Trace with NULL conn->hcon in state BT_CONNECT: +=============================================================== +__iso_sock_close:619: sk 00000000f7c71fc5 state 1 socket 00000000d90c5fe5 +... +__iso_sock_close:619: sk 00000000f7c71fc5 state 8 socket 00000000d90c5fe5 +iso_chan_del:153: sk 00000000f7c71fc5, conn 0000000022c03a7e, err 104 +... +iso_sock_connect:862: sk 00000000129b56c3 +iso_connect_cis:348: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a +hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a +hci_dev_hold:1495: hci0 orig refcnt 19 +__iso_chan_add:214: conn 0000000022c03a7e + +iso_sock_clear_timer:117: sock 00000000129b56c3 state 3 +... +iso_sock_ready:1485: sk 00000000129b56c3 +... +iso_sock_sendmsg:1077: sock 00000000e5013966, sk 00000000129b56c3 +BUG: kernel NULL pointer dereference, address: 00000000000006a8 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 1 PID: 1403 Comm: wireplumber Tainted: G E 6.3.0-rc7+ #4 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +RIP: 0010:iso_sock_sendmsg+0x63/0x2a0 [bluetooth] +=============================================================== + +Fixes: 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency") +Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 53 ++++++++++++++++++++++++++------------------- + 1 file changed, 31 insertions(+), 22 deletions(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 34d55a85d8f6f..94d5bc104fede 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -123,8 +123,11 @@ static struct iso_conn *iso_conn_add(struct hci_conn *hcon) + { + struct iso_conn *conn = hcon->iso_data; + +- if (conn) ++ if (conn) { ++ if (!conn->hcon) ++ conn->hcon = hcon; + return conn; ++ } + + conn = kzalloc(sizeof(*conn), GFP_KERNEL); + if (!conn) +@@ -300,14 +303,13 @@ static int iso_connect_bis(struct sock *sk) + goto unlock; + } + +- hci_dev_unlock(hdev); +- hci_dev_put(hdev); ++ lock_sock(sk); + + err = iso_chan_add(conn, sk, NULL); +- if (err) +- return err; +- +- lock_sock(sk); ++ if (err) { ++ release_sock(sk); ++ goto unlock; ++ } + + /* Update source addr of the socket */ + bacpy(&iso_pi(sk)->src, &hcon->src); +@@ -321,7 +323,6 @@ static int iso_connect_bis(struct sock *sk) + } + + release_sock(sk); +- return err; + + unlock: + hci_dev_unlock(hdev); +@@ -389,14 +390,13 @@ static int iso_connect_cis(struct sock *sk) + goto unlock; + } + +- hci_dev_unlock(hdev); +- hci_dev_put(hdev); ++ lock_sock(sk); + + err = iso_chan_add(conn, sk, NULL); +- if (err) +- return err; +- +- lock_sock(sk); ++ if (err) { ++ release_sock(sk); ++ goto unlock; ++ } + + /* Update source addr of the socket */ + bacpy(&iso_pi(sk)->src, &hcon->src); +@@ -413,7 +413,6 @@ static int iso_connect_cis(struct sock *sk) + } + + release_sock(sk); +- return err; + + unlock: + hci_dev_unlock(hdev); +@@ -1072,8 +1071,8 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, + size_t len) + { + struct sock *sk = sock->sk; +- struct iso_conn *conn = iso_pi(sk)->conn; + struct sk_buff *skb, **frag; ++ size_t mtu; + int err; + + BT_DBG("sock %p, sk %p", sock, sk); +@@ -1085,11 +1084,18 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, + if (msg->msg_flags & MSG_OOB) + return -EOPNOTSUPP; + +- if (sk->sk_state != BT_CONNECTED) ++ lock_sock(sk); ++ ++ if (sk->sk_state != BT_CONNECTED) { ++ release_sock(sk); + return -ENOTCONN; ++ } ++ ++ mtu = iso_pi(sk)->conn->hcon->hdev->iso_mtu; ++ ++ release_sock(sk); + +- skb = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu, +- HCI_ISO_DATA_HDR_SIZE, 0); ++ skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0); + if (IS_ERR(skb)) + return PTR_ERR(skb); + +@@ -1102,8 +1108,7 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, + while (len) { + struct sk_buff *tmp; + +- tmp = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu, +- 0, 0); ++ tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0); + if (IS_ERR(tmp)) { + kfree_skb(skb); + return PTR_ERR(tmp); +@@ -1158,15 +1163,19 @@ static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg, + BT_DBG("sk %p", sk); + + if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { ++ lock_sock(sk); + switch (sk->sk_state) { + case BT_CONNECT2: +- lock_sock(sk); + iso_conn_defer_accept(pi->conn->hcon); + sk->sk_state = BT_CONFIG; + release_sock(sk); + return 0; + case BT_CONNECT: ++ release_sock(sk); + return iso_connect_cis(sk); ++ default: ++ release_sock(sk); ++ break; + } + } + +-- +2.39.2 + diff --git a/queue-6.4/bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch b/queue-6.4/bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch new file mode 100644 index 00000000000..84761ceda9b --- /dev/null +++ b/queue-6.4/bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch @@ -0,0 +1,100 @@ +From cc9d54b74879a34272695218fd49e9ba6687e670 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 19:48:19 +0300 +Subject: Bluetooth: SCO: fix sco_conn related locking and validity issues + +From: Pauli Virtanen + +[ Upstream commit 3dcaa192ac2159193bc6ab57bc5369dcb84edd8e ] + +Operations that check/update sk_state and access conn should hold +lock_sock, otherwise they can race. + +The order of taking locks is hci_dev_lock > lock_sock > sco_conn_lock, +which is how it is in connect/disconnect_cfm -> sco_conn_del -> +sco_chan_del. + +Fix locking in sco_connect to take lock_sock around updating sk_state +and conn. + +sco_conn_del must not occur during sco_connect, as it frees the +sco_conn. Hold hdev->lock longer to prevent that. + +sco_conn_add shall return sco_conn with valid hcon. Make it so also when +reusing an old SCO connection waiting for disconnect timeout (see +__sco_sock_close where conn->hcon is set to NULL). + +This should not reintroduce the issue fixed in the earlier +commit 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking +dependency on sco_connect_cfm"), the relevant fix of releasing lock_sock +in sco_sock_connect before acquiring hdev->lock is retained. + +These changes mirror similar fixes earlier in ISO sockets. + +Fixes: 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index cd1a27ac555d0..7762604ddfc05 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -126,8 +126,11 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon) + struct hci_dev *hdev = hcon->hdev; + struct sco_conn *conn = hcon->sco_data; + +- if (conn) ++ if (conn) { ++ if (!conn->hcon) ++ conn->hcon = hcon; + return conn; ++ } + + conn = kzalloc(sizeof(struct sco_conn), GFP_KERNEL); + if (!conn) +@@ -268,21 +271,21 @@ static int sco_connect(struct sock *sk) + goto unlock; + } + +- hci_dev_unlock(hdev); +- hci_dev_put(hdev); +- + conn = sco_conn_add(hcon); + if (!conn) { + hci_conn_drop(hcon); +- return -ENOMEM; ++ err = -ENOMEM; ++ goto unlock; + } + +- err = sco_chan_add(conn, sk, NULL); +- if (err) +- return err; +- + lock_sock(sk); + ++ err = sco_chan_add(conn, sk, NULL); ++ if (err) { ++ release_sock(sk); ++ goto unlock; ++ } ++ + /* Update source addr of the socket */ + bacpy(&sco_pi(sk)->src, &hcon->src); + +@@ -296,8 +299,6 @@ static int sco_connect(struct sock *sk) + + release_sock(sk); + +- return err; +- + unlock: + hci_dev_unlock(hdev); + hci_dev_put(hdev); +-- +2.39.2 + diff --git a/queue-6.4/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch b/queue-6.4/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch new file mode 100644 index 00000000000..bad87f05068 --- /dev/null +++ b/queue-6.4/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch @@ -0,0 +1,594 @@ +From bb40a24b1a5fe8604c76ab2a9447b7b69940a3ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 01:04:31 +0300 +Subject: Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync + +From: Pauli Virtanen + +[ Upstream commit 195ef75e19287b4bc413da3e3e3722b030ac881e ] + +hci_update_accept_list_sync iterates over hdev->pend_le_conns and +hdev->pend_le_reports, and waits for controller events in the loop body, +without holding hdev lock. + +Meanwhile, these lists and the items may be modified e.g. by +le_scan_cleanup. This can invalidate the list cursor or any other item +in the list, resulting to invalid behavior (eg use-after-free). + +Use RCU for the hci_conn_params action lists. Since the loop bodies in +hci_sync block and we cannot use RCU or hdev->lock for the whole loop, +copy list items first and then iterate on the copy. Only the flags field +is written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we +read valid values. + +Free params everywhere with hci_conn_params_free so the cleanup is +guaranteed to be done properly. + +This fixes the following, which can be triggered e.g. by BlueZ new +mgmt-tester case "Add + Remove Device Nowait - Success", or by changing +hci_le_set_cig_params to always return false, and running iso-tester: + +================================================================== +BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32 + +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +Workqueue: hci0 hci_cmd_sync_work +Call Trace: + +dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107) +print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) +? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65) +? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +kasan_report (mm/kasan/report.c:538) +? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780) +? mutex_lock (kernel/locking/mutex.c:282) +? __pfx_mutex_lock (kernel/locking/mutex.c:282) +? __pfx_mutex_unlock (kernel/locking/mutex.c:538) +? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861) +hci_cmd_sync_work (net/bluetooth/hci_sync.c:306) +process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) +worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) +? __pfx_worker_thread (kernel/workqueue.c:2480) +kthread (kernel/kthread.c:376) +? __pfx_kthread (kernel/kthread.c:331) +ret_from_fork (arch/x86/entry/entry_64.S:314) + + +Allocated by task 31: +kasan_save_stack (mm/kasan/common.c:46) +kasan_set_track (mm/kasan/common.c:52) +__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383) +hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277) +hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589) +hci_connect_cis (net/bluetooth/hci_conn.c:2266) +iso_connect_cis (net/bluetooth/iso.c:390) +iso_sock_connect (net/bluetooth/iso.c:899) +__sys_connect (net/socket.c:2003 net/socket.c:2020) +__x64_sys_connect (net/socket.c:2027) +do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +Freed by task 15: +kasan_save_stack (mm/kasan/common.c:46) +kasan_set_track (mm/kasan/common.c:52) +kasan_save_free_info (mm/kasan/generic.c:523) +__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244) +__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800) +hci_conn_params_del (net/bluetooth/hci_core.c:2323) +le_scan_cleanup (net/bluetooth/hci_conn.c:202) +process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) +worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) +kthread (kernel/kthread.c:376) +ret_from_fork (arch/x86/entry/entry_64.S:314) +================================================================== + +Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 5 ++ + net/bluetooth/hci_conn.c | 10 +-- + net/bluetooth/hci_core.c | 38 ++++++++-- + net/bluetooth/hci_event.c | 12 ++-- + net/bluetooth/hci_sync.c | 117 ++++++++++++++++++++++++++++--- + net/bluetooth/mgmt.c | 26 +++---- + 6 files changed, 164 insertions(+), 44 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 9654567cfae37..870b6d3c5146b 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -822,6 +822,7 @@ struct hci_conn_params { + + struct hci_conn *conn; + bool explicit_connect; ++ /* Accessed without hdev->lock: */ + hci_conn_flags_t flags; + u8 privacy_mode; + }; +@@ -1573,7 +1574,11 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, + bdaddr_t *addr, u8 addr_type); + void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type); + void hci_conn_params_clear_disabled(struct hci_dev *hdev); ++void hci_conn_params_free(struct hci_conn_params *param); + ++void hci_pend_le_list_del_init(struct hci_conn_params *param); ++void hci_pend_le_list_add(struct hci_conn_params *param, ++ struct list_head *list); + struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, + bdaddr_t *addr, + u8 addr_type); +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 2275e0d9f8419..7b0c74ef93296 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -118,7 +118,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) + */ + params->explicit_connect = false; + +- list_del_init(¶ms->action); ++ hci_pend_le_list_del_init(params); + + switch (params->auto_connect) { + case HCI_AUTO_CONN_EXPLICIT: +@@ -127,10 +127,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) + return; + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + case HCI_AUTO_CONN_REPORT: +- list_add(¶ms->action, &hdev->pend_le_reports); ++ hci_pend_le_list_add(params, &hdev->pend_le_reports); + break; + default: + break; +@@ -1426,8 +1426,8 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev, + if (params->auto_connect == HCI_AUTO_CONN_DISABLED || + params->auto_connect == HCI_AUTO_CONN_REPORT || + params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { +- list_del_init(¶ms->action); +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_del_init(params); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + } + + params->explicit_connect = true; +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 48917c68358de..b421e196f60c3 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2249,21 +2249,45 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev, + return NULL; + } + +-/* This function requires the caller holds hdev->lock */ ++/* This function requires the caller holds hdev->lock or rcu_read_lock */ + struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, + bdaddr_t *addr, u8 addr_type) + { + struct hci_conn_params *param; + +- list_for_each_entry(param, list, action) { ++ rcu_read_lock(); ++ ++ list_for_each_entry_rcu(param, list, action) { + if (bacmp(¶m->addr, addr) == 0 && +- param->addr_type == addr_type) ++ param->addr_type == addr_type) { ++ rcu_read_unlock(); + return param; ++ } + } + ++ rcu_read_unlock(); ++ + return NULL; + } + ++/* This function requires the caller holds hdev->lock */ ++void hci_pend_le_list_del_init(struct hci_conn_params *param) ++{ ++ if (list_empty(¶m->action)) ++ return; ++ ++ list_del_rcu(¶m->action); ++ synchronize_rcu(); ++ INIT_LIST_HEAD(¶m->action); ++} ++ ++/* This function requires the caller holds hdev->lock */ ++void hci_pend_le_list_add(struct hci_conn_params *param, ++ struct list_head *list) ++{ ++ list_add_rcu(¶m->action, list); ++} ++ + /* This function requires the caller holds hdev->lock */ + struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, + bdaddr_t *addr, u8 addr_type) +@@ -2297,14 +2321,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, + return params; + } + +-static void hci_conn_params_free(struct hci_conn_params *params) ++void hci_conn_params_free(struct hci_conn_params *params) + { ++ hci_pend_le_list_del_init(params); ++ + if (params->conn) { + hci_conn_drop(params->conn); + hci_conn_put(params->conn); + } + +- list_del(¶ms->action); + list_del(¶ms->list); + kfree(params); + } +@@ -2342,8 +2367,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev) + continue; + } + +- list_del(¶ms->list); +- kfree(params); ++ hci_conn_params_free(params); + } + + BT_DBG("All LE disabled connection parameters were removed"); +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 21e26d3b286cc..72b6d189d3de2 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1564,7 +1564,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, + + params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); + if (params) +- params->privacy_mode = cp->mode; ++ WRITE_ONCE(params->privacy_mode, cp->mode); + + hci_dev_unlock(hdev); + +@@ -2804,8 +2804,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) + + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_del_init(¶ms->action); +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_del_init(params); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + + default: +@@ -3423,8 +3423,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data, + + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_del_init(¶ms->action); +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_del_init(params); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + hci_update_passive_scan(hdev); + break; + +@@ -5961,7 +5961,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, + params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, + conn->dst_type); + if (params) { +- list_del_init(¶ms->action); ++ hci_pend_le_list_del_init(params); + if (params->conn) { + hci_conn_drop(params->conn); + hci_conn_put(params->conn); +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index b5b1b610df335..1bcb54272dc67 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2160,15 +2160,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev, + return 0; + } + ++struct conn_params { ++ bdaddr_t addr; ++ u8 addr_type; ++ hci_conn_flags_t flags; ++ u8 privacy_mode; ++}; ++ + /* Adds connection to resolve list if needed. + * Setting params to NULL programs local hdev->irk + */ + static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, +- struct hci_conn_params *params) ++ struct conn_params *params) + { + struct hci_cp_le_add_to_resolv_list cp; + struct smp_irk *irk; + struct bdaddr_list_with_irk *entry; ++ struct hci_conn_params *p; + + if (!use_ll_privacy(hdev)) + return 0; +@@ -2203,6 +2211,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, + /* Default privacy mode is always Network */ + params->privacy_mode = HCI_NETWORK_PRIVACY; + ++ rcu_read_lock(); ++ p = hci_pend_le_action_lookup(&hdev->pend_le_conns, ++ ¶ms->addr, params->addr_type); ++ if (!p) ++ p = hci_pend_le_action_lookup(&hdev->pend_le_reports, ++ ¶ms->addr, params->addr_type); ++ if (p) ++ WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY); ++ rcu_read_unlock(); ++ + done: + if (hci_dev_test_flag(hdev, HCI_PRIVACY)) + memcpy(cp.local_irk, hdev->irk, 16); +@@ -2215,7 +2233,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, + + /* Set Device Privacy Mode. */ + static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, +- struct hci_conn_params *params) ++ struct conn_params *params) + { + struct hci_cp_le_set_privacy_mode cp; + struct smp_irk *irk; +@@ -2240,6 +2258,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, + bacpy(&cp.bdaddr, &irk->bdaddr); + cp.mode = HCI_DEVICE_PRIVACY; + ++ /* Note: params->privacy_mode is not updated since it is a copy */ ++ + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE, + sizeof(cp), &cp, HCI_CMD_TIMEOUT); + } +@@ -2249,7 +2269,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, + * properly set the privacy mode. + */ + static int hci_le_add_accept_list_sync(struct hci_dev *hdev, +- struct hci_conn_params *params, ++ struct conn_params *params, + u8 *num_entries) + { + struct hci_cp_le_add_to_accept_list cp; +@@ -2447,6 +2467,52 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev, + return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk); + } + ++static struct conn_params *conn_params_copy(struct list_head *list, size_t *n) ++{ ++ struct hci_conn_params *params; ++ struct conn_params *p; ++ size_t i; ++ ++ rcu_read_lock(); ++ ++ i = 0; ++ list_for_each_entry_rcu(params, list, action) ++ ++i; ++ *n = i; ++ ++ rcu_read_unlock(); ++ ++ p = kvcalloc(*n, sizeof(struct conn_params), GFP_KERNEL); ++ if (!p) ++ return NULL; ++ ++ rcu_read_lock(); ++ ++ i = 0; ++ list_for_each_entry_rcu(params, list, action) { ++ /* Racing adds are handled in next scan update */ ++ if (i >= *n) ++ break; ++ ++ /* No hdev->lock, but: addr, addr_type are immutable. ++ * privacy_mode is only written by us or in ++ * hci_cc_le_set_privacy_mode that we wait for. ++ * We should be idempotent so MGMT updating flags ++ * while we are processing is OK. ++ */ ++ bacpy(&p[i].addr, ¶ms->addr); ++ p[i].addr_type = params->addr_type; ++ p[i].flags = READ_ONCE(params->flags); ++ p[i].privacy_mode = READ_ONCE(params->privacy_mode); ++ ++i; ++ } ++ ++ rcu_read_unlock(); ++ ++ *n = i; ++ return p; ++} ++ + /* Device must not be scanning when updating the accept list. + * + * Update is done using the following sequence: +@@ -2466,11 +2532,12 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev, + */ + static u8 hci_update_accept_list_sync(struct hci_dev *hdev) + { +- struct hci_conn_params *params; ++ struct conn_params *params; + struct bdaddr_list *b, *t; + u8 num_entries = 0; + bool pend_conn, pend_report; + u8 filter_policy; ++ size_t i, n; + int err; + + /* Pause advertising if resolving list can be used as controllers +@@ -2504,6 +2571,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) + if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type)) + continue; + ++ /* Pointers not dereferenced, no locks needed */ + pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns, + &b->bdaddr, + b->bdaddr_type); +@@ -2532,23 +2600,50 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) + * available accept list entries in the controller, then + * just abort and return filer policy value to not use the + * accept list. ++ * ++ * The list and params may be mutated while we wait for events, ++ * so make a copy and iterate it. + */ +- list_for_each_entry(params, &hdev->pend_le_conns, action) { +- err = hci_le_add_accept_list_sync(hdev, params, &num_entries); +- if (err) ++ ++ params = conn_params_copy(&hdev->pend_le_conns, &n); ++ if (!params) { ++ err = -ENOMEM; ++ goto done; ++ } ++ ++ for (i = 0; i < n; ++i) { ++ err = hci_le_add_accept_list_sync(hdev, ¶ms[i], ++ &num_entries); ++ if (err) { ++ kvfree(params); + goto done; ++ } + } + ++ kvfree(params); ++ + /* After adding all new pending connections, walk through + * the list of pending reports and also add these to the + * accept list if there is still space. Abort if space runs out. + */ +- list_for_each_entry(params, &hdev->pend_le_reports, action) { +- err = hci_le_add_accept_list_sync(hdev, params, &num_entries); +- if (err) ++ ++ params = conn_params_copy(&hdev->pend_le_reports, &n); ++ if (!params) { ++ err = -ENOMEM; ++ goto done; ++ } ++ ++ for (i = 0; i < n; ++i) { ++ err = hci_le_add_accept_list_sync(hdev, ¶ms[i], ++ &num_entries); ++ if (err) { ++ kvfree(params); + goto done; ++ } + } + ++ kvfree(params); ++ + /* Use the allowlist unless the following conditions are all true: + * - We are not currently suspending + * - There are 1 or more ADV monitors registered and it's not offloaded +@@ -4839,12 +4934,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev) + struct hci_conn_params *p; + + list_for_each_entry(p, &hdev->le_conn_params, list) { ++ hci_pend_le_list_del_init(p); + if (p->conn) { + hci_conn_drop(p->conn); + hci_conn_put(p->conn); + p->conn = NULL; + } +- list_del_init(&p->action); + } + + BT_DBG("All LE pending actions cleared"); +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index f7b2d0971f240..1e07d0f289723 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1297,15 +1297,15 @@ static void restart_le_actions(struct hci_dev *hdev) + /* Needed for AUTO_OFF case where might not "really" + * have been powered off. + */ +- list_del_init(&p->action); ++ hci_pend_le_list_del_init(p); + + switch (p->auto_connect) { + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_add(&p->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(p, &hdev->pend_le_conns); + break; + case HCI_AUTO_CONN_REPORT: +- list_add(&p->action, &hdev->pend_le_reports); ++ hci_pend_le_list_add(p, &hdev->pend_le_reports); + break; + default: + break; +@@ -5169,7 +5169,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + goto unlock; + } + +- params->flags = current_flags; ++ WRITE_ONCE(params->flags, current_flags); + status = MGMT_STATUS_SUCCESS; + + /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY +@@ -7580,7 +7580,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr, + if (params->auto_connect == auto_connect) + return 0; + +- list_del_init(¶ms->action); ++ hci_pend_le_list_del_init(params); + + switch (auto_connect) { + case HCI_AUTO_CONN_DISABLED: +@@ -7589,18 +7589,18 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr, + * connect to device, keep connecting. + */ + if (params->explicit_connect) +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + case HCI_AUTO_CONN_REPORT: + if (params->explicit_connect) +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + else +- list_add(¶ms->action, &hdev->pend_le_reports); ++ hci_pend_le_list_add(params, &hdev->pend_le_reports); + break; + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: + if (!is_connected(hdev, addr, addr_type)) +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + } + +@@ -7823,9 +7823,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev, + goto unlock; + } + +- list_del(¶ms->action); +- list_del(¶ms->list); +- kfree(params); ++ hci_conn_params_free(params); + + device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type); + } else { +@@ -7856,9 +7854,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev, + p->auto_connect = HCI_AUTO_CONN_EXPLICIT; + continue; + } +- list_del(&p->action); +- list_del(&p->list); +- kfree(p); ++ hci_conn_params_free(p); + } + + bt_dev_dbg(hdev, "All LE connection parameters were removed"); +-- +2.39.2 + diff --git a/queue-6.4/bpf-address-kcsan-report-on-bpf_lru_list.patch b/queue-6.4/bpf-address-kcsan-report-on-bpf_lru_list.patch new file mode 100644 index 00000000000..400e32122e8 --- /dev/null +++ b/queue-6.4/bpf-address-kcsan-report-on-bpf_lru_list.patch @@ -0,0 +1,177 @@ +From 57221d8fa06c7bb4348592a89fa64f6d815f8518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 21:37:48 -0700 +Subject: bpf: Address KCSAN report on bpf_lru_list + +From: Martin KaFai Lau + +[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ] + +KCSAN reported a data-race when accessing node->ref. +Although node->ref does not have to be accurate, +take this chance to use a more common READ_ONCE() and WRITE_ONCE() +pattern instead of data_race(). + +There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). +This patch also adds bpf_lru_node_clear_ref() to do the +WRITE_ONCE(node->ref, 0) also. + +================================================================== +BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem + +write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: +__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] +__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] +__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 +bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] +bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] +bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 +prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] +__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: +bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] +__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x01 -> 0x00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 +================================================================== + +Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com +Signed-off-by: Martin KaFai Lau +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_lru_list.c | 21 +++++++++++++-------- + kernel/bpf/bpf_lru_list.h | 7 ++----- + 2 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c +index d99e89f113c43..3dabdd137d102 100644 +--- a/kernel/bpf/bpf_lru_list.c ++++ b/kernel/bpf/bpf_lru_list.c +@@ -41,7 +41,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l) + /* bpf_lru_node helpers */ + static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node) + { +- return node->ref; ++ return READ_ONCE(node->ref); ++} ++ ++static void bpf_lru_node_clear_ref(struct bpf_lru_node *node) ++{ ++ WRITE_ONCE(node->ref, 0); + } + + static void bpf_lru_list_count_inc(struct bpf_lru_list *l, +@@ -89,7 +94,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l, + + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, &l->lists[tgt_type]); + } + +@@ -110,7 +115,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; + } +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + + /* If the moving node is the next_inactive_rotation candidate, + * move the next_inactive_rotation pointer also. +@@ -353,7 +358,7 @@ static void __local_list_add_pending(struct bpf_lru *lru, + *(u32 *)((void *)node + lru->hash_offset) = hash; + node->cpu = cpu; + node->type = BPF_LRU_LOCAL_LIST_T_PENDING; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, local_pending_list(loc_l)); + } + +@@ -419,7 +424,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru, + if (!list_empty(free_list)) { + node = list_first_entry(free_list, struct bpf_lru_node, list); + *(u32 *)((void *)node + lru->hash_offset) = hash; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE); + } + +@@ -522,7 +527,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru, + } + + node->type = BPF_LRU_LOCAL_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, local_free_list(loc_l)); + + raw_spin_unlock_irqrestore(&loc_l->lock, flags); +@@ -568,7 +573,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, + + node = (struct bpf_lru_node *)(buf + node_offset); + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + buf += elem_size; + } +@@ -594,7 +599,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, + node = (struct bpf_lru_node *)(buf + node_offset); + node->cpu = cpu; + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + i++; + buf += elem_size; +diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h +index 4ea227c9c1ade..8f3c8b2b4490e 100644 +--- a/kernel/bpf/bpf_lru_list.h ++++ b/kernel/bpf/bpf_lru_list.h +@@ -64,11 +64,8 @@ struct bpf_lru { + + static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node) + { +- /* ref is an approximation on access frequency. It does not +- * have to be very accurate. Hence, no protection is used. +- */ +- if (!node->ref) +- node->ref = 1; ++ if (!READ_ONCE(node->ref)) ++ WRITE_ONCE(node->ref, 1); + } + + int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset, +-- +2.39.2 + diff --git a/queue-6.4/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch b/queue-6.4/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch new file mode 100644 index 00000000000..69d1570961b --- /dev/null +++ b/queue-6.4/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch @@ -0,0 +1,55 @@ +From 69e2c18524955cd8fb89335a4ddf8186f4aab6ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 09:49:31 -0700 +Subject: bpf, arm64: Fix BTI type used for freplace attached functions + +From: Alexander Duyck + +[ Upstream commit a3f25d614bc73b45e8f02adc6769876dfd16ca84 ] + +When running an freplace attached bpf program on an arm64 system w were +seeing the following issue: + Unhandled 64-bit el1h sync exception on CPU47, ESR 0x0000000036000003 -- BTI + +After a bit of work to track it down I determined that what appeared to be +happening is that the 'bti c' at the start of the program was somehow being +reached after a 'br' instruction. Further digging pointed me toward the +fact that the function was attached via freplace. This in turn led me to +build_plt which I believe is invoking the long jump which is triggering +this error. + +To resolve it we can replace the 'bti c' with 'bti jc' and add a comment +explaining why this has to be modified as such. + +Fixes: b2ad54e1533e ("bpf, arm64: Implement bpf_arch_text_poke() for arm64") +Signed-off-by: Alexander Duyck +Acked-by: Xu Kuohai +Link: https://lore.kernel.org/r/168926677665.316237.9953845318337455525.stgit@ahduyck-xeon-server.home.arpa +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/arm64/net/bpf_jit_comp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index b26da8efa616e..0ce5f13eabb1b 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -322,7 +322,13 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf) + * + */ + +- emit_bti(A64_BTI_C, ctx); ++ /* bpf function may be invoked by 3 instruction types: ++ * 1. bl, attached via freplace to bpf prog via short jump ++ * 2. br, attached via freplace to bpf prog via long jump ++ * 3. blr, working as a function pointer, used by emit_call. ++ * So BTI_JC should used here to support both br and blr. ++ */ ++ emit_bti(A64_BTI_JC, ctx); + + emit(A64_MOV(1, A64_R(9), A64_LR), ctx); + emit(A64_NOP, ctx); +-- +2.39.2 + diff --git a/queue-6.4/bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch b/queue-6.4/bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch new file mode 100644 index 00000000000..e198a2a3887 --- /dev/null +++ b/queue-6.4/bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch @@ -0,0 +1,47 @@ +From 4350e2f0eea4178f3bb70baa675e31ad71759a97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 11:04:09 -0700 +Subject: bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log + +From: Andrii Nakryiko + +[ Upstream commit cff36398bd4c7d322d424433db437f3c3391c491 ] + +It's trivial for user to trigger "verifier log line truncated" warning, +as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at +least two pieces of user-provided information that can be output through +this buffer, and both can be arbitrarily sized by user: + - BTF names; + - BTF.ext source code lines strings. + +Verifier log buffer should be properly sized for typical verifier state +output. But it's sort-of expected that this buffer won't be long enough +in some circumstances. So let's drop the check. In any case code will +work correctly, at worst truncating a part of a single line output. + +Reported-by: syzbot+8b2a08dfbd25fd933d75@syzkaller.appspotmail.com +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20230516180409.3549088-1-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/log.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c +index 046ddff37a76d..850494423530e 100644 +--- a/kernel/bpf/log.c ++++ b/kernel/bpf/log.c +@@ -62,9 +62,6 @@ void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt, + + n = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args); + +- WARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1, +- "verifier log line truncated - local buffer too short\n"); +- + if (log->level == BPF_LOG_KERNEL) { + bool newline = n > 0 && log->kbuf[n - 1] == '\n'; + +-- +2.39.2 + diff --git a/queue-6.4/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch b/queue-6.4/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch new file mode 100644 index 00000000000..40c497a072a --- /dev/null +++ b/queue-6.4/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch @@ -0,0 +1,75 @@ +From 0903ef6dae667052bd2e2b5f70fd8d93583fd8fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 21:45:28 +0530 +Subject: bpf: Fix subprog idx logic in check_max_stack_depth + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit ba7b3e7d5f9014be65879ede8fd599cb222901c9 ] + +The assignment to idx in check_max_stack_depth happens once we see a +bpf_pseudo_call or bpf_pseudo_func. This is not an issue as the rest of +the code performs a few checks and then pushes the frame to the frame +stack, except the case of async callbacks. If the async callback case +causes the loop iteration to be skipped, the idx assignment will be +incorrect on the next iteration of the loop. The value stored in the +frame stack (as the subprogno of the current subprog) will be incorrect. + +This leads to incorrect checks and incorrect tail_call_reachable +marking. Save the target subprog in a new variable and only assign to +idx once we are done with the is_async_cb check which may skip pushing +of frame to the frame stack and subsequent stack depth checks and tail +call markings. + +Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.") +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20230717161530.1238-2-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index aac31e33323bb..e95bfe45fd890 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5429,7 +5429,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + continue_func: + subprog_end = subprog[idx + 1].start; + for (; i < subprog_end; i++) { +- int next_insn; ++ int next_insn, sidx; + + if (!bpf_pseudo_call(insn + i) && !bpf_pseudo_func(insn + i)) + continue; +@@ -5439,14 +5439,14 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + + /* find the callee */ + next_insn = i + insn[i].imm + 1; +- idx = find_subprog(env, next_insn); +- if (idx < 0) { ++ sidx = find_subprog(env, next_insn); ++ if (sidx < 0) { + WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", + next_insn); + return -EFAULT; + } +- if (subprog[idx].is_async_cb) { +- if (subprog[idx].has_tail_call) { ++ if (subprog[sidx].is_async_cb) { ++ if (subprog[sidx].has_tail_call) { + verbose(env, "verifier bug. subprog has tail_call and async cb\n"); + return -EFAULT; + } +@@ -5455,6 +5455,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + continue; + } + i = next_insn; ++ idx = sidx; + + if (subprog[idx].has_tail_call) + tail_call_reachable = true; +-- +2.39.2 + diff --git a/queue-6.4/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch b/queue-6.4/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch new file mode 100644 index 00000000000..3badce6a052 --- /dev/null +++ b/queue-6.4/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch @@ -0,0 +1,47 @@ +From 5546963a3ee78475dff4b222fafb27b5ad6d2de2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 May 2023 11:14:18 -0700 +Subject: bpf: Print a warning only if writing to unprivileged_bpf_disabled. + +From: Kui-Feng Lee + +[ Upstream commit fedf99200ab086c42a572fca1d7266b06cdc3e3f ] + +Only print the warning message if you are writing to +"/proc/sys/kernel/unprivileged_bpf_disabled". + +The kernel may print an annoying warning when you read +"/proc/sys/kernel/unprivileged_bpf_disabled" saying + + WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible + via Spectre v2 BHB attacks! + +However, this message is only meaningful when the feature is +disabled or enabled. + +Signed-off-by: Kui-Feng Lee +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20230502181418.308479-1-kuifeng@meta.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index f1c8733f76b83..5524fcf6fb2a4 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -5394,7 +5394,8 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write, + *(int *)table->data = unpriv_enable; + } + +- unpriv_ebpf_notify(unpriv_enable); ++ if (write) ++ unpriv_ebpf_notify(unpriv_enable); + + return ret; + } +-- +2.39.2 + diff --git a/queue-6.4/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch b/queue-6.4/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch new file mode 100644 index 00000000000..ed94042d578 --- /dev/null +++ b/queue-6.4/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch @@ -0,0 +1,102 @@ +From 618abe8dabe1ad1d0d66135467202aca5f3881c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 21:45:29 +0530 +Subject: bpf: Repeat check_max_stack_depth for async callbacks + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit b5e9ad522c4ccd32d322877515cff8d47ed731b9 ] + +While the check_max_stack_depth function explores call chains emanating +from the main prog, which is typically enough to cover all possible call +chains, it doesn't explore those rooted at async callbacks unless the +async callback will have been directly called, since unlike non-async +callbacks it skips their instruction exploration as they don't +contribute to stack depth. + +It could be the case that the async callback leads to a callchain which +exceeds the stack depth, but this is never reachable while only +exploring the entry point from main subprog. Hence, repeat the check for +the main subprog *and* all async callbacks marked by the symbolic +execution pass of the verifier, as execution of the program may begin at +any of them. + +Consider functions with following stack depths: +main: 256 +async: 256 +foo: 256 + +main: + rX = async + bpf_timer_set_callback(...) + +async: + foo() + +Here, async is not descended as it does not contribute to stack depth of +main (since it is referenced using bpf_pseudo_func and not +bpf_pseudo_call). However, when async is invoked asynchronously, it will +end up breaching the MAX_BPF_STACK limit by calling foo. + +Hence, in addition to main, we also need to explore call chains +beginning at all async callback subprogs in a program. + +Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.") +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20230717161530.1238-3-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index e95bfe45fd890..4fbfe1d086467 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5381,16 +5381,17 @@ static int update_stack_depth(struct bpf_verifier_env *env, + * Since recursion is prevented by check_cfg() this algorithm + * only needs a local stack of MAX_CALL_FRAMES to remember callsites + */ +-static int check_max_stack_depth(struct bpf_verifier_env *env) ++static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx) + { +- int depth = 0, frame = 0, idx = 0, i = 0, subprog_end; + struct bpf_subprog_info *subprog = env->subprog_info; + struct bpf_insn *insn = env->prog->insnsi; ++ int depth = 0, frame = 0, i, subprog_end; + bool tail_call_reachable = false; + int ret_insn[MAX_CALL_FRAMES]; + int ret_prog[MAX_CALL_FRAMES]; + int j; + ++ i = subprog[idx].start; + process_func: + /* protect against potential stack overflow that might happen when + * bpf2bpf calls get combined with tailcalls. Limit the caller's stack +@@ -5491,6 +5492,22 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + goto continue_func; + } + ++static int check_max_stack_depth(struct bpf_verifier_env *env) ++{ ++ struct bpf_subprog_info *si = env->subprog_info; ++ int ret; ++ ++ for (int i = 0; i < env->subprog_cnt; i++) { ++ if (!i || si[i].is_async_cb) { ++ ret = check_max_stack_depth_subprog(env, i); ++ if (ret < 0) ++ return ret; ++ } ++ continue; ++ } ++ return 0; ++} ++ + #ifndef CONFIG_BPF_JIT_ALWAYS_ON + static int get_callee_stack_depth(struct bpf_verifier_env *env, + const struct bpf_insn *insn, int idx) +-- +2.39.2 + diff --git a/queue-6.4/bpf-silence-a-warning-in-btf_type_id_size.patch b/queue-6.4/bpf-silence-a-warning-in-btf_type_id_size.patch new file mode 100644 index 00000000000..54e4c3386d8 --- /dev/null +++ b/queue-6.4/bpf-silence-a-warning-in-btf_type_id_size.patch @@ -0,0 +1,100 @@ +From dbcb5e3b6449240c0366bfcc88051b4ac795a114 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 13:50:29 -0700 +Subject: bpf: Silence a warning in btf_type_id_size() + +From: Yonghong Song + +[ Upstream commit e6c2f594ed961273479505b42040782820190305 ] + +syzbot reported a warning in [1] with the following stacktrace: + WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 + ... + RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 + ... + Call Trace: + + map_check_btf kernel/bpf/syscall.c:1024 [inline] + map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198 + __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040 + __do_sys_bpf kernel/bpf/syscall.c:5162 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5160 [inline] + __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +With the following btf + [1] DECL_TAG 'a' type_id=4 component_idx=-1 + [2] PTR '(anon)' type_id=0 + [3] TYPE_TAG 'a' type_id=2 + [4] VAR 'a' type_id=3, linkage=static +and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG), +the following WARN_ON_ONCE in btf_type_id_size() is triggered: + if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) && + !btf_type_is_var(size_type))) + return NULL; + +Note that 'return NULL' is the correct behavior as we don't want +a DECL_TAG type to be used as a btf_{key,value}_type_id even +for the case like 'DECL_TAG -> STRUCT'. So there +is no correctness issue here, we just want to silence warning. + +To silence the warning, I added DECL_TAG as one of kinds in +btf_type_nosize() which will cause btf_type_id_size() returning +NULL earlier without the warning. + + [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/ + +Reported-by: syzbot+958967f249155967d42a@syzkaller.appspotmail.com +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20230530205029.264910-1-yhs@fb.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index 25ca17a8e1964..8b4e92439d1d6 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -485,25 +485,26 @@ static bool btf_type_is_fwd(const struct btf_type *t) + return BTF_INFO_KIND(t->info) == BTF_KIND_FWD; + } + +-static bool btf_type_nosize(const struct btf_type *t) ++static bool btf_type_is_datasec(const struct btf_type *t) + { +- return btf_type_is_void(t) || btf_type_is_fwd(t) || +- btf_type_is_func(t) || btf_type_is_func_proto(t); ++ return BTF_INFO_KIND(t->info) == BTF_KIND_DATASEC; + } + +-static bool btf_type_nosize_or_null(const struct btf_type *t) ++static bool btf_type_is_decl_tag(const struct btf_type *t) + { +- return !t || btf_type_nosize(t); ++ return BTF_INFO_KIND(t->info) == BTF_KIND_DECL_TAG; + } + +-static bool btf_type_is_datasec(const struct btf_type *t) ++static bool btf_type_nosize(const struct btf_type *t) + { +- return BTF_INFO_KIND(t->info) == BTF_KIND_DATASEC; ++ return btf_type_is_void(t) || btf_type_is_fwd(t) || ++ btf_type_is_func(t) || btf_type_is_func_proto(t) || ++ btf_type_is_decl_tag(t); + } + +-static bool btf_type_is_decl_tag(const struct btf_type *t) ++static bool btf_type_nosize_or_null(const struct btf_type *t) + { +- return BTF_INFO_KIND(t->info) == BTF_KIND_DECL_TAG; ++ return !t || btf_type_nosize(t); + } + + static bool btf_type_is_decl_tag_target(const struct btf_type *t) +-- +2.39.2 + diff --git a/queue-6.4/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch b/queue-6.4/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch new file mode 100644 index 00000000000..1f77203606d --- /dev/null +++ b/queue-6.4/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch @@ -0,0 +1,152 @@ +From ab66d5336cd3fa2f5a2196a042f23a408d2e29e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 22:51:49 +0000 +Subject: bpf: tcp: Avoid taking fast sock lock in iterator + +From: Aditi Ghag + +[ Upstream commit 9378096e8a656fb5c4099b26b1370c56f056eab9 ] + +This is a preparatory commit to replace `lock_sock_fast` with +`lock_sock`,and facilitate BPF programs executed from the TCP sockets +iterator to be able to destroy TCP sockets using the bpf_sock_destroy +kfunc (implemented in follow-up commits). + +Previously, BPF TCP iterator was acquiring the sock lock with BH +disabled. This led to scenarios where the sockets hash table bucket lock +can be acquired with BH enabled in some path versus disabled in other. +In such situation, kernel issued a warning since it thinks that in the +BH enabled path the same bucket lock *might* be acquired again in the +softirq context (BH disabled), which will lead to a potential dead lock. +Since bpf_sock_destroy also happens in a process context, the potential +deadlock warning is likely a false alarm. + +Here is a snippet of annotated stack trace that motivated this change: + +``` + +Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&h->lhash2[i].lock); + local_bh_disable(); + lock(&h->lhash2[i].lock); +kernel imagined possible scenario: + local_bh_disable(); /* Possible softirq */ + lock(&h->lhash2[i].lock); +*** Potential Deadlock *** + +process context: + +lock_acquire+0xcd/0x330 +_raw_spin_lock+0x33/0x40 +------> Acquire (bucket) lhash2.lock with BH enabled +__inet_hash+0x4b/0x210 +inet_csk_listen_start+0xe6/0x100 +inet_listen+0x95/0x1d0 +__sys_listen+0x69/0xb0 +__x64_sys_listen+0x14/0x20 +do_syscall_64+0x3c/0x90 +entry_SYSCALL_64_after_hwframe+0x72/0xdc + +bpf_sock_destroy run from iterator: + +lock_acquire+0xcd/0x330 +_raw_spin_lock+0x33/0x40 +------> Acquire (bucket) lhash2.lock with BH disabled +inet_unhash+0x9a/0x110 +tcp_set_state+0x6a/0x210 +tcp_abort+0x10d/0x200 +bpf_prog_6793c5ca50c43c0d_iter_tcp6_server+0xa4/0xa9 +bpf_iter_run_prog+0x1ff/0x340 +------> lock_sock_fast that acquires sock lock with BH disabled +bpf_iter_tcp_seq_show+0xca/0x190 +bpf_seq_read+0x177/0x450 + +``` + +Also, Yonghong reported a deadlock for non-listening TCP sockets that +this change resolves. Previously, `lock_sock_fast` held the sock spin +lock with BH which was again being acquired in `tcp_abort`: + +``` +watchdog: BUG: soft lockup - CPU#0 stuck for 86s! [test_progs:2331] +RIP: 0010:queued_spin_lock_slowpath+0xd8/0x500 +Call Trace: + + _raw_spin_lock+0x84/0x90 + tcp_abort+0x13c/0x1f0 + bpf_prog_88539c5453a9dd47_iter_tcp6_client+0x82/0x89 + bpf_iter_run_prog+0x1aa/0x2c0 + ? preempt_count_sub+0x1c/0xd0 + ? from_kuid_munged+0x1c8/0x210 + bpf_iter_tcp_seq_show+0x14e/0x1b0 + bpf_seq_read+0x36c/0x6a0 + +bpf_iter_tcp_seq_show + lock_sock_fast + __lock_sock_fast + spin_lock_bh(&sk->sk_lock.slock); + /* * Fast path return with bottom halves disabled and * sock::sk_lock.slock held.* */ + + ... + tcp_abort + local_bh_disable(); + spin_lock(&((sk)->sk_lock.slock)); // from bh_lock_sock(sk) + +``` + +With the switch to `lock_sock`, it calls `spin_unlock_bh` before returning: + +``` +lock_sock + lock_sock_nested + spin_lock_bh(&sk->sk_lock.slock); + : + spin_unlock_bh(&sk->sk_lock.slock); +``` + +Acked-by: Yonghong Song +Acked-by: Stanislav Fomichev +Signed-off-by: Aditi Ghag +Link: https://lore.kernel.org/r/20230519225157.760788-2-aditi.ghag@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 06d2573685ca9..434e5f0c8b99d 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2963,7 +2963,6 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) + struct bpf_iter_meta meta; + struct bpf_prog *prog; + struct sock *sk = v; +- bool slow; + uid_t uid; + int ret; + +@@ -2971,7 +2970,7 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) + return 0; + + if (sk_fullsock(sk)) +- slow = lock_sock_fast(sk); ++ lock_sock(sk); + + if (unlikely(sk_unhashed(sk))) { + ret = SEQ_SKIP; +@@ -2995,7 +2994,7 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) + + unlock: + if (sk_fullsock(sk)) +- unlock_sock_fast(sk, slow); ++ release_sock(sk); + return ret; + + } +-- +2.39.2 + diff --git a/queue-6.4/bridge-add-extack-warning-when-enabling-stp-in-netns.patch b/queue-6.4/bridge-add-extack-warning-when-enabling-stp-in-netns.patch new file mode 100644 index 00000000000..dbdfb4293d0 --- /dev/null +++ b/queue-6.4/bridge-add-extack-warning-when-enabling-stp-in-netns.patch @@ -0,0 +1,71 @@ +From 68931bfc8cda6272ea843dde9ba493d4a311b2a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 08:44:49 -0700 +Subject: bridge: Add extack warning when enabling STP in netns. + +From: Kuniyuki Iwashima + +[ Upstream commit 56a16035bb6effb37177867cea94c13a8382f745 ] + +When we create an L2 loop on a bridge in netns, we will see packets storm +even if STP is enabled. + + # unshare -n + # ip link add br0 type bridge + # ip link add veth0 type veth peer name veth1 + # ip link set veth0 master br0 up + # ip link set veth1 master br0 up + # ip link set br0 type bridge stp_state 1 + # ip link set br0 up + # sleep 30 + # ip -s link show br0 + 2: br0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 + link/ether b6:61:98:1c:1c:b5 brd ff:ff:ff:ff:ff:ff + RX: bytes packets errors dropped missed mcast + 956553768 12861249 0 0 0 12861249 <-. Keep + TX: bytes packets errors dropped carrier collsns | increasing + 1027834 11951 0 0 0 0 <-' rapidly + +This is because llc_rcv() drops all packets in non-root netns and BPDU +is dropped. + +Let's add extack warning when enabling STP in netns. + + # unshare -n + # ip link add br0 type bridge + # ip link set br0 type bridge stp_state 1 + Warning: bridge: STP does not work in non-root netns. + +Note this commit will be reverted later when we namespacify the whole LLC +infra. + +Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") +Suggested-by: Harry Coin +Link: https://lore.kernel.org/netdev/0f531295-e289-022d-5add-5ceffa0df9bc@quietfountain.com/ +Suggested-by: Ido Schimmel +Signed-off-by: Kuniyuki Iwashima +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_stp_if.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c +index 75204d36d7f90..b65962682771f 100644 +--- a/net/bridge/br_stp_if.c ++++ b/net/bridge/br_stp_if.c +@@ -201,6 +201,9 @@ int br_stp_set_enabled(struct net_bridge *br, unsigned long val, + { + ASSERT_RTNL(); + ++ if (!net_eq(dev_net(br->dev), &init_net)) ++ NL_SET_ERR_MSG_MOD(extack, "STP does not work in non-root netns"); ++ + if (br_mrp_enabled(br)) { + NL_SET_ERR_MSG_MOD(extack, + "STP can't be enabled if MRP is already enabled"); +-- +2.39.2 + diff --git a/queue-6.4/btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch b/queue-6.4/btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch new file mode 100644 index 00000000000..de7fca554bc --- /dev/null +++ b/queue-6.4/btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch @@ -0,0 +1,54 @@ +From c753b330c41c8f311cd03dc8b18fcad6f947bf9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 11:27:45 +0100 +Subject: btrfs: abort transaction at update_ref_for_cow() when ref count is + zero + +From: Filipe Manana + +[ Upstream commit eced687e224eb3cc5a501cf53ad9291337c8dbc5 ] + +At update_ref_for_cow() we are calling btrfs_handle_fs_error() if we find +that the extent buffer has an unexpected ref count of zero, however we can +simply use btrfs_abort_transaction(), which achieves the same purposes: to +turn the fs to error state, abort the current transaction and turn the fs +to RO mode as well. Besides that, btrfs_abort_transaction() also prints a +stack trace which makes it more useful. + +Also, as this is a very unexpected situation, indicating a serious +corruption/inconsistency, tag the if branch as 'unlikely', set the error +code to -EUCLEAN instead of -EROFS, and log an explicit message. + +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index 4912d624ca3d3..886e661a218fc 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -417,9 +417,13 @@ static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans, + &refs, &flags); + if (ret) + return ret; +- if (refs == 0) { +- ret = -EROFS; +- btrfs_handle_fs_error(fs_info, ret, NULL); ++ if (unlikely(refs == 0)) { ++ btrfs_crit(fs_info, ++ "found 0 references for tree block at bytenr %llu level %d root %llu", ++ buf->start, btrfs_header_level(buf), ++ btrfs_root_id(root)); ++ ret = -EUCLEAN; ++ btrfs_abort_transaction(trans, ret); + return ret; + } + } else { +-- +2.39.2 + diff --git a/queue-6.4/btrfs-add-xxhash-to-fast-checksum-implementations.patch b/queue-6.4/btrfs-add-xxhash-to-fast-checksum-implementations.patch new file mode 100644 index 00000000000..c885698bfa6 --- /dev/null +++ b/queue-6.4/btrfs-add-xxhash-to-fast-checksum-implementations.patch @@ -0,0 +1,59 @@ +From 93a51f01a3ca362a5bc53e99086d6fb0fc922e23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 00:06:02 +0200 +Subject: btrfs: add xxhash to fast checksum implementations + +From: David Sterba + +[ Upstream commit efcfcbc6a36195c42d98e0ee697baba36da94dc8 ] + +The implementation of XXHASH is now CPU only but still fast enough to be +considered for the synchronous checksumming, like non-generic crc32c. + +A userspace benchmark comparing it to various implementations (patched +hash-speedtest from btrfs-progs): + + Block size: 4096 + Iterations: 1000000 + Implementation: builtin + Units: CPU cycles + + NULL-NOP: cycles: 73384294, cycles/i 73 + NULL-MEMCPY: cycles: 228033868, cycles/i 228, 61664.320 MiB/s + CRC32C-ref: cycles: 24758559416, cycles/i 24758, 567.950 MiB/s + CRC32C-NI: cycles: 1194350470, cycles/i 1194, 11773.433 MiB/s + CRC32C-ADLERSW: cycles: 6150186216, cycles/i 6150, 2286.372 MiB/s + CRC32C-ADLERHW: cycles: 626979180, cycles/i 626, 22427.453 MiB/s + CRC32C-PCL: cycles: 466746732, cycles/i 466, 30126.699 MiB/s + XXHASH: cycles: 860656400, cycles/i 860, 16338.188 MiB/s + +Comparing purely software implementation (ref), current outdated +accelerated using crc32q instruction (NI), optimized implementations by +M. Adler (https://stackoverflow.com/questions/17645167/implementing-sse-4-2s-crc32c-in-software/17646775#17646775) +and the best one that was taken from kernel using the PCLMULQDQ +instruction (PCL). + +Reviewed-by: Christoph Hellwig +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index fc59eb4024438..795b30913c542 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2265,6 +2265,9 @@ static int btrfs_init_csum_hash(struct btrfs_fs_info *fs_info, u16 csum_type) + if (!strstr(crypto_shash_driver_name(csum_shash), "generic")) + set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags); + break; ++ case BTRFS_CSUM_TYPE_XXHASH: ++ set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags); ++ break; + default: + break; + } +-- +2.39.2 + diff --git a/queue-6.4/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch b/queue-6.4/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch new file mode 100644 index 00000000000..18fbef7c2be --- /dev/null +++ b/queue-6.4/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch @@ -0,0 +1,44 @@ +From e73188bd438294cee72fe11e00cbce1b297072ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jun 2023 08:13:23 +0200 +Subject: btrfs: be a bit more careful when setting mirror_num_ret in + btrfs_map_block + +From: Christoph Hellwig + +[ Upstream commit 4e7de35eb7d1a1d4f2dda15f39fbedd4798a0b8d ] + +The mirror_num_ret is allowed to be NULL, although it has to be set when +smap is set. Unfortunately that is not a well enough specifiable +invariant for static type checkers, so add a NULL check to make sure they +are fine. + +Fixes: 03793cbbc80f ("btrfs: add fast path for single device io in __btrfs_map_block") +Reported-by: Dan Carpenter +Reviewed-by: Qu Wenruo +Reviewed-by: Johannes Thumshirn +Signed-off-by: Christoph Hellwig +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 5ec000813f047..436e15e3759da 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -6399,7 +6399,8 @@ int __btrfs_map_block(struct btrfs_fs_info *fs_info, enum btrfs_map_op op, + (!need_full_stripe(op) || !dev_replace_is_ongoing || + !dev_replace->tgtdev)) { + set_io_stripe(smap, map, stripe_index, stripe_offset, stripe_nr); +- *mirror_num_ret = mirror_num; ++ if (mirror_num_ret) ++ *mirror_num_ret = mirror_num; + *bioc_ret = NULL; + ret = 0; + goto out; +-- +2.39.2 + diff --git a/queue-6.4/btrfs-don-t-check-pageerror-in-__extent_writepage.patch b/queue-6.4/btrfs-don-t-check-pageerror-in-__extent_writepage.patch new file mode 100644 index 00000000000..086953f047e --- /dev/null +++ b/queue-6.4/btrfs-don-t-check-pageerror-in-__extent_writepage.patch @@ -0,0 +1,79 @@ +From 8fbd050e44cae916944b0ddd3139df91c9667f1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 08:04:56 +0200 +Subject: btrfs: don't check PageError in __extent_writepage + +From: Christoph Hellwig + +[ Upstream commit 3e92499e3b004baffb479d61e191b41b604ece9a ] + +__extent_writepage currenly sets PageError whenever any error happens, +and the also checks for PageError to decide if to call error handling. +This leads to very unclear responsibility for cleaning up on errors. +In the VM and generic writeback helpers the basic idea is that once +I/O is fired off all error handling responsibility is delegated to the +end I/O handler. But if that end I/O handler sets the PageError bit, +and the submitter checks it, the bit could in some cases leak into the +submission context for fast enough I/O. + +Fix this by simply not checking PageError and just using the local +ret variable to check for submission errors. This also fundamentally +solves the long problem documented in a comment in __extent_writepage +by never leaking the error bit into the submission context. + +Reviewed-by: Josef Bacik +Signed-off-by: Christoph Hellwig +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_io.c | 33 +-------------------------------- + 1 file changed, 1 insertion(+), 32 deletions(-) + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index e3ae55d8bae14..a37a6587efaf0 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -1592,38 +1592,7 @@ static int __extent_writepage(struct page *page, struct btrfs_bio_ctrl *bio_ctrl + set_page_writeback(page); + end_page_writeback(page); + } +- /* +- * Here we used to have a check for PageError() and then set @ret and +- * call end_extent_writepage(). +- * +- * But in fact setting @ret here will cause different error paths +- * between subpage and regular sectorsize. +- * +- * For regular page size, we never submit current page, but only add +- * current page to current bio. +- * The bio submission can only happen in next page. +- * Thus if we hit the PageError() branch, @ret is already set to +- * non-zero value and will not get updated for regular sectorsize. +- * +- * But for subpage case, it's possible we submit part of current page, +- * thus can get PageError() set by submitted bio of the same page, +- * while our @ret is still 0. +- * +- * So here we unify the behavior and don't set @ret. +- * Error can still be properly passed to higher layer as page will +- * be set error, here we just don't handle the IO failure. +- * +- * NOTE: This is just a hotfix for subpage. +- * The root fix will be properly ending ordered extent when we hit +- * an error during writeback. +- * +- * But that needs a bigger refactoring, as we not only need to grab the +- * submitted OE, but also need to know exactly at which bytenr we hit +- * the error. +- * Currently the full page based __extent_writepage_io() is not +- * capable of that. +- */ +- if (PageError(page)) ++ if (ret) + end_extent_writepage(page, ret, page_start, page_end); + unlock_page(page); + ASSERT(ret <= 0); +-- +2.39.2 + diff --git a/queue-6.4/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch b/queue-6.4/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch new file mode 100644 index 00000000000..f6b11cf8fff --- /dev/null +++ b/queue-6.4/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch @@ -0,0 +1,100 @@ +From 5f515044a667882b557d2f1c1ecb6ccdf5886305 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jul 2023 08:56:33 +0000 +Subject: cifs: fix mid leak during reconnection after timeout threshold + +From: Shyam Prasad N + +[ Upstream commit 69cba9d3c1284e0838ae408830a02c4a063104bc ] + +When the number of responses with status of STATUS_IO_TIMEOUT +exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect +the connection. But we do not return the mid, or the credits +returned for the mid, or reduce the number of in-flight requests. + +This bug could result in the server->in_flight count to go bad, +and also cause a leak in the mids. + +This change moves the check to a few lines below where the +response is decrypted, even of the response is read from the +transform header. This way, the code for returning the mids +can be reused. + +Also, the cifs_reconnect was reconnecting just the transport +connection before. In case of multi-channel, this may not be +what we want to do after several timeouts. Changed that to +reconnect the session and the tree too. + +Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name +MAX_STATUS_IO_TIMEOUT. + +Fixes: 8e670f77c4a5 ("Handle STATUS_IO_TIMEOUT gracefully") +Signed-off-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/connect.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c +index d9f0b3b94f007..853209268f507 100644 +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -60,7 +60,7 @@ extern bool disable_legacy_dialects; + #define TLINK_IDLE_EXPIRE (600 * HZ) + + /* Drop the connection to not overload the server */ +-#define NUM_STATUS_IO_TIMEOUT 5 ++#define MAX_STATUS_IO_TIMEOUT 5 + + static int ip_connect(struct TCP_Server_Info *server); + static int generic_ip_connect(struct TCP_Server_Info *server); +@@ -1117,6 +1117,7 @@ cifs_demultiplex_thread(void *p) + struct mid_q_entry *mids[MAX_COMPOUND]; + char *bufs[MAX_COMPOUND]; + unsigned int noreclaim_flag, num_io_timeout = 0; ++ bool pending_reconnect = false; + + noreclaim_flag = memalloc_noreclaim_save(); + cifs_dbg(FYI, "Demultiplex PID: %d\n", task_pid_nr(current)); +@@ -1156,6 +1157,8 @@ cifs_demultiplex_thread(void *p) + cifs_dbg(FYI, "RFC1002 header 0x%x\n", pdu_length); + if (!is_smb_response(server, buf[0])) + continue; ++ ++ pending_reconnect = false; + next_pdu: + server->pdu_size = pdu_length; + +@@ -1213,10 +1216,13 @@ cifs_demultiplex_thread(void *p) + if (server->ops->is_status_io_timeout && + server->ops->is_status_io_timeout(buf)) { + num_io_timeout++; +- if (num_io_timeout > NUM_STATUS_IO_TIMEOUT) { +- cifs_reconnect(server, false); ++ if (num_io_timeout > MAX_STATUS_IO_TIMEOUT) { ++ cifs_server_dbg(VFS, ++ "Number of request timeouts exceeded %d. Reconnecting", ++ MAX_STATUS_IO_TIMEOUT); ++ ++ pending_reconnect = true; + num_io_timeout = 0; +- continue; + } + } + +@@ -1263,6 +1269,11 @@ cifs_demultiplex_thread(void *p) + buf = server->smallbuf; + goto next_pdu; + } ++ ++ /* do this reconnect at the very end after processing all MIDs */ ++ if (pending_reconnect) ++ cifs_reconnect(server, true); ++ + } /* end while !EXITING */ + + /* buffer usually freed in free_mid - need to free it here on exit */ +-- +2.39.2 + diff --git a/queue-6.4/devlink-make-health-report-on-unregistered-instance-.patch b/queue-6.4/devlink-make-health-report-on-unregistered-instance-.patch new file mode 100644 index 00000000000..984ca233654 --- /dev/null +++ b/queue-6.4/devlink-make-health-report-on-unregistered-instance-.patch @@ -0,0 +1,43 @@ +From ffed50746946c408ab88d16ea7c730798e9e312c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 18:55:23 -0700 +Subject: devlink: make health report on unregistered instance warn just once + +From: Jakub Kicinski + +[ Upstream commit 6f4b98147b8dfcabacb19b5c6abd087af66d0049 ] + +Devlink health is involved in error recovery. Machines in bad +state tend to be fairly unreliable, and occasionally get stuck +in error loops. Even with a reasonable grace period devlink health +may get a thousand reports in an hour. + +In case of reporting on an unregistered devlink instance +the subsequent reports don't add much value. Switch to +WARN_ON_ONCE() to avoid flooding dmesg and fleet monitoring +dashboards. + +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20230531015523.48961-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/health.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/devlink/health.c b/net/devlink/health.c +index 0839706d5741a..194340a8bb863 100644 +--- a/net/devlink/health.c ++++ b/net/devlink/health.c +@@ -480,7 +480,7 @@ static void devlink_recover_notify(struct devlink_health_reporter *reporter, + int err; + + WARN_ON(cmd != DEVLINK_CMD_HEALTH_REPORTER_RECOVER); +- WARN_ON(!xa_get_mark(&devlinks, devlink->index, DEVLINK_REGISTERED)); ++ ASSERT_DEVLINK_REGISTERED(devlink); + + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (!msg) +-- +2.39.2 + diff --git a/queue-6.4/devlink-report-devlink_port_type_warn-source-device.patch b/queue-6.4/devlink-report-devlink_port_type_warn-source-device.patch new file mode 100644 index 00000000000..f46677d8d6a --- /dev/null +++ b/queue-6.4/devlink-report-devlink_port_type_warn-source-device.patch @@ -0,0 +1,77 @@ +From efc47b3052db7de925bb43d839f0d060039cac0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:54:47 +0200 +Subject: devlink: report devlink_port_type_warn source device + +From: Petr Oros + +[ Upstream commit a52305a81d6bb74b90b400dfa56455d37872fe4b ] + +devlink_port_type_warn is scheduled for port devlink and warning +when the port type is not set. But from this warning it is not easy +found out which device (driver) has no devlink port set. + +[ 3709.975552] Type was not set for devlink port. +[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 +[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm +[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse +[ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 +[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 +[ 3710.108437] Workqueue: events devlink_port_type_warn +[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 +[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 +[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 +[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 +[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 +[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 +[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 +[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 +[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 +[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 +[ 3710.108456] PKRU: 55555554 +[ 3710.108457] Call Trace: +[ 3710.108458] +[ 3710.108459] process_one_work+0x1e2/0x3b0 +[ 3710.108466] ? rescuer_thread+0x390/0x390 +[ 3710.108468] worker_thread+0x50/0x3a0 +[ 3710.108471] ? rescuer_thread+0x390/0x390 +[ 3710.108473] kthread+0xdd/0x100 +[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 +[ 3710.108479] ret_from_fork+0x1f/0x30 +[ 3710.108485] +[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]--- + +After patch: +[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. +[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. + +Signed-off-by: Petr Oros +Reviewed-by: Pavan Chebbi +Reviewed-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20230615095447.8259-1-poros@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/leftover.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/devlink/leftover.c b/net/devlink/leftover.c +index cd02549680767..790e61b2a9404 100644 +--- a/net/devlink/leftover.c ++++ b/net/devlink/leftover.c +@@ -6772,7 +6772,10 @@ void devlink_notify_unregister(struct devlink *devlink) + + static void devlink_port_type_warn(struct work_struct *work) + { +- WARN(true, "Type was not set for devlink port."); ++ struct devlink_port *port = container_of(to_delayed_work(work), ++ struct devlink_port, ++ type_warn_dw); ++ dev_warn(port->devlink->dev, "Type was not set for devlink port."); + } + + static bool devlink_port_type_should_warn(struct devlink_port *devlink_port) +-- +2.39.2 + diff --git a/queue-6.4/drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch b/queue-6.4/drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch new file mode 100644 index 00000000000..571d13a8c25 --- /dev/null +++ b/queue-6.4/drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch @@ -0,0 +1,49 @@ +From 339638982e36115af550bd2e6ffd2b87fa2d288a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 17:34:10 +0200 +Subject: drm/i915/perf: add sentinel to xehp_oa_b_counters + +From: Andrzej Hajda + +[ Upstream commit 785b3f667b4bf98804cad135005e964df0c750de ] + +Arrays passed to reg_in_range_table should end with empty record. + +The patch solves KASAN detected bug with signature: +BUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915] +Read of size 4 at addr ffffffffa1555d90 by task perf/1518 + +CPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1 +Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023 +Call Trace: + +... +xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915] + +Fixes: 0fa9349dda03 ("drm/i915/perf: complete programming whitelisting for XEHPSDV") +Signed-off-by: Andrzej Hajda +Reviewed-by: Andi Shyti +Reviewed-by: Nirmoy Das +Link: https://patchwork.freedesktop.org/patch/msgid/20230711153410.1224997-1-andrzej.hajda@intel.com +(cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/i915_perf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c +index 3035cba2c6a29..d7caae281fb92 100644 +--- a/drivers/gpu/drm/i915/i915_perf.c ++++ b/drivers/gpu/drm/i915/i915_perf.c +@@ -4442,6 +4442,7 @@ static const struct i915_range mtl_oam_b_counters[] = { + static const struct i915_range xehp_oa_b_counters[] = { + { .start = 0xdc48, .end = 0xdc48 }, /* OAA_ENABLE_REG */ + { .start = 0xdd00, .end = 0xdd48 }, /* OAG_LCE0_0 - OAA_LENABLE_REG */ ++ {} + }; + + static const struct i915_range gen7_oa_mux_regs[] = { +-- +2.39.2 + diff --git a/queue-6.4/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch b/queue-6.4/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch new file mode 100644 index 00000000000..66c4278ff61 --- /dev/null +++ b/queue-6.4/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch @@ -0,0 +1,43 @@ +From e9340f07719757a070b11277d243dd9908bca63c Mon Sep 17 00:00:00 2001 +From: hackyzh002 +Date: Wed, 19 Apr 2023 20:20:58 +0800 +Subject: [PATCH AUTOSEL 5.4 01/12] drm/radeon: Fix integer overflow in + radeon_cs_parser_init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit f828b681d0cd566f86351c0b913e6cb6ed8c7b9c ] + +The type of size is unsigned, if size is 0x40000000, there will be an +integer overflow, size will be zero after size *= sizeof(uint32_t), +will cause uninitialized memory to be referenced later + +Reviewed-by: Christian König +Signed-off-by: hackyzh002 +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_cs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c +index 7b54606783821..ba64dad1d7c9e 100644 +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -271,7 +271,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) + { + struct drm_radeon_cs *cs = data; + uint64_t *chunk_array_ptr; +- unsigned size, i; ++ u64 size; ++ unsigned i; + u32 ring = RADEON_CS_RING_GFX; + s32 priority = 0; + +-- +2.39.2 + diff --git a/queue-6.4/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch b/queue-6.4/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch new file mode 100644 index 00000000000..574853312c2 --- /dev/null +++ b/queue-6.4/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch @@ -0,0 +1,69 @@ +From 1fa4b768ca5d93b65efcc45c07ce247b86e19e6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 00:34:05 +0200 +Subject: dsa: mv88e6xxx: Do a final check before timing out + +From: Linus Walleij + +[ Upstream commit 95ce158b6c93b28842b54b42ad1cb221b9844062 ] + +I get sporadic timeouts from the driver when using the +MV88E6352. Reading the status again after the loop fixes the +problem: the operation is successful but goes undetected. + +Some added prints show things like this: + +[ 58.356209] mv88e6085 mdio_mux-0.1:00: Timeout while waiting + for switch, addr 1b reg 0b, mask 8000, val 0000, data c000 +[ 58.367487] mv88e6085 mdio_mux-0.1:00: Timeout waiting for + ATU op 4000, fid 0001 +(...) +[ 61.826293] mv88e6085 mdio_mux-0.1:00: Timeout while waiting + for switch, addr 1c reg 18, mask 8000, val 0000, data 9860 +[ 61.837560] mv88e6085 mdio_mux-0.1:00: Timeout waiting + for PHY command 1860 to complete + +The reason is probably not the commands: I think those are +mostly fine with the 50+50ms timeout, but the problem +appears when OpenWrt brings up several interfaces in +parallel on a system with 7 populated ports: if one of +them take more than 50 ms and waits one or more of the +others can get stuck on the mutex for the switch and then +this can easily multiply. + +As we sleep and wait, the function loop needs a final +check after exiting the loop if we were successful. + +Suggested-by: Andrew Lunn +Cc: Tobias Waldekranz +Fixes: 35da1dfd9484 ("net: dsa: mv88e6xxx: Improve performance of busy bit polling") +Signed-off-by: Linus Walleij +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230712223405.861899-1-linus.walleij@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 08a46ffd53af9..642e93e8623eb 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -109,6 +109,13 @@ int mv88e6xxx_wait_mask(struct mv88e6xxx_chip *chip, int addr, int reg, + usleep_range(1000, 2000); + } + ++ err = mv88e6xxx_read(chip, addr, reg, &data); ++ if (err) ++ return err; ++ ++ if ((data & mask) == val) ++ return 0; ++ + dev_err(chip->dev, "Timeout while waiting for switch\n"); + return -ETIMEDOUT; + } +-- +2.39.2 + diff --git a/queue-6.4/erofs-fix-detection-of-atomic-context.patch b/queue-6.4/erofs-fix-detection-of-atomic-context.patch new file mode 100644 index 00000000000..9ead507c835 --- /dev/null +++ b/queue-6.4/erofs-fix-detection-of-atomic-context.patch @@ -0,0 +1,100 @@ +From e75759218787dc40a2c6c61685bd4428918ca596 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 15:08:47 -0700 +Subject: erofs: Fix detection of atomic context + +From: Sandeep Dhavale + +[ Upstream commit 12d0a24afd9ea58e581ea64d64e066f2027b28d9 ] + +Current check for atomic context is not sufficient as +z_erofs_decompressqueue_endio can be called under rcu lock +from blk_mq_flush_plug_list(). See the stacktrace [1] + +In such case we should hand off the decompression work for async +processing rather than trying to do sync decompression in current +context. Patch fixes the detection by checking for +rcu_read_lock_any_held() and while at it use more appropriate +!in_task() check than in_atomic(). + +Background: Historically erofs would always schedule a kworker for +decompression which would incur the scheduling cost regardless of +the context. But z_erofs_decompressqueue_endio() may not always +be in atomic context and we could actually benefit from doing the +decompression in z_erofs_decompressqueue_endio() if we are in +thread context, for example when running with dm-verity. +This optimization was later added in patch [2] which has shown +improvement in performance benchmarks. + +============================================== +[1] Problem stacktrace +[name:core&]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291 +[name:core&]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi +[name:core&]preempt_count: 0, expected: 0 +[name:core&]RCU nest depth: 1, expected: 0 +CPU: 7 PID: 1615 Comm: CpuMonitorServi Tainted: G S W OE 6.1.25-android14-5-maybe-dirty-mainline #1 +Hardware name: MT6897 (DT) +Call trace: + dump_backtrace+0x108/0x15c + show_stack+0x20/0x30 + dump_stack_lvl+0x6c/0x8c + dump_stack+0x20/0x48 + __might_resched+0x1fc/0x308 + __might_sleep+0x50/0x88 + mutex_lock+0x2c/0x110 + z_erofs_decompress_queue+0x11c/0xc10 + z_erofs_decompress_kickoff+0x110/0x1a4 + z_erofs_decompressqueue_endio+0x154/0x180 + bio_endio+0x1b0/0x1d8 + __dm_io_complete+0x22c/0x280 + clone_endio+0xe4/0x280 + bio_endio+0x1b0/0x1d8 + blk_update_request+0x138/0x3a4 + blk_mq_plug_issue_direct+0xd4/0x19c + blk_mq_flush_plug_list+0x2b0/0x354 + __blk_flush_plug+0x110/0x160 + blk_finish_plug+0x30/0x4c + read_pages+0x2fc/0x370 + page_cache_ra_unbounded+0xa4/0x23c + page_cache_ra_order+0x290/0x320 + do_sync_mmap_readahead+0x108/0x2c0 + filemap_fault+0x19c/0x52c + __do_fault+0xc4/0x114 + handle_mm_fault+0x5b4/0x1168 + do_page_fault+0x338/0x4b4 + do_translation_fault+0x40/0x60 + do_mem_abort+0x60/0xc8 + el0_da+0x4c/0xe0 + el0t_64_sync_handler+0xd4/0xfc + el0t_64_sync+0x1a0/0x1a4 + +[2] Link: https://lore.kernel.org/all/20210317035448.13921-1-huangjianan@oppo.com/ + +Reported-by: Will Shiu +Suggested-by: Gao Xiang +Signed-off-by: Sandeep Dhavale +Reviewed-by: Gao Xiang +Reviewed-by: Alexandre Mergnat +Link: https://lore.kernel.org/r/20230621220848.3379029-1-dhavale@google.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/zdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c +index 997ca4b32e87f..4a1c238600c52 100644 +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -1411,7 +1411,7 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io, + if (atomic_add_return(bios, &io->pending_bios)) + return; + /* Use (kthread_)work and sync decompression for atomic contexts only */ +- if (in_atomic() || irqs_disabled()) { ++ if (!in_task() || irqs_disabled() || rcu_read_lock_any_held()) { + #ifdef CONFIG_EROFS_FS_PCPU_KTHREAD + struct kthread_worker *worker; + +-- +2.39.2 + diff --git a/queue-6.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/queue-6.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch new file mode 100644 index 00000000000..72947bf228e --- /dev/null +++ b/queue-6.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch @@ -0,0 +1,40 @@ +From f3098e2e134597b5de84bfaf143eb0113a929381 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jul 2023 16:16:56 +0800 +Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe + +From: Zhang Shurong + +[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ] + +This func misses checking for platform_get_irq()'s call and may passes the +negative error codes to request_irq(), which takes unsigned IRQ #, +causing it to fail with -EINVAL, overriding an original error code. + +Fix this by stop calling request_irq() with invalid IRQ #s. + +Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ") +Signed-off-by: Zhang Shurong +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1200fb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c +index aed88ce45bf09..d8f085d4ede30 100644 +--- a/drivers/video/fbdev/au1200fb.c ++++ b/drivers/video/fbdev/au1200fb.c +@@ -1732,6 +1732,9 @@ static int au1200fb_drv_probe(struct platform_device *dev) + + /* Now hook interrupt too */ + irq = platform_get_irq(dev, 0); ++ if (irq < 0) ++ return irq; ++ + ret = request_irq(irq, au1200fb_handle_irq, + IRQF_SHARED, "lcd", (void *)dev); + if (ret) { +-- +2.39.2 + diff --git a/queue-6.4/fbdev-imxfb-removed-unneeded-release_mem_region.patch b/queue-6.4/fbdev-imxfb-removed-unneeded-release_mem_region.patch new file mode 100644 index 00000000000..ab0525e3219 --- /dev/null +++ b/queue-6.4/fbdev-imxfb-removed-unneeded-release_mem_region.patch @@ -0,0 +1,36 @@ +From d5ea2fdfc87225588c235e2d54f298077b023d39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 21:19:58 +0800 +Subject: fbdev: imxfb: Removed unneeded release_mem_region + +From: Yangtao Li + +[ Upstream commit 45fcc058a75bf5d65cf4c32da44a252fbe873cd4 ] + +Remove unnecessary release_mem_region from the error path to prevent +mem region from being released twice, which could avoid resource leak +or other unexpected issues. + +Fixes: b083c22d5114 ("video: fbdev: imxfb: Convert request_mem_region + ioremap to devm_ioremap_resource") +Signed-off-by: Yangtao Li +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index 5fbcb78a9caee..c8b1c73412d36 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -1043,7 +1043,6 @@ static int imxfb_probe(struct platform_device *pdev) + failed_map: + failed_ioremap: + failed_getclock: +- release_mem_region(res->start, resource_size(res)); + failed_of_parse: + kfree(info->pseudo_palette); + failed_init: +-- +2.39.2 + diff --git a/queue-6.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/queue-6.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch new file mode 100644 index 00000000000..a8b7127e2f4 --- /dev/null +++ b/queue-6.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch @@ -0,0 +1,43 @@ +From e5b3b55ac7affc28ab87a9c787d2c41e898454c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 15:24:37 +0200 +Subject: fbdev: imxfb: warn about invalid left/right margin + +From: Martin Kaiser + +[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ] + +Warn about invalid var->left_margin or var->right_margin. Their values +are read from the device tree. + +We store var->left_margin-3 and var->right_margin-1 in register +fields. These fields should be >= 0. + +Fixes: 7e8549bcee00 ("imxfb: Fix margin settings") +Signed-off-by: Martin Kaiser +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index adf36690c342b..5fbcb78a9caee 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -613,10 +613,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf + if (var->hsync_len < 1 || var->hsync_len > 64) + printk(KERN_ERR "%s: invalid hsync_len %d\n", + info->fix.id, var->hsync_len); +- if (var->left_margin > 255) ++ if (var->left_margin < 3 || var->left_margin > 255) + printk(KERN_ERR "%s: invalid left_margin %d\n", + info->fix.id, var->left_margin); +- if (var->right_margin > 255) ++ if (var->right_margin < 1 || var->right_margin > 255) + printk(KERN_ERR "%s: invalid right_margin %d\n", + info->fix.id, var->right_margin); + if (var->yres < 1 || var->yres > ymax_mask) +-- +2.39.2 + diff --git a/queue-6.4/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch b/queue-6.4/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch new file mode 100644 index 00000000000..5f05fd14f14 --- /dev/null +++ b/queue-6.4/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch @@ -0,0 +1,41 @@ +From 83e1fa1cec9a9b3872feb64aee1620612e20b784 Mon Sep 17 00:00:00 2001 +From: Immad Mir +Date: Fri, 23 Jun 2023 19:17:08 +0530 +Subject: [PATCH AUTOSEL 5.4 12/12] FS: JFS: Check for read-only mounted + filesystem in txBegin +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 95e2b352c03b0a86c5717ba1d24ea20969abcacc ] + + This patch adds a check for read-only mounted filesystem + in txBegin before starting a transaction potentially saving + from NULL pointer deref. + +Signed-off-by: Immad Mir +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_txnmgr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c +index c8ce7f1bc5942..6f6a5b9203d3f 100644 +--- a/fs/jfs/jfs_txnmgr.c ++++ b/fs/jfs/jfs_txnmgr.c +@@ -354,6 +354,11 @@ tid_t txBegin(struct super_block *sb, int flag) + jfs_info("txBegin: flag = 0x%x", flag); + log = JFS_SBI(sb)->log; + ++ if (!log) { ++ jfs_error(sb, "read-only filesystem\n"); ++ return 0; ++ } ++ + TXN_LOCK(); + + INCREMENT(TxStat.txBegin); +-- +2.39.2 + diff --git a/queue-6.4/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch b/queue-6.4/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch new file mode 100644 index 00000000000..25b6556b744 --- /dev/null +++ b/queue-6.4/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch @@ -0,0 +1,45 @@ +From 097f5e82578e6895fd4f5528a020321647644b89 Mon Sep 17 00:00:00 2001 +From: Immad Mir +Date: Fri, 23 Jun 2023 19:14:01 +0530 +Subject: [PATCH AUTOSEL 5.4 11/12] FS: JFS: Fix null-ptr-deref Read in txBegin +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 47cfdc338d674d38f4b2f22b7612cc6a2763ba27 ] + + Syzkaller reported an issue where txBegin may be called + on a superblock in a read-only mounted filesystem which leads + to NULL pointer deref. This could be solved by checking if + the filesystem is read-only before calling txBegin, and returning + with appropiate error code. + +Reported-By: syzbot+f1faa20eec55e0c8644c@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=be7e52c50c5182cc09a09ea6fc456446b2039de3 + +Signed-off-by: Immad Mir +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/namei.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c +index 7a55d14cc1af0..f155ad6650bd4 100644 +--- a/fs/jfs/namei.c ++++ b/fs/jfs/namei.c +@@ -798,6 +798,11 @@ static int jfs_link(struct dentry *old_dentry, + if (rc) + goto out; + ++ if (isReadOnly(ip)) { ++ jfs_error(ip->i_sb, "read-only filesystem\n"); ++ return -EROFS; ++ } ++ + tid = txBegin(ip->i_sb, 0); + + mutex_lock_nested(&JFS_IP(dir)->commit_mutex, COMMIT_MUTEX_PARENT); +-- +2.39.2 + diff --git a/queue-6.4/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch b/queue-6.4/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch new file mode 100644 index 00000000000..4a3939695e5 --- /dev/null +++ b/queue-6.4/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch @@ -0,0 +1,88 @@ +From d97453868eeba3d85be2772979541dc4ed88233b Mon Sep 17 00:00:00 2001 +From: Yogesh +Date: Thu, 22 Jun 2023 00:07:03 +0530 +Subject: [PATCH AUTOSEL 5.4 09/12] fs: jfs: Fix UBSAN: + array-index-out-of-bounds in dbAllocDmapLev +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 4e302336d5ca1767a06beee7596a72d3bdc8d983 ] + +Syzkaller reported the following issue: + +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6 +index -84 is out of range for type 's8[341]' (aka 'signed char[341]') +CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:217 [inline] + __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 + dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965 + dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809 + dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350 + dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874 + dtSplitUp fs/jfs/jfs_dtree.c:974 [inline] + dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863 + jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137 + lookup_open fs/namei.c:3492 [inline] + open_last_lookups fs/namei.c:3560 [inline] + path_openat+0x13df/0x3170 fs/namei.c:3788 + do_filp_open+0x234/0x490 fs/namei.c:3818 + do_sys_openat2+0x13f/0x500 fs/open.c:1356 + do_sys_open fs/open.c:1372 [inline] + __do_sys_openat fs/open.c:1388 [inline] + __se_sys_openat fs/open.c:1383 [inline] + __x64_sys_openat+0x247/0x290 fs/open.c:1383 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f1f4e33f7e9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9 +RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c +RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The bug occurs when the dbAllocDmapLev()function attempts to access +dp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative. + +To rectify this, the patch introduces a safeguard within the +dbAllocDmapLev() function. A check has been added to verify if leafidx is +negative. If it is, the function immediately returns an I/O error, preventing +any further execution that could potentially cause harm. + +Tested via syzbot. + +Reported-by: syzbot+853a6f4dfa3cf37d3aea@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=ae2f5a27a07ae44b0f17 +Signed-off-by: Yogesh +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index cc1fed285b2d6..3514cfcd4abbf 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -2021,6 +2021,9 @@ dbAllocDmapLev(struct bmap * bmp, + if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx)) + return -ENOSPC; + ++ if (leafidx < 0) ++ return -EIO; ++ + /* determine the block number within the file system corresponding + * to the leaf at which free space was found. + */ +-- +2.39.2 + diff --git a/queue-6.4/gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch b/queue-6.4/gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch new file mode 100644 index 00000000000..0beed69978a --- /dev/null +++ b/queue-6.4/gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch @@ -0,0 +1,85 @@ +From 6090361de3c7650680b9a2b098828072864fe334 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 10:28:00 -0700 +Subject: gso: fix dodgy bit handling for GSO_UDP_L4 + +From: Yan Zhai + +[ Upstream commit 9840036786d90cea11a90d1f30b6dc003b34ee67 ] + +Commit 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 +packets.") checks DODGY bit for UDP, but for packets that can be fed +directly to the device after gso_segs reset, it actually falls through +to fragmentation: + +https://lore.kernel.org/all/CAJPywTKDdjtwkLVUW6LRA2FU912qcDmQOQGt2WaDo28KzYDg+A@mail.gmail.com/ + +This change restores the expected behavior of GSO_UDP_L4 packets. + +Fixes: 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 packets.") +Suggested-by: Willem de Bruijn +Signed-off-by: Yan Zhai +Reviewed-by: Willem de Bruijn +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp_offload.c | 16 +++++++++++----- + net/ipv6/udp_offload.c | 3 +-- + 2 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c +index 1f01e15ca24fd..4a61832e7f69b 100644 +--- a/net/ipv4/udp_offload.c ++++ b/net/ipv4/udp_offload.c +@@ -273,13 +273,20 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, + __sum16 check; + __be16 newlen; + +- if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) +- return __udp_gso_segment_list(gso_skb, features, is_ipv6); +- + mss = skb_shinfo(gso_skb)->gso_size; + if (gso_skb->len <= sizeof(*uh) + mss) + return ERR_PTR(-EINVAL); + ++ if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) { ++ /* Packet is from an untrusted source, reset gso_segs. */ ++ skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh), ++ mss); ++ return NULL; ++ } ++ ++ if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) ++ return __udp_gso_segment_list(gso_skb, features, is_ipv6); ++ + skb_pull(gso_skb, sizeof(*uh)); + + /* clear destructor to avoid skb_segment assigning it to tail */ +@@ -387,8 +394,7 @@ static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb, + if (!pskb_may_pull(skb, sizeof(struct udphdr))) + goto out; + +- if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4 && +- !skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) ++ if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) + return __udp_gso_segment(skb, features, false); + + mss = skb_shinfo(skb)->gso_size; +diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c +index c39c1e32f9804..e0e10f6bcdc18 100644 +--- a/net/ipv6/udp_offload.c ++++ b/net/ipv6/udp_offload.c +@@ -42,8 +42,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, + if (!pskb_may_pull(skb, sizeof(struct udphdr))) + goto out; + +- if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4 && +- !skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) ++ if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) + return __udp_gso_segment(skb, features, true); + + mss = skb_shinfo(skb)->gso_size; +-- +2.39.2 + diff --git a/queue-6.4/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch b/queue-6.4/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch new file mode 100644 index 00000000000..cff88eddeee --- /dev/null +++ b/queue-6.4/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch @@ -0,0 +1,56 @@ +From df2df0b1368fc95618c0173e921b0ec0361f3a50 Mon Sep 17 00:00:00 2001 +From: Marco Morandini +Date: Tue, 30 May 2023 15:40:08 +0200 +Subject: [PATCH AUTOSEL 5.4 05/12] HID: add quirk for 03f0:464a HP Elite + Presenter Mouse +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 0db117359e47750d8bd310d19f13e1c4ef7fc26a ] + +HP Elite Presenter Mouse HID Record Descriptor shows +two mouses (Repord ID 0x1 and 0x2), one keypad (Report ID 0x5), +two Consumer Controls (Report IDs 0x6 and 0x3). +Previous to this commit it registers one mouse, one keypad +and one Consumer Control, and it was usable only as a +digitl laser pointer (one of the two mouses). This patch defines +the 464a USB device ID and enables the HID_QUIRK_MULTI_INPUT +quirk for it, allowing to use the device both as a mouse +and a digital laser pointer. + +Signed-off-by: Marco Morandini +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 479516bbb61bf..64842926aff64 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -581,6 +581,7 @@ + #define USB_DEVICE_ID_UGCI_FIGHTING 0x0030 + + #define USB_VENDOR_ID_HP 0x03f0 ++#define USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A 0x464a + #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A 0x0a4a + #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A 0x0b4a + #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index e5dcc47586ee4..83c3322fcf187 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -96,6 +96,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A096), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A293), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A), HID_QUIRK_ALWAYS_POLL }, ++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A), HID_QUIRK_ALWAYS_POLL }, +-- +2.39.2 + diff --git a/queue-6.4/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch b/queue-6.4/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch new file mode 100644 index 00000000000..2cc89a6021d --- /dev/null +++ b/queue-6.4/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch @@ -0,0 +1,342 @@ +From 5f761430984862f987bf461a697a429a2963c676 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 10:52:25 -0400 +Subject: iavf: fix a deadlock caused by rtnl and driver's lock circular + dependencies + +From: Ahmed Zaki + +[ Upstream commit d1639a17319ba78a018280cd2df6577a7e5d9fab ] + +A driver's lock (crit_lock) is used to serialize all the driver's tasks. +Lockdep, however, shows a circular dependency between rtnl and +crit_lock. This happens when an ndo that already holds the rtnl requests +the driver to reset, since the reset task (in some paths) tries to grab +rtnl to either change real number of queues of update netdev features. + + [566.241851] ====================================================== + [566.241893] WARNING: possible circular locking dependency detected + [566.241936] 6.2.14-100.fc36.x86_64+debug #1 Tainted: G OE + [566.241984] ------------------------------------------------------ + [566.242025] repro.sh/2604 is trying to acquire lock: + [566.242061] ffff9280fc5ceee8 (&adapter->crit_lock){+.+.}-{3:3}, at: iavf_close+0x3c/0x240 [iavf] + [566.242167] + but task is already holding lock: + [566.242209] ffffffff9976d350 (rtnl_mutex){+.+.}-{3:3}, at: iavf_remove+0x6b5/0x730 [iavf] + [566.242300] + which lock already depends on the new lock. + + [566.242353] + the existing dependency chain (in reverse order) is: + [566.242401] + -> #1 (rtnl_mutex){+.+.}-{3:3}: + [566.242451] __mutex_lock+0xc1/0xbb0 + [566.242489] iavf_init_interrupt_scheme+0x179/0x440 [iavf] + [566.242560] iavf_watchdog_task+0x80b/0x1400 [iavf] + [566.242627] process_one_work+0x2b3/0x560 + [566.242663] worker_thread+0x4f/0x3a0 + [566.242696] kthread+0xf2/0x120 + [566.242730] ret_from_fork+0x29/0x50 + [566.242763] + -> #0 (&adapter->crit_lock){+.+.}-{3:3}: + [566.242815] __lock_acquire+0x15ff/0x22b0 + [566.242869] lock_acquire+0xd2/0x2c0 + [566.242901] __mutex_lock+0xc1/0xbb0 + [566.242934] iavf_close+0x3c/0x240 [iavf] + [566.242997] __dev_close_many+0xac/0x120 + [566.243036] dev_close_many+0x8b/0x140 + [566.243071] unregister_netdevice_many_notify+0x165/0x7c0 + [566.243116] unregister_netdevice_queue+0xd3/0x110 + [566.243157] iavf_remove+0x6c1/0x730 [iavf] + [566.243217] pci_device_remove+0x33/0xa0 + [566.243257] device_release_driver_internal+0x1bc/0x240 + [566.243299] pci_stop_bus_device+0x6c/0x90 + [566.243338] pci_stop_and_remove_bus_device+0xe/0x20 + [566.243380] pci_iov_remove_virtfn+0xd1/0x130 + [566.243417] sriov_disable+0x34/0xe0 + [566.243448] ice_free_vfs+0x2da/0x330 [ice] + [566.244383] ice_sriov_configure+0x88/0xad0 [ice] + [566.245353] sriov_numvfs_store+0xde/0x1d0 + [566.246156] kernfs_fop_write_iter+0x15e/0x210 + [566.246921] vfs_write+0x288/0x530 + [566.247671] ksys_write+0x74/0xf0 + [566.248408] do_syscall_64+0x58/0x80 + [566.249145] entry_SYSCALL_64_after_hwframe+0x72/0xdc + [566.249886] + other info that might help us debug this: + + [566.252014] Possible unsafe locking scenario: + + [566.253432] CPU0 CPU1 + [566.254118] ---- ---- + [566.254800] lock(rtnl_mutex); + [566.255514] lock(&adapter->crit_lock); + [566.256233] lock(rtnl_mutex); + [566.256897] lock(&adapter->crit_lock); + [566.257388] + *** DEADLOCK *** + +The deadlock can be triggered by a script that is continuously resetting +the VF adapter while doing other operations requiring RTNL, e.g: + + while :; do + ip link set $VF up + ethtool --set-channels $VF combined 2 + ip link set $VF down + ip link set $VF up + ethtool --set-channels $VF combined 4 + ip link set $VF down + done + +Any operation that triggers a reset can substitute "ethtool --set-channles" + +As a fix, add a new task "finish_config" that do all the work which +needs rtnl lock. With the exception of iavf_remove(), all work that +require rtnl should be called from this task. + +As for iavf_remove(), at the point where we need to call +unregister_netdevice() (and grab rtnl_lock), we make sure the finish_config +task is not running (cancel_work_sync()) to safely grab rtnl. Subsequent +finish_config work cannot restart after that since the task is guarded +by the __IAVF_IN_REMOVE_TASK bit in iavf_schedule_finish_config(). + +Fixes: 5ac49f3c2702 ("iavf: use mutexes for locking of critical sections") +Signed-off-by: Ahmed Zaki +Signed-off-by: Mateusz Palczewski +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 + + drivers/net/ethernet/intel/iavf/iavf_main.c | 114 +++++++++++++----- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 + + 3 files changed, 85 insertions(+), 32 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index a5cab19eb6a8b..bf5e3c8e97e04 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -255,6 +255,7 @@ struct iavf_adapter { + struct workqueue_struct *wq; + struct work_struct reset_task; + struct work_struct adminq_task; ++ struct work_struct finish_config; + struct delayed_work client_task; + wait_queue_head_t down_waitqueue; + wait_queue_head_t reset_waitqueue; +@@ -521,6 +522,7 @@ int iavf_process_config(struct iavf_adapter *adapter); + int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); + void iavf_schedule_reset(struct iavf_adapter *adapter); + void iavf_schedule_request_stats(struct iavf_adapter *adapter); ++void iavf_schedule_finish_config(struct iavf_adapter *adapter); + void iavf_reset(struct iavf_adapter *adapter); + void iavf_set_ethtool_ops(struct net_device *netdev); + void iavf_update_stats(struct iavf_adapter *adapter); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 8cb9b74b3ebea..161750c1598f8 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1702,10 +1702,10 @@ static int iavf_set_interrupt_capability(struct iavf_adapter *adapter) + adapter->msix_entries[vector].entry = vector; + + err = iavf_acquire_msix_vectors(adapter, v_budget); ++ if (!err) ++ iavf_schedule_finish_config(adapter); + + out: +- netif_set_real_num_rx_queues(adapter->netdev, pairs); +- netif_set_real_num_tx_queues(adapter->netdev, pairs); + return err; + } + +@@ -1925,9 +1925,7 @@ static int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) + goto err_alloc_queues; + } + +- rtnl_lock(); + err = iavf_set_interrupt_capability(adapter); +- rtnl_unlock(); + if (err) { + dev_err(&adapter->pdev->dev, + "Unable to setup interrupt capabilities\n"); +@@ -2013,6 +2011,78 @@ static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter, bool runni + return err; + } + ++/** ++ * iavf_finish_config - do all netdev work that needs RTNL ++ * @work: our work_struct ++ * ++ * Do work that needs both RTNL and crit_lock. ++ **/ ++static void iavf_finish_config(struct work_struct *work) ++{ ++ struct iavf_adapter *adapter; ++ int pairs, err; ++ ++ adapter = container_of(work, struct iavf_adapter, finish_config); ++ ++ /* Always take RTNL first to prevent circular lock dependency */ ++ rtnl_lock(); ++ mutex_lock(&adapter->crit_lock); ++ ++ if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && ++ adapter->netdev_registered && ++ !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) { ++ netdev_update_features(adapter->netdev); ++ adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; ++ } ++ ++ switch (adapter->state) { ++ case __IAVF_DOWN: ++ if (!adapter->netdev_registered) { ++ err = register_netdevice(adapter->netdev); ++ if (err) { ++ dev_err(&adapter->pdev->dev, "Unable to register netdev (%d)\n", ++ err); ++ ++ /* go back and try again.*/ ++ iavf_free_rss(adapter); ++ iavf_free_misc_irq(adapter); ++ iavf_reset_interrupt_capability(adapter); ++ iavf_change_state(adapter, ++ __IAVF_INIT_CONFIG_ADAPTER); ++ goto out; ++ } ++ adapter->netdev_registered = true; ++ } ++ ++ /* Set the real number of queues when reset occurs while ++ * state == __IAVF_DOWN ++ */ ++ fallthrough; ++ case __IAVF_RUNNING: ++ pairs = adapter->num_active_queues; ++ netif_set_real_num_rx_queues(adapter->netdev, pairs); ++ netif_set_real_num_tx_queues(adapter->netdev, pairs); ++ break; ++ ++ default: ++ break; ++ } ++ ++out: ++ mutex_unlock(&adapter->crit_lock); ++ rtnl_unlock(); ++} ++ ++/** ++ * iavf_schedule_finish_config - Set the flags and schedule a reset event ++ * @adapter: board private structure ++ **/ ++void iavf_schedule_finish_config(struct iavf_adapter *adapter) ++{ ++ if (!test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) ++ queue_work(adapter->wq, &adapter->finish_config); ++} ++ + /** + * iavf_process_aq_command - process aq_required flags + * and sends aq command +@@ -2650,22 +2720,8 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) + + netif_carrier_off(netdev); + adapter->link_up = false; +- +- /* set the semaphore to prevent any callbacks after device registration +- * up to time when state of driver will be set to __IAVF_DOWN +- */ +- rtnl_lock(); +- if (!adapter->netdev_registered) { +- err = register_netdevice(netdev); +- if (err) { +- rtnl_unlock(); +- goto err_register; +- } +- } +- +- adapter->netdev_registered = true; +- + netif_tx_stop_all_queues(netdev); ++ + if (CLIENT_ALLOWED(adapter)) { + err = iavf_lan_add_device(adapter); + if (err) +@@ -2678,7 +2734,6 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) + + iavf_change_state(adapter, __IAVF_DOWN); + set_bit(__IAVF_VSI_DOWN, adapter->vsi.state); +- rtnl_unlock(); + + iavf_misc_irq_enable(adapter); + wake_up(&adapter->down_waitqueue); +@@ -2698,10 +2753,11 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) + /* request initial VLAN offload settings */ + iavf_set_vlan_offload_features(adapter, 0, netdev->features); + ++ iavf_schedule_finish_config(adapter); + return; ++ + err_mem: + iavf_free_rss(adapter); +-err_register: + iavf_free_misc_irq(adapter); + err_sw_init: + iavf_reset_interrupt_capability(adapter); +@@ -2728,15 +2784,6 @@ static void iavf_watchdog_task(struct work_struct *work) + goto restart_watchdog; + } + +- if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && +- adapter->netdev_registered && +- !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && +- rtnl_trylock()) { +- netdev_update_features(adapter->netdev); +- rtnl_unlock(); +- adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; +- } +- + if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) + iavf_change_state(adapter, __IAVF_COMM_FAILED); + +@@ -4978,6 +5025,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + INIT_WORK(&adapter->reset_task, iavf_reset_task); + INIT_WORK(&adapter->adminq_task, iavf_adminq_task); ++ INIT_WORK(&adapter->finish_config, iavf_finish_config); + INIT_DELAYED_WORK(&adapter->watchdog_task, iavf_watchdog_task); + INIT_DELAYED_WORK(&adapter->client_task, iavf_client_task); + queue_delayed_work(adapter->wq, &adapter->watchdog_task, +@@ -5120,13 +5168,15 @@ static void iavf_remove(struct pci_dev *pdev) + usleep_range(500, 1000); + } + cancel_delayed_work_sync(&adapter->watchdog_task); ++ cancel_work_sync(&adapter->finish_config); + ++ rtnl_lock(); + if (adapter->netdev_registered) { +- rtnl_lock(); + unregister_netdevice(netdev); + adapter->netdev_registered = false; +- rtnl_unlock(); + } ++ rtnl_unlock(); ++ + if (CLIENT_ALLOWED(adapter)) { + err = iavf_lan_del_device(adapter); + if (err) +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 1bab896aaf40c..073ac29ed84c7 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -2237,6 +2237,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + + iavf_process_config(adapter); + adapter->flags |= IAVF_FLAG_SETUP_NETDEV_FEATURES; ++ iavf_schedule_finish_config(adapter); + + iavf_set_queue_vlan_tag_loc(adapter); + +-- +2.39.2 + diff --git a/queue-6.4/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch b/queue-6.4/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch new file mode 100644 index 00000000000..cc8b7f34cd3 --- /dev/null +++ b/queue-6.4/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch @@ -0,0 +1,160 @@ +From 9a0a6f5caa0dcedb4c41554c0d5d7f5fd401e046 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:48 +0800 +Subject: iavf: Fix out-of-bounds when setting channels on remove + +From: Ding Hui + +[ Upstream commit 7c4bced3caa749ce468b0c5de711c98476b23a52 ] + +If we set channels greater during iavf_remove(), and waiting reset done +would be timeout, then returned with error but changed num_active_queues +directly, that will lead to OOB like the following logs. Because the +num_active_queues is greater than tx/rx_rings[] allocated actually. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) + + wait + +Result: + +[ 3506.152887] iavf 0000:41:02.0: Removing device +[ 3510.400799] ================================================================== +[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536 +[ 3510.400823] +[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 3510.400835] Call Trace: +[ 3510.400851] dump_stack+0x71/0xab +[ 3510.400860] print_address_description+0x6b/0x290 +[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400868] kasan_report+0x14a/0x2b0 +[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf] +[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf] +[ 3510.400891] ? wait_woken+0x1d0/0x1d0 +[ 3510.400895] ? notifier_call_chain+0xc1/0x130 +[ 3510.400903] pci_device_remove+0xa8/0x1f0 +[ 3510.400910] device_release_driver_internal+0x1c6/0x460 +[ 3510.400916] pci_stop_bus_device+0x101/0x150 +[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20 +[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420 +[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 3510.400929] ? pci_get_subsys+0x90/0x90 +[ 3510.400932] sriov_disable+0xed/0x3e0 +[ 3510.400936] ? bus_find_device+0x12d/0x1a0 +[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e] +[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 3510.400968] ? pci_get_device+0x7c/0x90 +[ 3510.400970] ? pci_get_subsys+0x90/0x90 +[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 3510.401001] sriov_numvfs_store+0x214/0x290 +[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30 +[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.401011] ? __check_object_size+0x15a/0x350 +[ 3510.401018] kernfs_fop_write+0x280/0x3f0 +[ 3510.401022] vfs_write+0x145/0x440 +[ 3510.401025] ksys_write+0xab/0x160 +[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0 +[ 3510.401031] ? fput_many+0x1a/0x120 +[ 3510.401032] ? filp_close+0xf0/0x130 +[ 3510.401038] do_syscall_64+0xa0/0x370 +[ 3510.401041] ? page_fault+0x8/0x30 +[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 3510.401073] RIP: 0033:0x7f3a9bb842c0 +[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 3510.401080] RSP: 002b:00007ffc05f1fe18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 3510.401083] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f3a9bb842c0 +[ 3510.401085] RDX: 0000000000000002 RSI: 0000000002327408 RDI: 0000000000000001 +[ 3510.401086] RBP: 0000000002327408 R08: 00007f3a9be53780 R09: 00007f3a9c8a4700 +[ 3510.401086] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 3510.401087] R13: 0000000000000001 R14: 00007f3a9be52620 R15: 0000000000000001 +[ 3510.401090] +[ 3510.401093] Allocated by task 76795: +[ 3510.401098] kasan_kmalloc+0xa6/0xd0 +[ 3510.401099] __kmalloc+0xfb/0x200 +[ 3510.401104] iavf_init_interrupt_scheme+0x26f/0x1310 [iavf] +[ 3510.401108] iavf_watchdog_task+0x1d58/0x4050 [iavf] +[ 3510.401114] process_one_work+0x56a/0x11f0 +[ 3510.401115] worker_thread+0x8f/0xf40 +[ 3510.401117] kthread+0x2a0/0x390 +[ 3510.401119] ret_from_fork+0x1f/0x40 +[ 3510.401122] 0xffffffffffffffff +[ 3510.401123] + +In timeout handling, we should keep the original num_active_queues +and reset num_req_queues to 0. + +Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 6f171d1d85b75..92443f8e9fbdf 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -1863,7 +1863,7 @@ static int iavf_set_channels(struct net_device *netdev, + } + if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { + adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; +- adapter->num_active_queues = num_req; ++ adapter->num_req_queues = 0; + return -EOPNOTSUPP; + } + +-- +2.39.2 + diff --git a/queue-6.4/iavf-fix-reset-task-race-with-iavf_remove.patch b/queue-6.4/iavf-fix-reset-task-race-with-iavf_remove.patch new file mode 100644 index 00000000000..d8c2ed28871 --- /dev/null +++ b/queue-6.4/iavf-fix-reset-task-race-with-iavf_remove.patch @@ -0,0 +1,190 @@ +From abbc67998f91be1d120f00aa0a1ed11511c3ac34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 10:52:26 -0400 +Subject: iavf: fix reset task race with iavf_remove() + +From: Ahmed Zaki + +[ Upstream commit c34743daca0eb1dc855831a5210f0800a850088e ] + +The reset task is currently scheduled from the watchdog or adminq tasks. +First, all direct calls to schedule the reset task are replaced with the +iavf_schedule_reset(), which is modified to accept the flag showing the +type of reset. + +To prevent the reset task from starting once iavf_remove() starts, we need +to check the __IAVF_IN_REMOVE_TASK bit before we schedule it. This is now +easily added to iavf_schedule_reset(). + +Finally, remove the check for IAVF_FLAG_RESET_NEEDED in the watchdog task. +It is redundant since all callers who set the flag immediately schedules +the reset task. + +Fixes: 3ccd54ef44eb ("iavf: Fix init state closure on remove") +Fixes: 14756b2ae265 ("iavf: Fix __IAVF_RESETTING state usage") +Signed-off-by: Ahmed Zaki +Signed-off-by: Mateusz Palczewski +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 +- + .../net/ethernet/intel/iavf/iavf_ethtool.c | 8 ++--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 32 +++++++------------ + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 3 +- + 4 files changed, 16 insertions(+), 29 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index bf5e3c8e97e04..8cbdebc5b6989 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -520,7 +520,7 @@ int iavf_up(struct iavf_adapter *adapter); + void iavf_down(struct iavf_adapter *adapter); + int iavf_process_config(struct iavf_adapter *adapter); + int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); +-void iavf_schedule_reset(struct iavf_adapter *adapter); ++void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags); + void iavf_schedule_request_stats(struct iavf_adapter *adapter); + void iavf_schedule_finish_config(struct iavf_adapter *adapter); + void iavf_reset(struct iavf_adapter *adapter); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index b7141c2a941d1..2f47cfa7f06e2 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -532,8 +532,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) + /* issue a reset to force legacy-rx change to take effect */ + if (changed_flags & IAVF_FLAG_LEGACY_RX) { + if (netif_running(netdev)) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + ret = iavf_wait_for_reset(adapter); + if (ret) + netdev_warn(netdev, "Changing private flags timeout or interrupted waiting for reset"); +@@ -676,8 +675,7 @@ static int iavf_set_ringparam(struct net_device *netdev, + } + + if (netif_running(netdev)) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + ret = iavf_wait_for_reset(adapter); + if (ret) + netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); +@@ -1860,7 +1858,7 @@ static int iavf_set_channels(struct net_device *netdev, + + adapter->num_req_queues = num_req; + adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; +- iavf_schedule_reset(adapter); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + + ret = iavf_wait_for_reset(adapter); + if (ret) +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 161750c1598f8..ba96312feb505 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -309,12 +309,14 @@ static int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) + /** + * iavf_schedule_reset - Set the flags and schedule a reset event + * @adapter: board private structure ++ * @flags: IAVF_FLAG_RESET_PENDING or IAVF_FLAG_RESET_NEEDED + **/ +-void iavf_schedule_reset(struct iavf_adapter *adapter) ++void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags) + { +- if (!(adapter->flags & +- (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; ++ if (!test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && ++ !(adapter->flags & ++ (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { ++ adapter->flags |= flags; + queue_work(adapter->wq, &adapter->reset_task); + } + } +@@ -342,7 +344,7 @@ static void iavf_tx_timeout(struct net_device *netdev, unsigned int txqueue) + struct iavf_adapter *adapter = netdev_priv(netdev); + + adapter->tx_timeout_count++; +- iavf_schedule_reset(adapter); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + } + + /** +@@ -2490,7 +2492,7 @@ int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter) + adapter->vsi_res->num_queue_pairs); + adapter->flags |= IAVF_FLAG_REINIT_MSIX_NEEDED; + adapter->num_req_queues = adapter->vsi_res->num_queue_pairs; +- iavf_schedule_reset(adapter); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + + return -EAGAIN; + } +@@ -2787,14 +2789,6 @@ static void iavf_watchdog_task(struct work_struct *work) + if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) + iavf_change_state(adapter, __IAVF_COMM_FAILED); + +- if (adapter->flags & IAVF_FLAG_RESET_NEEDED) { +- adapter->aq_required = 0; +- adapter->current_op = VIRTCHNL_OP_UNKNOWN; +- mutex_unlock(&adapter->crit_lock); +- queue_work(adapter->wq, &adapter->reset_task); +- return; +- } +- + switch (adapter->state) { + case __IAVF_STARTUP: + iavf_startup(adapter); +@@ -2922,11 +2916,10 @@ static void iavf_watchdog_task(struct work_struct *work) + /* check for hw reset */ + reg_val = rd32(hw, IAVF_VF_ARQLEN1) & IAVF_VF_ARQLEN1_ARQENABLE_MASK; + if (!reg_val) { +- adapter->flags |= IAVF_FLAG_RESET_PENDING; + adapter->aq_required = 0; + adapter->current_op = VIRTCHNL_OP_UNKNOWN; + dev_err(&adapter->pdev->dev, "Hardware reset detected\n"); +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_PENDING); + mutex_unlock(&adapter->crit_lock); + queue_delayed_work(adapter->wq, + &adapter->watchdog_task, HZ * 2); +@@ -3324,9 +3317,7 @@ static void iavf_adminq_task(struct work_struct *work) + } while (pending); + mutex_unlock(&adapter->crit_lock); + +- if ((adapter->flags & +- (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED)) || +- adapter->state == __IAVF_RESETTING) ++ if (iavf_is_reset_in_progress(adapter)) + goto freedom; + + /* check for error indications */ +@@ -4423,8 +4414,7 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu) + } + + if (netif_running(netdev)) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + ret = iavf_wait_for_reset(adapter); + if (ret < 0) + netdev_warn(netdev, "MTU change interrupted waiting for reset"); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 073ac29ed84c7..be3c007ce90a9 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -1961,9 +1961,8 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + case VIRTCHNL_EVENT_RESET_IMPENDING: + dev_info(&adapter->pdev->dev, "Reset indication received from the PF\n"); + if (!(adapter->flags & IAVF_FLAG_RESET_PENDING)) { +- adapter->flags |= IAVF_FLAG_RESET_PENDING; + dev_info(&adapter->pdev->dev, "Scheduling reset task\n"); +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_PENDING); + } + break; + default: +-- +2.39.2 + diff --git a/queue-6.4/iavf-fix-use-after-free-in-free_netdev.patch b/queue-6.4/iavf-fix-use-after-free-in-free_netdev.patch new file mode 100644 index 00000000000..8687449a498 --- /dev/null +++ b/queue-6.4/iavf-fix-use-after-free-in-free_netdev.patch @@ -0,0 +1,215 @@ +From 787c2cf45c807afa52660119d30d9fa8d9d95e6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:47 +0800 +Subject: iavf: Fix use-after-free in free_netdev + +From: Ding Hui + +[ Upstream commit 5f4fa1672d98fe99d2297b03add35346f1685d6b ] + +We do netif_napi_add() for all allocated q_vectors[], but potentially +do netif_napi_del() for part of them, then kfree q_vectors and leave +invalid pointers at dev->napi_list. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) + + wait + +Result: + +[ 4093.900222] ================================================================== +[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390 +[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699 +[ 4093.900233] +[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 4093.900239] Call Trace: +[ 4093.900244] dump_stack+0x71/0xab +[ 4093.900249] print_address_description+0x6b/0x290 +[ 4093.900251] ? free_netdev+0x308/0x390 +[ 4093.900252] kasan_report+0x14a/0x2b0 +[ 4093.900254] free_netdev+0x308/0x390 +[ 4093.900261] iavf_remove+0x825/0xd20 [iavf] +[ 4093.900265] pci_device_remove+0xa8/0x1f0 +[ 4093.900268] device_release_driver_internal+0x1c6/0x460 +[ 4093.900271] pci_stop_bus_device+0x101/0x150 +[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 4093.900278] ? pci_get_subsys+0x90/0x90 +[ 4093.900280] sriov_disable+0xed/0x3e0 +[ 4093.900282] ? bus_find_device+0x12d/0x1a0 +[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 4093.900299] ? pci_get_device+0x7c/0x90 +[ 4093.900300] ? pci_get_subsys+0x90/0x90 +[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900318] sriov_numvfs_store+0x214/0x290 +[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30 +[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900323] ? __check_object_size+0x15a/0x350 +[ 4093.900326] kernfs_fop_write+0x280/0x3f0 +[ 4093.900329] vfs_write+0x145/0x440 +[ 4093.900330] ksys_write+0xab/0x160 +[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0 +[ 4093.900334] ? fput_many+0x1a/0x120 +[ 4093.900335] ? filp_close+0xf0/0x130 +[ 4093.900338] do_syscall_64+0xa0/0x370 +[ 4093.900339] ? page_fault+0x8/0x30 +[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900357] RIP: 0033:0x7f16ad4d22c0 +[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0 +[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001 +[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700 +[ 4093.900364] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 4093.900365] R13: 0000000000000001 R14: 00007f16ad7a0620 R15: 0000000000000001 +[ 4093.900367] +[ 4093.900368] Allocated by task 820: +[ 4093.900371] kasan_kmalloc+0xa6/0xd0 +[ 4093.900373] __kmalloc+0xfb/0x200 +[ 4093.900376] iavf_init_interrupt_scheme+0x63b/0x1320 [iavf] +[ 4093.900380] iavf_watchdog_task+0x3d51/0x52c0 [iavf] +[ 4093.900382] process_one_work+0x56a/0x11f0 +[ 4093.900383] worker_thread+0x8f/0xf40 +[ 4093.900384] kthread+0x2a0/0x390 +[ 4093.900385] ret_from_fork+0x1f/0x40 +[ 4093.900387] 0xffffffffffffffff +[ 4093.900387] +[ 4093.900388] Freed by task 6699: +[ 4093.900390] __kasan_slab_free+0x137/0x190 +[ 4093.900391] kfree+0x8b/0x1b0 +[ 4093.900394] iavf_free_q_vectors+0x11d/0x1a0 [iavf] +[ 4093.900397] iavf_remove+0x35a/0xd20 [iavf] +[ 4093.900399] pci_device_remove+0xa8/0x1f0 +[ 4093.900400] device_release_driver_internal+0x1c6/0x460 +[ 4093.900401] pci_stop_bus_device+0x101/0x150 +[ 4093.900402] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900403] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900404] sriov_disable+0xed/0x3e0 +[ 4093.900409] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900415] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900416] sriov_numvfs_store+0x214/0x290 +[ 4093.900417] kernfs_fop_write+0x280/0x3f0 +[ 4093.900418] vfs_write+0x145/0x440 +[ 4093.900419] ksys_write+0xab/0x160 +[ 4093.900420] do_syscall_64+0xa0/0x370 +[ 4093.900421] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900422] 0xffffffffffffffff +[ 4093.900422] +[ 4093.900424] The buggy address belongs to the object at ffff88b4dc144200 + which belongs to the cache kmalloc-8k of size 8192 +[ 4093.900425] The buggy address is located 5184 bytes inside of + 8192-byte region [ffff88b4dc144200, ffff88b4dc146200) +[ 4093.900425] The buggy address belongs to the page: +[ 4093.900427] page:ffffea00d3705000 refcount:1 mapcount:0 mapping:ffff88bf04415c80 index:0x0 compound_mapcount: 0 +[ 4093.900430] flags: 0x10000000008100(slab|head) +[ 4093.900433] raw: 0010000000008100 dead000000000100 dead000000000200 ffff88bf04415c80 +[ 4093.900434] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000 +[ 4093.900434] page dumped because: kasan: bad access detected +[ 4093.900435] +[ 4093.900435] Memory state around the buggy address: +[ 4093.900436] ffff88b4dc145500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900437] ffff88b4dc145580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] >ffff88b4dc145600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] ^ +[ 4093.900439] ffff88b4dc145680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ffff88b4dc145700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ================================================================== + +Although the patch #2 (of 2) can avoid the issue triggered by this +repro.sh, there still are other potential risks that if num_active_queues +is changed to less than allocated q_vectors[] by unexpected, the +mismatched netif_napi_add/del() can also cause UAF. + +Since we actually call netif_napi_add() for all allocated q_vectors +unconditionally in iavf_alloc_q_vectors(), so we should fix it by +letting netif_napi_del() match to netif_napi_add(). + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Simon Horman +Reviewed-by: Madhu Chittim +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 4a66873882d12..601de8e8f3654 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1840,19 +1840,16 @@ static int iavf_alloc_q_vectors(struct iavf_adapter *adapter) + static void iavf_free_q_vectors(struct iavf_adapter *adapter) + { + int q_idx, num_q_vectors; +- int napi_vectors; + + if (!adapter->q_vectors) + return; + + num_q_vectors = adapter->num_msix_vectors - NONQ_VECS; +- napi_vectors = adapter->num_active_queues; + + for (q_idx = 0; q_idx < num_q_vectors; q_idx++) { + struct iavf_q_vector *q_vector = &adapter->q_vectors[q_idx]; + +- if (q_idx < napi_vectors) +- netif_napi_del(&q_vector->napi); ++ netif_napi_del(&q_vector->napi); + } + kfree(adapter->q_vectors); + adapter->q_vectors = NULL; +-- +2.39.2 + diff --git a/queue-6.4/iavf-make-functions-static-where-possible.patch b/queue-6.4/iavf-make-functions-static-where-possible.patch new file mode 100644 index 00000000000..e48bf7b084f --- /dev/null +++ b/queue-6.4/iavf-make-functions-static-where-possible.patch @@ -0,0 +1,223 @@ +From 68b6c8edce9d8fbb94f77072800d2fdebbf603d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 08:54:05 -0700 +Subject: iavf: make functions static where possible + +From: Przemek Kitszel + +[ Upstream commit a4aadf0f5905661cd25c366b96cc1c840f05b756 ] + +Make all possible functions static. + +Move iavf_force_wb() up to avoid forward declaration. + +Suggested-by: Maciej Fijalkowski +Reviewed-by: Maciej Fijalkowski +Signed-off-by: Przemek Kitszel +Signed-off-by: Tony Nguyen +Stable-dep-of: c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger it") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 10 ----- + drivers/net/ethernet/intel/iavf/iavf_main.c | 14 +++---- + drivers/net/ethernet/intel/iavf/iavf_txrx.c | 43 ++++++++++----------- + drivers/net/ethernet/intel/iavf/iavf_txrx.h | 4 -- + 4 files changed, 28 insertions(+), 43 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index 39d0fe76a38ff..f80f2735e6886 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -523,9 +523,6 @@ void iavf_schedule_request_stats(struct iavf_adapter *adapter); + void iavf_reset(struct iavf_adapter *adapter); + void iavf_set_ethtool_ops(struct net_device *netdev); + void iavf_update_stats(struct iavf_adapter *adapter); +-void iavf_reset_interrupt_capability(struct iavf_adapter *adapter); +-int iavf_init_interrupt_scheme(struct iavf_adapter *adapter); +-void iavf_irq_enable_queues(struct iavf_adapter *adapter); + void iavf_free_all_tx_resources(struct iavf_adapter *adapter); + void iavf_free_all_rx_resources(struct iavf_adapter *adapter); + +@@ -579,17 +576,10 @@ void iavf_enable_vlan_stripping_v2(struct iavf_adapter *adapter, u16 tpid); + void iavf_disable_vlan_stripping_v2(struct iavf_adapter *adapter, u16 tpid); + void iavf_enable_vlan_insertion_v2(struct iavf_adapter *adapter, u16 tpid); + void iavf_disable_vlan_insertion_v2(struct iavf_adapter *adapter, u16 tpid); +-int iavf_replace_primary_mac(struct iavf_adapter *adapter, +- const u8 *new_mac); +-void +-iavf_set_vlan_offload_features(struct iavf_adapter *adapter, +- netdev_features_t prev_features, +- netdev_features_t features); + void iavf_add_fdir_filter(struct iavf_adapter *adapter); + void iavf_del_fdir_filter(struct iavf_adapter *adapter); + void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter); + void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter); + struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, + const u8 *macaddr); +-int iavf_lock_timeout(struct mutex *lock, unsigned int msecs); + #endif /* _IAVF_H_ */ +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index b698f8917f049..b24e54823e6ae 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -253,7 +253,7 @@ enum iavf_status iavf_free_virt_mem_d(struct iavf_hw *hw, + * + * Returns 0 on success, negative on failure + **/ +-int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) ++static int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) + { + unsigned int wait, delay = 10; + +@@ -362,7 +362,7 @@ static void iavf_irq_disable(struct iavf_adapter *adapter) + * iavf_irq_enable_queues - Enable interrupt for all queues + * @adapter: board private structure + **/ +-void iavf_irq_enable_queues(struct iavf_adapter *adapter) ++static void iavf_irq_enable_queues(struct iavf_adapter *adapter) + { + struct iavf_hw *hw = &adapter->hw; + int i; +@@ -1003,8 +1003,8 @@ struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, + * + * Do not call this with mac_vlan_list_lock! + **/ +-int iavf_replace_primary_mac(struct iavf_adapter *adapter, +- const u8 *new_mac) ++static int iavf_replace_primary_mac(struct iavf_adapter *adapter, ++ const u8 *new_mac) + { + struct iavf_hw *hw = &adapter->hw; + struct iavf_mac_filter *f; +@@ -1860,7 +1860,7 @@ static void iavf_free_q_vectors(struct iavf_adapter *adapter) + * @adapter: board private structure + * + **/ +-void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) ++static void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) + { + if (!adapter->msix_entries) + return; +@@ -1875,7 +1875,7 @@ void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) + * @adapter: board private structure to initialize + * + **/ +-int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) ++static int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) + { + int err; + +@@ -2174,7 +2174,7 @@ static int iavf_process_aq_command(struct iavf_adapter *adapter) + * the watchdog if any changes are requested to expedite the request via + * virtchnl. + **/ +-void ++static void + iavf_set_vlan_offload_features(struct iavf_adapter *adapter, + netdev_features_t prev_features, + netdev_features_t features) +diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c +index e989feda133c1..8c5f6096b0022 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c +@@ -54,7 +54,7 @@ static void iavf_unmap_and_free_tx_resource(struct iavf_ring *ring, + * iavf_clean_tx_ring - Free any empty Tx buffers + * @tx_ring: ring to be cleaned + **/ +-void iavf_clean_tx_ring(struct iavf_ring *tx_ring) ++static void iavf_clean_tx_ring(struct iavf_ring *tx_ring) + { + unsigned long bi_size; + u16 i; +@@ -110,7 +110,7 @@ void iavf_free_tx_resources(struct iavf_ring *tx_ring) + * Since there is no access to the ring head register + * in XL710, we need to use our local copies + **/ +-u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) ++static u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) + { + u32 head, tail; + +@@ -127,6 +127,24 @@ u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) + return 0; + } + ++/** ++ * iavf_force_wb - Issue SW Interrupt so HW does a wb ++ * @vsi: the VSI we care about ++ * @q_vector: the vector on which to force writeback ++ **/ ++static void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector) ++{ ++ u32 val = IAVF_VFINT_DYN_CTLN1_INTENA_MASK | ++ IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK | /* set noitr */ ++ IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_MASK | ++ IAVF_VFINT_DYN_CTLN1_SW_ITR_INDX_ENA_MASK ++ /* allow 00 to be written to the index */; ++ ++ wr32(&vsi->back->hw, ++ IAVF_VFINT_DYN_CTLN1(q_vector->reg_idx), ++ val); ++} ++ + /** + * iavf_detect_recover_hung - Function to detect and recover hung_queues + * @vsi: pointer to vsi struct with tx queues +@@ -352,25 +370,6 @@ static void iavf_enable_wb_on_itr(struct iavf_vsi *vsi, + q_vector->arm_wb_state = true; + } + +-/** +- * iavf_force_wb - Issue SW Interrupt so HW does a wb +- * @vsi: the VSI we care about +- * @q_vector: the vector on which to force writeback +- * +- **/ +-void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector) +-{ +- u32 val = IAVF_VFINT_DYN_CTLN1_INTENA_MASK | +- IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK | /* set noitr */ +- IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_MASK | +- IAVF_VFINT_DYN_CTLN1_SW_ITR_INDX_ENA_MASK +- /* allow 00 to be written to the index */; +- +- wr32(&vsi->back->hw, +- IAVF_VFINT_DYN_CTLN1(q_vector->reg_idx), +- val); +-} +- + static inline bool iavf_container_is_rx(struct iavf_q_vector *q_vector, + struct iavf_ring_container *rc) + { +@@ -687,7 +686,7 @@ int iavf_setup_tx_descriptors(struct iavf_ring *tx_ring) + * iavf_clean_rx_ring - Free Rx buffers + * @rx_ring: ring to be cleaned + **/ +-void iavf_clean_rx_ring(struct iavf_ring *rx_ring) ++static void iavf_clean_rx_ring(struct iavf_ring *rx_ring) + { + unsigned long bi_size; + u16 i; +diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.h b/drivers/net/ethernet/intel/iavf/iavf_txrx.h +index 2624bf6d009e3..7e6ee32d19b69 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.h ++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.h +@@ -442,15 +442,11 @@ static inline unsigned int iavf_rx_pg_order(struct iavf_ring *ring) + + bool iavf_alloc_rx_buffers(struct iavf_ring *rxr, u16 cleaned_count); + netdev_tx_t iavf_xmit_frame(struct sk_buff *skb, struct net_device *netdev); +-void iavf_clean_tx_ring(struct iavf_ring *tx_ring); +-void iavf_clean_rx_ring(struct iavf_ring *rx_ring); + int iavf_setup_tx_descriptors(struct iavf_ring *tx_ring); + int iavf_setup_rx_descriptors(struct iavf_ring *rx_ring); + void iavf_free_tx_resources(struct iavf_ring *tx_ring); + void iavf_free_rx_resources(struct iavf_ring *rx_ring); + int iavf_napi_poll(struct napi_struct *napi, int budget); +-void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector); +-u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw); + void iavf_detect_recover_hung(struct iavf_vsi *vsi); + int __iavf_maybe_stop_tx(struct iavf_ring *tx_ring, int size); + bool __iavf_chk_linearize(struct sk_buff *skb); +-- +2.39.2 + diff --git a/queue-6.4/iavf-use-internal-state-to-free-traffic-irqs.patch b/queue-6.4/iavf-use-internal-state-to-free-traffic-irqs.patch new file mode 100644 index 00000000000..c0278ecdafd --- /dev/null +++ b/queue-6.4/iavf-use-internal-state-to-free-traffic-irqs.patch @@ -0,0 +1,65 @@ +From 31c8df7f7a300777b2f0073fd70320c0734a785f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 15:46:02 -0600 +Subject: iavf: use internal state to free traffic IRQs + +From: Ahmed Zaki + +[ Upstream commit a77ed5c5b768e9649be240a2d864e5cd9c6a2015 ] + +If the system tries to close the netdev while iavf_reset_task() is +running, __LINK_STATE_START will be cleared and netif_running() will +return false in iavf_reinit_interrupt_scheme(). This will result in +iavf_free_traffic_irqs() not being called and a leak as follows: + + [7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0' + [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0 + +is shown when pci_disable_msix() is later called. Fix by using the +internal adapter state. The traffic IRQs will always exist if +state == __IAVF_RUNNING. + +Fixes: 5b36e8d04b44 ("i40evf: Enable VF to request an alternate queue allocation") +Signed-off-by: Ahmed Zaki +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 601de8e8f3654..b698f8917f049 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1941,15 +1941,16 @@ static void iavf_free_rss(struct iavf_adapter *adapter) + /** + * iavf_reinit_interrupt_scheme - Reallocate queues and vectors + * @adapter: board private structure ++ * @running: true if adapter->state == __IAVF_RUNNING + * + * Returns 0 on success, negative on failure + **/ +-static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter) ++static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter, bool running) + { + struct net_device *netdev = adapter->netdev; + int err; + +- if (netif_running(netdev)) ++ if (running) + iavf_free_traffic_irqs(adapter); + iavf_free_misc_irq(adapter); + iavf_reset_interrupt_capability(adapter); +@@ -3065,7 +3066,7 @@ static void iavf_reset_task(struct work_struct *work) + + if ((adapter->flags & IAVF_FLAG_REINIT_MSIX_NEEDED) || + (adapter->flags & IAVF_FLAG_REINIT_ITR_NEEDED)) { +- err = iavf_reinit_interrupt_scheme(adapter); ++ err = iavf_reinit_interrupt_scheme(adapter, running); + if (err) + goto reset_err; + } +-- +2.39.2 + diff --git a/queue-6.4/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch b/queue-6.4/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch new file mode 100644 index 00000000000..176c0e422c4 --- /dev/null +++ b/queue-6.4/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch @@ -0,0 +1,253 @@ +From 1536bf50c1b1e60700372a8344141f9a05a00b68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 10:52:22 -0400 +Subject: iavf: Wait for reset in callbacks which trigger it + +From: Marcin Szycik + +[ Upstream commit c2ed2403f12c74a74a0091ed5d830e72c58406e8 ] + +There was a fail when trying to add the interface to bonding +right after changing the MTU on the interface. It was caused +by bonding interface unable to open the interface due to +interface being in __RESETTING state because of MTU change. + +Add new reset_waitqueue to indicate that reset has finished. + +Add waiting for reset to finish in callbacks which trigger hw reset: +iavf_set_priv_flags(), iavf_change_mtu() and iavf_set_ringparam(). +We use a 5000ms timeout period because on Hyper-V based systems, +this operation takes around 3000-4000ms. In normal circumstances, +it doesn't take more than 500ms to complete. + +Add a function iavf_wait_for_reset() to reuse waiting for reset code and +use it also in iavf_set_channels(), which already waits for reset. +We don't use error handling in iavf_set_channels() as this could +cause the device to be in incorrect state if the reset was scheduled +but hit timeout or the waitng function was interrupted by a signal. + +Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") +Signed-off-by: Marcin Szycik +Co-developed-by: Dawid Wesierski +Signed-off-by: Dawid Wesierski +Signed-off-by: Sylwester Dziedziuch +Signed-off-by: Kamil Maziarz +Signed-off-by: Mateusz Palczewski +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 + + .../net/ethernet/intel/iavf/iavf_ethtool.c | 31 ++++++----- + drivers/net/ethernet/intel/iavf/iavf_main.c | 51 ++++++++++++++++++- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 + + 4 files changed, 68 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index f80f2735e6886..a5cab19eb6a8b 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -257,6 +257,7 @@ struct iavf_adapter { + struct work_struct adminq_task; + struct delayed_work client_task; + wait_queue_head_t down_waitqueue; ++ wait_queue_head_t reset_waitqueue; + wait_queue_head_t vc_waitqueue; + struct iavf_q_vector *q_vectors; + struct list_head vlan_filter_list; +@@ -582,4 +583,5 @@ void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter); + void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter); + struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, + const u8 *macaddr); ++int iavf_wait_for_reset(struct iavf_adapter *adapter); + #endif /* _IAVF_H_ */ +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 92443f8e9fbdf..b7141c2a941d1 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -484,6 +484,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) + { + struct iavf_adapter *adapter = netdev_priv(netdev); + u32 orig_flags, new_flags, changed_flags; ++ int ret = 0; + u32 i; + + orig_flags = READ_ONCE(adapter->flags); +@@ -533,10 +534,13 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) + if (netif_running(netdev)) { + adapter->flags |= IAVF_FLAG_RESET_NEEDED; + queue_work(adapter->wq, &adapter->reset_task); ++ ret = iavf_wait_for_reset(adapter); ++ if (ret) ++ netdev_warn(netdev, "Changing private flags timeout or interrupted waiting for reset"); + } + } + +- return 0; ++ return ret; + } + + /** +@@ -627,6 +631,7 @@ static int iavf_set_ringparam(struct net_device *netdev, + { + struct iavf_adapter *adapter = netdev_priv(netdev); + u32 new_rx_count, new_tx_count; ++ int ret = 0; + + if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending)) + return -EINVAL; +@@ -673,9 +678,12 @@ static int iavf_set_ringparam(struct net_device *netdev, + if (netif_running(netdev)) { + adapter->flags |= IAVF_FLAG_RESET_NEEDED; + queue_work(adapter->wq, &adapter->reset_task); ++ ret = iavf_wait_for_reset(adapter); ++ if (ret) ++ netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); + } + +- return 0; ++ return ret; + } + + /** +@@ -1830,7 +1838,7 @@ static int iavf_set_channels(struct net_device *netdev, + { + struct iavf_adapter *adapter = netdev_priv(netdev); + u32 num_req = ch->combined_count; +- int i; ++ int ret = 0; + + if ((adapter->vf_res->vf_cap_flags & VIRTCHNL_VF_OFFLOAD_ADQ) && + adapter->num_tc) { +@@ -1854,20 +1862,11 @@ static int iavf_set_channels(struct net_device *netdev, + adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; + iavf_schedule_reset(adapter); + +- /* wait for the reset is done */ +- for (i = 0; i < IAVF_RESET_WAIT_COMPLETE_COUNT; i++) { +- msleep(IAVF_RESET_WAIT_MS); +- if (adapter->flags & IAVF_FLAG_RESET_PENDING) +- continue; +- break; +- } +- if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { +- adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; +- adapter->num_req_queues = 0; +- return -EOPNOTSUPP; +- } ++ ret = iavf_wait_for_reset(adapter); ++ if (ret) ++ netdev_warn(netdev, "Changing channel count timeout or interrupted waiting for reset"); + +- return 0; ++ return ret; + } + + /** +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index b24e54823e6ae..8cb9b74b3ebea 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -166,6 +166,45 @@ static struct iavf_adapter *iavf_pdev_to_adapter(struct pci_dev *pdev) + return netdev_priv(pci_get_drvdata(pdev)); + } + ++/** ++ * iavf_is_reset_in_progress - Check if a reset is in progress ++ * @adapter: board private structure ++ */ ++static bool iavf_is_reset_in_progress(struct iavf_adapter *adapter) ++{ ++ if (adapter->state == __IAVF_RESETTING || ++ adapter->flags & (IAVF_FLAG_RESET_PENDING | ++ IAVF_FLAG_RESET_NEEDED)) ++ return true; ++ ++ return false; ++} ++ ++/** ++ * iavf_wait_for_reset - Wait for reset to finish. ++ * @adapter: board private structure ++ * ++ * Returns 0 if reset finished successfully, negative on timeout or interrupt. ++ */ ++int iavf_wait_for_reset(struct iavf_adapter *adapter) ++{ ++ int ret = wait_event_interruptible_timeout(adapter->reset_waitqueue, ++ !iavf_is_reset_in_progress(adapter), ++ msecs_to_jiffies(5000)); ++ ++ /* If ret < 0 then it means wait was interrupted. ++ * If ret == 0 then it means we got a timeout while waiting ++ * for reset to finish. ++ * If ret > 0 it means reset has finished. ++ */ ++ if (ret > 0) ++ return 0; ++ else if (ret < 0) ++ return -EINTR; ++ else ++ return -EBUSY; ++} ++ + /** + * iavf_allocate_dma_mem_d - OS specific memory alloc for shared code + * @hw: pointer to the HW structure +@@ -3161,6 +3200,7 @@ static void iavf_reset_task(struct work_struct *work) + + adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; + ++ wake_up(&adapter->reset_waitqueue); + mutex_unlock(&adapter->client_lock); + mutex_unlock(&adapter->crit_lock); + +@@ -4325,6 +4365,7 @@ static int iavf_close(struct net_device *netdev) + static int iavf_change_mtu(struct net_device *netdev, int new_mtu) + { + struct iavf_adapter *adapter = netdev_priv(netdev); ++ int ret = 0; + + netdev_dbg(netdev, "changing MTU from %d to %d\n", + netdev->mtu, new_mtu); +@@ -4337,9 +4378,14 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu) + if (netif_running(netdev)) { + adapter->flags |= IAVF_FLAG_RESET_NEEDED; + queue_work(adapter->wq, &adapter->reset_task); ++ ret = iavf_wait_for_reset(adapter); ++ if (ret < 0) ++ netdev_warn(netdev, "MTU change interrupted waiting for reset"); ++ else if (ret) ++ netdev_warn(netdev, "MTU change timed out waiting for reset"); + } + +- return 0; ++ return ret; + } + + #define NETIF_VLAN_OFFLOAD_FEATURES (NETIF_F_HW_VLAN_CTAG_RX | \ +@@ -4940,6 +4986,9 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + /* Setup the wait queue for indicating transition to down status */ + init_waitqueue_head(&adapter->down_waitqueue); + ++ /* Setup the wait queue for indicating transition to running state */ ++ init_waitqueue_head(&adapter->reset_waitqueue); ++ + /* Setup the wait queue for indicating virtchannel events */ + init_waitqueue_head(&adapter->vc_waitqueue); + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 7c0578b5457b9..1bab896aaf40c 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -2285,6 +2285,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + case VIRTCHNL_OP_ENABLE_QUEUES: + /* enable transmits */ + iavf_irq_enable(adapter, true); ++ wake_up(&adapter->reset_waitqueue); + adapter->flags &= ~IAVF_FLAG_QUEUES_DISABLED; + break; + case VIRTCHNL_OP_DISABLE_QUEUES: +-- +2.39.2 + diff --git a/queue-6.4/ice-prevent-null-pointer-deref-during-reload.patch b/queue-6.4/ice-prevent-null-pointer-deref-during-reload.patch new file mode 100644 index 00000000000..1d5f0e4e51b --- /dev/null +++ b/queue-6.4/ice-prevent-null-pointer-deref-during-reload.patch @@ -0,0 +1,187 @@ +From 93590b860be32d444cc9d6dfbc0e7308f63b6ef7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 08:25:51 +0200 +Subject: ice: prevent NULL pointer deref during reload + +From: Michal Swiatkowski + +[ Upstream commit b3e7b3a6ee92ab927f750a6b19615ce88ece808f ] + +Calling ethtool during reload can lead to call trace, because VSI isn't +configured for some time, but netdev is alive. + +To fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors +to 0 after freeing and add a check for ::tx/rx_rings in ring related +ethtool ops. + +Add proper unroll of filters in ice_start_eth(). + +Reproduction: +$watch -n 0.1 -d 'ethtool -g enp24s0f0np0' +$devlink dev reload pci/0000:18:00.0 action driver_reinit + +Call trace before fix: +[66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[66303.926259] #PF: supervisor read access in kernel mode +[66303.926286] #PF: error_code(0x0000) - not-present page +[66303.926311] PGD 0 P4D 0 +[66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI +[66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1 +[66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018 +[66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice] +[66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 <48> 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48 +[66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246 +[66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48 +[66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000 +[66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000 +[66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000 +[66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: ffffad40472f3a50 +[66303.926906] FS: 00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000 +[66303.926941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0 +[66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[66303.927060] PKRU: 55555554 +[66303.927075] Call Trace: +[66303.927094] +[66303.927111] ? __die+0x23/0x70 +[66303.927140] ? page_fault_oops+0x171/0x4e0 +[66303.927176] ? exc_page_fault+0x7f/0x180 +[66303.927209] ? asm_exc_page_fault+0x26/0x30 +[66303.927244] ? ice_get_ringparam+0x22/0x50 [ice] +[66303.927433] rings_prepare_data+0x62/0x80 +[66303.927469] ethnl_default_doit+0xe2/0x350 +[66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140 +[66303.927538] genl_rcv_msg+0x1b1/0x2c0 +[66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10 +[66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10 +[66303.927615] netlink_rcv_skb+0x58/0x110 +[66303.927644] genl_rcv+0x28/0x40 +[66303.927665] netlink_unicast+0x19e/0x290 +[66303.927691] netlink_sendmsg+0x254/0x4d0 +[66303.927717] sock_sendmsg+0x93/0xa0 +[66303.927743] __sys_sendto+0x126/0x170 +[66303.927780] __x64_sys_sendto+0x24/0x30 +[66303.928593] do_syscall_64+0x5d/0x90 +[66303.929370] ? __count_memcg_events+0x60/0xa0 +[66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30 +[66303.930920] ? handle_mm_fault+0x9e/0x350 +[66303.931688] ? do_user_addr_fault+0x258/0x740 +[66303.932452] ? exc_page_fault+0x7f/0x180 +[66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Fixes: 5b246e533d01 ("ice: split probe into smaller functions") +Reviewed-by: Przemek Kitszel +Signed-off-by: Michal Swiatkowski +Reviewed-by: Simon Horman +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_base.c | 2 ++ + drivers/net/ethernet/intel/ice/ice_ethtool.c | 13 +++++++++++-- + drivers/net/ethernet/intel/ice/ice_main.c | 10 ++++++++-- + 3 files changed, 21 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c +index 1911d644dfa8d..619cb07a40691 100644 +--- a/drivers/net/ethernet/intel/ice/ice_base.c ++++ b/drivers/net/ethernet/intel/ice/ice_base.c +@@ -758,6 +758,8 @@ void ice_vsi_free_q_vectors(struct ice_vsi *vsi) + + ice_for_each_q_vector(vsi, v_idx) + ice_free_q_vector(vsi, v_idx); ++ ++ vsi->num_q_vectors = 0; + } + + /** +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index f86e814354a31..ec4138e684bd2 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -2920,8 +2920,13 @@ ice_get_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring, + + ring->rx_max_pending = ICE_MAX_NUM_DESC; + ring->tx_max_pending = ICE_MAX_NUM_DESC; +- ring->rx_pending = vsi->rx_rings[0]->count; +- ring->tx_pending = vsi->tx_rings[0]->count; ++ if (vsi->tx_rings && vsi->rx_rings) { ++ ring->rx_pending = vsi->rx_rings[0]->count; ++ ring->tx_pending = vsi->tx_rings[0]->count; ++ } else { ++ ring->rx_pending = 0; ++ ring->tx_pending = 0; ++ } + + /* Rx mini and jumbo rings are not supported */ + ring->rx_mini_max_pending = 0; +@@ -2955,6 +2960,10 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring, + return -EINVAL; + } + ++ /* Return if there is no rings (device is reloading) */ ++ if (!vsi->tx_rings || !vsi->rx_rings) ++ return -EBUSY; ++ + new_tx_cnt = ALIGN(ring->tx_pending, ICE_REQ_DESC_MULTIPLE); + if (new_tx_cnt != ring->tx_pending) + netdev_info(netdev, "Requested Tx descriptor count rounded up to %d\n", +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 1277e0a044ee4..fbe70458fda27 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -4655,9 +4655,9 @@ static int ice_start_eth(struct ice_vsi *vsi) + if (err) + return err; + +- rtnl_lock(); + err = ice_vsi_open(vsi); +- rtnl_unlock(); ++ if (err) ++ ice_fltr_remove_all(vsi); + + return err; + } +@@ -5120,6 +5120,7 @@ int ice_load(struct ice_pf *pf) + params = ice_vsi_to_params(vsi); + params.flags = ICE_VSI_FLAG_INIT; + ++ rtnl_lock(); + err = ice_vsi_cfg(vsi, ¶ms); + if (err) + goto err_vsi_cfg; +@@ -5127,6 +5128,7 @@ int ice_load(struct ice_pf *pf) + err = ice_start_eth(ice_get_main_vsi(pf)); + if (err) + goto err_start_eth; ++ rtnl_unlock(); + + err = ice_init_rdma(pf); + if (err) +@@ -5141,9 +5143,11 @@ int ice_load(struct ice_pf *pf) + + err_init_rdma: + ice_vsi_close(ice_get_main_vsi(pf)); ++ rtnl_lock(); + err_start_eth: + ice_vsi_decfg(ice_get_main_vsi(pf)); + err_vsi_cfg: ++ rtnl_unlock(); + ice_deinit_dev(pf); + return err; + } +@@ -5156,8 +5160,10 @@ void ice_unload(struct ice_pf *pf) + { + ice_deinit_features(pf); + ice_deinit_rdma(pf); ++ rtnl_lock(); + ice_stop_eth(ice_get_main_vsi(pf)); + ice_vsi_decfg(ice_get_main_vsi(pf)); ++ rtnl_unlock(); + ice_deinit_dev(pf); + } + +-- +2.39.2 + diff --git a/queue-6.4/ice-unregister-netdev-and-devlink_port-only-once.patch b/queue-6.4/ice-unregister-netdev-and-devlink_port-only-once.patch new file mode 100644 index 00000000000..54b6608fdc7 --- /dev/null +++ b/queue-6.4/ice-unregister-netdev-and-devlink_port-only-once.patch @@ -0,0 +1,90 @@ +From d1aeebd398c1fd5efc7811ba8bf4afb8b5eae005 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 12:58:13 +0200 +Subject: ice: Unregister netdev and devlink_port only once + +From: Petr Oros + +[ Upstream commit 24a3298ac9e6bd8de838ab79f7868207170d556d ] + +Since commit 6624e780a577fc ("ice: split ice_vsi_setup into smaller +functions") ice_vsi_release does things twice. There is unregister +netdev which is unregistered in ice_deinit_eth also. + +It also unregisters the devlink_port twice which is also unregistered +in ice_deinit_eth(). This double deregistration is hidden because +devl_port_unregister ignores the return value of xa_erase. + +[ 68.642167] Call Trace: +[ 68.650385] ice_devlink_destroy_pf_port+0xe/0x20 [ice] +[ 68.655656] ice_vsi_release+0x445/0x690 [ice] +[ 68.660147] ice_deinit+0x99/0x280 [ice] +[ 68.664117] ice_remove+0x1b6/0x5c0 [ice] + +[ 171.103841] Call Trace: +[ 171.109607] ice_devlink_destroy_pf_port+0xf/0x20 [ice] +[ 171.114841] ice_remove+0x158/0x270 [ice] +[ 171.118854] pci_device_remove+0x3b/0xc0 +[ 171.122779] device_release_driver_internal+0xc7/0x170 +[ 171.127912] driver_detach+0x54/0x8c +[ 171.131491] bus_remove_driver+0x77/0xd1 +[ 171.135406] pci_unregister_driver+0x2d/0xb0 +[ 171.139670] ice_module_exit+0xc/0x55f [ice] + +Fixes: 6624e780a577 ("ice: split ice_vsi_setup into smaller functions") +Signed-off-by: Petr Oros +Reviewed-by: Maciej Fijalkowski +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 27 ------------------------ + 1 file changed, 27 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 11ae0e41f518a..284a1f0bfdb54 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -3272,39 +3272,12 @@ int ice_vsi_release(struct ice_vsi *vsi) + return -ENODEV; + pf = vsi->back; + +- /* do not unregister while driver is in the reset recovery pending +- * state. Since reset/rebuild happens through PF service task workqueue, +- * it's not a good idea to unregister netdev that is associated to the +- * PF that is running the work queue items currently. This is done to +- * avoid check_flush_dependency() warning on this wq +- */ +- if (vsi->netdev && !ice_is_reset_in_progress(pf->state) && +- (test_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state))) { +- unregister_netdev(vsi->netdev); +- clear_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state); +- } +- +- if (vsi->type == ICE_VSI_PF) +- ice_devlink_destroy_pf_port(pf); +- + if (test_bit(ICE_FLAG_RSS_ENA, pf->flags)) + ice_rss_clean(vsi); + + ice_vsi_close(vsi); + ice_vsi_decfg(vsi); + +- if (vsi->netdev) { +- if (test_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state)) { +- unregister_netdev(vsi->netdev); +- clear_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state); +- } +- if (test_bit(ICE_VSI_NETDEV_ALLOCD, vsi->state)) { +- free_netdev(vsi->netdev); +- vsi->netdev = NULL; +- clear_bit(ICE_VSI_NETDEV_ALLOCD, vsi->state); +- } +- } +- + /* retain SW VSI data structure since it is needed to unregister and + * free VSI netdev when PF is not in reset recovery pending state,\ + * for ex: during rmmod. +-- +2.39.2 + diff --git a/queue-6.4/igb-fix-igb_down-hung-on-surprise-removal.patch b/queue-6.4/igb-fix-igb_down-hung-on-surprise-removal.patch new file mode 100644 index 00000000000..a8077232de8 --- /dev/null +++ b/queue-6.4/igb-fix-igb_down-hung-on-surprise-removal.patch @@ -0,0 +1,89 @@ +From 47bae22598c4635fb1b9ce70516f7a13ffb75aa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 10:47:32 -0700 +Subject: igb: Fix igb_down hung on surprise removal + +From: Ying Hsu + +[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ] + +In a setup where a Thunderbolt hub connects to Ethernet and a display +through USB Type-C, users may experience a hung task timeout when they +remove the cable between the PC and the Thunderbolt hub. +This is because the igb_down function is called multiple times when +the Thunderbolt hub is unplugged. For example, the igb_io_error_detected +triggers the first call, and the igb_remove triggers the second call. +The second call to igb_down will block at napi_synchronize. +Here's the call trace: + __schedule+0x3b0/0xddb + ? __mod_timer+0x164/0x5d3 + schedule+0x44/0xa8 + schedule_timeout+0xb2/0x2a4 + ? run_local_timers+0x4e/0x4e + msleep+0x31/0x38 + igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] + __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] + igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] + __dev_close_many+0x95/0xec + dev_close_many+0x6e/0x103 + unregister_netdevice_many+0x105/0x5b1 + unregister_netdevice_queue+0xc2/0x10d + unregister_netdev+0x1c/0x23 + igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] + pci_device_remove+0x3f/0x9c + device_release_driver_internal+0xfe/0x1b4 + pci_stop_bus_device+0x5b/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_and_remove_bus_device+0x12/0x19 + pciehp_unconfigure_device+0x76/0xe9 + pciehp_disable_slot+0x6e/0x131 + pciehp_handle_presence_or_link_change+0x7a/0x3f7 + pciehp_ist+0xbe/0x194 + irq_thread_fn+0x22/0x4d + ? irq_thread+0x1fd/0x1fd + irq_thread+0x17b/0x1fd + ? irq_forced_thread_fn+0x5f/0x5f + kthread+0x142/0x153 + ? __irq_get_irqchip_state+0x46/0x46 + ? kthread_associate_blkcg+0x71/0x71 + ret_from_fork+0x1f/0x30 + +In this case, igb_io_error_detected detaches the network interface +and requests a PCIE slot reset, however, the PCIE reset callback is +not being invoked and thus the Ethernet connection breaks down. +As the PCIE error in this case is a non-fatal one, requesting a +slot reset can be avoided. +This patch fixes the task hung issue and preserves Ethernet +connection by ignoring non-fatal PCIE errors. + +Signed-off-by: Ying Hsu +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index bb3db387d49cf..ba5e1d1320f67 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -9585,6 +9585,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, + struct net_device *netdev = pci_get_drvdata(pdev); + struct igb_adapter *adapter = netdev_priv(netdev); + ++ if (state == pci_channel_io_normal) { ++ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n"); ++ return PCI_ERS_RESULT_CAN_RECOVER; ++ } ++ + netif_device_detach(netdev); + + if (state == pci_channel_io_perm_failure) +-- +2.39.2 + diff --git a/queue-6.4/igc-avoid-transmit-queue-timeout-for-xdp.patch b/queue-6.4/igc-avoid-transmit-queue-timeout-for-xdp.patch new file mode 100644 index 00000000000..f5fb3bd8114 --- /dev/null +++ b/queue-6.4/igc-avoid-transmit-queue-timeout-for-xdp.patch @@ -0,0 +1,61 @@ +From df3cfe2aab8fbc415d4ae2485e94aa3caa55fbed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 09:36:11 +0200 +Subject: igc: Avoid transmit queue timeout for XDP + +From: Kurt Kanzenbach + +[ Upstream commit 95b681485563c64585de78662ee52d06b7fa47d9 ] + +High XDP load triggers the netdev watchdog: + +|NETDEV WATCHDOG: enp3s0 (igc): transmit queue 2 timed out + +The reason is the Tx queue transmission start (txq->trans_start) is not updated +in XDP code path. Therefore, add it for all XDP transmission functions. + +Signed-off-by: Kurt Kanzenbach +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Stable-dep-of: 78adb4bcf99e ("igc: Prevent garbled TX queue with XDP ZEROCOPY") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 44aa4342cbbb5..ef4ea46442f21 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -2417,6 +2417,8 @@ static int igc_xdp_xmit_back(struct igc_adapter *adapter, struct xdp_buff *xdp) + nq = txring_txq(ring); + + __netif_tx_lock(nq, cpu); ++ /* Avoid transmit queue timeout since we share it with the slow path */ ++ txq_trans_cond_update(nq); + res = igc_xdp_init_tx_descriptor(ring, xdpf); + __netif_tx_unlock(nq); + return res; +@@ -2833,6 +2835,9 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) + + __netif_tx_lock(nq, cpu); + ++ /* Avoid transmit queue timeout since we share it with the slow path */ ++ txq_trans_cond_update(nq); ++ + budget = igc_desc_unused(ring); + + while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) { +@@ -6385,6 +6390,9 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames, + + __netif_tx_lock(nq, cpu); + ++ /* Avoid transmit queue timeout since we share it with the slow path */ ++ txq_trans_cond_update(nq); ++ + drops = 0; + for (i = 0; i < num_frames; i++) { + int err; +-- +2.39.2 + diff --git a/queue-6.4/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch b/queue-6.4/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch new file mode 100644 index 00000000000..a98a1d90121 --- /dev/null +++ b/queue-6.4/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch @@ -0,0 +1,79 @@ +From ac30745bc06e7ef6e04ae5bc4b2135ca5fcc4df2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 10:54:44 -0700 +Subject: igc: Prevent garbled TX queue with XDP ZEROCOPY + +From: Florian Kauer + +[ Upstream commit 78adb4bcf99effbb960c5f9091e2e062509d1030 ] + +In normal operation, each populated queue item has +next_to_watch pointing to the last TX desc of the packet, +while each cleaned item has it set to 0. In particular, +next_to_use that points to the next (necessarily clean) +item to use has next_to_watch set to 0. + +When the TX queue is used both by an application using +AF_XDP with ZEROCOPY as well as a second non-XDP application +generating high traffic, the queue pointers can get in +an invalid state where next_to_use points to an item +where next_to_watch is NOT set to 0. + +However, the implementation assumes at several places +that this is never the case, so if it does hold, +bad things happen. In particular, within the loop inside +of igc_clean_tx_irq(), next_to_clean can overtake next_to_use. +Finally, this prevents any further transmission via +this queue and it never gets unblocked or signaled. +Secondly, if the queue is in this garbled state, +the inner loop of igc_clean_tx_ring() will never terminate, +completely hogging a CPU core. + +The reason is that igc_xdp_xmit_zc() reads next_to_use +before acquiring the lock, and writing it back +(potentially unmodified) later. If it got modified +before locking, the outdated next_to_use is written +pointing to an item that was already used elsewhere +(and thus next_to_watch got written). + +Fixes: 9acf59a752d4 ("igc: Enable TX via AF_XDP zero-copy") +Signed-off-by: Florian Kauer +Reviewed-by: Kurt Kanzenbach +Tested-by: Kurt Kanzenbach +Acked-by: Vinicius Costa Gomes +Reviewed-by: Simon Horman +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230717175444.3217831-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index ef4ea46442f21..496a4eb687b00 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -2826,9 +2826,8 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) + struct netdev_queue *nq = txring_txq(ring); + union igc_adv_tx_desc *tx_desc = NULL; + int cpu = smp_processor_id(); +- u16 ntu = ring->next_to_use; + struct xdp_desc xdp_desc; +- u16 budget; ++ u16 budget, ntu; + + if (!netif_carrier_ok(ring->netdev)) + return; +@@ -2838,6 +2837,7 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) + /* Avoid transmit queue timeout since we share it with the slow path */ + txq_trans_cond_update(nq); + ++ ntu = ring->next_to_use; + budget = igc_desc_unused(ring); + + while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) { +-- +2.39.2 + diff --git a/queue-6.4/iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch b/queue-6.4/iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch new file mode 100644 index 00000000000..15849e6c1ef --- /dev/null +++ b/queue-6.4/iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch @@ -0,0 +1,45 @@ +From d7bf48d29d77eb138f5bacd1a9c2891e60d7a754 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 11:55:31 +0300 +Subject: iommu/sva: Fix signedness bug in iommu_sva_alloc_pasid() + +From: Dan Carpenter + +[ Upstream commit c20ecf7bb6153149b81a9277eda23398957656f2 ] + +The ida_alloc_range() function returns negative error codes on error. +On success it returns values in the min to max range (inclusive). It +never returns more then INT_MAX even if "max" is higher. It never +returns values in the 0 to (min - 1) range. + +The bug is that "min" is an unsigned int so negative error codes will +be promoted to high positive values errors treated as success. + +Fixes: 1a14bf0fc7ed ("iommu/sva: Use GFP_KERNEL for pasid allocation") +Signed-off-by: Dan Carpenter +Reviewed-by: Lu Baolu +Link: https://lore.kernel.org/r/6b32095d-7491-4ebb-a850-12e96209eaaf@kili.mountain +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommu-sva.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c +index 3ebd4b6586b3e..05c0fb2acbc44 100644 +--- a/drivers/iommu/iommu-sva.c ++++ b/drivers/iommu/iommu-sva.c +@@ -34,8 +34,9 @@ static int iommu_sva_alloc_pasid(struct mm_struct *mm, ioasid_t min, ioasid_t ma + } + + ret = ida_alloc_range(&iommu_global_pasid_ida, min, max, GFP_KERNEL); +- if (ret < min) ++ if (ret < 0) + goto out; ++ + mm->pasid = ret; + ret = 0; + out: +-- +2.39.2 + diff --git a/queue-6.4/iov_iter-mark-copy_iovec_from_user-noclone.patch b/queue-6.4/iov_iter-mark-copy_iovec_from_user-noclone.patch new file mode 100644 index 00000000000..2d1d445c81b --- /dev/null +++ b/queue-6.4/iov_iter-mark-copy_iovec_from_user-noclone.patch @@ -0,0 +1,43 @@ +From 695a430cb85dc054be8ebfe3f013f48def52def1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 14:43:55 +0200 +Subject: iov_iter: Mark copy_iovec_from_user() noclone + +From: Peter Zijlstra + +[ Upstream commit 719a937b7003933de1298ffa4b881dd6a234e244 ] + +Extend commit 50f9a76ef127 ("iov_iter: Mark +copy_compat_iovec_from_user() noinline") to also cover +copy_iovec_from_user(). Different compiler versions cause the same +problem on different functions. + +lib/iov_iter.o: warning: objtool: .altinstr_replacement+0x1f: redundant UACCESS disable +lib/iov_iter.o: warning: objtool: iovec_from_user+0x84: call to copy_iovec_from_user.part.0() with UACCESS enabled +lib/iov_iter.o: warning: objtool: __import_iovec+0x143: call to copy_iovec_from_user.part.0() with UACCESS enabled + +Fixes: 50f9a76ef127 ("iov_iter: Mark copy_compat_iovec_from_user() noinline") +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Borislav Petkov (AMD) +Link: https://lkml.kernel.org/r/20230616124354.GD4253@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + lib/iov_iter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index 960223ed91991..061cc3ed58f5b 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -1795,7 +1795,7 @@ static __noclone int copy_compat_iovec_from_user(struct iovec *iov, + return ret; + } + +-static int copy_iovec_from_user(struct iovec *iov, ++static __noclone int copy_iovec_from_user(struct iovec *iov, + const struct iovec __user *uiov, unsigned long nr_segs) + { + int ret = -EFAULT; +-- +2.39.2 + diff --git a/queue-6.4/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch b/queue-6.4/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch new file mode 100644 index 00000000000..2888b9c887c --- /dev/null +++ b/queue-6.4/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch @@ -0,0 +1,104 @@ +From e566bf07b787c98df80e25d78ed32b1cf422af9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 11:19:26 -0700 +Subject: kallsyms: strip LTO-only suffixes from promoted global functions + +From: Yonghong Song + +[ Upstream commit 8cc32a9bbf2934d90762d9de0187adcb5ad46a11 ] + +Commit 6eb4bd92c1ce ("kallsyms: strip LTO suffixes from static functions") +stripped all function/variable suffixes started with '.' regardless +of whether those suffixes are generated at LTO mode or not. In fact, +as far as I know, in LTO mode, when a static function/variable is +promoted to the global scope, '.llvm.<...>' suffix is added. + +The existing mechanism breaks live patch for a LTO kernel even if +no .llvm.<...> symbols are involved. For example, for the following +kernel symbols: + $ grep bpf_verifier_vlog /proc/kallsyms + ffffffff81549f60 t bpf_verifier_vlog + ffffffff8268b430 d bpf_verifier_vlog._entry + ffffffff8282a958 d bpf_verifier_vlog._entry_ptr + ffffffff82e12a1f d bpf_verifier_vlog.__already_done +'bpf_verifier_vlog' is a static function. '_entry', '_entry_ptr' and +'__already_done' are static variables used inside 'bpf_verifier_vlog', +so llvm promotes them to file-level static with prefix 'bpf_verifier_vlog.'. +Note that the func-level to file-level static function promotion also +happens without LTO. + +Given a symbol name 'bpf_verifier_vlog', with LTO kernel, current mechanism will +return 4 symbols to live patch subsystem which current live patching +subsystem cannot handle it. With non-LTO kernel, only one symbol +is returned. + +In [1], we have a lengthy discussion, the suggestion is to separate two +cases: + (1). new symbols with suffix which are generated regardless of whether + LTO is enabled or not, and + (2). new symbols with suffix generated only when LTO is enabled. + +The cleanup_symbol_name() should only remove suffixes for case (2). +Case (1) should not be changed so it can work uniformly with or without LTO. + +This patch removed LTO-only suffix '.llvm.<...>' so live patching and +tracing should work the same way for non-LTO kernel. +The cleanup_symbol_name() in scripts/kallsyms.c is also changed to have the same +filtering pattern so both kernel and kallsyms tool have the same +expectation on the order of symbols. + + [1] https://lore.kernel.org/live-patching/20230615170048.2382735-1-song@kernel.org/T/#u + +Fixes: 6eb4bd92c1ce ("kallsyms: strip LTO suffixes from static functions") +Reported-by: Song Liu +Signed-off-by: Yonghong Song +Reviewed-by: Zhen Lei +Reviewed-by: Nick Desaulniers +Acked-by: Song Liu +Link: https://lore.kernel.org/r/20230628181926.4102448-1-yhs@fb.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + kernel/kallsyms.c | 5 ++--- + scripts/kallsyms.c | 6 +++--- + 2 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c +index 77747391f49b6..4874508bb950e 100644 +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -174,11 +174,10 @@ static bool cleanup_symbol_name(char *s) + * LLVM appends various suffixes for local functions and variables that + * must be promoted to global scope as part of LTO. This can break + * hooking of static functions with kprobes. '.' is not a valid +- * character in an identifier in C. Suffixes observed: ++ * character in an identifier in C. Suffixes only in LLVM LTO observed: + * - foo.llvm.[0-9a-f]+ +- * - foo.[0-9a-f]+ + */ +- res = strchr(s, '.'); ++ res = strstr(s, ".llvm."); + if (res) { + *res = '\0'; + return true; +diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c +index 0d2db41177b23..13af6d0ff845d 100644 +--- a/scripts/kallsyms.c ++++ b/scripts/kallsyms.c +@@ -346,10 +346,10 @@ static void cleanup_symbol_name(char *s) + * ASCII[_] = 5f + * ASCII[a-z] = 61,7a + * +- * As above, replacing '.' with '\0' does not affect the main sorting, +- * but it helps us with subsorting. ++ * As above, replacing the first '.' in ".llvm." with '\0' does not ++ * affect the main sorting, but it helps us with subsorting. + */ +- p = strchr(s, '.'); ++ p = strstr(s, ".llvm."); + if (p) + *p = '\0'; + } +-- +2.39.2 + diff --git a/queue-6.4/llc-don-t-drop-packet-from-non-root-netns.patch b/queue-6.4/llc-don-t-drop-packet-from-non-root-netns.patch new file mode 100644 index 00000000000..4a6e0b72084 --- /dev/null +++ b/queue-6.4/llc-don-t-drop-packet-from-non-root-netns.patch @@ -0,0 +1,50 @@ +From ab300723a1ee5601a0a426d0d158f60c650f82d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 10:41:51 -0700 +Subject: llc: Don't drop packet from non-root netns. + +From: Kuniyuki Iwashima + +[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ] + +Now these upper layer protocol handlers can be called from llc_rcv() +as sap->rcv_func(), which is registered by llc_sap_open(). + + * function which is passed to register_8022_client() + -> no in-kernel user calls register_8022_client(). + + * snap_rcv() + `- proto->rcvfunc() : registered by register_snap_client() + -> aarp_rcv() and atalk_rcv() drop packets from non-root netns + + * stp_pdu_rcv() + `- garp_protos[]->rcv() : registered by stp_proto_register() + -> garp_pdu_rcv() and br_stp_rcv() are netns-aware + +So, we can safely remove the netns restriction in llc_rcv(). + +Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/llc/llc_input.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c +index c309b72a58779..7cac441862e21 100644 +--- a/net/llc/llc_input.c ++++ b/net/llc/llc_input.c +@@ -163,9 +163,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev, + void (*sta_handler)(struct sk_buff *skb); + void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb); + +- if (!net_eq(dev_net(dev), &init_net)) +- goto drop; +- + /* + * When the interface is in promisc. mode, drop all the crap that it + * receives, do not try to analyse it. +-- +2.39.2 + diff --git a/queue-6.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch b/queue-6.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch new file mode 100644 index 00000000000..d6817daedd1 --- /dev/null +++ b/queue-6.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch @@ -0,0 +1,60 @@ +From 80f2228049410e7eff45840000d380b5604945b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 09:56:07 +0800 +Subject: md: fix data corruption for raid456 when reshape restart while grow + up + +From: Yu Kuai + +[ Upstream commit 873f50ece41aad5c4f788a340960c53774b5526e ] + +Currently, if reshape is interrupted, echo "reshape" to sync_action will +restart reshape from scratch, for example: + +echo frozen > sync_action +echo reshape > sync_action + +This will corrupt data before reshape_position if the array is growing, +fix the problem by continue reshape from reshape_position. + +Reported-by: Peter Neuwirth +Link: https://lore.kernel.org/linux-raid/e2f96772-bfbc-f43b-6da1-f520e5164536@online.de/ +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230512015610.821290-3-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 350094f1cb09f..18384251399ab 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4807,11 +4807,21 @@ action_store(struct mddev *mddev, const char *page, size_t len) + return -EINVAL; + err = mddev_lock(mddev); + if (!err) { +- if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) ++ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) { + err = -EBUSY; +- else { ++ } else if (mddev->reshape_position == MaxSector || ++ mddev->pers->check_reshape == NULL || ++ mddev->pers->check_reshape(mddev)) { + clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + err = mddev->pers->start_reshape(mddev); ++ } else { ++ /* ++ * If reshape is still in progress, and ++ * md_check_recovery() can continue to reshape, ++ * don't restart reshape because data can be ++ * corrupted for raid456. ++ */ ++ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + } + mddev_unlock(mddev); + } +-- +2.39.2 + diff --git a/queue-6.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch b/queue-6.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch new file mode 100644 index 00000000000..b2cb0c775d8 --- /dev/null +++ b/queue-6.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch @@ -0,0 +1,79 @@ +From ef7e4e57e0ab49f62d54a77d61419b84c4936aff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 21:11:00 +0800 +Subject: md/raid10: prevent soft lockup while flush writes + +From: Yu Kuai + +[ Upstream commit 010444623e7f4da6b4a4dd603a7da7469981e293 ] + +Currently, there is no limit for raid1/raid10 plugged bio. While flushing +writes, raid1 has cond_resched() while raid10 doesn't, and too many +writes can cause soft lockup. + +Follow up soft lockup can be triggered easily with writeback test for +raid10 with ramdisks: + +watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293] +Call Trace: + + call_rcu+0x16/0x20 + put_object+0x41/0x80 + __delete_object+0x50/0x90 + delete_object_full+0x2b/0x40 + kmemleak_free+0x46/0xa0 + slab_free_freelist_hook.constprop.0+0xed/0x1a0 + kmem_cache_free+0xfd/0x300 + mempool_free_slab+0x1f/0x30 + mempool_free+0x3a/0x100 + bio_free+0x59/0x80 + bio_put+0xcf/0x2c0 + free_r10bio+0xbf/0xf0 + raid_end_bio_io+0x78/0xb0 + one_write_done+0x8a/0xa0 + raid10_end_write_request+0x1b4/0x430 + bio_endio+0x175/0x320 + brd_submit_bio+0x3b9/0x9b7 [brd] + __submit_bio+0x69/0xe0 + submit_bio_noacct_nocheck+0x1e6/0x5a0 + submit_bio_noacct+0x38c/0x7e0 + flush_pending_writes+0xf0/0x240 + raid10d+0xac/0x1ed0 + +Fix the problem by adding cond_resched() to raid10 like what raid1 did. + +Note that unlimited plugged bio still need to be optimized, for example, +in the case of lots of dirty pages writeback, this will take lots of +memory and io will spend a long time in plug, hence io latency is bad. + +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230529131106.2123367-2-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 9d23963496194..ee75b058438f3 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -920,6 +920,7 @@ static void flush_pending_writes(struct r10conf *conf) + + raid1_submit_write(bio); + bio = next; ++ cond_resched(); + } + blk_finish_plug(&plug); + } else +@@ -1132,6 +1133,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule) + + raid1_submit_write(bio); + bio = next; ++ cond_resched(); + } + kfree(plug); + } +-- +2.39.2 + diff --git a/queue-6.4/mips-dec-prom-address-warray-bounds-warning.patch b/queue-6.4/mips-dec-prom-address-warray-bounds-warning.patch new file mode 100644 index 00000000000..c2f17fc583d --- /dev/null +++ b/queue-6.4/mips-dec-prom-address-warray-bounds-warning.patch @@ -0,0 +1,56 @@ +From c903bed38cada61c448c48520cd02ec55c71c4bb Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 22 Jun 2023 17:43:57 -0600 +Subject: [PATCH AUTOSEL 5.4 10/12] MIPS: dec: prom: Address -Warray-bounds + warning +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 7b191b9b55df2a844bd32d1d380f47a7df1c2896 ] + +Zero-length arrays are deprecated, and we are replacing them with flexible +array members instead. So, replace zero-length array with flexible-array +member in struct memmap. + +Address the following warning found after building (with GCC-13) mips64 +with decstation_64_defconfig: +In function 'rex_setup_memory_region', + inlined from 'prom_meminit' at arch/mips/dec/prom/memory.c:91:3: +arch/mips/dec/prom/memory.c:72:31: error: array subscript i is outside array bounds of 'unsigned char[0]' [-Werror=array-bounds=] + 72 | if (bm->bitmap[i] == 0xff) + | ~~~~~~~~~~^~~ +In file included from arch/mips/dec/prom/memory.c:16: +./arch/mips/include/asm/dec/prom.h: In function 'prom_meminit': +./arch/mips/include/asm/dec/prom.h:73:23: note: while referencing 'bitmap' + 73 | unsigned char bitmap[0]; + +This helps with the ongoing efforts to globally enable -Warray-bounds. + +This results in no differences in binary output. + +Link: https://github.com/KSPP/linux/issues/79 +Link: https://github.com/KSPP/linux/issues/323 +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/dec/prom.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/include/asm/dec/prom.h b/arch/mips/include/asm/dec/prom.h +index 1e1247add1cf8..908e96e3a3117 100644 +--- a/arch/mips/include/asm/dec/prom.h ++++ b/arch/mips/include/asm/dec/prom.h +@@ -70,7 +70,7 @@ static inline bool prom_is_rex(u32 magic) + */ + typedef struct { + int pagesize; +- unsigned char bitmap[0]; ++ unsigned char bitmap[]; + } memmap; + + +-- +2.39.2 + diff --git a/queue-6.4/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch b/queue-6.4/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch new file mode 100644 index 00000000000..258fa77bfad --- /dev/null +++ b/queue-6.4/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch @@ -0,0 +1,94 @@ +From a7360bc2cf287cca1717eceba861bb3b9886c55e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 17:46:22 -0700 +Subject: net: dsa: microchip: correct KSZ8795 static MAC table access + +From: Tristram Ha + +[ Upstream commit 4bdf79d686b49ac49373b36466acfb93972c7d7c ] + +The KSZ8795 driver code was modified to use on KSZ8863/73, which has +different register definitions. Some of the new KSZ8795 register +information are wrong compared to previous code. + +KSZ8795 also behaves differently in that the STATIC_MAC_TABLE_USE_FID +and STATIC_MAC_TABLE_FID bits are off by 1 when doing MAC table reading +than writing. To compensate that a special code was added to shift the +register value by 1 before applying those bits. This is wrong when the +code is running on KSZ8863, so this special code is only executed when +KSZ8795 is detected. + +Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips") +Signed-off-by: Tristram Ha +Reviewed-by: Horatiu Vultur +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8795.c | 8 +++++++- + drivers/net/dsa/microchip/ksz_common.c | 8 ++++---- + drivers/net/dsa/microchip/ksz_common.h | 7 +++++++ + 3 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c +index f56fca1b1a222..cc5b19a3d0df2 100644 +--- a/drivers/net/dsa/microchip/ksz8795.c ++++ b/drivers/net/dsa/microchip/ksz8795.c +@@ -506,7 +506,13 @@ static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, + (data_hi & masks[STATIC_MAC_TABLE_FWD_PORTS]) >> + shifts[STATIC_MAC_FWD_PORTS]; + alu->is_override = (data_hi & masks[STATIC_MAC_TABLE_OVERRIDE]) ? 1 : 0; +- data_hi >>= 1; ++ ++ /* KSZ8795 family switches have STATIC_MAC_TABLE_USE_FID and ++ * STATIC_MAC_TABLE_FID definitions off by 1 when doing read on the ++ * static MAC table compared to doing write. ++ */ ++ if (ksz_is_ksz87xx(dev)) ++ data_hi >>= 1; + alu->is_static = true; + alu->is_use_fid = (data_hi & masks[STATIC_MAC_TABLE_USE_FID]) ? 1 : 0; + alu->fid = (data_hi & masks[STATIC_MAC_TABLE_FID]) >> +diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c +index a4428be5f483c..a0ba2605bb620 100644 +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -331,13 +331,13 @@ static const u32 ksz8795_masks[] = { + [STATIC_MAC_TABLE_VALID] = BIT(21), + [STATIC_MAC_TABLE_USE_FID] = BIT(23), + [STATIC_MAC_TABLE_FID] = GENMASK(30, 24), +- [STATIC_MAC_TABLE_OVERRIDE] = BIT(26), +- [STATIC_MAC_TABLE_FWD_PORTS] = GENMASK(24, 20), ++ [STATIC_MAC_TABLE_OVERRIDE] = BIT(22), ++ [STATIC_MAC_TABLE_FWD_PORTS] = GENMASK(20, 16), + [DYNAMIC_MAC_TABLE_ENTRIES_H] = GENMASK(6, 0), +- [DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(8), ++ [DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(7), + [DYNAMIC_MAC_TABLE_NOT_READY] = BIT(7), + [DYNAMIC_MAC_TABLE_ENTRIES] = GENMASK(31, 29), +- [DYNAMIC_MAC_TABLE_FID] = GENMASK(26, 20), ++ [DYNAMIC_MAC_TABLE_FID] = GENMASK(22, 16), + [DYNAMIC_MAC_TABLE_SRC_PORT] = GENMASK(26, 24), + [DYNAMIC_MAC_TABLE_TIMESTAMP] = GENMASK(28, 27), + [P_MII_TX_FLOW_CTRL] = BIT(5), +diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h +index 8abecaf6089ef..33d9a2f6af27a 100644 +--- a/drivers/net/dsa/microchip/ksz_common.h ++++ b/drivers/net/dsa/microchip/ksz_common.h +@@ -569,6 +569,13 @@ static inline void ksz_regmap_unlock(void *__mtx) + mutex_unlock(mtx); + } + ++static inline bool ksz_is_ksz87xx(struct ksz_device *dev) ++{ ++ return dev->chip_id == KSZ8795_CHIP_ID || ++ dev->chip_id == KSZ8794_CHIP_ID || ++ dev->chip_id == KSZ8765_CHIP_ID; ++} ++ + static inline bool ksz_is_ksz88x3(struct ksz_device *dev) + { + return dev->chip_id == KSZ8830_CHIP_ID; +-- +2.39.2 + diff --git a/queue-6.4/net-ethernet-litex-add-support-for-64-bit-stats.patch b/queue-6.4/net-ethernet-litex-add-support-for-64-bit-stats.patch new file mode 100644 index 00000000000..3a167dfd58f --- /dev/null +++ b/queue-6.4/net-ethernet-litex-add-support-for-64-bit-stats.patch @@ -0,0 +1,82 @@ +From 34e9af935105e7093a075c88cfc44a3f7868b627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 00:20:35 +0800 +Subject: net: ethernet: litex: add support for 64 bit stats + +From: Jisheng Zhang + +[ Upstream commit 18da174d865a87d47d2f33f5b0a322efcf067728 ] + +Implement 64 bit per cpu stats to fix the overflow of netdev->stats +on 32 bit platforms. To simplify the code, we use net core +pcpu_sw_netstats infrastructure. One small drawback is some memory +overhead because litex uses just one queue, but we allocate the +counters per cpu. + +Signed-off-by: Jisheng Zhang +Reviewed-by: Simon Horman +Acked-by: Gabriel Somlo +Link: https://lore.kernel.org/r/20230614162035.300-1-jszhang@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/litex/litex_liteeth.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/litex/litex_liteeth.c b/drivers/net/ethernet/litex/litex_liteeth.c +index 35f24e0f09349..ffa96059079c6 100644 +--- a/drivers/net/ethernet/litex/litex_liteeth.c ++++ b/drivers/net/ethernet/litex/litex_liteeth.c +@@ -78,8 +78,7 @@ static int liteeth_rx(struct net_device *netdev) + memcpy_fromio(data, priv->rx_base + rx_slot * priv->slot_size, len); + skb->protocol = eth_type_trans(skb, netdev); + +- netdev->stats.rx_packets++; +- netdev->stats.rx_bytes += len; ++ dev_sw_netstats_rx_add(netdev, len); + + return netif_rx(skb); + +@@ -185,8 +184,7 @@ static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, + litex_write16(priv->base + LITEETH_READER_LENGTH, skb->len); + litex_write8(priv->base + LITEETH_READER_START, 1); + +- netdev->stats.tx_bytes += skb->len; +- netdev->stats.tx_packets++; ++ dev_sw_netstats_tx_add(netdev, 1, skb->len); + + priv->tx_slot = (priv->tx_slot + 1) % priv->num_tx_slots; + dev_kfree_skb_any(skb); +@@ -194,9 +192,17 @@ static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, + return NETDEV_TX_OK; + } + ++static void ++liteeth_get_stats64(struct net_device *netdev, struct rtnl_link_stats64 *stats) ++{ ++ netdev_stats_to_stats64(stats, &netdev->stats); ++ dev_fetch_sw_netstats(stats, netdev->tstats); ++} ++ + static const struct net_device_ops liteeth_netdev_ops = { + .ndo_open = liteeth_open, + .ndo_stop = liteeth_stop, ++ .ndo_get_stats64 = liteeth_get_stats64, + .ndo_start_xmit = liteeth_start_xmit, + }; + +@@ -242,6 +248,11 @@ static int liteeth_probe(struct platform_device *pdev) + priv->netdev = netdev; + priv->dev = &pdev->dev; + ++ netdev->tstats = devm_netdev_alloc_pcpu_stats(&pdev->dev, ++ struct pcpu_sw_netstats); ++ if (!netdev->tstats) ++ return -ENOMEM; ++ + irq = platform_get_irq(pdev, 0); + if (irq < 0) + return irq; +-- +2.39.2 + diff --git a/queue-6.4/net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch b/queue-6.4/net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch new file mode 100644 index 00000000000..653b4cbb470 --- /dev/null +++ b/queue-6.4/net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch @@ -0,0 +1,40 @@ +From 4cb705f4015d47ec6907fcb6d63ca051b0729491 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 01:39:36 +0100 +Subject: net: ethernet: mtk_eth_soc: always mtk_get_ib1_pkt_type + +From: Daniel Golle + +[ Upstream commit 9f9d4c1a2e82174a4e799ec405284a2b0de32b6a ] + +entries and bind debugfs files would display wrong data on NETSYS_V2 and +later because instead of using mtk_get_ib1_pkt_type the driver would use +MTK_FOE_IB1_PACKET_TYPE which corresponds to NETSYS_V1(.x) SoCs. +Use mtk_get_ib1_pkt_type so entries and bind records display correctly. + +Fixes: 03a3180e5c09e ("net: ethernet: mtk_eth_soc: introduce flow offloading support for mt7986") +Signed-off-by: Daniel Golle +Acked-by: Lorenzo Bianconi +Link: https://lore.kernel.org/r/c0ae03d0182f4d27b874cbdf0059bc972c317f3c.1689727134.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c b/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c +index 316fe2e70fead..1a97feca77f23 100644 +--- a/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c ++++ b/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c +@@ -98,7 +98,7 @@ mtk_ppe_debugfs_foe_show(struct seq_file *m, void *private, bool bind) + + acct = mtk_foe_entry_get_mib(ppe, i, NULL); + +- type = FIELD_GET(MTK_FOE_IB1_PACKET_TYPE, entry->ib1); ++ type = mtk_get_ib1_pkt_type(ppe->eth, entry->ib1); + seq_printf(m, "%05x %s %7s", i, + mtk_foe_entry_state_str(state), + mtk_foe_pkt_type_str(type)); +-- +2.39.2 + diff --git a/queue-6.4/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch b/queue-6.4/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch new file mode 100644 index 00000000000..07bff9f3a74 --- /dev/null +++ b/queue-6.4/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch @@ -0,0 +1,86 @@ +From 8c1eaba2f6d01540a7166c686b9673e70df454c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 03:42:29 +0100 +Subject: net: ethernet: mtk_eth_soc: handle probe deferral + +From: Daniel Golle + +[ Upstream commit 1d6d537dc55d1f42d16290f00157ac387985b95b ] + +Move the call to of_get_ethdev_address to mtk_add_mac which is part of +the probe function and can hence itself return -EPROBE_DEFER should +of_get_ethdev_address return -EPROBE_DEFER. This allows us to entirely +get rid of the mtk_init function. + +The problem of of_get_ethdev_address returning -EPROBE_DEFER surfaced +in situations in which the NVMEM provider holding the MAC address has +not yet be loaded at the time mtk_eth_soc is initially probed. In this +case probing of mtk_eth_soc should be deferred instead of falling back +to use a random MAC address, so once the NVMEM provider becomes +available probing can be repeated. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Signed-off-by: Daniel Golle +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 29 ++++++++------------- + 1 file changed, 11 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 834c644b67db5..2d15342c260ae 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -3846,23 +3846,6 @@ static int mtk_hw_deinit(struct mtk_eth *eth) + return 0; + } + +-static int __init mtk_init(struct net_device *dev) +-{ +- struct mtk_mac *mac = netdev_priv(dev); +- struct mtk_eth *eth = mac->hw; +- int ret; +- +- ret = of_get_ethdev_address(mac->of_node, dev); +- if (ret) { +- /* If the mac address is invalid, use random mac address */ +- eth_hw_addr_random(dev); +- dev_err(eth->dev, "generated random MAC address %pM\n", +- dev->dev_addr); +- } +- +- return 0; +-} +- + static void mtk_uninit(struct net_device *dev) + { + struct mtk_mac *mac = netdev_priv(dev); +@@ -4278,7 +4261,6 @@ static const struct ethtool_ops mtk_ethtool_ops = { + }; + + static const struct net_device_ops mtk_netdev_ops = { +- .ndo_init = mtk_init, + .ndo_uninit = mtk_uninit, + .ndo_open = mtk_open, + .ndo_stop = mtk_stop, +@@ -4340,6 +4322,17 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np) + mac->hw = eth; + mac->of_node = np; + ++ err = of_get_ethdev_address(mac->of_node, eth->netdev[id]); ++ if (err == -EPROBE_DEFER) ++ return err; ++ ++ if (err) { ++ /* If the mac address is invalid, use random mac address */ ++ eth_hw_addr_random(eth->netdev[id]); ++ dev_err(eth->dev, "generated random MAC address %pM\n", ++ eth->netdev[id]->dev_addr); ++ } ++ + memset(mac->hwlro_ip, 0, sizeof(mac->hwlro_ip)); + mac->hwlro_ip_cnt = 0; + +-- +2.39.2 + diff --git a/queue-6.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/queue-6.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch new file mode 100644 index 00000000000..aa4f166c2e0 --- /dev/null +++ b/queue-6.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch @@ -0,0 +1,78 @@ +From 0734d7075e1b22684e639d53914c1b54e355f26f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 16:36:57 +0530 +Subject: net: ethernet: ti: cpsw_ale: Fix + cpsw_ale_get_field()/cpsw_ale_set_field() + +From: Tanmay Patil + +[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] + +CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. +The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the +field will be strictly contained within one word. However, this is not +guaranteed to be the case and it is possible for ALE field entries to span +across up to two words at the most. + +Fix the methods to handle getting/setting fields spanning up to two words. + +Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") +Signed-off-by: Tanmay Patil +[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] +Signed-off-by: Siddharth Vadapalli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index 0c5e783e574c4..64bf22cd860c9 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -106,23 +106,37 @@ struct cpsw_ale_dev_id { + + static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + { +- int idx; ++ int idx, idx2; ++ u32 hi_val = 0; + + idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be fetched exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); ++ } + start -= idx * 32; + idx = 2 - idx; /* flip */ +- return (ale_entry[idx] >> start) & BITMASK(bits); ++ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); + } + + static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, u32 bits, + u32 value) + { +- int idx; ++ int idx, idx2; + + value &= BITMASK(bits); +- idx = start / 32; ++ idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be set exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); ++ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); ++ } + start -= idx * 32; +- idx = 2 - idx; /* flip */ ++ idx = 2 - idx; /* flip */ + ale_entry[idx] &= ~(BITMASK(bits) << start); + ale_entry[idx] |= (value << start); + } +-- +2.39.2 + diff --git a/queue-6.4/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch b/queue-6.4/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch new file mode 100644 index 00000000000..2fc2df03878 --- /dev/null +++ b/queue-6.4/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch @@ -0,0 +1,140 @@ +From dc77ee4a0a97049edbad6c3f13a92c2edc7a6c5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 20:33:08 +0800 +Subject: net: hns3: fix strncpy() not using dest-buf length as length issue + +From: Hao Chen + +[ Upstream commit 1cf3d5567f273a8746d1bade00633a93204f80f0 ] + +Now, strncpy() in hns3_dbg_fill_content() use src-length as copy-length, +it may result in dest-buf overflow. + +This patch is to fix intel compile warning for csky-linux-gcc (GCC) 12.1.0 +compiler. + +The warning reports as below: + +hclge_debugfs.c:92:25: warning: 'strncpy' specified bound depends on +the length of the source argument [-Wstringop-truncation] + +strncpy(pos, items[i].name, strlen(items[i].name)); + +hclge_debugfs.c:90:25: warning: 'strncpy' output truncated before +terminating nul copying as many bytes from a string as its length +[-Wstringop-truncation] + +strncpy(pos, result[i], strlen(result[i])); + +strncpy() use src-length as copy-length, it may result in +dest-buf overflow. + +So,this patch add some values check to avoid this issue. + +Signed-off-by: Hao Chen +Reported-by: kernel test robot +Closes: https://lore.kernel.org/lkml/202207170606.7WtHs9yS-lkp@intel.com/T/ +Signed-off-by: Hao Lan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3_debugfs.c | 31 ++++++++++++++----- + .../hisilicon/hns3/hns3pf/hclge_debugfs.c | 29 ++++++++++++++--- + 2 files changed, 48 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index d385ffc218766..32bb14303473b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -438,19 +438,36 @@ static void hns3_dbg_fill_content(char *content, u16 len, + const struct hns3_dbg_item *items, + const char **result, u16 size) + { ++#define HNS3_DBG_LINE_END_LEN 2 + char *pos = content; ++ u16 item_len; + u16 i; + ++ if (!len) { ++ return; ++ } else if (len <= HNS3_DBG_LINE_END_LEN) { ++ *pos++ = '\0'; ++ return; ++ } ++ + memset(content, ' ', len); +- for (i = 0; i < size; i++) { +- if (result) +- strncpy(pos, result[i], strlen(result[i])); +- else +- strncpy(pos, items[i].name, strlen(items[i].name)); ++ len -= HNS3_DBG_LINE_END_LEN; + +- pos += strlen(items[i].name) + items[i].interval; ++ for (i = 0; i < size; i++) { ++ item_len = strlen(items[i].name) + items[i].interval; ++ if (len < item_len) ++ break; ++ ++ if (result) { ++ if (item_len < strlen(result[i])) ++ break; ++ strscpy(pos, result[i], strlen(result[i])); ++ } else { ++ strscpy(pos, items[i].name, strlen(items[i].name)); ++ } ++ pos += item_len; ++ len -= item_len; + } +- + *pos++ = '\n'; + *pos++ = '\0'; + } +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c +index a0b46e7d863eb..233c132dc513e 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c +@@ -88,16 +88,35 @@ static void hclge_dbg_fill_content(char *content, u16 len, + const struct hclge_dbg_item *items, + const char **result, u16 size) + { ++#define HCLGE_DBG_LINE_END_LEN 2 + char *pos = content; ++ u16 item_len; + u16 i; + ++ if (!len) { ++ return; ++ } else if (len <= HCLGE_DBG_LINE_END_LEN) { ++ *pos++ = '\0'; ++ return; ++ } ++ + memset(content, ' ', len); ++ len -= HCLGE_DBG_LINE_END_LEN; ++ + for (i = 0; i < size; i++) { +- if (result) +- strncpy(pos, result[i], strlen(result[i])); +- else +- strncpy(pos, items[i].name, strlen(items[i].name)); +- pos += strlen(items[i].name) + items[i].interval; ++ item_len = strlen(items[i].name) + items[i].interval; ++ if (len < item_len) ++ break; ++ ++ if (result) { ++ if (item_len < strlen(result[i])) ++ break; ++ strscpy(pos, result[i], strlen(result[i])); ++ } else { ++ strscpy(pos, items[i].name, strlen(items[i].name)); ++ } ++ pos += item_len; ++ len -= item_len; + } + *pos++ = '\n'; + *pos++ = '\0'; +-- +2.39.2 + diff --git a/queue-6.4/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch b/queue-6.4/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch new file mode 100644 index 00000000000..9e2e5f71328 --- /dev/null +++ b/queue-6.4/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch @@ -0,0 +1,134 @@ +From eb3d2ceb4d7e11c861c8385f94a0f307e72a546d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 18:14:52 +0200 +Subject: net: ipv4: use consistent txhash in TIME_WAIT and SYN_RECV + +From: Antoine Tenart + +[ Upstream commit c0a8966e2bc7d31f77a7246947ebc09c1ff06066 ] + +When using IPv4/TCP, skb->hash comes from sk->sk_txhash except in +TIME_WAIT and SYN_RECV where it's not set in the reply skb from +ip_send_unicast_reply. Those packets will have a mismatched hash with +others from the same flow as their hashes will be 0. IPv6 does not have +the same issue as the hash is set from the socket txhash in those cases. + +This commits sets the hash in the reply skb from ip_send_unicast_reply, +which makes the IPv4 code behaving like IPv6. + +Signed-off-by: Antoine Tenart +Reviewed-by: Eric Dumazet +Signed-off-by: Paolo Abeni +Stable-dep-of: 5e5265522a9a ("tcp: annotate data-races around tcp_rsk(req)->txhash") +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 2 +- + net/ipv4/ip_output.c | 4 +++- + net/ipv4/tcp_ipv4.c | 14 +++++++++----- + 3 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index acec504c469a0..83a1a9bc3ceb1 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -282,7 +282,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + const struct ip_options *sopt, + __be32 daddr, __be32 saddr, + const struct ip_reply_arg *arg, +- unsigned int len, u64 transmit_time); ++ unsigned int len, u64 transmit_time, u32 txhash); + + #define IP_INC_STATS(net, field) SNMP_INC_STATS64((net)->mib.ip_statistics, field) + #define __IP_INC_STATS(net, field) __SNMP_INC_STATS64((net)->mib.ip_statistics, field) +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 61892268e8a6c..a1bead441026e 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1692,7 +1692,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + const struct ip_options *sopt, + __be32 daddr, __be32 saddr, + const struct ip_reply_arg *arg, +- unsigned int len, u64 transmit_time) ++ unsigned int len, u64 transmit_time, u32 txhash) + { + struct ip_options_data replyopts; + struct ipcm_cookie ipc; +@@ -1755,6 +1755,8 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + arg->csum)); + nskb->ip_summed = CHECKSUM_NONE; + nskb->mono_delivery_time = !!transmit_time; ++ if (txhash) ++ skb_set_hash(nskb, txhash, PKT_HASH_TYPE_L4); + ip_push_pending_frames(sk, &fl4); + } + out: +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 434e5f0c8b99d..a64069077e388 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -692,6 +692,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + u64 transmit_time = 0; + struct sock *ctl_sk; + struct net *net; ++ u32 txhash = 0; + + /* Never send a reset in response to a reset. */ + if (th->rst) +@@ -829,6 +830,8 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + inet_twsk(sk)->tw_priority : sk->sk_priority; + transmit_time = tcp_transmit_time(sk); + xfrm_sk_clone_policy(ctl_sk, sk); ++ txhash = (sk->sk_state == TCP_TIME_WAIT) ? ++ inet_twsk(sk)->tw_txhash : sk->sk_txhash; + } else { + ctl_sk->sk_mark = 0; + ctl_sk->sk_priority = 0; +@@ -837,7 +840,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + skb, &TCP_SKB_CB(skb)->header.h4.opt, + ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, + &arg, arg.iov[0].iov_len, +- transmit_time); ++ transmit_time, txhash); + + xfrm_sk_free_policy(ctl_sk); + sock_net_set(ctl_sk, &init_net); +@@ -859,7 +862,7 @@ static void tcp_v4_send_ack(const struct sock *sk, + struct sk_buff *skb, u32 seq, u32 ack, + u32 win, u32 tsval, u32 tsecr, int oif, + struct tcp_md5sig_key *key, +- int reply_flags, u8 tos) ++ int reply_flags, u8 tos, u32 txhash) + { + const struct tcphdr *th = tcp_hdr(skb); + struct { +@@ -935,7 +938,7 @@ static void tcp_v4_send_ack(const struct sock *sk, + skb, &TCP_SKB_CB(skb)->header.h4.opt, + ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, + &arg, arg.iov[0].iov_len, +- transmit_time); ++ transmit_time, txhash); + + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); +@@ -955,7 +958,8 @@ static void tcp_v4_timewait_ack(struct sock *sk, struct sk_buff *skb) + tw->tw_bound_dev_if, + tcp_twsk_md5_key(tcptw), + tw->tw_transparent ? IP_REPLY_ARG_NOSRCCHECK : 0, +- tw->tw_tos ++ tw->tw_tos, ++ tw->tw_txhash + ); + + inet_twsk_put(tw); +@@ -988,7 +992,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + 0, + tcp_md5_do_lookup(sk, l3index, addr, AF_INET), + inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, +- ip_hdr(skb)->tos); ++ ip_hdr(skb)->tos, tcp_rsk(req)->txhash); + } + + /* +-- +2.39.2 + diff --git a/queue-6.4/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch b/queue-6.4/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch new file mode 100644 index 00000000000..1168758b98d --- /dev/null +++ b/queue-6.4/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch @@ -0,0 +1,38 @@ +From 8f4e7983251e6782f216def6e2b47a48976a5841 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 17:59:19 +0800 +Subject: net: ipv4: Use kfree_sensitive instead of kfree + +From: Wang Ming + +[ Upstream commit daa751444fd9d4184270b1479d8af49aaf1a1ee6 ] + +key might contain private part of the key, so better use +kfree_sensitive to free it. + +Fixes: 38320c70d282 ("[IPSEC]: Use crypto_aead and authenc in ESP") +Signed-off-by: Wang Ming +Reviewed-by: Tariq Toukan +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index ba06ed42e4284..2be2d49225573 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -1132,7 +1132,7 @@ static int esp_init_authenc(struct xfrm_state *x, + err = crypto_aead_setkey(aead, key, keylen); + + free_key: +- kfree(key); ++ kfree_sensitive(key); + + error: + return err; +-- +2.39.2 + diff --git a/queue-6.4/net-ipv6-check-return-value-of-pskb_trim.patch b/queue-6.4/net-ipv6-check-return-value-of-pskb_trim.patch new file mode 100644 index 00000000000..37d6b8e74ad --- /dev/null +++ b/queue-6.4/net-ipv6-check-return-value-of-pskb_trim.patch @@ -0,0 +1,39 @@ +From d0da4855c330577e5a7f752994ed3ff21108a28c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 22:45:19 +0800 +Subject: net:ipv6: check return value of pskb_trim() + +From: Yuanjun Gong + +[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ] + +goto tx_err if an unexpected result is returned by pskb_tirm() +in ip6erspan_tunnel_xmit(). + +Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") +Signed-off-by: Yuanjun Gong +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index da80974ad23ae..070d87abf7c02 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -955,7 +955,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + goto tx_err; + + if (skb->len > dev->mtu + dev->hard_header_len) { +- pskb_trim(skb, dev->mtu + dev->hard_header_len); ++ if (pskb_trim(skb, dev->mtu + dev->hard_header_len)) ++ goto tx_err; + truncate = true; + } + +-- +2.39.2 + diff --git a/queue-6.4/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch b/queue-6.4/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch new file mode 100644 index 00000000000..e4403bc3168 --- /dev/null +++ b/queue-6.4/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch @@ -0,0 +1,74 @@ +From e235c3ee00174e1880d74b700a763a90fde32659 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 03:02:31 +0300 +Subject: net: phy: prevent stale pointer dereference in phy_init() + +From: Vladimir Oltean + +[ Upstream commit 1c613beaf877c0c0d755853dc62687e2013e55c4 ] + +mdio_bus_init() and phy_driver_register() both have error paths, and if +those are ever hit, ethtool will have a stale pointer to the +phy_ethtool_phy_ops stub structure, which references memory from a +module that failed to load (phylib). + +It is probably hard to force an error in this code path even manually, +but the error teardown path of phy_init() should be the same as +phy_exit(), which is now simply not the case. + +Fixes: 55d8f053ce1b ("net: phy: Register ethtool PHY operations") +Link: https://lore.kernel.org/netdev/ZLaiJ4G6TaJYGJyU@shell.armlinux.org.uk/ +Suggested-by: Russell King (Oracle) +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20230720000231.1939689-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 53598210be6cb..2c4e6de8f4d9f 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -3452,23 +3452,30 @@ static int __init phy_init(void) + { + int rc; + ++ ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); ++ + rc = mdio_bus_init(); + if (rc) +- return rc; ++ goto err_ethtool_phy_ops; + +- ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); + features_init(); + + rc = phy_driver_register(&genphy_c45_driver, THIS_MODULE); + if (rc) +- goto err_c45; ++ goto err_mdio_bus; + + rc = phy_driver_register(&genphy_driver, THIS_MODULE); +- if (rc) { +- phy_driver_unregister(&genphy_c45_driver); ++ if (rc) ++ goto err_c45; ++ ++ return 0; ++ + err_c45: +- mdio_bus_exit(); +- } ++ phy_driver_unregister(&genphy_c45_driver); ++err_mdio_bus: ++ mdio_bus_exit(); ++err_ethtool_phy_ops: ++ ethtool_set_ethtool_phy_ops(NULL); + + return rc; + } +-- +2.39.2 + diff --git a/queue-6.4/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch b/queue-6.4/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch new file mode 100644 index 00000000000..65bbd8b5b76 --- /dev/null +++ b/queue-6.4/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch @@ -0,0 +1,165 @@ +From 3f90b408fd41b67b0faf99913c06f69d68098ac1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 15:05:13 -0300 +Subject: net: sched: cls_bpf: Undo tcf_bind_filter in case of an error + +From: Victor Nogueira + +[ Upstream commit 26a22194927e8521e304ed75c2f38d8068d55fc7 ] + +If cls_bpf_offload errors out, we must also undo tcf_bind_filter that +was done before the error. + +Fix that by calling tcf_unbind_filter in errout_parms. + +Fixes: eadb41489fd2 ("net: cls_bpf: add support for marking filters as hardware-only") +Signed-off-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_bpf.c | 99 +++++++++++++++++++++------------------------ + 1 file changed, 47 insertions(+), 52 deletions(-) + +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c +index 466c26df853a0..382c7a71f81f2 100644 +--- a/net/sched/cls_bpf.c ++++ b/net/sched/cls_bpf.c +@@ -406,56 +406,6 @@ static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog, + return 0; + } + +-static int cls_bpf_set_parms(struct net *net, struct tcf_proto *tp, +- struct cls_bpf_prog *prog, unsigned long base, +- struct nlattr **tb, struct nlattr *est, u32 flags, +- struct netlink_ext_ack *extack) +-{ +- bool is_bpf, is_ebpf, have_exts = false; +- u32 gen_flags = 0; +- int ret; +- +- is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; +- is_ebpf = tb[TCA_BPF_FD]; +- if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) +- return -EINVAL; +- +- ret = tcf_exts_validate(net, tp, tb, est, &prog->exts, flags, +- extack); +- if (ret < 0) +- return ret; +- +- if (tb[TCA_BPF_FLAGS]) { +- u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); +- +- if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) +- return -EINVAL; +- +- have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; +- } +- if (tb[TCA_BPF_FLAGS_GEN]) { +- gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]); +- if (gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS || +- !tc_flags_valid(gen_flags)) +- return -EINVAL; +- } +- +- prog->exts_integrated = have_exts; +- prog->gen_flags = gen_flags; +- +- ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : +- cls_bpf_prog_from_efd(tb, prog, gen_flags, tp); +- if (ret < 0) +- return ret; +- +- if (tb[TCA_BPF_CLASSID]) { +- prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); +- tcf_bind_filter(tp, &prog->res, base); +- } +- +- return 0; +-} +- + static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + struct tcf_proto *tp, unsigned long base, + u32 handle, struct nlattr **tca, +@@ -463,9 +413,12 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + struct netlink_ext_ack *extack) + { + struct cls_bpf_head *head = rtnl_dereference(tp->root); ++ bool is_bpf, is_ebpf, have_exts = false; + struct cls_bpf_prog *oldprog = *arg; + struct nlattr *tb[TCA_BPF_MAX + 1]; ++ bool bound_to_filter = false; + struct cls_bpf_prog *prog; ++ u32 gen_flags = 0; + int ret; + + if (tca[TCA_OPTIONS] == NULL) +@@ -504,11 +457,51 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + goto errout; + prog->handle = handle; + +- ret = cls_bpf_set_parms(net, tp, prog, base, tb, tca[TCA_RATE], flags, +- extack); ++ is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; ++ is_ebpf = tb[TCA_BPF_FD]; ++ if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) { ++ ret = -EINVAL; ++ goto errout_idr; ++ } ++ ++ ret = tcf_exts_validate(net, tp, tb, tca[TCA_RATE], &prog->exts, ++ flags, extack); ++ if (ret < 0) ++ goto errout_idr; ++ ++ if (tb[TCA_BPF_FLAGS]) { ++ u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); ++ ++ if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) { ++ ret = -EINVAL; ++ goto errout_idr; ++ } ++ ++ have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; ++ } ++ if (tb[TCA_BPF_FLAGS_GEN]) { ++ gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]); ++ if (gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS || ++ !tc_flags_valid(gen_flags)) { ++ ret = -EINVAL; ++ goto errout_idr; ++ } ++ } ++ ++ prog->exts_integrated = have_exts; ++ prog->gen_flags = gen_flags; ++ ++ ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : ++ cls_bpf_prog_from_efd(tb, prog, gen_flags, tp); + if (ret < 0) + goto errout_idr; + ++ if (tb[TCA_BPF_CLASSID]) { ++ prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); ++ tcf_bind_filter(tp, &prog->res, base); ++ bound_to_filter = true; ++ } ++ + ret = cls_bpf_offload(tp, prog, oldprog, extack); + if (ret) + goto errout_parms; +@@ -530,6 +523,8 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + return 0; + + errout_parms: ++ if (bound_to_filter) ++ tcf_unbind_filter(tp, &prog->res); + cls_bpf_free_parms(prog); + errout_idr: + if (!oldprog) +-- +2.39.2 + diff --git a/queue-6.4/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch b/queue-6.4/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch new file mode 100644 index 00000000000..c1618ab1fc3 --- /dev/null +++ b/queue-6.4/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch @@ -0,0 +1,98 @@ +From 8bf4268767afc1aceffbef4ebe37fb672dc70de2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 15:05:10 -0300 +Subject: net: sched: cls_matchall: Undo tcf_bind_filter in case of failure + after mall_set_parms + +From: Victor Nogueira + +[ Upstream commit b3d0e0489430735e2e7626aa37e6462cdd136e9d ] + +In case an error occurred after mall_set_parms executed successfully, we +must undo the tcf_bind_filter call it issues. + +Fix that by calling tcf_unbind_filter in err_replace_hw_filter label. + +Fixes: ec2507d2a306 ("net/sched: cls_matchall: Fix error path") +Signed-off-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_matchall.c | 35 ++++++++++++----------------------- + 1 file changed, 12 insertions(+), 23 deletions(-) + +diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c +index fa3bbd187eb97..c4ed11df62548 100644 +--- a/net/sched/cls_matchall.c ++++ b/net/sched/cls_matchall.c +@@ -159,26 +159,6 @@ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = { + [TCA_MATCHALL_FLAGS] = { .type = NLA_U32 }, + }; + +-static int mall_set_parms(struct net *net, struct tcf_proto *tp, +- struct cls_mall_head *head, +- unsigned long base, struct nlattr **tb, +- struct nlattr *est, u32 flags, u32 fl_flags, +- struct netlink_ext_ack *extack) +-{ +- int err; +- +- err = tcf_exts_validate_ex(net, tp, tb, est, &head->exts, flags, +- fl_flags, extack); +- if (err < 0) +- return err; +- +- if (tb[TCA_MATCHALL_CLASSID]) { +- head->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); +- tcf_bind_filter(tp, &head->res, base); +- } +- return 0; +-} +- + static int mall_change(struct net *net, struct sk_buff *in_skb, + struct tcf_proto *tp, unsigned long base, + u32 handle, struct nlattr **tca, +@@ -187,6 +167,7 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, + { + struct cls_mall_head *head = rtnl_dereference(tp->root); + struct nlattr *tb[TCA_MATCHALL_MAX + 1]; ++ bool bound_to_filter = false; + struct cls_mall_head *new; + u32 userflags = 0; + int err; +@@ -226,11 +207,17 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, + goto err_alloc_percpu; + } + +- err = mall_set_parms(net, tp, new, base, tb, tca[TCA_RATE], +- flags, new->flags, extack); +- if (err) ++ err = tcf_exts_validate_ex(net, tp, tb, tca[TCA_RATE], ++ &new->exts, flags, new->flags, extack); ++ if (err < 0) + goto err_set_parms; + ++ if (tb[TCA_MATCHALL_CLASSID]) { ++ new->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); ++ tcf_bind_filter(tp, &new->res, base); ++ bound_to_filter = true; ++ } ++ + if (!tc_skip_hw(new->flags)) { + err = mall_replace_hw_filter(tp, new, (unsigned long)new, + extack); +@@ -246,6 +233,8 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, + return 0; + + err_replace_hw_filter: ++ if (bound_to_filter) ++ tcf_unbind_filter(tp, &new->res); + err_set_parms: + free_percpu(new->pf); + err_alloc_percpu: +-- +2.39.2 + diff --git a/queue-6.4/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch b/queue-6.4/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch new file mode 100644 index 00000000000..9d39b03d79a --- /dev/null +++ b/queue-6.4/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch @@ -0,0 +1,49 @@ +From 30ac61ca94fe6221447d2e6ad43c9620bc035240 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 15:05:12 -0300 +Subject: net: sched: cls_u32: Undo refcount decrement in case update failed + +From: Victor Nogueira + +[ Upstream commit e8d3d78c19be0264a5692bed477c303523aead31 ] + +In the case of an update, when TCA_U32_LINK is set, u32_set_parms will +decrement the refcount of the ht_down (struct tc_u_hnode) pointer +present in the older u32 filter which we are replacing. However, if +u32_replace_hw_knode errors out, the update command fails and that +ht_down pointer continues decremented. To fix that, when +u32_replace_hw_knode fails, check if ht_down's refcount was decremented +and undo the decrement. + +Fixes: d34e3e181395 ("net: cls_u32: Add support for skip-sw flag to tc u32 classifier.") +Signed-off-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index ed358466d042a..5abf31e432caf 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -928,6 +928,13 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + if (err) { + u32_unbind_filter(tp, new, tb); + ++ if (tb[TCA_U32_LINK]) { ++ struct tc_u_hnode *ht_old; ++ ++ ht_old = rtnl_dereference(n->ht_down); ++ if (ht_old) ++ ht_old->refcnt++; ++ } + __u32_destroy_key(new); + return err; + } +-- +2.39.2 + diff --git a/queue-6.4/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch b/queue-6.4/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch new file mode 100644 index 00000000000..6454b027c7b --- /dev/null +++ b/queue-6.4/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch @@ -0,0 +1,122 @@ +From 30d5f447b9e2287545f1e04059c3a1b974153809 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 15:05:11 -0300 +Subject: net: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode + +From: Victor Nogueira + +[ Upstream commit 9cb36faedeafb9720ac236aeae2ea57091d90a09 ] + +When u32_replace_hw_knode fails, we need to undo the tcf_bind_filter +operation done at u32_set_parms. + +Fixes: d34e3e181395 ("net: cls_u32: Add support for skip-sw flag to tc u32 classifier.") +Signed-off-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 41 ++++++++++++++++++++++++++++++----------- + 1 file changed, 30 insertions(+), 11 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index d15d50de79802..ed358466d042a 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -712,8 +712,23 @@ static const struct nla_policy u32_policy[TCA_U32_MAX + 1] = { + [TCA_U32_FLAGS] = { .type = NLA_U32 }, + }; + ++static void u32_unbind_filter(struct tcf_proto *tp, struct tc_u_knode *n, ++ struct nlattr **tb) ++{ ++ if (tb[TCA_U32_CLASSID]) ++ tcf_unbind_filter(tp, &n->res); ++} ++ ++static void u32_bind_filter(struct tcf_proto *tp, struct tc_u_knode *n, ++ unsigned long base, struct nlattr **tb) ++{ ++ if (tb[TCA_U32_CLASSID]) { ++ n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]); ++ tcf_bind_filter(tp, &n->res, base); ++ } ++} ++ + static int u32_set_parms(struct net *net, struct tcf_proto *tp, +- unsigned long base, + struct tc_u_knode *n, struct nlattr **tb, + struct nlattr *est, u32 flags, u32 fl_flags, + struct netlink_ext_ack *extack) +@@ -760,10 +775,6 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, + if (ht_old) + ht_old->refcnt--; + } +- if (tb[TCA_U32_CLASSID]) { +- n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]); +- tcf_bind_filter(tp, &n->res, base); +- } + + if (ifindex >= 0) + n->ifindex = ifindex; +@@ -903,17 +914,20 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + if (!new) + return -ENOMEM; + +- err = u32_set_parms(net, tp, base, new, tb, +- tca[TCA_RATE], flags, new->flags, +- extack); ++ err = u32_set_parms(net, tp, new, tb, tca[TCA_RATE], ++ flags, new->flags, extack); + + if (err) { + __u32_destroy_key(new); + return err; + } + ++ u32_bind_filter(tp, new, base, tb); ++ + err = u32_replace_hw_knode(tp, new, flags, extack); + if (err) { ++ u32_unbind_filter(tp, new, tb); ++ + __u32_destroy_key(new); + return err; + } +@@ -1074,15 +1088,18 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + } + #endif + +- err = u32_set_parms(net, tp, base, n, tb, tca[TCA_RATE], ++ err = u32_set_parms(net, tp, n, tb, tca[TCA_RATE], + flags, n->flags, extack); ++ ++ u32_bind_filter(tp, n, base, tb); ++ + if (err == 0) { + struct tc_u_knode __rcu **ins; + struct tc_u_knode *pins; + + err = u32_replace_hw_knode(tp, n, flags, extack); + if (err) +- goto errhw; ++ goto errunbind; + + if (!tc_in_hw(n->flags)) + n->flags |= TCA_CLS_FLAGS_NOT_IN_HW; +@@ -1100,7 +1117,9 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + return 0; + } + +-errhw: ++errunbind: ++ u32_unbind_filter(tp, n, tb); ++ + #ifdef CONFIG_CLS_U32_MARK + free_percpu(n->pcpu_success); + #endif +-- +2.39.2 + diff --git a/queue-6.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/queue-6.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch new file mode 100644 index 00000000000..8c23502598b --- /dev/null +++ b/queue-6.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch @@ -0,0 +1,64 @@ +From 1c96f1664cded724709812e0e8e690891772de93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 01:30:33 +0200 +Subject: netfilter: nf_tables: can't schedule in nft_chain_validate + +From: Florian Westphal + +[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ] + +Can be called via nft set element list iteration, which may acquire +rcu and/or bh read lock (depends on set type). + +BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353 +in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft +preempt_count: 0, expected: 0 +RCU nest depth: 1, expected: 0 +2 locks held by nft/1232: + #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid + #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire +Call Trace: + nft_chain_validate + nft_lookup_validate_setelem + nft_pipapo_walk + nft_lookup_validate + nft_chain_validate + nft_immediate_validate + nft_chain_validate + nf_tables_validate + nf_tables_abort + +No choice but to move it to nf_tables_validate(). + +Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 51909bcc181fa..f3a4aa9054876 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3684,8 +3684,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) + if (err < 0) + return err; + } +- +- cond_resched(); + } + + return 0; +@@ -3709,6 +3707,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table) + err = nft_chain_validate(&ctx, chain); + if (err < 0) + return err; ++ ++ cond_resched(); + } + + return 0; +-- +2.39.2 + diff --git a/queue-6.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/queue-6.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch new file mode 100644 index 00000000000..eccda340124 --- /dev/null +++ b/queue-6.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch @@ -0,0 +1,49 @@ +From f4fcc8395bef8aae868c0a5b93122227e28d956c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 00:29:58 +0200 +Subject: netfilter: nf_tables: fix spurious set element insertion failure + +From: Florian Westphal + +[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ] + +On some platforms there is a padding hole in the nft_verdict +structure, between the verdict code and the chain pointer. + +On element insertion, if the new element clashes with an existing one and +NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as +the data associated with duplicated element is the same as the existing +one. The data equality check uses memcmp. + +For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT +padding area leads to spurious failure even if the verdict data is the +same. + +This then makes the insertion fail with 'already exists' error, even +though the new "key : data" matches an existing entry and userspace +told the kernel that it doesn't want to receive an error indication. + +Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 18546f9b2a63a..51909bcc181fa 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -10482,6 +10482,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + + if (!tb[NFTA_VERDICT_CODE]) + return -EINVAL; ++ ++ /* zero padding hole for memcmp */ ++ memset(data, 0, sizeof(*data)); + data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); + + switch (data->verdict.code) { +-- +2.39.2 + diff --git a/queue-6.4/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch b/queue-6.4/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch new file mode 100644 index 00000000000..7cbdf132e89 --- /dev/null +++ b/queue-6.4/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch @@ -0,0 +1,37 @@ +From 60ac4e0fadccbe1e209e8c149fc44bfce8466f67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 20:19:43 +0200 +Subject: netfilter: nf_tables: skip bound chain in netns release path + +From: Pablo Neira Ayuso + +[ Upstream commit 751d460ccff3137212f47d876221534bf0490996 ] + +Skip bound chain from netns release path, the rule that owns this chain +releases these objects. + +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index f3a4aa9054876..e3049c7db9041 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -10767,6 +10767,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table) + ctx.family = table->family; + ctx.table = table; + list_for_each_entry(chain, &table->chains, list) { ++ if (nft_chain_is_bound(chain)) ++ continue; ++ + ctx.chain = chain; + list_for_each_entry_safe(rule, nr, &chain->rules, list) { + list_del(&rule->list); +-- +2.39.2 + diff --git a/queue-6.4/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch b/queue-6.4/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch new file mode 100644 index 00000000000..f128b270530 --- /dev/null +++ b/queue-6.4/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch @@ -0,0 +1,43 @@ +From dcc7e01ee2a877f6891ba56d1c4572f13efba902 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 09:17:21 +0200 +Subject: netfilter: nf_tables: skip bound chain on rule flush + +From: Pablo Neira Ayuso + +[ Upstream commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 ] + +Skip bound chain when flushing table rules, the rule that owns this +chain releases these objects. + +Otherwise, the following warning is triggered: + + WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] + CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1 + RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] + +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Reported-by: Kevin Rich +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index e3049c7db9041..ccf0b3d80fd97 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4086,6 +4086,8 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, + list_for_each_entry(chain, &table->chains, list) { + if (!nft_is_active_next(net, chain)) + continue; ++ if (nft_chain_is_bound(chain)) ++ continue; + + ctx.chain = chain; + err = nft_delrule_by_chain(&ctx); +-- +2.39.2 + diff --git a/queue-6.4/netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/queue-6.4/netfilter-nft_set_pipapo-fix-improper-element-remova.patch new file mode 100644 index 00000000000..fc62486e1f3 --- /dev/null +++ b/queue-6.4/netfilter-nft_set_pipapo-fix-improper-element-remova.patch @@ -0,0 +1,63 @@ +From e9898b88b4dcdecf994451f8d9d7f65534108a87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:08:21 +0200 +Subject: netfilter: nft_set_pipapo: fix improper element removal + +From: Florian Westphal + +[ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ] + +end key should be equal to start unless NFT_SET_EXT_KEY_END is present. + +Its possible to add elements that only have a start key +("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. + +Insertion treats this via: + +if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) + end = (const u8 *)nft_set_ext_key_end(ext)->data; +else + end = start; + +but removal side always uses nft_set_ext_key_end(). +This is wrong and leads to garbage remaining in the set after removal +next lookup/insert attempt will give: + +BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 +Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 +Call Trace: + kasan_report+0x105/0x140 + pipapo_get+0x8eb/0xb90 + nft_pipapo_insert+0x1dc/0x1710 + nf_tables_newsetelem+0x31f5/0x4e00 + .. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reported-by: lonial con +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 0452ee586c1cc..a81829c10feab 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1930,7 +1930,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, + int i, start, rules_fx; + + match_start = data; +- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ ++ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END)) ++ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ else ++ match_end = data; + + start = first_rule; + rules_fx = rules_f0; +-- +2.39.2 + diff --git a/queue-6.4/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch b/queue-6.4/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch new file mode 100644 index 00000000000..0230574a51f --- /dev/null +++ b/queue-6.4/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch @@ -0,0 +1,43 @@ +From 8c589aa43ad6305dbe3d9b1288d7a998bb0f2e56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jul 2023 15:07:41 +0530 +Subject: octeontx2-pf: Dont allocate BPIDs for LBK interfaces + +From: Geetha sowjanya + +[ Upstream commit 8fcd7c7b3a38ab5e452f542fda8f7940e77e479a ] + +Current driver enables backpressure for LBK interfaces. +But these interfaces do not support this feature. +Hence, this patch fixes the issue by skipping the +backpressure configuration for these interfaces. + +Fixes: 75f36270990c ("octeontx2-pf: Support to enable/disable pause frames via ethtool"). +Signed-off-by: Geetha sowjanya +Signed-off-by: Sunil Goutham +Link: https://lore.kernel.org/r/20230716093741.28063-1-gakula@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index 18284ad751572..384d26bee9b23 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1452,8 +1452,9 @@ static int otx2_init_hw_resources(struct otx2_nic *pf) + if (err) + goto err_free_npa_lf; + +- /* Enable backpressure */ +- otx2_nix_config_bp(pf, true); ++ /* Enable backpressure for CGX mapped PF/VFs */ ++ if (!is_otx2_lbkvf(pf->pdev)) ++ otx2_nix_config_bp(pf, true); + + /* Init Auras and pools used by NIX RQ, for free buffer ptrs */ + err = otx2_rq_aura_pool_init(pf); +-- +2.39.2 + diff --git a/queue-6.4/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch b/queue-6.4/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch new file mode 100644 index 00000000000..d7d9ddc2796 --- /dev/null +++ b/queue-6.4/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch @@ -0,0 +1,63 @@ +From b31ea69c18255782ee8d005de2dc7f39ca0ab8a2 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 13 Jun 2023 10:13:37 +0200 +Subject: [PATCH AUTOSEL 5.4 06/12] ovl: check type and offset of struct + vfsmount in ovl_entry +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit f723edb8a532cd26e1ff0a2b271d73762d48f762 ] + +Porting overlayfs to the new amount api I started experiencing random +crashes that couldn't be explained easily. So after much debugging and +reasoning it became clear that struct ovl_entry requires the point to +struct vfsmount to be the first member and of type struct vfsmount. + +During the port I added a new member at the beginning of struct +ovl_entry which broke all over the place in the form of random crashes +and cache corruptions. While there's a comment in ovl_free_fs() to the +effect of "Hack! Reuse ofs->layers as a vfsmount array before freeing +it" there's no such comment on struct ovl_entry which makes this easy to +trip over. + +Add a comment and two static asserts for both the offset and the type of +pointer in struct ovl_entry. + +Signed-off-by: Christian Brauner +Signed-off-by: Amir Goldstein +Signed-off-by: Sasha Levin +--- + fs/overlayfs/ovl_entry.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h +index 28348c44ea5b2..8d81e88f1d1ef 100644 +--- a/fs/overlayfs/ovl_entry.h ++++ b/fs/overlayfs/ovl_entry.h +@@ -27,6 +27,7 @@ struct ovl_sb { + }; + + struct ovl_layer { ++ /* ovl_free_fs() relies on @mnt being the first member! */ + struct vfsmount *mnt; + /* Trap in ovl inode cache */ + struct inode *trap; +@@ -37,6 +38,14 @@ struct ovl_layer { + int fsid; + }; + ++/* ++ * ovl_free_fs() relies on @mnt being the first member when unmounting ++ * the private mounts created for each layer. Let's check both the ++ * offset and type. ++ */ ++static_assert(offsetof(struct ovl_layer, mnt) == 0); ++static_assert(__same_type(typeof_member(struct ovl_layer, mnt), struct vfsmount *)); ++ + struct ovl_path { + struct ovl_layer *layer; + struct dentry *dentry; +-- +2.39.2 + diff --git a/queue-6.4/perf-build-fix-library-not-found-error-when-using-cs.patch b/queue-6.4/perf-build-fix-library-not-found-error-when-using-cs.patch new file mode 100644 index 00000000000..70fa7345751 --- /dev/null +++ b/queue-6.4/perf-build-fix-library-not-found-error-when-using-cs.patch @@ -0,0 +1,94 @@ +From e8950b3996fccc846685515d638f7af34ddfaf5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 16:45:46 +0100 +Subject: perf build: Fix library not found error when using CSLIBS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: James Clark + +[ Upstream commit 1feece2780ac2f8de45177fe53979726cee4b3d1 ] + +-L only specifies the search path for libraries directly provided in the +link line with -l. Because -lopencsd isn't specified, it's only linked +because it's a dependency of -lopencsd_c_api. Dependencies like this are +resolved using the default system search paths or -rpath-link=... rather +than -L. This means that compilation only works if OpenCSD is installed +to the system rather than provided with the CSLIBS (-L) option. + +This could be fixed by adding -Wl,-rpath-link=$(CSLIBS) but that is less +conventional than just adding -lopencsd to the link line so that it uses +-L. -lopencsd seems to have been removed in commit ed17b1914978eddb +("perf tools: Drop requirement for libstdc++.so for libopencsd check") +because it was thought that there was a chance compilation would work +even if it didn't exist, but I think that only applies to libstdc++ so +there is no harm to add it back. libopencsd.so and libopencsd_c_api.so +would always exist together. + +Testing +======= + +The following scenarios now all work: + + * Cross build with OpenCSD installed + * Cross build using CSLIBS=... + * Native build with OpenCSD installed + * Native build using CSLIBS=... + * Static cross build with OpenCSD installed + * Static cross build with CSLIBS=... + +Committer testing: + + ⬢[acme@toolbox perf-tools]$ alias m + alias m='make -k BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools -C tools/perf install-bin && git status && perf test python ; perf record -o /dev/null sleep 0.01 ; perf stat --null sleep 0.01' + ⬢[acme@toolbox perf-tools]$ ldd ~/bin/perf | grep csd + libopencsd_c_api.so.1 => /lib64/libopencsd_c_api.so.1 (0x00007fd49c44e000) + libopencsd.so.1 => /lib64/libopencsd.so.1 (0x00007fd49bd56000) + ⬢[acme@toolbox perf-tools]$ cat /etc/redhat-release + Fedora release 36 (Thirty Six) + ⬢[acme@toolbox perf-tools]$ + +Fixes: ed17b1914978eddb ("perf tools: Drop requirement for libstdc++.so for libopencsd check") +Reported-by: Radhey Shyam Pandey +Signed-off-by: James Clark +Tested-by: Arnaldo Carvalho de Melo +Tested-by: Radhey Shyam Pandey +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Uwe Kleine-König +Cc: coresight@lists.linaro.org +Closes: https://lore.kernel.org/linux-arm-kernel/56905d7a-a91e-883a-b707-9d5f686ba5f1@arm.com/ +Link: https://lore.kernel.org/all/36cc4dc6-bf4b-1093-1c0a-876e368af183@kleine-koenig.org/ +Link: https://lore.kernel.org/r/20230707154546.456720-1-james.clark@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index a794d9eca93d8..72f068682c9a2 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -155,9 +155,9 @@ FEATURE_CHECK_LDFLAGS-libcrypto = -lcrypto + ifdef CSINCLUDES + LIBOPENCSD_CFLAGS := -I$(CSINCLUDES) + endif +-OPENCSDLIBS := -lopencsd_c_api ++OPENCSDLIBS := -lopencsd_c_api -lopencsd + ifeq ($(findstring -static,${LDFLAGS}),-static) +- OPENCSDLIBS += -lopencsd -lstdc++ ++ OPENCSDLIBS += -lstdc++ + endif + ifdef CSLIBS + LIBOPENCSD_LDFLAGS := -L$(CSLIBS) +-- +2.39.2 + diff --git a/queue-6.4/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch b/queue-6.4/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch new file mode 100644 index 00000000000..f493ccf4f70 --- /dev/null +++ b/queue-6.4/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch @@ -0,0 +1,118 @@ +From 4c55d9de4ff4c13926e629a17f4bfa200ad81072 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 12:18:58 +0100 +Subject: pinctrl: renesas: rzg2l: Handle non-unique subnode names + +From: Biju Das + +[ Upstream commit bfc374a145ae133613e05b9b89be561f169cb58d ] + +Currently, sd1 and sd0 have unique subnode names 'sd1_mux' and 'sd0_mux'. +If we change these to non-unique subnode names such as 'mux' this can +lead to the below conflict as the RZ/G2L pin control driver considers +only the names of the subnodes. + + pinctrl-rzg2l 11030000.pinctrl: pin P47_0 already requested by 11c00000.mmc; cannot claim for 11c10000.mmc + pinctrl-rzg2l 11030000.pinctrl: pin-376 (11c10000.mmc) status -22 + pinctrl-rzg2l 11030000.pinctrl: could not request pin 376 (P47_0) from group mux on device pinctrl-rzg2l + renesas_sdhi_internal_dmac 11c10000.mmc: Error applying setting, reverse things back + +Fix this by constructing unique names from the node names of both the +pin control configuration node and its child node, where appropriate. + +Based on the work done by Geert for the RZ/V2M pinctrl driver. + +Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver") +Signed-off-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230704111858.215278-1-biju.das.jz@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzg2l.c | 28 ++++++++++++++++++------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +index 9511d920565e9..b53d26167da52 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +@@ -249,6 +249,7 @@ static int rzg2l_map_add_config(struct pinctrl_map *map, + + static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + struct device_node *np, ++ struct device_node *parent, + struct pinctrl_map **map, + unsigned int *num_maps, + unsigned int *index) +@@ -266,6 +267,7 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + struct property *prop; + int ret, gsel, fsel; + const char **pin_fn; ++ const char *name; + const char *pin; + + pinmux = of_find_property(np, "pinmux", NULL); +@@ -349,8 +351,19 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + psel_val[i] = MUX_FUNC(value); + } + ++ if (parent) { ++ name = devm_kasprintf(pctrl->dev, GFP_KERNEL, "%pOFn.%pOFn", ++ parent, np); ++ if (!name) { ++ ret = -ENOMEM; ++ goto done; ++ } ++ } else { ++ name = np->name; ++ } ++ + /* Register a single pin group listing all the pins we read from DT */ +- gsel = pinctrl_generic_add_group(pctldev, np->name, pins, num_pinmux, NULL); ++ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); + if (gsel < 0) { + ret = gsel; + goto done; +@@ -360,17 +373,16 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + * Register a single group function where the 'data' is an array PSEL + * register values read from DT. + */ +- pin_fn[0] = np->name; +- fsel = pinmux_generic_add_function(pctldev, np->name, pin_fn, 1, +- psel_val); ++ pin_fn[0] = name; ++ fsel = pinmux_generic_add_function(pctldev, name, pin_fn, 1, psel_val); + if (fsel < 0) { + ret = fsel; + goto remove_group; + } + + maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; +- maps[idx].data.mux.group = np->name; +- maps[idx].data.mux.function = np->name; ++ maps[idx].data.mux.group = name; ++ maps[idx].data.mux.function = name; + idx++; + + dev_dbg(pctrl->dev, "Parsed %pOF with %d pins\n", np, num_pinmux); +@@ -417,7 +429,7 @@ static int rzg2l_dt_node_to_map(struct pinctrl_dev *pctldev, + index = 0; + + for_each_child_of_node(np, child) { +- ret = rzg2l_dt_subnode_to_map(pctldev, child, map, ++ ret = rzg2l_dt_subnode_to_map(pctldev, child, np, map, + num_maps, &index); + if (ret < 0) { + of_node_put(child); +@@ -426,7 +438,7 @@ static int rzg2l_dt_node_to_map(struct pinctrl_dev *pctldev, + } + + if (*num_maps == 0) { +- ret = rzg2l_dt_subnode_to_map(pctldev, np, map, ++ ret = rzg2l_dt_subnode_to_map(pctldev, np, NULL, map, + num_maps, &index); + if (ret < 0) + goto done; +-- +2.39.2 + diff --git a/queue-6.4/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch b/queue-6.4/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch new file mode 100644 index 00000000000..13fece4625d --- /dev/null +++ b/queue-6.4/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch @@ -0,0 +1,116 @@ +From 42c475f98a2c3df692cf6e15aa2f9ff1a4451452 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jul 2023 17:07:06 +0200 +Subject: pinctrl: renesas: rzv2m: Handle non-unique subnode names + +From: Geert Uytterhoeven + +[ Upstream commit f46a0b47cc0829acd050213194c5a77351e619b2 ] + +The eMMC and SDHI pin control configuration nodes in DT have subnodes +with the same names ("data" and "ctrl"). As the RZ/V2M pin control +driver considers only the names of the subnodes, this leads to +conflicts: + + pinctrl-rzv2m b6250000.pinctrl: pin P8_2 already requested by 85000000.mmc; cannot claim for 85020000.mmc + pinctrl-rzv2m b6250000.pinctrl: pin-130 (85020000.mmc) status -22 + renesas_sdhi_internal_dmac 85020000.mmc: Error applying setting, reverse things back + +Fix this by constructing unique names from the node names of both the +pin control configuration node and its child node, where appropriate. + +Reported by: Fabrizio Castro + +Fixes: 92a9b825257614af ("pinctrl: renesas: Add RZ/V2M pin and gpio controller driver") +Signed-off-by: Geert Uytterhoeven +Tested-by: Fabrizio Castro +Link: https://lore.kernel.org/r/607bd6ab4905b0b1b119a06ef953fa1184505777.1688396717.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzv2m.c | 28 ++++++++++++++++++------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzv2m.c b/drivers/pinctrl/renesas/pinctrl-rzv2m.c +index e5472293bc7fb..35b23c1a5684d 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzv2m.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzv2m.c +@@ -209,6 +209,7 @@ static int rzv2m_map_add_config(struct pinctrl_map *map, + + static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + struct device_node *np, ++ struct device_node *parent, + struct pinctrl_map **map, + unsigned int *num_maps, + unsigned int *index) +@@ -226,6 +227,7 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + struct property *prop; + int ret, gsel, fsel; + const char **pin_fn; ++ const char *name; + const char *pin; + + pinmux = of_find_property(np, "pinmux", NULL); +@@ -309,8 +311,19 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + psel_val[i] = MUX_FUNC(value); + } + ++ if (parent) { ++ name = devm_kasprintf(pctrl->dev, GFP_KERNEL, "%pOFn.%pOFn", ++ parent, np); ++ if (!name) { ++ ret = -ENOMEM; ++ goto done; ++ } ++ } else { ++ name = np->name; ++ } ++ + /* Register a single pin group listing all the pins we read from DT */ +- gsel = pinctrl_generic_add_group(pctldev, np->name, pins, num_pinmux, NULL); ++ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); + if (gsel < 0) { + ret = gsel; + goto done; +@@ -320,17 +333,16 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + * Register a single group function where the 'data' is an array PSEL + * register values read from DT. + */ +- pin_fn[0] = np->name; +- fsel = pinmux_generic_add_function(pctldev, np->name, pin_fn, 1, +- psel_val); ++ pin_fn[0] = name; ++ fsel = pinmux_generic_add_function(pctldev, name, pin_fn, 1, psel_val); + if (fsel < 0) { + ret = fsel; + goto remove_group; + } + + maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; +- maps[idx].data.mux.group = np->name; +- maps[idx].data.mux.function = np->name; ++ maps[idx].data.mux.group = name; ++ maps[idx].data.mux.function = name; + idx++; + + dev_dbg(pctrl->dev, "Parsed %pOF with %d pins\n", np, num_pinmux); +@@ -377,7 +389,7 @@ static int rzv2m_dt_node_to_map(struct pinctrl_dev *pctldev, + index = 0; + + for_each_child_of_node(np, child) { +- ret = rzv2m_dt_subnode_to_map(pctldev, child, map, ++ ret = rzv2m_dt_subnode_to_map(pctldev, child, np, map, + num_maps, &index); + if (ret < 0) { + of_node_put(child); +@@ -386,7 +398,7 @@ static int rzv2m_dt_node_to_map(struct pinctrl_dev *pctldev, + } + + if (*num_maps == 0) { +- ret = rzv2m_dt_subnode_to_map(pctldev, np, map, ++ ret = rzv2m_dt_subnode_to_map(pctldev, np, NULL, map, + num_maps, &index); + if (ret < 0) + goto done; +-- +2.39.2 + diff --git a/queue-6.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch b/queue-6.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch new file mode 100644 index 00000000000..2930b69c794 --- /dev/null +++ b/queue-6.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch @@ -0,0 +1,115 @@ +From 8833636766cff05f84668466c87b643c9d37b3fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 20:58:47 +0200 +Subject: posix-timers: Ensure timer ID search-loop limit is valid + +From: Thomas Gleixner + +[ Upstream commit 8ce8849dd1e78dadcee0ec9acbd259d239b7069f ] + +posix_timer_add() tries to allocate a posix timer ID by starting from the +cached ID which was stored by the last successful allocation. + +This is done in a loop searching the ID space for a free slot one by +one. The loop has to terminate when the search wrapped around to the +starting point. + +But that's racy vs. establishing the starting point. That is read out +lockless, which leads to the following problem: + +CPU0 CPU1 +posix_timer_add() + start = sig->posix_timer_id; + lock(hash_lock); + ... posix_timer_add() + if (++sig->posix_timer_id < 0) + start = sig->posix_timer_id; + sig->posix_timer_id = 0; + +So CPU1 can observe a negative start value, i.e. -1, and the loop break +never happens because the condition can never be true: + + if (sig->posix_timer_id == start) + break; + +While this is unlikely to ever turn into an endless loop as the ID space is +huge (INT_MAX), the racy read of the start value caught the attention of +KCSAN and Dmitry unearthed that incorrectness. + +Rewrite it so that all id operations are under the hash lock. + +Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com +Reported-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Reviewed-by: Frederic Weisbecker +Link: https://lore.kernel.org/r/87bkhzdn6g.ffs@tglx +Signed-off-by: Sasha Levin +--- + include/linux/sched/signal.h | 2 +- + kernel/time/posix-timers.c | 31 ++++++++++++++++++------------- + 2 files changed, 19 insertions(+), 14 deletions(-) + +diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h +index 20099268fa257..669e8cff40c74 100644 +--- a/include/linux/sched/signal.h ++++ b/include/linux/sched/signal.h +@@ -135,7 +135,7 @@ struct signal_struct { + #ifdef CONFIG_POSIX_TIMERS + + /* POSIX.1b Interval Timers */ +- int posix_timer_id; ++ unsigned int next_posix_timer_id; + struct list_head posix_timers; + + /* ITIMER_REAL timer for the process */ +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index ed3c4a9543982..2d6cf93ca370a 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -140,25 +140,30 @@ static struct k_itimer *posix_timer_by_id(timer_t id) + static int posix_timer_add(struct k_itimer *timer) + { + struct signal_struct *sig = current->signal; +- int first_free_id = sig->posix_timer_id; + struct hlist_head *head; +- int ret = -ENOENT; ++ unsigned int cnt, id; + +- do { ++ /* ++ * FIXME: Replace this by a per signal struct xarray once there is ++ * a plan to handle the resulting CRIU regression gracefully. ++ */ ++ for (cnt = 0; cnt <= INT_MAX; cnt++) { + spin_lock(&hash_lock); +- head = &posix_timers_hashtable[hash(sig, sig->posix_timer_id)]; +- if (!__posix_timers_find(head, sig, sig->posix_timer_id)) { ++ id = sig->next_posix_timer_id; ++ ++ /* Write the next ID back. Clamp it to the positive space */ ++ sig->next_posix_timer_id = (id + 1) & INT_MAX; ++ ++ head = &posix_timers_hashtable[hash(sig, id)]; ++ if (!__posix_timers_find(head, sig, id)) { + hlist_add_head_rcu(&timer->t_hash, head); +- ret = sig->posix_timer_id; ++ spin_unlock(&hash_lock); ++ return id; + } +- if (++sig->posix_timer_id < 0) +- sig->posix_timer_id = 0; +- if ((sig->posix_timer_id == first_free_id) && (ret == -ENOENT)) +- /* Loop over all possible ids completed */ +- ret = -EAGAIN; + spin_unlock(&hash_lock); +- } while (ret == -ENOENT); +- return ret; ++ } ++ /* POSIX return code when no timer ID could be allocated */ ++ return -EAGAIN; + } + + static inline void unlock_timer(struct k_itimer *timr, unsigned long flags) +-- +2.39.2 + diff --git a/queue-6.4/quota-fix-warning-in-dqgrab.patch b/queue-6.4/quota-fix-warning-in-dqgrab.patch new file mode 100644 index 00000000000..c20048bc9c2 --- /dev/null +++ b/queue-6.4/quota-fix-warning-in-dqgrab.patch @@ -0,0 +1,105 @@ +From 75b565477bbbb5a728fa106e0189d9fcb2131bcd Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Mon, 5 Jun 2023 22:07:31 +0800 +Subject: [PATCH AUTOSEL 5.4 04/12] quota: fix warning in dqgrab() +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit d6a95db3c7ad160bc16b89e36449705309b52bcb ] + +There's issue as follows when do fault injection: +WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 +Modules linked in: +CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 +RIP: 0010:dquot_disable+0x13b7/0x18c0 +RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 +RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 +RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 +R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 +R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 +FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + dquot_load_quota_sb+0xd53/0x1060 + dquot_resume+0x172/0x230 + ext4_reconfigure+0x1dc6/0x27b0 + reconfigure_super+0x515/0xa90 + __x64_sys_fsconfig+0xb19/0xd20 + do_syscall_64+0x39/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Above issue may happens as follows: +ProcessA ProcessB ProcessC +sys_fsconfig + vfs_fsconfig_locked + reconfigure_super + ext4_remount + dquot_suspend -> suspend all type quota + + sys_fsconfig + vfs_fsconfig_locked + reconfigure_super + ext4_remount + dquot_resume + ret = dquot_load_quota_sb + add_dquot_ref + do_open -> open file O_RDWR + vfs_open + do_dentry_open + get_write_access + atomic_inc_unless_negative(&inode->i_writecount) + ext4_file_open + dquot_file_open + dquot_initialize + __dquot_initialize + dqget + atomic_inc(&dquot->dq_count); + + __dquot_initialize + __dquot_initialize + dqget + if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) + ext4_acquire_dquot + -> Return error DQ_ACTIVE_B flag isn't set + dquot_disable + invalidate_dquots + if (atomic_read(&dquot->dq_count)) + dqgrab + WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) + -> Trigger warning + +In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when +dqgrab(). +To solve above issue just replace the dqgrab() use in invalidate_dquots() with +atomic_inc(&dquot->dq_count). + +Signed-off-by: Ye Bin +Signed-off-by: Jan Kara +Message-Id: <20230605140731.2427629-3-yebin10@huawei.com> +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 44175f37bfeb5..3d1a71d2909bb 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -546,7 +546,7 @@ static void invalidate_dquots(struct super_block *sb, int type) + continue; + /* Wait for dquot users */ + if (atomic_read(&dquot->dq_count)) { +- dqgrab(dquot); ++ atomic_inc(&dquot->dq_count); + spin_unlock(&dq_list_lock); + /* + * Once dqput() wakes us up, we know it's time to free +-- +2.39.2 + diff --git a/queue-6.4/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch b/queue-6.4/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch new file mode 100644 index 00000000000..70f07f2596e --- /dev/null +++ b/queue-6.4/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch @@ -0,0 +1,45 @@ +From e215781d8a2d612e8bfa6015837e3d0b89231552 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 5 Jun 2023 22:07:30 +0800 +Subject: [PATCH AUTOSEL 5.4 03/12] quota: Properly disable quotas when + add_dquot_ref() fails +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 6a4e3363792e30177cc3965697e34ddcea8b900b ] + +When add_dquot_ref() fails (usually due to IO error or ENOMEM), we want +to disable quotas we are trying to enable. However dquot_disable() call +was passed just the flags we are enabling so in case flags == +DQUOT_USAGE_ENABLED dquot_disable() call will just fail with EINVAL +instead of properly disabling quotas. Fix the problem by always passing +DQUOT_LIMITS_ENABLED | DQUOT_USAGE_ENABLED to dquot_disable() in this +case. + +Reported-and-tested-by: Ye Bin +Reported-by: syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Message-Id: <20230605140731.2427629-2-yebin10@huawei.com> +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 1d652af48f0b1..44175f37bfeb5 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2415,7 +2415,8 @@ int dquot_load_quota_sb(struct super_block *sb, int type, int format_id, + + error = add_dquot_ref(sb, type); + if (error) +- dquot_disable(sb, type, flags); ++ dquot_disable(sb, type, ++ DQUOT_USAGE_ENABLED | DQUOT_LIMITS_ENABLED); + + return error; + out_fmt: +-- +2.39.2 + diff --git a/queue-6.4/r8169-fix-aspm-related-problem-for-chip-version-42-a.patch b/queue-6.4/r8169-fix-aspm-related-problem-for-chip-version-42-a.patch new file mode 100644 index 00000000000..6e12fab0d69 --- /dev/null +++ b/queue-6.4/r8169-fix-aspm-related-problem-for-chip-version-42-a.patch @@ -0,0 +1,44 @@ +From b3641346909bdc69007b6208b28d795d29f08fe1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jul 2023 07:39:36 +0200 +Subject: r8169: fix ASPM-related problem for chip version 42 and 43 + +From: Heiner Kallweit + +[ Upstream commit 162d626f3013215b82b6514ca14f20932c7ccce5 ] + +Referenced commit missed that for chip versions 42 and 43 ASPM +remained disabled in the respective rtl_hw_start_...() routines. +This resulted in problems as described in the referenced bug +ticket. Therefore re-instantiate the previous logic. + +Fixes: 5fc3f6c90cca ("r8169: consolidate disabling ASPM before EPHY access") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217635 +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index ca0140963ff3a..b69122686407d 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -2747,6 +2747,13 @@ static void rtl_hw_aspm_clkreq_enable(struct rtl8169_private *tp, bool enable) + return; + + if (enable) { ++ /* On these chip versions ASPM can even harm ++ * bus communication of other PCI devices. ++ */ ++ if (tp->mac_version == RTL_GIGA_MAC_VER_42 || ++ tp->mac_version == RTL_GIGA_MAC_VER_43) ++ return; ++ + rtl_mod_config5(tp, 0, ASPM_en); + rtl_mod_config2(tp, 0, ClkReqEn); + +-- +2.39.2 + diff --git a/queue-6.4/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch b/queue-6.4/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch new file mode 100644 index 00000000000..67c2488f9b7 --- /dev/null +++ b/queue-6.4/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch @@ -0,0 +1,76 @@ +From c2695efafc87a2ebcdaa8213853f069251cdf6dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Apr 2023 16:05:38 -0700 +Subject: rcu: Mark additional concurrent load from ->cpu_no_qs.b.exp + +From: Paul E. McKenney + +[ Upstream commit 9146eb25495ea8bfb5010192e61e3ed5805ce9ef ] + +The per-CPU rcu_data structure's ->cpu_no_qs.b.exp field is updated +only on the instance corresponding to the current CPU, but can be read +more widely. Unmarked accesses are OK from the corresponding CPU, but +only if interrupts are disabled, given that interrupt handlers can and +do modify this field. + +Unfortunately, although the load from rcu_preempt_deferred_qs() is always +carried out from the corresponding CPU, interrupts are not necessarily +disabled. This commit therefore upgrades this load to READ_ONCE. + +Similarly, the diagnostic access from synchronize_rcu_expedited_wait() +might run with interrupts disabled and from some other CPU. This commit +therefore marks this load with data_race(). + +Finally, the C-language access in rcu_preempt_ctxt_queue() is OK as +is because interrupts are disabled and this load is always from the +corresponding CPU. This commit adds a comment giving the rationale for +this access being safe. + +This data race was reported by KCSAN. Not appropriate for backporting +due to failure being unlikely. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_exp.h | 2 +- + kernel/rcu/tree_plugin.h | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h +index 3b7abb58157df..8239b39d945bd 100644 +--- a/kernel/rcu/tree_exp.h ++++ b/kernel/rcu/tree_exp.h +@@ -643,7 +643,7 @@ static void synchronize_rcu_expedited_wait(void) + "O."[!!cpu_online(cpu)], + "o."[!!(rdp->grpmask & rnp->expmaskinit)], + "N."[!!(rdp->grpmask & rnp->expmaskinitnext)], +- "D."[!!(rdp->cpu_no_qs.b.exp)]); ++ "D."[!!data_race(rdp->cpu_no_qs.b.exp)]); + } + } + pr_cont(" } %lu jiffies s: %lu root: %#lx/%c\n", +diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h +index 7b0fe741a0886..41021080ad258 100644 +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -257,6 +257,8 @@ static void rcu_preempt_ctxt_queue(struct rcu_node *rnp, struct rcu_data *rdp) + * GP should not be able to end until we report, so there should be + * no need to check for a subsequent expedited GP. (Though we are + * still in a quiescent state in any case.) ++ * ++ * Interrupts are disabled, so ->cpu_no_qs.b.exp cannot change. + */ + if (blkd_state & RCU_EXP_BLKD && rdp->cpu_no_qs.b.exp) + rcu_report_exp_rdp(rdp); +@@ -941,7 +943,7 @@ notrace void rcu_preempt_deferred_qs(struct task_struct *t) + { + struct rcu_data *rdp = this_cpu_ptr(&rcu_data); + +- if (rdp->cpu_no_qs.b.exp) ++ if (READ_ONCE(rdp->cpu_no_qs.b.exp)) + rcu_report_exp_rdp(rdp); + } + +-- +2.39.2 + diff --git a/queue-6.4/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch b/queue-6.4/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch new file mode 100644 index 00000000000..a151907eb59 --- /dev/null +++ b/queue-6.4/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch @@ -0,0 +1,91 @@ +From 1e5233c6acc983e4260bd78c410a36f74d547a9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 01:22:05 +0900 +Subject: rcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic() + +From: Shigeru Yoshida + +[ Upstream commit 5fc8cbe4cf0fd34ded8045c385790c3bf04f6785 ] + +pr_info() is called with rtp->cbs_gbl_lock spin lock locked. Because +pr_info() calls printk() that might sleep, this will result in BUG +like below: + +[ 0.206455] cblist_init_generic: Setting adjustable number of callback queues. +[ 0.206463] +[ 0.206464] ============================= +[ 0.206464] [ BUG: Invalid wait context ] +[ 0.206465] 5.19.0-00428-g9de1f9c8ca51 #5 Not tainted +[ 0.206466] ----------------------------- +[ 0.206466] swapper/0/1 is trying to lock: +[ 0.206467] ffffffffa0167a58 (&port_lock_key){....}-{3:3}, at: serial8250_console_write+0x327/0x4a0 +[ 0.206473] other info that might help us debug this: +[ 0.206473] context-{5:5} +[ 0.206474] 3 locks held by swapper/0/1: +[ 0.206474] #0: ffffffff9eb597e0 (rcu_tasks.cbs_gbl_lock){....}-{2:2}, at: cblist_init_generic.constprop.0+0x14/0x1f0 +[ 0.206478] #1: ffffffff9eb579c0 (console_lock){+.+.}-{0:0}, at: _printk+0x63/0x7e +[ 0.206482] #2: ffffffff9ea77780 (console_owner){....}-{0:0}, at: console_emit_next_record.constprop.0+0x111/0x330 +[ 0.206485] stack backtrace: +[ 0.206486] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-00428-g9de1f9c8ca51 #5 +[ 0.206488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 +[ 0.206489] Call Trace: +[ 0.206490] +[ 0.206491] dump_stack_lvl+0x6a/0x9f +[ 0.206493] __lock_acquire.cold+0x2d7/0x2fe +[ 0.206496] ? stack_trace_save+0x46/0x70 +[ 0.206497] lock_acquire+0xd1/0x2f0 +[ 0.206499] ? serial8250_console_write+0x327/0x4a0 +[ 0.206500] ? __lock_acquire+0x5c7/0x2720 +[ 0.206502] _raw_spin_lock_irqsave+0x3d/0x90 +[ 0.206504] ? serial8250_console_write+0x327/0x4a0 +[ 0.206506] serial8250_console_write+0x327/0x4a0 +[ 0.206508] console_emit_next_record.constprop.0+0x180/0x330 +[ 0.206511] console_unlock+0xf7/0x1f0 +[ 0.206512] vprintk_emit+0xf7/0x330 +[ 0.206514] _printk+0x63/0x7e +[ 0.206516] cblist_init_generic.constprop.0.cold+0x24/0x32 +[ 0.206518] rcu_init_tasks_generic+0x5/0xd9 +[ 0.206522] kernel_init_freeable+0x15b/0x2a2 +[ 0.206523] ? rest_init+0x160/0x160 +[ 0.206526] kernel_init+0x11/0x120 +[ 0.206527] ret_from_fork+0x1f/0x30 +[ 0.206530] +[ 0.207018] cblist_init_generic: Setting shift to 1 and lim to 1. + +This patch moves pr_info() so that it is called without +rtp->cbs_gbl_lock locked. + +Signed-off-by: Shigeru Yoshida +Tested-by: "Zhang, Qiang1" +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tasks.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h +index 8f08c087142b0..9b9ce09f8f358 100644 +--- a/kernel/rcu/tasks.h ++++ b/kernel/rcu/tasks.h +@@ -241,7 +241,6 @@ static void cblist_init_generic(struct rcu_tasks *rtp) + if (rcu_task_enqueue_lim < 0) { + rcu_task_enqueue_lim = 1; + rcu_task_cb_adjust = true; +- pr_info("%s: Setting adjustable number of callback queues.\n", __func__); + } else if (rcu_task_enqueue_lim == 0) { + rcu_task_enqueue_lim = 1; + } +@@ -272,6 +271,10 @@ static void cblist_init_generic(struct rcu_tasks *rtp) + raw_spin_unlock_rcu_node(rtpcp); // irqs remain disabled. + } + raw_spin_unlock_irqrestore(&rtp->cbs_gbl_lock, flags); ++ ++ if (rcu_task_cb_adjust) ++ pr_info("%s: Setting adjustable number of callback queues.\n", __func__); ++ + pr_info("%s: Setting shift to %d and lim to %d.\n", __func__, data_race(rtp->percpu_enqueue_shift), data_race(rtp->percpu_enqueue_lim)); + } + +-- +2.39.2 + diff --git a/queue-6.4/regulator-da9063-fix-null-pointer-deref-with-partial.patch b/queue-6.4/regulator-da9063-fix-null-pointer-deref-with-partial.patch new file mode 100644 index 00000000000..1e71c3257b6 --- /dev/null +++ b/queue-6.4/regulator-da9063-fix-null-pointer-deref-with-partial.patch @@ -0,0 +1,42 @@ +From 91572c4910ad8526b74672f2e2764d2f86dc2152 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 16:36:28 +0200 +Subject: regulator: da9063: fix null pointer deref with partial DT config + +From: Martin Fuzzey + +[ Upstream commit 98e2dd5f7a8be5cb2501a897e96910393a49f0ff ] + +When some of the da9063 regulators do not have corresponding DT nodes +a null pointer dereference occurs on boot because such regulators have +no init_data causing the pointers calculated in +da9063_check_xvp_constraints() to be invalid. + +Do not dereference them in this case. + +Fixes: b8717a80e6ee ("regulator: da9063: implement setter for voltage monitoring") +Signed-off-by: Martin Fuzzey +Link: https://lore.kernel.org/r/20230616143736.2946173-1-martin.fuzzey@flowbird.group +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/da9063-regulator.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/regulator/da9063-regulator.c b/drivers/regulator/da9063-regulator.c +index c5dd77be558b6..dfd5ec9f75c90 100644 +--- a/drivers/regulator/da9063-regulator.c ++++ b/drivers/regulator/da9063-regulator.c +@@ -778,6 +778,9 @@ static int da9063_check_xvp_constraints(struct regulator_config *config) + const struct notification_limit *uv_l = &constr->under_voltage_limits; + const struct notification_limit *ov_l = &constr->over_voltage_limits; + ++ if (!config->init_data) /* No config in DT, pointers will be invalid */ ++ return 0; ++ + /* make sure that only one severity is used to clarify if unchanged, enabled or disabled */ + if ((!!uv_l->prot + !!uv_l->err + !!uv_l->warn) > 1) { + dev_err(config->dev, "%s: at most one voltage monitoring severity allowed!\n", +-- +2.39.2 + diff --git a/queue-6.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/queue-6.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch new file mode 100644 index 00000000000..59e6ff34715 --- /dev/null +++ b/queue-6.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch @@ -0,0 +1,113 @@ +From ecd467dd886c50804703a2c430a0a51d19acb739 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:59:18 -0700 +Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash + table" + +From: Kuniyuki Iwashima + +[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] + +This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. + +Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in +ehash table") reversed the order in how a socket is inserted into ehash +to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are +swapped. However, it introduced another lookup failure. + +The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU +and does not have SOCK_RCU_FREE, so the socket could be reused even while +it is being referenced on another CPU doing RCU lookup. + +Let's say a socket is reused and inserted into the same hash bucket during +lookup. After the blamed commit, a new socket is inserted at the end of +the list. If that happens, we will skip sockets placed after the previous +position of the reused socket, resulting in ehash lookup failure. + +As described in Documentation/RCU/rculist_nulls.rst, we should insert a +new socket at the head of the list to avoid such an issue. + +This issue, the swap-lookup-failure, and another variant reported in [0] +can all be handled properly by adding a locked ehash lookup suggested by +Eric Dumazet [1]. + +However, this issue could occur for every packet, thus more likely than +the other two races, so let's revert the change for now. + +Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] +Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] +Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 17 ++--------------- + net/ipv4/inet_timewait_sock.c | 8 ++++---- + 2 files changed, 6 insertions(+), 19 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index e7391bf310a75..0819d6001b9ab 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -650,20 +650,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + spin_lock(lock); + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); +- ret = sk_hashed(osk); +- if (ret) { +- /* Before deleting the node, we insert a new one to make +- * sure that the look-up-sk process would not miss either +- * of them and that at least one node would exist in ehash +- * table all the time. Otherwise there's a tiny chance +- * that lookup process could find nothing in ehash table. +- */ +- __sk_nulls_add_node_tail_rcu(sk, list); +- sk_nulls_del_node_init_rcu(osk); +- } +- goto unlock; +- } +- if (found_dup_sk) { ++ ret = sk_nulls_del_node_init_rcu(osk); ++ } else if (found_dup_sk) { + *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); + if (*found_dup_sk) + ret = false; +@@ -672,7 +660,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ret) + __sk_nulls_add_node_rcu(sk, list); + +-unlock: + spin_unlock(lock); + + return ret; +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index 40052414c7c71..2c1b245dba8e8 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -88,10 +88,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) + } + EXPORT_SYMBOL_GPL(inet_twsk_put); + +-static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, +- struct hlist_nulls_head *list) ++static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, ++ struct hlist_nulls_head *list) + { +- hlist_nulls_add_tail_rcu(&tw->tw_node, list); ++ hlist_nulls_add_head_rcu(&tw->tw_node, list); + } + + static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, +@@ -144,7 +144,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, + + spin_lock(lock); + +- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); ++ inet_twsk_add_node_rcu(tw, &ehead->chain); + + /* Step 3: Remove SK from hash chain */ + if (__sk_nulls_del_node_init_rcu(sk)) +-- +2.39.2 + diff --git a/queue-6.4/sched-fair-don-t-balance-task-to-its-current-running.patch b/queue-6.4/sched-fair-don-t-balance-task-to-its-current-running.patch new file mode 100644 index 00000000000..c3d56f7147f --- /dev/null +++ b/queue-6.4/sched-fair-don-t-balance-task-to-its-current-running.patch @@ -0,0 +1,96 @@ +From 498906b1791b700260f1db996d22a4934185a8f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 16:25:07 +0800 +Subject: sched/fair: Don't balance task to its current running CPU + +From: Yicong Yang + +[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ] + +We've run into the case that the balancer tries to balance a migration +disabled task and trigger the warning in set_task_cpu() like below: + + ------------[ cut here ]------------ + WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 + Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> + CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 + Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 + pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : set_task_cpu+0x188/0x240 + lr : load_balance+0x5d0/0xc60 + sp : ffff80000803bc70 + x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 + x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 + x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 + x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 + x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 + x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 + x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e + x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a + x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 + Call trace: + set_task_cpu+0x188/0x240 + load_balance+0x5d0/0xc60 + rebalance_domains+0x26c/0x380 + _nohz_idle_balance.isra.0+0x1e0/0x370 + run_rebalance_domains+0x6c/0x80 + __do_softirq+0x128/0x3d8 + ____do_softirq+0x18/0x24 + call_on_irq_stack+0x2c/0x38 + do_softirq_own_stack+0x24/0x3c + __irq_exit_rcu+0xcc/0xf4 + irq_exit_rcu+0x18/0x24 + el1_interrupt+0x4c/0xe4 + el1h_64_irq_handler+0x18/0x2c + el1h_64_irq+0x74/0x78 + arch_cpu_idle+0x18/0x4c + default_idle_call+0x58/0x194 + do_idle+0x244/0x2b0 + cpu_startup_entry+0x30/0x3c + secondary_start_kernel+0x14c/0x190 + __secondary_switched+0xb0/0xb4 + ---[ end trace 0000000000000000 ]--- + +Further investigation shows that the warning is superfluous, the migration +disabled task is just going to be migrated to its current running CPU. +This is because that on load balance if the dst_cpu is not allowed by the +task, we'll re-select a new_dst_cpu as a candidate. If no task can be +balanced to dst_cpu we'll try to balance the task to the new_dst_cpu +instead. In this case when the migration disabled task is not on CPU it +only allows to run on its current CPU, load balance will select its +current CPU as new_dst_cpu and later triggers the warning above. + +The new_dst_cpu is chosen from the env->dst_grpmask. Currently it +contains CPUs in sched_group_span() and if we have overlapped groups it's +possible to run into this case. This patch makes env->dst_grpmask of +group_balance_mask() which exclude any CPUs from the busiest group and +solve the issue. For balancing in a domain with no overlapped groups +the behaviour keeps same as before. + +Suggested-by: Vincent Guittot +Signed-off-by: Yicong Yang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 4da5f35417626..e427056b440bb 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -10762,7 +10762,7 @@ static int load_balance(int this_cpu, struct rq *this_rq, + .sd = sd, + .dst_cpu = this_cpu, + .dst_rq = this_rq, +- .dst_grpmask = sched_group_span(sd->groups), ++ .dst_grpmask = group_balance_mask(sd->groups), + .idle = idle, + .loop_break = SCHED_NR_MIGRATE_BREAK, + .cpus = cpus, +-- +2.39.2 + diff --git a/queue-6.4/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch b/queue-6.4/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch new file mode 100644 index 00000000000..12a4c0ab560 --- /dev/null +++ b/queue-6.4/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch @@ -0,0 +1,41 @@ +From eb7afb14a34b80e0302a1d23d86f4850e5a83b66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 16:07:47 +0800 +Subject: sched/fair: Use recent_used_cpu to test p->cpus_ptr + +From: Miaohe Lin + +[ Upstream commit ae2ad293d6be143ad223f5f947cca07bcbe42595 ] + +When checking whether a recently used CPU can be a potential idle +candidate, recent_used_cpu should be used to test p->cpus_ptr as +p->recent_used_cpu is not equal to recent_used_cpu and candidate +decision is made based on recent_used_cpu here. + +Fixes: 89aafd67f28c ("sched/fair: Use prev instead of new target as recent_used_cpu") +Signed-off-by: Miaohe Lin +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Phil Auld +Acked-by: Mel Gorman +Link: https://lore.kernel.org/r/20230620080747.359122-1-linmiaohe@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index e427056b440bb..dacb56d7e9147 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -7174,7 +7174,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target) + recent_used_cpu != target && + cpus_share_cache(recent_used_cpu, target) && + (available_idle_cpu(recent_used_cpu) || sched_idle_cpu(recent_used_cpu)) && +- cpumask_test_cpu(p->recent_used_cpu, p->cpus_ptr) && ++ cpumask_test_cpu(recent_used_cpu, p->cpus_ptr) && + asym_fits_cpu(task_util, util_min, util_max, recent_used_cpu)) { + return recent_used_cpu; + } +-- +2.39.2 + diff --git a/queue-6.4/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch b/queue-6.4/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch new file mode 100644 index 00000000000..34898dfaba7 --- /dev/null +++ b/queue-6.4/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch @@ -0,0 +1,176 @@ +From 56dc7c53b82c1b75affc5981051b3679cdfd065f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 17:56:12 -0700 +Subject: sched/psi: use kernfs polling functions for PSI trigger polling + +From: Suren Baghdasaryan + +[ Upstream commit aff037078ecaecf34a7c2afab1341815f90fba5e ] + +Destroying psi trigger in cgroup_file_release causes UAF issues when +a cgroup is removed from under a polling process. This is happening +because cgroup removal causes a call to cgroup_file_release while the +actual file is still alive. Destroying the trigger at this point would +also destroy its waitqueue head and if there is still a polling process +on that file accessing the waitqueue, it will step on the freed pointer: + +do_select + vfs_poll + do_rmdir + cgroup_rmdir + kernfs_drain_open_files + cgroup_file_release + cgroup_pressure_release + psi_trigger_destroy + wake_up_pollfree(&t->event_wait) +// vfs_poll is unblocked + synchronize_rcu + kfree(t) + poll_freewait -> UAF access to the trigger's waitqueue head + +Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), +however the same issue exists for synchronous poll() case. +The root cause of this issue is that the lifecycles of the psi trigger's +waitqueue and of the file associated with the trigger are different. Fix +this by using kernfs_generic_poll function when polling on cgroup-specific +psi triggers. It internally uses kernfs_open_node->poll waitqueue head +with its lifecycle tied to the file's lifecycle. This also renders the +fix in [1] obsolete, so revert it. + +[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()") + +Fixes: 0e94682b73bf ("psi: introduce psi monitor") +Closes: https://lore.kernel.org/all/20230613062306.101831-1-lujialin4@huawei.com/ +Reported-by: Lu Jialin +Signed-off-by: Suren Baghdasaryan +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20230630005612.1014540-1-surenb@google.com +Signed-off-by: Sasha Levin +--- + include/linux/psi.h | 5 +++-- + include/linux/psi_types.h | 3 +++ + kernel/cgroup/cgroup.c | 2 +- + kernel/sched/psi.c | 29 +++++++++++++++++++++-------- + 4 files changed, 28 insertions(+), 11 deletions(-) + +diff --git a/include/linux/psi.h b/include/linux/psi.h +index ab26200c28033..e0745873e3f26 100644 +--- a/include/linux/psi.h ++++ b/include/linux/psi.h +@@ -23,8 +23,9 @@ void psi_memstall_enter(unsigned long *flags); + void psi_memstall_leave(unsigned long *flags); + + int psi_show(struct seq_file *s, struct psi_group *group, enum psi_res res); +-struct psi_trigger *psi_trigger_create(struct psi_group *group, +- char *buf, enum psi_res res, struct file *file); ++struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, ++ enum psi_res res, struct file *file, ++ struct kernfs_open_file *of); + void psi_trigger_destroy(struct psi_trigger *t); + + __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file, +diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h +index 040c089581c6c..f1fd3a8044e0e 100644 +--- a/include/linux/psi_types.h ++++ b/include/linux/psi_types.h +@@ -137,6 +137,9 @@ struct psi_trigger { + /* Wait queue for polling */ + wait_queue_head_t event_wait; + ++ /* Kernfs file for cgroup triggers */ ++ struct kernfs_open_file *of; ++ + /* Pending event flag */ + int event; + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 4d42f0cbc11ea..3299ec69ce0d1 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3785,7 +3785,7 @@ static ssize_t pressure_write(struct kernfs_open_file *of, char *buf, + } + + psi = cgroup_psi(cgrp); +- new = psi_trigger_create(psi, buf, res, of->file); ++ new = psi_trigger_create(psi, buf, res, of->file, of); + if (IS_ERR(new)) { + cgroup_put(cgrp); + return PTR_ERR(new); +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index e072f6b31bf30..80d8c10e93638 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -494,8 +494,12 @@ static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total, + continue; + + /* Generate an event */ +- if (cmpxchg(&t->event, 0, 1) == 0) +- wake_up_interruptible(&t->event_wait); ++ if (cmpxchg(&t->event, 0, 1) == 0) { ++ if (t->of) ++ kernfs_notify(t->of->kn); ++ else ++ wake_up_interruptible(&t->event_wait); ++ } + t->last_event_time = now; + /* Reset threshold breach flag once event got generated */ + t->pending_event = false; +@@ -1272,8 +1276,9 @@ int psi_show(struct seq_file *m, struct psi_group *group, enum psi_res res) + return 0; + } + +-struct psi_trigger *psi_trigger_create(struct psi_group *group, +- char *buf, enum psi_res res, struct file *file) ++struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, ++ enum psi_res res, struct file *file, ++ struct kernfs_open_file *of) + { + struct psi_trigger *t; + enum psi_states state; +@@ -1333,7 +1338,9 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, + + t->event = 0; + t->last_event_time = 0; +- init_waitqueue_head(&t->event_wait); ++ t->of = of; ++ if (!of) ++ init_waitqueue_head(&t->event_wait); + t->pending_event = false; + t->aggregator = privileged ? PSI_POLL : PSI_AVGS; + +@@ -1390,7 +1397,10 @@ void psi_trigger_destroy(struct psi_trigger *t) + * being accessed later. Can happen if cgroup is deleted from under a + * polling process. + */ +- wake_up_pollfree(&t->event_wait); ++ if (t->of) ++ kernfs_notify(t->of->kn); ++ else ++ wake_up_interruptible(&t->event_wait); + + if (t->aggregator == PSI_AVGS) { + mutex_lock(&group->avgs_lock); +@@ -1462,7 +1472,10 @@ __poll_t psi_trigger_poll(void **trigger_ptr, + if (!t) + return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI; + +- poll_wait(file, &t->event_wait, wait); ++ if (t->of) ++ kernfs_generic_poll(t->of, wait); ++ else ++ poll_wait(file, &t->event_wait, wait); + + if (cmpxchg(&t->event, 1, 0) == 1) + ret |= EPOLLPRI; +@@ -1532,7 +1545,7 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf, + return -EBUSY; + } + +- new = psi_trigger_create(&psi_system, buf, res, file); ++ new = psi_trigger_create(&psi_system, buf, res, file, NULL); + if (IS_ERR(new)) { + mutex_unlock(&seq->lock); + return PTR_ERR(new); +-- +2.39.2 + diff --git a/queue-6.4/scsi-sg-fix-blktrace-debugfs-entries-leakage.patch b/queue-6.4/scsi-sg-fix-blktrace-debugfs-entries-leakage.patch new file mode 100644 index 00000000000..e9fb8ddc8c6 --- /dev/null +++ b/queue-6.4/scsi-sg-fix-blktrace-debugfs-entries-leakage.patch @@ -0,0 +1,77 @@ +From 16176e2729a460f26254bf143981355bcb83b0a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jun 2023 10:20:02 +0800 +Subject: scsi: sg: fix blktrace debugfs entries leakage + +From: Yu Kuai + +[ Upstream commit db59133e927916d8a25ee1fd8264f2808040909d ] + +sg_ioctl() support to enable blktrace, which will create debugfs entries +"/sys/kernel/debug/block/sgx/", however, there is no guarantee that user +will remove these entries through ioctl, and deleting sg device doesn't +cleanup these blktrace entries. + +This problem can be fixed by cleanup blktrace while releasing +request_queue, however, it's not a good idea to do this special handling +in common layer just for sg device. + +Fix this problem by shutdown bltkrace in sg_device_destroy(), where the +device is deleted and all the users close the device, also grab a +scsi_device reference from sg_add_device() to prevent scsi_device to be +freed before sg_device_destroy(); + +Signed-off-by: Yu Kuai +Reviewed-by: Christoph Hellwig +Reviewed-by: Martin K. Petersen +Link: https://lore.kernel.org/r/20230610022003.2557284-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/scsi/sg.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 037f8c98a6d36..0adfbd77437f3 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1496,6 +1496,10 @@ sg_add_device(struct device *cl_dev) + int error; + unsigned long iflags; + ++ error = scsi_device_get(scsidp); ++ if (error) ++ return error; ++ + error = -ENOMEM; + cdev = cdev_alloc(); + if (!cdev) { +@@ -1553,6 +1557,7 @@ sg_add_device(struct device *cl_dev) + out: + if (cdev) + cdev_del(cdev); ++ scsi_device_put(scsidp); + return error; + } + +@@ -1560,6 +1565,7 @@ static void + sg_device_destroy(struct kref *kref) + { + struct sg_device *sdp = container_of(kref, struct sg_device, d_ref); ++ struct request_queue *q = sdp->device->request_queue; + unsigned long flags; + + /* CAUTION! Note that the device can still be found via idr_find() +@@ -1567,6 +1573,9 @@ sg_device_destroy(struct kref *kref) + * any other cleanup. + */ + ++ blk_trace_remove(q); ++ scsi_device_put(sdp->device); ++ + write_lock_irqsave(&sg_index_lock, flags); + idr_remove(&sg_index_idr, sdp->index); + write_unlock_irqrestore(&sg_index_lock, flags); +-- +2.39.2 + diff --git a/queue-6.4/security-keys-modify-mismatched-function-name.patch b/queue-6.4/security-keys-modify-mismatched-function-name.patch new file mode 100644 index 00000000000..ff9e657682b --- /dev/null +++ b/queue-6.4/security-keys-modify-mismatched-function-name.patch @@ -0,0 +1,40 @@ +From 21805edfcc8da6e82b94128693f355e1e10cef54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 10:18:25 +0800 +Subject: security: keys: Modify mismatched function name + +From: Jiapeng Chong + +[ Upstream commit 2a4152742025c5f21482e8cebc581702a0fa5b01 ] + +No functional modification involved. + +security/keys/trusted-keys/trusted_tpm2.c:203: warning: expecting prototype for tpm_buf_append_auth(). Prototype was for tpm2_buf_append_auth() instead. + +Fixes: 2e19e10131a0 ("KEYS: trusted: Move TPM2 trusted keys code") +Reported-by: Abaci Robot +Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=5524 +Signed-off-by: Jiapeng Chong +Reviewed-by: Paul Moore +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + security/keys/trusted-keys/trusted_tpm2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c +index 2b2c8eb258d5b..bc700f85f80be 100644 +--- a/security/keys/trusted-keys/trusted_tpm2.c ++++ b/security/keys/trusted-keys/trusted_tpm2.c +@@ -186,7 +186,7 @@ int tpm2_key_priv(void *context, size_t hdrlen, + } + + /** +- * tpm_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. ++ * tpm2_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. + * + * @buf: an allocated tpm_buf instance + * @session_handle: session handle +-- +2.39.2 + diff --git a/queue-6.4/series b/queue-6.4/series index 21e8a73caca..530dd09d869 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -74,3 +74,146 @@ kvm-arm64-correctly-handle-page-aging-notifiers-for-unaligned-memslot.patch kvm-arm64-disable-preemption-in-kvm_arch_hardware_enable.patch kvm-arm64-vgic-v4-make-the-doorbell-request-robust-w.r.t-preemption.patch ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch +drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch +alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch +quota-properly-disable-quotas-when-add_dquot_ref-fai.patch +quota-fix-warning-in-dqgrab.patch +hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch +ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch +udf-fix-uninitialized-array-access-for-some-pathname.patch +alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch +fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch +mips-dec-prom-address-warray-bounds-warning.patch +fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch +fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch +md-fix-data-corruption-for-raid456-when-reshape-rest.patch +md-raid10-prevent-soft-lockup-while-flush-writes.patch +scsi-sg-fix-blktrace-debugfs-entries-leakage.patch +blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch +posix-timers-ensure-timer-id-search-loop-limit-is-va.patch +btrfs-add-xxhash-to-fast-checksum-implementations.patch +btrfs-don-t-check-pageerror-in-__extent_writepage.patch +btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch +erofs-fix-detection-of-atomic-context.patch +acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch +acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch +acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch +acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch +acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch +acpi-resource-remove-zen-specific-match-and-quirks.patch +arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch +arm64-mm-fix-va-range-sanity-check.patch +acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch +rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch +rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch +tools-nolibc-ensure-stack-protector-guard-is-never-z.patch +sched-fair-don-t-balance-task-to-its-current-running.patch +wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch +bpf-print-a-warning-only-if-writing-to-unprivileged_.patch +bpf-address-kcsan-report-on-bpf_lru_list.patch +spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch +bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch +bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch +wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch +bpf-silence-a-warning-in-btf_type_id_size.patch +devlink-make-health-report-on-unregistered-instance-.patch +wifi-ath11k-add-support-default-regdb-while-searchin.patch +wifi-mac80211_hwsim-fix-possible-null-dereference.patch +spi-dw-add-compatible-for-intel-mount-evans-soc.patch +wifi-ath12k-avoid-null-pointer-access-during-managem.patch +wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch +wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch +net-ethernet-litex-add-support-for-64-bit-stats.patch +devlink-report-devlink_port_type_warn-source-device.patch +wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch +wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch +wifi-iwlwifi-add-support-for-new-pci-id.patch +wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch +wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch +igb-fix-igb_down-hung-on-surprise-removal.patch +net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch +asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch +asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch +asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch +asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch +iov_iter-mark-copy_iovec_from_user-noclone.patch +sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch +sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch +pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch +pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch +spi-bcm63xx-fix-max-prepend-length.patch +fbdev-imxfb-warn-about-invalid-left-right-margin.patch +fbdev-imxfb-removed-unneeded-release_mem_region.patch +perf-build-fix-library-not-found-error-when-using-cs.patch +btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch +spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch +kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch +smb-client-fix-missed-ses-refcounting.patch +arm64-fix-hfgxtr_el2-field-naming.patch +dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch +net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch +bridge-add-extack-warning-when-enabling-stp-in-netns.patch +net-ethernet-mtk_eth_soc-handle-probe-deferral.patch +gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch +iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch +cifs-fix-mid-leak-during-reconnection-after-timeout-.patch +ice-unregister-netdev-and-devlink_port-only-once.patch +ice-prevent-null-pointer-deref-during-reload.patch +asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch +regulator-da9063-fix-null-pointer-deref-with-partial.patch +net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch +net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch +net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch +net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch +net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch +r8169-fix-aspm-related-problem-for-chip-version-42-a.patch +drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch +iavf-fix-use-after-free-in-free_netdev.patch +iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch +iavf-use-internal-state-to-free-traffic-irqs.patch +iavf-make-functions-static-where-possible.patch +iavf-wait-for-reset-in-callbacks-which-trigger-it.patch +iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch +iavf-fix-reset-task-race-with-iavf_remove.patch +security-keys-modify-mismatched-function-name.patch +vrf-fix-lockdep-splat-in-output-path.patch +octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch +bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch +bpf-repeat-check_max_stack_depth-for-async-callbacks.patch +bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch +igc-avoid-transmit-queue-timeout-for-xdp.patch +igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch +net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch +tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch +tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch +net-ipv4-use-kfree_sensitive-instead-of-kfree.patch +net-ipv6-check-return-value-of-pskb_trim.patch +revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch +net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch +fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch +llc-don-t-drop-packet-from-non-root-netns.patch +alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch +netfilter-nf_tables-fix-spurious-set-element-inserti.patch +netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch +netfilter-nft_set_pipapo-fix-improper-element-remova.patch +netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch +netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch +bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch +bluetooth-hci_event-call-disconnect-callback-before-.patch +bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch +bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch +bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch +bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch +bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch +tcp-annotate-data-races-around-tp-tcp_tx_delay.patch +tcp-annotate-data-races-around-tp-tsoffset.patch +tcp-annotate-data-races-around-tp-keepalive_time.patch +tcp-annotate-data-races-around-tp-keepalive_intvl.patch +tcp-annotate-data-races-around-tp-keepalive_probes.patch +tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch +tcp-annotate-data-races-around-tp-linger2.patch +tcp-annotate-data-races-around-rskq_defer_accept.patch +tcp-annotate-data-races-around-tp-notsent_lowat.patch +tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch +tcp-annotate-data-races-around-fastopenq.max_qlen.patch +net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch diff --git a/queue-6.4/smb-client-fix-missed-ses-refcounting.patch b/queue-6.4/smb-client-fix-missed-ses-refcounting.patch new file mode 100644 index 00000000000..a209fbf914a --- /dev/null +++ b/queue-6.4/smb-client-fix-missed-ses-refcounting.patch @@ -0,0 +1,101 @@ +From 7f47ebc21a8e24962ac932e93de9a7d1e696e3d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 14:15:10 -0300 +Subject: smb: client: fix missed ses refcounting + +From: Paulo Alcantara + +[ Upstream commit bf99f6be2d20146942bce6f9e90a0ceef12cbc1e ] + +Use new cifs_smb_ses_inc_refcount() helper to get an active reference +of @ses and @ses->dfs_root_ses (if set). This will prevent +@ses->dfs_root_ses of being put in the next call to cifs_put_smb_ses() +and thus potentially causing an use-after-free bug. + +Fixes: 8e3554150d6c ("cifs: fix sharing of DFS connections") +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/dfs.c | 26 ++++++++++---------------- + fs/smb/client/smb2transport.c | 2 +- + 2 files changed, 11 insertions(+), 17 deletions(-) + +diff --git a/fs/smb/client/dfs.c b/fs/smb/client/dfs.c +index 26d14dd0482ef..cf83617236d8b 100644 +--- a/fs/smb/client/dfs.c ++++ b/fs/smb/client/dfs.c +@@ -66,6 +66,12 @@ static int get_session(struct cifs_mount_ctx *mnt_ctx, const char *full_path) + return rc; + } + ++/* ++ * Track individual DFS referral servers used by new DFS mount. ++ * ++ * On success, their lifetime will be shared by final tcon (dfs_ses_list). ++ * Otherwise, they will be put by dfs_put_root_smb_sessions() in cifs_mount(). ++ */ + static int add_root_smb_session(struct cifs_mount_ctx *mnt_ctx) + { + struct smb3_fs_context *ctx = mnt_ctx->fs_ctx; +@@ -80,11 +86,12 @@ static int add_root_smb_session(struct cifs_mount_ctx *mnt_ctx) + INIT_LIST_HEAD(&root_ses->list); + + spin_lock(&cifs_tcp_ses_lock); +- ses->ses_count++; ++ cifs_smb_ses_inc_refcount(ses); + spin_unlock(&cifs_tcp_ses_lock); + root_ses->ses = ses; + list_add_tail(&root_ses->list, &mnt_ctx->dfs_ses_list); + } ++ /* Select new DFS referral server so that new referrals go through it */ + ctx->dfs_root_ses = ses; + return 0; + } +@@ -244,7 +251,6 @@ static int __dfs_mount_share(struct cifs_mount_ctx *mnt_ctx) + int dfs_mount_share(struct cifs_mount_ctx *mnt_ctx, bool *isdfs) + { + struct smb3_fs_context *ctx = mnt_ctx->fs_ctx; +- struct cifs_ses *ses; + bool nodfs = ctx->nodfs; + int rc; + +@@ -278,20 +284,8 @@ int dfs_mount_share(struct cifs_mount_ctx *mnt_ctx, bool *isdfs) + } + + *isdfs = true; +- /* +- * Prevent DFS root session of being put in the first call to +- * cifs_mount_put_conns(). If another DFS root server was not found +- * while chasing the referrals (@ctx->dfs_root_ses == @ses), then we +- * can safely put extra refcount of @ses. +- */ +- ses = mnt_ctx->ses; +- mnt_ctx->ses = NULL; +- mnt_ctx->server = NULL; +- rc = __dfs_mount_share(mnt_ctx); +- if (ses == ctx->dfs_root_ses) +- cifs_put_smb_ses(ses); +- +- return rc; ++ add_root_smb_session(mnt_ctx); ++ return __dfs_mount_share(mnt_ctx); + } + + /* Update dfs referral path of superblock */ +diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c +index 22954a9c7a6c7..355e8700530fc 100644 +--- a/fs/smb/client/smb2transport.c ++++ b/fs/smb/client/smb2transport.c +@@ -159,7 +159,7 @@ smb2_find_smb_ses_unlocked(struct TCP_Server_Info *server, __u64 ses_id) + spin_unlock(&ses->ses_lock); + continue; + } +- ++ses->ses_count; ++ cifs_smb_ses_inc_refcount(ses); + spin_unlock(&ses->ses_lock); + return ses; + } +-- +2.39.2 + diff --git a/queue-6.4/spi-bcm63xx-fix-max-prepend-length.patch b/queue-6.4/spi-bcm63xx-fix-max-prepend-length.patch new file mode 100644 index 00000000000..5375ee76f78 --- /dev/null +++ b/queue-6.4/spi-bcm63xx-fix-max-prepend-length.patch @@ -0,0 +1,47 @@ +From 85db4a1c7589a014ef7e05be2349369ceb31e125 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 09:14:52 +0200 +Subject: spi: bcm63xx: fix max prepend length + +From: Jonas Gorski + +[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ] + +The command word is defined as following: + + /* Command */ + #define SPI_CMD_COMMAND_SHIFT 0 + #define SPI_CMD_DEVICE_ID_SHIFT 4 + #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8 + #define SPI_CMD_ONE_BYTE_SHIFT 11 + #define SPI_CMD_ONE_WIRE_SHIFT 12 + +If the prepend byte count field starts at bit 8, and the next defined +bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and +thus the max value is 7, not 15. + +Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up") +Signed-off-by: Jonas Gorski +Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c +index 9aecb77c3d892..07b5b71b23520 100644 +--- a/drivers/spi/spi-bcm63xx.c ++++ b/drivers/spi/spi-bcm63xx.c +@@ -126,7 +126,7 @@ enum bcm63xx_regs_spi { + SPI_MSG_DATA_SIZE, + }; + +-#define BCM63XX_SPI_MAX_PREPEND 15 ++#define BCM63XX_SPI_MAX_PREPEND 7 + + #define BCM63XX_SPI_MAX_CS 8 + #define BCM63XX_SPI_BUS_NUM 0 +-- +2.39.2 + diff --git a/queue-6.4/spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch b/queue-6.4/spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch new file mode 100644 index 00000000000..e4ec977db97 --- /dev/null +++ b/queue-6.4/spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch @@ -0,0 +1,91 @@ +From a6e25408e4037a4e7c973bcbdc45c46f3e710817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 11:16:05 -0700 +Subject: spi: cadence-quadspi: Add compatible for AMD Pensando Elba SoC + +From: Brad Larson + +[ Upstream commit f5c2f9f9584353bc816d76a65c97dd03dc61678c ] + +The AMD Pensando Elba SoC has the Cadence QSPI controller integrated. + +The quirk CQSPI_NEEDS_APB_AHB_HAZARD_WAR is added and if enabled +a dummy readback from the controller is performed to ensure +synchronization. + +Signed-off-by: Brad Larson +--- + drivers/spi/spi-cadence-quadspi.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c +index 32449bef4415a..abf10f92415dc 100644 +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -40,6 +40,7 @@ + #define CQSPI_SUPPORT_EXTERNAL_DMA BIT(2) + #define CQSPI_NO_SUPPORT_WR_COMPLETION BIT(3) + #define CQSPI_SLOW_SRAM BIT(4) ++#define CQSPI_NEEDS_APB_AHB_HAZARD_WAR BIT(5) + + /* Capabilities */ + #define CQSPI_SUPPORTS_OCTAL BIT(0) +@@ -90,6 +91,7 @@ struct cqspi_st { + u32 pd_dev_id; + bool wr_completion; + bool slow_sram; ++ bool apb_ahb_hazard; + }; + + struct cqspi_driver_platdata { +@@ -1027,6 +1029,13 @@ static int cqspi_indirect_write_execute(struct cqspi_flash_pdata *f_pdata, + if (cqspi->wr_delay) + ndelay(cqspi->wr_delay); + ++ /* ++ * If a hazard exists between the APB and AHB interfaces, perform a ++ * dummy readback from the controller to ensure synchronization. ++ */ ++ if (cqspi->apb_ahb_hazard) ++ readl(reg_base + CQSPI_REG_INDIRECTWR); ++ + while (remaining > 0) { + size_t write_words, mod_bytes; + +@@ -1754,6 +1763,8 @@ static int cqspi_probe(struct platform_device *pdev) + cqspi->wr_completion = false; + if (ddata->quirks & CQSPI_SLOW_SRAM) + cqspi->slow_sram = true; ++ if (ddata->quirks & CQSPI_NEEDS_APB_AHB_HAZARD_WAR) ++ cqspi->apb_ahb_hazard = true; + + if (of_device_is_compatible(pdev->dev.of_node, + "xlnx,versal-ospi-1.0")) { +@@ -1888,6 +1899,10 @@ static const struct cqspi_driver_platdata jh7110_qspi = { + .quirks = CQSPI_DISABLE_DAC_MODE, + }; + ++static const struct cqspi_driver_platdata pensando_cdns_qspi = { ++ .quirks = CQSPI_NEEDS_APB_AHB_HAZARD_WAR | CQSPI_DISABLE_DAC_MODE, ++}; ++ + static const struct of_device_id cqspi_dt_ids[] = { + { + .compatible = "cdns,qspi-nor", +@@ -1917,6 +1932,10 @@ static const struct of_device_id cqspi_dt_ids[] = { + .compatible = "starfive,jh7110-qspi", + .data = &jh7110_qspi, + }, ++ { ++ .compatible = "amd,pensando-elba-qspi", ++ .data = &pensando_cdns_qspi, ++ }, + { /* end of table */ } + }; + +-- +2.39.2 + diff --git a/queue-6.4/spi-dw-add-compatible-for-intel-mount-evans-soc.patch b/queue-6.4/spi-dw-add-compatible-for-intel-mount-evans-soc.patch new file mode 100644 index 00000000000..7e4132d1509 --- /dev/null +++ b/queue-6.4/spi-dw-add-compatible-for-intel-mount-evans-soc.patch @@ -0,0 +1,81 @@ +From 5c7b90ce00cd6f8e21d963c6fe6d85aec915540e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 07:54:01 -0700 +Subject: spi: dw: Add compatible for Intel Mount Evans SoC + +From: Abe Kohandel + +[ Upstream commit 0760d5d0e9f0c0e2200a0323a61d1995bb745dee ] + +The Intel Mount Evans SoC's Integrated Management Complex uses the SPI +controller for access to a NOR SPI FLASH. However, the SoC doesn't +provide a mechanism to override the native chip select signal. + +This driver doesn't use DMA for memory operations when a chip select +override is not provided due to the native chip select timing behavior. +As a result no DMA configuration is done for the controller and this +configuration is not tested. + +The controller also has an errata where a full TX FIFO can result in +data corruption. The suggested workaround is to never completely fill +the FIFO. The TX FIFO has a size of 32 so the fifo_len is set to 31. + +Signed-off-by: Abe Kohandel +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230606145402.474866-2-abe.kohandel@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dw-mmio.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/drivers/spi/spi-dw-mmio.c b/drivers/spi/spi-dw-mmio.c +index 15f5e9cb54ad4..5a38cb09a650d 100644 +--- a/drivers/spi/spi-dw-mmio.c ++++ b/drivers/spi/spi-dw-mmio.c +@@ -236,6 +236,31 @@ static int dw_spi_intel_init(struct platform_device *pdev, + return 0; + } + ++/* ++ * The Intel Mount Evans SoC's Integrated Management Complex uses the ++ * SPI controller for access to a NOR SPI FLASH. However, the SoC doesn't ++ * provide a mechanism to override the native chip select signal. ++ * ++ * This driver doesn't use DMA for memory operations when a chip select ++ * override is not provided due to the native chip select timing behavior. ++ * As a result no DMA configuration is done for the controller and this ++ * configuration is not tested. ++ */ ++static int dw_spi_mountevans_imc_init(struct platform_device *pdev, ++ struct dw_spi_mmio *dwsmmio) ++{ ++ /* ++ * The Intel Mount Evans SoC's Integrated Management Complex DW ++ * apb_ssi_v4.02a controller has an errata where a full TX FIFO can ++ * result in data corruption. The suggested workaround is to never ++ * completely fill the FIFO. The TX FIFO has a size of 32 so the ++ * fifo_len is set to 31. ++ */ ++ dwsmmio->dws.fifo_len = 31; ++ ++ return 0; ++} ++ + static int dw_spi_canaan_k210_init(struct platform_device *pdev, + struct dw_spi_mmio *dwsmmio) + { +@@ -405,6 +430,10 @@ static const struct of_device_id dw_spi_mmio_of_match[] = { + { .compatible = "snps,dwc-ssi-1.01a", .data = dw_spi_hssi_init}, + { .compatible = "intel,keembay-ssi", .data = dw_spi_intel_init}, + { .compatible = "intel,thunderbay-ssi", .data = dw_spi_intel_init}, ++ { ++ .compatible = "intel,mountevans-imc-ssi", ++ .data = dw_spi_mountevans_imc_init, ++ }, + { .compatible = "microchip,sparx5-spi", dw_spi_mscc_sparx5_init}, + { .compatible = "canaan,k210-spi", dw_spi_canaan_k210_init}, + { .compatible = "amd,pensando-elba-spi", .data = dw_spi_elba_init}, +-- +2.39.2 + diff --git a/queue-6.4/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch b/queue-6.4/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch new file mode 100644 index 00000000000..33df33382a5 --- /dev/null +++ b/queue-6.4/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch @@ -0,0 +1,40 @@ +From 18195ef4c4ce79e318fb5c779ab1ea8c6a1e88c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 17:20:20 +0900 +Subject: spi: s3c64xx: clear loopback bit after loopback test + +From: Jaewon Kim + +[ Upstream commit 9ec3c5517e22a12d2ff1b71e844f7913641460c6 ] + +When SPI loopback transfer is performed, S3C64XX_SPI_MODE_SELF_LOOPBACK +bit still remained. It works as loopback even if the next transfer is +not spi loopback mode. +If not SPI_LOOP, needs to clear S3C64XX_SPI_MODE_SELF_LOOPBACK bit. + +Signed-off-by: Jaewon Kim +Fixes: ffb7bcd3b27e ("spi: s3c64xx: support loopback mode") +Reviewed-by: Chanho Park +Link: https://lore.kernel.org/r/20230711082020.138165-1-jaewon02.kim@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c64xx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c +index 7ac17f0d18a95..1a8b31e20baf2 100644 +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -668,6 +668,8 @@ static int s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) + + if ((sdd->cur_mode & SPI_LOOP) && sdd->port_conf->has_loopback) + val |= S3C64XX_SPI_MODE_SELF_LOOPBACK; ++ else ++ val &= ~S3C64XX_SPI_MODE_SELF_LOOPBACK; + + writel(val, regs + S3C64XX_SPI_MODE_CFG); + +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/queue-6.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch new file mode 100644 index 00000000000..c7070edb201 --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch @@ -0,0 +1,77 @@ +From 5b09a1d0f89f0fe1f11380b4827375463adc9b58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:57 +0000 +Subject: tcp: annotate data-races around fastopenq.max_qlen + +From: Eric Dumazet + +[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ] + +This field can be read locklessly. + +Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/tcp.h | 2 +- + net/ipv4/tcp.c | 2 +- + net/ipv4/tcp_fastopen.c | 6 ++++-- + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index b4c08ac869835..91a37c99ba665 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -513,7 +513,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog) + struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; + int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn); + +- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn); ++ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn)); + } + + static inline void tcp_move_syn(struct tcp_sock *tp, +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c9b955d9d7ace..79f29e138fc9f 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -4254,7 +4254,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_FASTOPEN: +- val = icsk->icsk_accept_queue.fastopenq.max_qlen; ++ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen); + break; + + case TCP_FASTOPEN_CONNECT: +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index 45cc7f1ca2961..85e4953f11821 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -296,6 +296,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk, + static bool tcp_fastopen_queue_check(struct sock *sk) + { + struct fastopen_queue *fastopenq; ++ int max_qlen; + + /* Make sure the listener has enabled fastopen, and we don't + * exceed the max # of pending TFO requests allowed before trying +@@ -308,10 +309,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk) + * temporarily vs a server not supporting Fast Open at all. + */ + fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq; +- if (fastopenq->max_qlen == 0) ++ max_qlen = READ_ONCE(fastopenq->max_qlen); ++ if (max_qlen == 0) + return false; + +- if (fastopenq->qlen >= fastopenq->max_qlen) { ++ if (fastopenq->qlen >= max_qlen) { + struct request_sock *req1; + spin_lock(&fastopenq->lock); + req1 = fastopenq->rskq_rst_head; +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch b/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch new file mode 100644 index 00000000000..8e0c0cc38f6 --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch @@ -0,0 +1,69 @@ +From 97078fbe71e9da46eaf0ff1bd216712e9fb816e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:52 +0000 +Subject: tcp: annotate data-races around icsk->icsk_syn_retries + +From: Eric Dumazet + +[ Upstream commit 3a037f0f3c4bfe44518f2fbb478aa2f99a9cd8bb ] + +do_tcp_getsockopt() and reqsk_timer_handler() read +icsk->icsk_syn_retries while another cpu might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/tcp.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 1386787eaf1a5..3105a676eba76 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -1016,7 +1016,7 @@ static void reqsk_timer_handler(struct timer_list *t) + + icsk = inet_csk(sk_listener); + net = sock_net(sk_listener); +- max_syn_ack_retries = icsk->icsk_syn_retries ? : ++ max_syn_ack_retries = READ_ONCE(icsk->icsk_syn_retries) ? : + READ_ONCE(net->ipv4.sysctl_tcp_synack_retries); + /* Normally all the openreqs are young and become mature + * (i.e. converted to established socket) for first timeout. +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index cc7966cfad1a3..488cf4ae75fab 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3400,7 +3400,7 @@ int tcp_sock_set_syncnt(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- inet_csk(sk)->icsk_syn_retries = val; ++ WRITE_ONCE(inet_csk(sk)->icsk_syn_retries, val); + release_sock(sk); + return 0; + } +@@ -3681,7 +3681,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_SYNCNT) + err = -EINVAL; + else +- icsk->icsk_syn_retries = val; ++ WRITE_ONCE(icsk->icsk_syn_retries, val); + break; + + case TCP_SAVE_SYN: +@@ -4102,7 +4102,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + val = keepalive_probes(tp); + break; + case TCP_SYNCNT: +- val = icsk->icsk_syn_retries ? : ++ val = READ_ONCE(icsk->icsk_syn_retries) ? : + READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); + break; + case TCP_LINGER2: +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch b/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch new file mode 100644 index 00000000000..67b0bc746df --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch @@ -0,0 +1,54 @@ +From 65a31d1209b2ad2cee321305e50cc53cc92031e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:56 +0000 +Subject: tcp: annotate data-races around icsk->icsk_user_timeout + +From: Eric Dumazet + +[ Upstream commit 26023e91e12c68669db416b97234328a03d8e499 ] + +This field can be read locklessly from do_tcp_getsockopt() + +Fixes: dca43c75e7e5 ("tcp: Add TCP_USER_TIMEOUT socket option.") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-11-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 4556ba6e7d74d..c9b955d9d7ace 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3409,7 +3409,7 @@ EXPORT_SYMBOL(tcp_sock_set_syncnt); + void tcp_sock_set_user_timeout(struct sock *sk, u32 val) + { + lock_sock(sk); +- inet_csk(sk)->icsk_user_timeout = val; ++ WRITE_ONCE(inet_csk(sk)->icsk_user_timeout, val); + release_sock(sk); + } + EXPORT_SYMBOL(tcp_sock_set_user_timeout); +@@ -3729,7 +3729,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 0) + err = -EINVAL; + else +- icsk->icsk_user_timeout = val; ++ WRITE_ONCE(icsk->icsk_user_timeout, val); + break; + + case TCP_FASTOPEN: +@@ -4250,7 +4250,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_USER_TIMEOUT: +- val = icsk->icsk_user_timeout; ++ val = READ_ONCE(icsk->icsk_user_timeout); + break; + + case TCP_FASTOPEN: +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-rskq_defer_accept.patch b/queue-6.4/tcp-annotate-data-races-around-rskq_defer_accept.patch new file mode 100644 index 00000000000..9a5faac4cb3 --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-rskq_defer_accept.patch @@ -0,0 +1,53 @@ +From f1ac3daf1c804ebe70383f81c2f4438bf429b0b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:54 +0000 +Subject: tcp: annotate data-races around rskq_defer_accept + +From: Eric Dumazet + +[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ] + +do_tcp_getsockopt() reads rskq_defer_accept while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 0ebe775bde688..c95d8b43390b6 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3703,9 +3703,9 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + + case TCP_DEFER_ACCEPT: + /* Translate value in seconds to number of retransmits */ +- icsk->icsk_accept_queue.rskq_defer_accept = +- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, +- TCP_RTO_MAX / HZ); ++ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept, ++ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, ++ TCP_RTO_MAX / HZ)); + break; + + case TCP_WINDOW_CLAMP: +@@ -4111,8 +4111,9 @@ int do_tcp_getsockopt(struct sock *sk, int level, + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; + break; + case TCP_DEFER_ACCEPT: +- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept, +- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ); ++ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept); ++ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ, ++ TCP_RTO_MAX / HZ); + break; + case TCP_WINDOW_CLAMP: + val = tp->window_clamp; +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch b/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch new file mode 100644 index 00000000000..3074c2dd698 --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch @@ -0,0 +1,184 @@ +From b7a226c14fd63574e5f9f99c875c51589d9111f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:44:45 +0000 +Subject: tcp: annotate data-races around tcp_rsk(req)->ts_recent + +From: Eric Dumazet + +[ Upstream commit eba20811f32652bc1a52d5e7cc403859b86390d9 ] + +TCP request sockets are lockless, tcp_rsk(req)->ts_recent +can change while being read by another cpu as syzbot noticed. + +This is harmless, but we should annotate the known races. + +Note that tcp_check_req() changes req->ts_recent a bit early, +we might change this in the future. + +BUG: KCSAN: data-race in tcp_check_req / tcp_check_req + +write to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 1: +tcp_check_req+0x694/0xc70 net/ipv4/tcp_minisocks.c:762 +tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 +ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 +ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 +dst_input include/net/dst.h:468 [inline] +ip_rcv_finish net/ipv4/ip_input.c:449 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 +__netif_receive_skb_one_core net/core/dev.c:5493 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +do_softirq+0x7e/0xb0 kernel/softirq.c:472 +__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:396 +local_bh_enable+0x1f/0x20 include/linux/bottom_half.h:33 +rcu_read_unlock_bh include/linux/rcupdate.h:843 [inline] +__dev_queue_xmit+0xabb/0x1d10 net/core/dev.c:4271 +dev_queue_xmit include/linux/netdevice.h:3088 [inline] +neigh_hh_output include/net/neighbour.h:528 [inline] +neigh_output include/net/neighbour.h:542 [inline] +ip_finish_output2+0x700/0x840 net/ipv4/ip_output.c:229 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:317 +NF_HOOK_COND include/linux/netfilter.h:292 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:431 +dst_output include/net/dst.h:458 [inline] +ip_local_out net/ipv4/ip_output.c:126 [inline] +__ip_queue_xmit+0xa4d/0xa70 net/ipv4/ip_output.c:533 +ip_queue_xmit+0x38/0x40 net/ipv4/ip_output.c:547 +__tcp_transmit_skb+0x1194/0x16e0 net/ipv4/tcp_output.c:1399 +tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] +tcp_write_xmit+0x13ff/0x2fd0 net/ipv4/tcp_output.c:2693 +__tcp_push_pending_frames+0x6a/0x1a0 net/ipv4/tcp_output.c:2877 +tcp_push_pending_frames include/net/tcp.h:1952 [inline] +__tcp_sock_set_cork net/ipv4/tcp.c:3336 [inline] +tcp_sock_set_cork+0xe8/0x100 net/ipv4/tcp.c:3343 +rds_tcp_xmit_path_complete+0x3b/0x40 net/rds/tcp_send.c:52 +rds_send_xmit+0xf8d/0x1420 net/rds/send.c:422 +rds_send_worker+0x42/0x1d0 net/rds/threads.c:200 +process_one_work+0x3e6/0x750 kernel/workqueue.c:2408 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2555 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +read to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 0: +tcp_check_req+0x32a/0xc70 net/ipv4/tcp_minisocks.c:622 +tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 +ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 +ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 +dst_input include/net/dst.h:468 [inline] +ip_rcv_finish net/ipv4/ip_input.c:449 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 +__netif_receive_skb_one_core net/core/dev.c:5493 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:939 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x1cd237f1 -> 0x1cd237f2 + +Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717144445.653164-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 2 +- + net/ipv4/tcp_minisocks.c | 9 ++++++--- + net/ipv4/tcp_output.c | 2 +- + net/ipv6/tcp_ipv6.c | 2 +- + 4 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 52229c75e76f6..5d3e49ceb6917 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -988,7 +988,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + tcp_rsk(req)->rcv_nxt, + req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, +- req->ts_recent, ++ READ_ONCE(req->ts_recent), + 0, + tcp_md5_do_lookup(sk, l3index, addr, AF_INET), + inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +index 909f3b4ed2059..62641d42b06b5 100644 +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -555,7 +555,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, + newtp->max_window = newtp->snd_wnd; + + if (newtp->rx_opt.tstamp_ok) { +- newtp->rx_opt.ts_recent = req->ts_recent; ++ newtp->rx_opt.ts_recent = READ_ONCE(req->ts_recent); + newtp->rx_opt.ts_recent_stamp = ktime_get_seconds(); + newtp->tcp_header_len = sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED; + } else { +@@ -619,7 +619,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, + tcp_parse_options(sock_net(sk), skb, &tmp_opt, 0, NULL); + + if (tmp_opt.saw_tstamp) { +- tmp_opt.ts_recent = req->ts_recent; ++ tmp_opt.ts_recent = READ_ONCE(req->ts_recent); + if (tmp_opt.rcv_tsecr) + tmp_opt.rcv_tsecr -= tcp_rsk(req)->ts_off; + /* We do not store true stamp, but it is not required, +@@ -758,8 +758,11 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, + + /* In sequence, PAWS is OK. */ + ++ /* TODO: We probably should defer ts_recent change once ++ * we take ownership of @req. ++ */ + if (tmp_opt.saw_tstamp && !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt)) +- req->ts_recent = tmp_opt.rcv_tsval; ++ WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval); + + if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn) { + /* Truncate SYN, it is out of window starting +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 1538b59913777..518cb4abc8b4f 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -876,7 +876,7 @@ static unsigned int tcp_synack_options(const struct sock *sk, + if (likely(ireq->tstamp_ok)) { + opts->options |= OPTION_TS; + opts->tsval = tcp_skb_timestamp(skb) + tcp_rsk(req)->ts_off; +- opts->tsecr = req->ts_recent; ++ opts->tsecr = READ_ONCE(req->ts_recent); + remaining -= TCPOLEN_TSTAMP_ALIGNED; + } + if (likely(ireq->sack_ok)) { +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index a3c86b714b242..f7c248a7f8d1d 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1130,7 +1130,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + tcp_rsk(req)->rcv_nxt, + req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, +- req->ts_recent, sk->sk_bound_dev_if, ++ READ_ONCE(req->ts_recent), sk->sk_bound_dev_if, + tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), + ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority, + READ_ONCE(tcp_rsk(req)->txhash)); +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch b/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch new file mode 100644 index 00000000000..1ddefd6e96d --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch @@ -0,0 +1,170 @@ +From 88776fdbebf0e1811026f988f6a954812ae75b6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:44:44 +0000 +Subject: tcp: annotate data-races around tcp_rsk(req)->txhash + +From: Eric Dumazet + +[ Upstream commit 5e5265522a9a7f91d1b0bd411d634bdaf16c80cd ] + +TCP request sockets are lockless, some of their fields +can change while being read by another cpu as syzbot noticed. + +This is usually harmless, but we should annotate the known +races. + +This patch takes care of tcp_rsk(req)->txhash, +a separate one is needed for tcp_rsk(req)->ts_recent. + +BUG: KCSAN: data-race in tcp_make_synack / tcp_rtx_synack + +write to 0xffff8881362304bc of 4 bytes by task 32083 on cpu 1: +tcp_rtx_synack+0x9d/0x2a0 net/ipv4/tcp_output.c:4213 +inet_rtx_syn_ack+0x38/0x80 net/ipv4/inet_connection_sock.c:880 +tcp_check_req+0x379/0xc70 net/ipv4/tcp_minisocks.c:665 +tcp_v6_rcv+0x125b/0x1b20 net/ipv6/tcp_ipv6.c:1673 +ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 +ip6_input_finish net/ipv6/ip6_input.c:482 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 +dst_input include/net/dst.h:468 [inline] +ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 +NF_HOOK include/linux/netfilter.h:303 [inline] +ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 +__netif_receive_skb_one_core net/core/dev.c:5452 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 +netif_receive_skb_internal net/core/dev.c:5652 [inline] +netif_receive_skb+0x4a/0x310 net/core/dev.c:5711 +tun_rx_batched+0x3bf/0x400 +tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997 +tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043 +call_write_iter include/linux/fs.h:1871 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x4ab/0x7d0 fs/read_write.c:584 +ksys_write+0xeb/0x1a0 fs/read_write.c:637 +__do_sys_write fs/read_write.c:649 [inline] +__se_sys_write fs/read_write.c:646 [inline] +__x64_sys_write+0x42/0x50 fs/read_write.c:646 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff8881362304bc of 4 bytes by task 32078 on cpu 0: +tcp_make_synack+0x367/0xb40 net/ipv4/tcp_output.c:3663 +tcp_v6_send_synack+0x72/0x420 net/ipv6/tcp_ipv6.c:544 +tcp_conn_request+0x11a8/0x1560 net/ipv4/tcp_input.c:7059 +tcp_v6_conn_request+0x13f/0x180 net/ipv6/tcp_ipv6.c:1175 +tcp_rcv_state_process+0x156/0x1de0 net/ipv4/tcp_input.c:6494 +tcp_v6_do_rcv+0x98a/0xb70 net/ipv6/tcp_ipv6.c:1509 +tcp_v6_rcv+0x17b8/0x1b20 net/ipv6/tcp_ipv6.c:1735 +ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 +ip6_input_finish net/ipv6/ip6_input.c:482 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 +dst_input include/net/dst.h:468 [inline] +ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 +NF_HOOK include/linux/netfilter.h:303 [inline] +ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 +__netif_receive_skb_one_core net/core/dev.c:5452 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 +netif_receive_skb_internal net/core/dev.c:5652 [inline] +netif_receive_skb+0x4a/0x310 net/core/dev.c:5711 +tun_rx_batched+0x3bf/0x400 +tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997 +tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043 +call_write_iter include/linux/fs.h:1871 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x4ab/0x7d0 fs/read_write.c:584 +ksys_write+0xeb/0x1a0 fs/read_write.c:637 +__do_sys_write fs/read_write.c:649 [inline] +__se_sys_write fs/read_write.c:646 [inline] +__x64_sys_write+0x42/0x50 fs/read_write.c:646 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x91d25731 -> 0xe79325cd + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 32078 Comm: syz-executor.4 Not tainted 6.5.0-rc1-syzkaller-00033-geb26cbb1a754 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 + +Fixes: 58d607d3e52f ("tcp: provide skb->hash to synack packets") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717144445.653164-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 3 ++- + net/ipv4/tcp_minisocks.c | 2 +- + net/ipv4/tcp_output.c | 4 ++-- + net/ipv6/tcp_ipv6.c | 2 +- + 4 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index a64069077e388..52229c75e76f6 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -992,7 +992,8 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + 0, + tcp_md5_do_lookup(sk, l3index, addr, AF_INET), + inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, +- ip_hdr(skb)->tos, tcp_rsk(req)->txhash); ++ ip_hdr(skb)->tos, ++ READ_ONCE(tcp_rsk(req)->txhash)); + } + + /* +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +index dac0d62120e62..909f3b4ed2059 100644 +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -528,7 +528,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, + newicsk->icsk_ack.lrcvtime = tcp_jiffies32; + + newtp->lsndtime = tcp_jiffies32; +- newsk->sk_txhash = treq->txhash; ++ newsk->sk_txhash = READ_ONCE(treq->txhash); + newtp->total_retrans = req->num_retrans; + + tcp_init_xmit_timers(newsk); +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index cfe128b81a010..1538b59913777 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3578,7 +3578,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst, + rcu_read_lock(); + md5 = tcp_rsk(req)->af_specific->req_md5_lookup(sk, req_to_sk(req)); + #endif +- skb_set_hash(skb, tcp_rsk(req)->txhash, PKT_HASH_TYPE_L4); ++ skb_set_hash(skb, READ_ONCE(tcp_rsk(req)->txhash), PKT_HASH_TYPE_L4); + /* bpf program will be interested in the tcp_flags */ + TCP_SKB_CB(skb)->tcp_flags = TCPHDR_SYN | TCPHDR_ACK; + tcp_header_size = tcp_synack_options(sk, req, mss, skb, &opts, md5, +@@ -4121,7 +4121,7 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req) + + /* Paired with WRITE_ONCE() in sock_setsockopt() */ + if (READ_ONCE(sk->sk_txrehash) == SOCK_TXREHASH_ENABLED) +- tcp_rsk(req)->txhash = net_tx_rndhash(); ++ WRITE_ONCE(tcp_rsk(req)->txhash, net_tx_rndhash()); + res = af_ops->send_synack(sk, NULL, &fl, req, NULL, TCP_SYNACK_NORMAL, + NULL); + if (!res) { +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 7132eb213a7a2..a3c86b714b242 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1133,7 +1133,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + req->ts_recent, sk->sk_bound_dev_if, + tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), + ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority, +- tcp_rsk(req)->txhash); ++ READ_ONCE(tcp_rsk(req)->txhash)); + } + + +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_intvl.patch b/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_intvl.patch new file mode 100644 index 00000000000..e11dfeec5ce --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_intvl.patch @@ -0,0 +1,68 @@ +From eb1f807c757603fcae643c60d5656a557d7fcf23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:50 +0000 +Subject: tcp: annotate data-races around tp->keepalive_intvl + +From: Eric Dumazet + +[ Upstream commit 5ecf9d4f52ff2f1d4d44c9b68bc75688e82f13b4 ] + +do_tcp_getsockopt() reads tp->keepalive_intvl while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-5-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 9 +++++++-- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 9a12e8c09ea04..45d50a40795da 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1514,9 +1514,14 @@ void tcp_leave_memory_pressure(struct sock *sk); + static inline int keepalive_intvl_when(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; ++ ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepintvl() ++ * and do_tcp_setsockopt(). ++ */ ++ val = READ_ONCE(tp->keepalive_intvl); + +- return tp->keepalive_intvl ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); ++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); + } + + static inline int keepalive_time_when(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c3b743093d482..514817119bd4d 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3454,7 +3454,7 @@ int tcp_sock_set_keepintvl(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- tcp_sk(sk)->keepalive_intvl = val * HZ; ++ WRITE_ONCE(tcp_sk(sk)->keepalive_intvl, val * HZ); + release_sock(sk); + return 0; + } +@@ -3668,7 +3668,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_KEEPINTVL) + err = -EINVAL; + else +- tp->keepalive_intvl = val * HZ; ++ WRITE_ONCE(tp->keepalive_intvl, val * HZ); + break; + case TCP_KEEPCNT: + if (val < 1 || val > MAX_TCP_KEEPCNT) +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_probes.patch b/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_probes.patch new file mode 100644 index 00000000000..020838dea02 --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_probes.patch @@ -0,0 +1,69 @@ +From 3c544d75eaf9ba69dfea97b2f66579cb211ea2c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:51 +0000 +Subject: tcp: annotate data-races around tp->keepalive_probes + +From: Eric Dumazet + +[ Upstream commit 6e5e1de616bf5f3df1769abc9292191dfad9110a ] + +do_tcp_getsockopt() reads tp->keepalive_probes while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 9 +++++++-- + net/ipv4/tcp.c | 5 +++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 45d50a40795da..f5c20afab6286 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1538,9 +1538,14 @@ static inline int keepalive_time_when(const struct tcp_sock *tp) + static inline int keepalive_probes(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; ++ ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepcnt() ++ * and do_tcp_setsockopt(). ++ */ ++ val = READ_ONCE(tp->keepalive_probes); + +- return tp->keepalive_probes ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); ++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); + } + + static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 514817119bd4d..cc7966cfad1a3 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3466,7 +3466,8 @@ int tcp_sock_set_keepcnt(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- tcp_sk(sk)->keepalive_probes = val; ++ /* Paired with READ_ONCE() in keepalive_probes() */ ++ WRITE_ONCE(tcp_sk(sk)->keepalive_probes, val); + release_sock(sk); + return 0; + } +@@ -3674,7 +3675,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_KEEPCNT) + err = -EINVAL; + else +- tp->keepalive_probes = val; ++ WRITE_ONCE(tp->keepalive_probes, val); + break; + case TCP_SYNCNT: + if (val < 1 || val > MAX_TCP_SYNCNT) +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_time.patch b/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_time.patch new file mode 100644 index 00000000000..bb6ff6bcbd7 --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_time.patch @@ -0,0 +1,58 @@ +From 2eef7f4c025ee2aa146f34a5772cc1b7a238dbca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:49 +0000 +Subject: tcp: annotate data-races around tp->keepalive_time + +From: Eric Dumazet + +[ Upstream commit 4164245c76ff906c9086758e1c3f87082a7f5ef5 ] + +do_tcp_getsockopt() reads tp->keepalive_time while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-4-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 7 +++++-- + net/ipv4/tcp.c | 3 ++- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 5066e4586cf09..9a12e8c09ea04 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1522,9 +1522,12 @@ static inline int keepalive_intvl_when(const struct tcp_sock *tp) + static inline int keepalive_time_when(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; + +- return tp->keepalive_time ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time); ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepidle_locked() */ ++ val = READ_ONCE(tp->keepalive_time); ++ ++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time); + } + + static inline int keepalive_probes(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 15b1191411ec3..c3b743093d482 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3421,7 +3421,8 @@ int tcp_sock_set_keepidle_locked(struct sock *sk, int val) + if (val < 1 || val > MAX_TCP_KEEPIDLE) + return -EINVAL; + +- tp->keepalive_time = val * HZ; ++ /* Paired with WRITE_ONCE() in keepalive_time_when() */ ++ WRITE_ONCE(tp->keepalive_time, val * HZ); + if (sock_flag(sk, SOCK_KEEPOPEN) && + !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) { + u32 elapsed = keepalive_time_elapsed(tp); +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-linger2.patch b/queue-6.4/tcp-annotate-data-races-around-tp-linger2.patch new file mode 100644 index 00000000000..17e38352929 --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-tp-linger2.patch @@ -0,0 +1,52 @@ +From c991ef8d2f78d59e37d46bc34f83543e35380e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:53 +0000 +Subject: tcp: annotate data-races around tp->linger2 + +From: Eric Dumazet + +[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ] + +do_tcp_getsockopt() reads tp->linger2 while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 488cf4ae75fab..0ebe775bde688 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3694,11 +3694,11 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + + case TCP_LINGER2: + if (val < 0) +- tp->linger2 = -1; ++ WRITE_ONCE(tp->linger2, -1); + else if (val > TCP_FIN_TIMEOUT_MAX / HZ) +- tp->linger2 = TCP_FIN_TIMEOUT_MAX; ++ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX); + else +- tp->linger2 = val * HZ; ++ WRITE_ONCE(tp->linger2, val * HZ); + break; + + case TCP_DEFER_ACCEPT: +@@ -4106,7 +4106,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); + break; + case TCP_LINGER2: +- val = tp->linger2; ++ val = READ_ONCE(tp->linger2); + if (val >= 0) + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; + break; +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/queue-6.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch new file mode 100644 index 00000000000..ed048ebf4ba --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch @@ -0,0 +1,64 @@ +From 4bc5036687890dfe01504c01b2f18fd6df09d832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:55 +0000 +Subject: tcp: annotate data-races around tp->notsent_lowat + +From: Eric Dumazet + +[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ] + +tp->notsent_lowat can be read locklessly from do_tcp_getsockopt() +and tcp_poll(). + +Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 6 +++++- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index f5c20afab6286..182337a8cf94a 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -2066,7 +2066,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); + static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); +- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); ++ u32 val; ++ ++ val = READ_ONCE(tp->notsent_lowat); ++ ++ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); + } + + bool tcp_stream_memory_free(const struct sock *sk, int wake); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c95d8b43390b6..4556ba6e7d74d 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3773,7 +3773,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + err = tcp_repair_set_window(tp, optval, optlen); + break; + case TCP_NOTSENT_LOWAT: +- tp->notsent_lowat = val; ++ WRITE_ONCE(tp->notsent_lowat, val); + sk->sk_write_space(sk); + break; + case TCP_INQ: +@@ -4273,7 +4273,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + val = tcp_time_stamp_raw() + READ_ONCE(tp->tsoffset); + break; + case TCP_NOTSENT_LOWAT: +- val = tp->notsent_lowat; ++ val = READ_ONCE(tp->notsent_lowat); + break; + case TCP_INQ: + val = tp->recvmsg_inq; +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch b/queue-6.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch new file mode 100644 index 00000000000..fa3423207b2 --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch @@ -0,0 +1,46 @@ +From 6da2c91d66ac6794f97598f35fdc0561132cce52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:47 +0000 +Subject: tcp: annotate data-races around tp->tcp_tx_delay + +From: Eric Dumazet + +[ Upstream commit 348b81b68b13ebd489a3e6a46aa1c384c731c919 ] + +do_tcp_getsockopt() reads tp->tcp_tx_delay while another cpu +might change its value. + +Fixes: a842fe1425cb ("tcp: add optional per socket transmit delay") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 8d20d9221238c..c0e0add372f75 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3783,7 +3783,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + case TCP_TX_DELAY: + if (val) + tcp_enable_tx_delay(); +- tp->tcp_tx_delay = val; ++ WRITE_ONCE(tp->tcp_tx_delay, val); + break; + default: + err = -ENOPROTOOPT; +@@ -4263,7 +4263,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_TX_DELAY: +- val = tp->tcp_tx_delay; ++ val = READ_ONCE(tp->tcp_tx_delay); + break; + + case TCP_TIMESTAMP: +-- +2.39.2 + diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-tsoffset.patch b/queue-6.4/tcp-annotate-data-races-around-tp-tsoffset.patch new file mode 100644 index 00000000000..3b97d04b026 --- /dev/null +++ b/queue-6.4/tcp-annotate-data-races-around-tp-tsoffset.patch @@ -0,0 +1,63 @@ +From 5388118e5be93f20f250500b27911813da339615 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:48 +0000 +Subject: tcp: annotate data-races around tp->tsoffset + +From: Eric Dumazet + +[ Upstream commit dd23c9f1e8d5c1d2e3d29393412385ccb9c7a948 ] + +do_tcp_getsockopt() reads tp->tsoffset while another cpu +might change its value. + +Fixes: 93be6ce0e91b ("tcp: set and get per-socket timestamp") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + net/ipv4/tcp_ipv4.c | 5 +++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c0e0add372f75..15b1191411ec3 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3765,7 +3765,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (!tp->repair) + err = -EPERM; + else +- tp->tsoffset = val - tcp_time_stamp_raw(); ++ WRITE_ONCE(tp->tsoffset, val - tcp_time_stamp_raw()); + break; + case TCP_REPAIR_WINDOW: + err = tcp_repair_set_window(tp, optval, optlen); +@@ -4267,7 +4267,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_TIMESTAMP: +- val = tcp_time_stamp_raw() + tp->tsoffset; ++ val = tcp_time_stamp_raw() + READ_ONCE(tp->tsoffset); + break; + case TCP_NOTSENT_LOWAT: + val = tp->notsent_lowat; +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 5d3e49ceb6917..f37d13ee7b4cc 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -307,8 +307,9 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + inet->inet_daddr, + inet->inet_sport, + usin->sin_port)); +- tp->tsoffset = secure_tcp_ts_off(net, inet->inet_saddr, +- inet->inet_daddr); ++ WRITE_ONCE(tp->tsoffset, ++ secure_tcp_ts_off(net, inet->inet_saddr, ++ inet->inet_daddr)); + } + + inet->inet_id = get_random_u16(); +-- +2.39.2 + diff --git a/queue-6.4/tools-nolibc-ensure-stack-protector-guard-is-never-z.patch b/queue-6.4/tools-nolibc-ensure-stack-protector-guard-is-never-z.patch new file mode 100644 index 00000000000..1fee388a390 --- /dev/null +++ b/queue-6.4/tools-nolibc-ensure-stack-protector-guard-is-never-z.patch @@ -0,0 +1,45 @@ +From f43714dfffa897d008f9e65fde3c5aa5e8c9d357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 May 2023 11:36:31 +0200 +Subject: tools/nolibc: ensure stack protector guard is never zero +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 88fc7eb54ecc6db8b773341ce39ad201066fa7da ] + +The all-zero pattern is one of the more probable out-of-bound writes so +add a special case to not accidentally accept it. + +Also it enables the reliable detection of stack protector initialization +during testing. + +Signed-off-by: Thomas Weißschuh +Signed-off-by: Willy Tarreau +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + tools/include/nolibc/stackprotector.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/include/nolibc/stackprotector.h b/tools/include/nolibc/stackprotector.h +index d119cbbbc256f..9890e86c26172 100644 +--- a/tools/include/nolibc/stackprotector.h ++++ b/tools/include/nolibc/stackprotector.h +@@ -45,8 +45,9 @@ __attribute__((weak,no_stack_protector,section(".text.nolibc_stack_chk"))) + void __stack_chk_init(void) + { + my_syscall3(__NR_getrandom, &__stack_chk_guard, sizeof(__stack_chk_guard), 0); +- /* a bit more randomness in case getrandom() fails */ +- __stack_chk_guard ^= (uintptr_t) &__stack_chk_guard; ++ /* a bit more randomness in case getrandom() fails, ensure the guard is never 0 */ ++ if (__stack_chk_guard != (uintptr_t) &__stack_chk_guard) ++ __stack_chk_guard ^= (uintptr_t) &__stack_chk_guard; + } + #endif // defined(NOLIBC_STACKPROTECTOR) + +-- +2.39.2 + diff --git a/queue-6.4/udf-fix-uninitialized-array-access-for-some-pathname.patch b/queue-6.4/udf-fix-uninitialized-array-access-for-some-pathname.patch new file mode 100644 index 00000000000..f441b8a81d2 --- /dev/null +++ b/queue-6.4/udf-fix-uninitialized-array-access-for-some-pathname.patch @@ -0,0 +1,41 @@ +From 5afab5540afc4763031f025a6abfd3be2b509cbf Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 21 Jun 2023 11:32:35 +0200 +Subject: [PATCH AUTOSEL 5.4 07/12] udf: Fix uninitialized array access for + some pathnames +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 028f6055c912588e6f72722d89c30b401bbcf013 ] + +For filenames that begin with . and are between 2 and 5 characters long, +UDF charset conversion code would read uninitialized memory in the +output buffer. The only practical impact is that the name may be prepended a +"unification hash" when it is not actually needed but still it is good +to fix this. + +Reported-by: syzbot+cd311b1e43cc25f90d18@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000e2638a05fe9dc8f9@google.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/unicode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c +index 622569007b530..2142cbd1dde24 100644 +--- a/fs/udf/unicode.c ++++ b/fs/udf/unicode.c +@@ -247,7 +247,7 @@ static int udf_name_from_CS0(struct super_block *sb, + } + + if (translate) { +- if (str_o_len <= 2 && str_o[0] == '.' && ++ if (str_o_len > 0 && str_o_len <= 2 && str_o[0] == '.' && + (str_o_len == 1 || str_o[1] == '.')) + needsCRC = 1; + if (needsCRC) { +-- +2.39.2 + diff --git a/queue-6.4/vrf-fix-lockdep-splat-in-output-path.patch b/queue-6.4/vrf-fix-lockdep-splat-in-output-path.patch new file mode 100644 index 00000000000..17befa9989a --- /dev/null +++ b/queue-6.4/vrf-fix-lockdep-splat-in-output-path.patch @@ -0,0 +1,156 @@ +From 758179b3adfd2b1b23f1aeb82d8d9fbcdd680dea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jul 2023 18:36:05 +0300 +Subject: vrf: Fix lockdep splat in output path + +From: Ido Schimmel + +[ Upstream commit 2033ab90380d46e0e9f0520fd6776a73d107fd95 ] + +Cited commit converted the neighbour code to use the standard RCU +variant instead of the RCU-bh variant, but the VRF code still uses +rcu_read_lock_bh() / rcu_read_unlock_bh() around the neighbour lookup +code in its IPv4 and IPv6 output paths, resulting in lockdep splats +[1][2]. Can be reproduced using [3]. + +Fix by switching to rcu_read_lock() / rcu_read_unlock(). + +[1] +============================= +WARNING: suspicious RCU usage +6.5.0-rc1-custom-g9c099e6dbf98 #403 Not tainted +----------------------------- +include/net/neighbour.h:302 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +2 locks held by ping/183: + #0: ffff888105ea1d80 (sk_lock-AF_INET){+.+.}-{0:0}, at: raw_sendmsg+0xc6c/0x33c0 + #1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output+0x2e3/0x2030 + +stack backtrace: +CPU: 0 PID: 183 Comm: ping Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 #403 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014 +Call Trace: + + dump_stack_lvl+0xc1/0xf0 + lockdep_rcu_suspicious+0x211/0x3b0 + vrf_output+0x1380/0x2030 + ip_push_pending_frames+0x125/0x2a0 + raw_sendmsg+0x200d/0x33c0 + inet_sendmsg+0xa2/0xe0 + __sys_sendto+0x2aa/0x420 + __x64_sys_sendto+0xe5/0x1c0 + do_syscall_64+0x38/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +[2] +============================= +WARNING: suspicious RCU usage +6.5.0-rc1-custom-g9c099e6dbf98 #403 Not tainted +----------------------------- +include/net/neighbour.h:302 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +2 locks held by ping6/182: + #0: ffff888114b63000 (sk_lock-AF_INET6){+.+.}-{0:0}, at: rawv6_sendmsg+0x1602/0x3e50 + #1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output6+0xe9/0x1310 + +stack backtrace: +CPU: 0 PID: 182 Comm: ping6 Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 #403 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014 +Call Trace: + + dump_stack_lvl+0xc1/0xf0 + lockdep_rcu_suspicious+0x211/0x3b0 + vrf_output6+0xd32/0x1310 + ip6_local_out+0xb4/0x1a0 + ip6_send_skb+0xbc/0x340 + ip6_push_pending_frames+0xe5/0x110 + rawv6_sendmsg+0x2e6e/0x3e50 + inet_sendmsg+0xa2/0xe0 + __sys_sendto+0x2aa/0x420 + __x64_sys_sendto+0xe5/0x1c0 + do_syscall_64+0x38/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +[3] +#!/bin/bash + +ip link add name vrf-red up numtxqueues 2 type vrf table 10 +ip link add name swp1 up master vrf-red type dummy +ip address add 192.0.2.1/24 dev swp1 +ip address add 2001:db8:1::1/64 dev swp1 +ip neigh add 192.0.2.2 lladdr 00:11:22:33:44:55 nud perm dev swp1 +ip neigh add 2001:db8:1::2 lladdr 00:11:22:33:44:55 nud perm dev swp1 +ip vrf exec vrf-red ping 192.0.2.2 -c 1 &> /dev/null +ip vrf exec vrf-red ping6 2001:db8:1::2 -c 1 &> /dev/null + +Fixes: 09eed1192cec ("neighbour: switch to standard rcu, instead of rcu_bh") +Reported-by: Naresh Kamboju +Link: https://lore.kernel.org/netdev/CA+G9fYtEr-=GbcXNDYo3XOkwR+uYgehVoDjsP0pFLUpZ_AZcyg@mail.gmail.com/ +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230715153605.4068066-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vrf.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index bdb3a76a352e4..6043e63b42f97 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -664,7 +664,7 @@ static int vrf_finish_output6(struct net *net, struct sock *sk, + skb->protocol = htons(ETH_P_IPV6); + skb->dev = dev; + +- rcu_read_lock_bh(); ++ rcu_read_lock(); + nexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr); + neigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop); + if (unlikely(!neigh)) +@@ -672,10 +672,10 @@ static int vrf_finish_output6(struct net *net, struct sock *sk, + if (!IS_ERR(neigh)) { + sock_confirm_neigh(skb, neigh); + ret = neigh_output(neigh, skb, false); +- rcu_read_unlock_bh(); ++ rcu_read_unlock(); + return ret; + } +- rcu_read_unlock_bh(); ++ rcu_read_unlock(); + + IP6_INC_STATS(dev_net(dst->dev), + ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); +@@ -889,7 +889,7 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s + } + } + +- rcu_read_lock_bh(); ++ rcu_read_lock(); + + neigh = ip_neigh_for_gw(rt, skb, &is_v6gw); + if (!IS_ERR(neigh)) { +@@ -898,11 +898,11 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s + sock_confirm_neigh(skb, neigh); + /* if crossing protocols, can not use the cached header */ + ret = neigh_output(neigh, skb, is_v6gw); +- rcu_read_unlock_bh(); ++ rcu_read_unlock(); + return ret; + } + +- rcu_read_unlock_bh(); ++ rcu_read_unlock(); + vrf_tx_error(skb->dev, skb); + return -EINVAL; + } +-- +2.39.2 + diff --git a/queue-6.4/wifi-ath11k-add-support-default-regdb-while-searchin.patch b/queue-6.4/wifi-ath11k-add-support-default-regdb-while-searchin.patch new file mode 100644 index 00000000000..f161a7312f6 --- /dev/null +++ b/queue-6.4/wifi-ath11k-add-support-default-regdb-while-searchin.patch @@ -0,0 +1,137 @@ +From 840cfcbe99d98723176ed5ffc3c5bc25c8fa6eae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 12:41:06 +0300 +Subject: wifi: ath11k: add support default regdb while searching board-2.bin + for WCN6855 + +From: Wen Gong + +[ Upstream commit 88ca89202f8e8afb5225eb5244d79cd67c15d744 ] + +Sometimes board-2.bin does not have the regdb data which matched the +parameters such as vendor, device, subsystem-vendor, subsystem-device +and etc. Add default regdb data with 'bus=%s' into board-2.bin for +WCN6855, then ath11k use 'bus=pci' to search regdb data in board-2.bin +for WCN6855. + +kernel: [ 122.515808] ath11k_pci 0000:03:00.0: boot using board name 'bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=262' +kernel: [ 122.517240] ath11k_pci 0000:03:00.0: boot firmware request ath11k/WCN6855/hw2.0/board-2.bin size 6179564 +kernel: [ 122.517280] ath11k_pci 0000:03:00.0: failed to fetch regdb data for bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=262 from ath11k/WCN6855/hw2.0/board-2.bin +kernel: [ 122.517464] ath11k_pci 0000:03:00.0: boot using board name 'bus=pci' +kernel: [ 122.518901] ath11k_pci 0000:03:00.0: boot firmware request ath11k/WCN6855/hw2.0/board-2.bin size 6179564 +kernel: [ 122.518915] ath11k_pci 0000:03:00.0: board name +kernel: [ 122.518917] ath11k_pci 0000:03:00.0: 00000000: 62 75 73 3d 70 63 69 bus=pci +kernel: [ 122.518918] ath11k_pci 0000:03:00.0: boot found match regdb data for name 'bus=pci' +kernel: [ 122.518920] ath11k_pci 0000:03:00.0: boot found regdb data for 'bus=pci' +kernel: [ 122.518921] ath11k_pci 0000:03:00.0: fetched regdb + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 + +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230517133959.8224-1-quic_wgong@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.c | 53 +++++++++++++++++++------- + 1 file changed, 40 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c +index 9de23c11e18bb..8ab1a62351b98 100644 +--- a/drivers/net/wireless/ath/ath11k/core.c ++++ b/drivers/net/wireless/ath/ath11k/core.c +@@ -962,7 +962,8 @@ int ath11k_core_check_dt(struct ath11k_base *ab) + } + + static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, +- size_t name_len, bool with_variant) ++ size_t name_len, bool with_variant, ++ bool bus_type_mode) + { + /* strlen(',variant=') + strlen(ab->qmi.target.bdf_ext) */ + char variant[9 + ATH11K_QMI_BDF_EXT_STR_LENGTH] = { 0 }; +@@ -973,15 +974,20 @@ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, + + switch (ab->id.bdf_search) { + case ATH11K_BDF_SEARCH_BUS_AND_BOARD: +- scnprintf(name, name_len, +- "bus=%s,vendor=%04x,device=%04x,subsystem-vendor=%04x,subsystem-device=%04x,qmi-chip-id=%d,qmi-board-id=%d%s", +- ath11k_bus_str(ab->hif.bus), +- ab->id.vendor, ab->id.device, +- ab->id.subsystem_vendor, +- ab->id.subsystem_device, +- ab->qmi.target.chip_id, +- ab->qmi.target.board_id, +- variant); ++ if (bus_type_mode) ++ scnprintf(name, name_len, ++ "bus=%s", ++ ath11k_bus_str(ab->hif.bus)); ++ else ++ scnprintf(name, name_len, ++ "bus=%s,vendor=%04x,device=%04x,subsystem-vendor=%04x,subsystem-device=%04x,qmi-chip-id=%d,qmi-board-id=%d%s", ++ ath11k_bus_str(ab->hif.bus), ++ ab->id.vendor, ab->id.device, ++ ab->id.subsystem_vendor, ++ ab->id.subsystem_device, ++ ab->qmi.target.chip_id, ++ ab->qmi.target.board_id, ++ variant); + break; + default: + scnprintf(name, name_len, +@@ -1000,13 +1006,19 @@ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, + static int ath11k_core_create_board_name(struct ath11k_base *ab, char *name, + size_t name_len) + { +- return __ath11k_core_create_board_name(ab, name, name_len, true); ++ return __ath11k_core_create_board_name(ab, name, name_len, true, false); + } + + static int ath11k_core_create_fallback_board_name(struct ath11k_base *ab, char *name, + size_t name_len) + { +- return __ath11k_core_create_board_name(ab, name, name_len, false); ++ return __ath11k_core_create_board_name(ab, name, name_len, false, false); ++} ++ ++static int ath11k_core_create_bus_type_board_name(struct ath11k_base *ab, char *name, ++ size_t name_len) ++{ ++ return __ath11k_core_create_board_name(ab, name, name_len, false, true); + } + + const struct firmware *ath11k_core_firmware_request(struct ath11k_base *ab, +@@ -1310,7 +1322,7 @@ int ath11k_core_fetch_bdf(struct ath11k_base *ab, struct ath11k_board_data *bd) + + int ath11k_core_fetch_regdb(struct ath11k_base *ab, struct ath11k_board_data *bd) + { +- char boardname[BOARD_NAME_SIZE]; ++ char boardname[BOARD_NAME_SIZE], default_boardname[BOARD_NAME_SIZE]; + int ret; + + ret = ath11k_core_create_board_name(ab, boardname, BOARD_NAME_SIZE); +@@ -1327,6 +1339,21 @@ int ath11k_core_fetch_regdb(struct ath11k_base *ab, struct ath11k_board_data *bd + if (!ret) + goto exit; + ++ ret = ath11k_core_create_bus_type_board_name(ab, default_boardname, ++ BOARD_NAME_SIZE); ++ if (ret) { ++ ath11k_dbg(ab, ATH11K_DBG_BOOT, ++ "failed to create default board name for regdb: %d", ret); ++ goto exit; ++ } ++ ++ ret = ath11k_core_fetch_board_data_api_n(ab, bd, default_boardname, ++ ATH11K_BD_IE_REGDB, ++ ATH11K_BD_IE_REGDB_NAME, ++ ATH11K_BD_IE_REGDB_DATA); ++ if (!ret) ++ goto exit; ++ + ret = ath11k_core_fetch_board_data_api_1(ab, bd, ATH11K_REGDB_FILE_NAME); + if (ret) + ath11k_dbg(ab, ATH11K_DBG_BOOT, "failed to fetch %s from %s\n", +-- +2.39.2 + diff --git a/queue-6.4/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch b/queue-6.4/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch new file mode 100644 index 00000000000..0535b3157d7 --- /dev/null +++ b/queue-6.4/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch @@ -0,0 +1,63 @@ +From 83694f488fc680ab7e911063ae8091119626d81b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 14:41:28 +0530 +Subject: wifi: ath11k: fix memory leak in WMI firmware stats + +From: P Praneesh + +[ Upstream commit 6aafa1c2d3e3fea2ebe84c018003f2a91722e607 ] + +Memory allocated for firmware pdev, vdev and beacon statistics +are not released during rmmod. + +Fix it by calling ath11k_fw_stats_free() function before hardware +unregister. + +While at it, avoid calling ath11k_fw_stats_free() while processing +the firmware stats received in the WMI event because the local list +is getting spliced and reinitialised and hence there are no elements +in the list after splicing. + +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: P Praneesh +Signed-off-by: Aditya Kumar Singh +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230606091128.14202-1-quic_adisi@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 1 + + drivers/net/wireless/ath/ath11k/wmi.c | 5 +++++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 05920ad413c55..01ff197b017f7 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -9468,6 +9468,7 @@ void ath11k_mac_destroy(struct ath11k_base *ab) + if (!ar) + continue; + ++ ath11k_fw_stats_free(&ar->fw_stats); + ieee80211_free_hw(ar->hw); + pdev->ar = NULL; + } +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index d0b59bc2905a9..42d9b29623a47 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -8103,6 +8103,11 @@ static void ath11k_update_stats_event(struct ath11k_base *ab, struct sk_buff *sk + rcu_read_unlock(); + spin_unlock_bh(&ar->data_lock); + ++ /* Since the stats's pdev, vdev and beacon list are spliced and reinitialised ++ * at this point, no need to free the individual list. ++ */ ++ return; ++ + free: + ath11k_fw_stats_free(&stats); + } +-- +2.39.2 + diff --git a/queue-6.4/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch b/queue-6.4/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch new file mode 100644 index 00000000000..9ce3d807503 --- /dev/null +++ b/queue-6.4/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch @@ -0,0 +1,71 @@ +From 897dae6285f339120b727c5a3f8488b3ff25af16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 16:54:45 +0200 +Subject: wifi: ath11k: fix registration of 6Ghz-only phy without the full + channel range + +From: Maxime Bizon + +[ Upstream commit e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14 ] + +Because of what seems to be a typo, a 6Ghz-only phy for which the BDF +does not allow the 7115Mhz channel will fail to register: + + WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954 + Modules linked in: ath11k_pci sbsa_gwdt + CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9 + Hardware name: Freebox V7R Board (DT) + Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : wiphy_register+0x914/0x954 + lr : ieee80211_register_hw+0x67c/0xc10 + sp : ffffff800b123aa0 + x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000 + x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418 + x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168 + x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014 + x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f + x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd + x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718 + x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006 + x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284 + x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000 + Call trace: + wiphy_register+0x914/0x954 + ieee80211_register_hw+0x67c/0xc10 + ath11k_mac_register+0x7c4/0xe10 + ath11k_core_qmi_firmware_ready+0x1f4/0x570 + ath11k_qmi_driver_event_work+0x198/0x590 + process_one_work+0x1b8/0x328 + worker_thread+0x6c/0x414 + kthread+0x100/0x104 + ret_from_fork+0x10/0x20 + ---[ end trace 0000000000000000 ]--- + ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22 + ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22 + ath11k_pci 0002:01:00.0: failed to create pdev core: -22 + +Signed-off-by: Maxime Bizon +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230421145445.2612280-1-mbizon@freebox.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 1c93f1afccc57..05920ad413c55 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -8892,7 +8892,7 @@ static int ath11k_mac_setup_channels_rates(struct ath11k *ar, + } + + if (supported_bands & WMI_HOST_WLAN_5G_CAP) { +- if (reg_cap->high_5ghz_chan >= ATH11K_MAX_6G_FREQ) { ++ if (reg_cap->high_5ghz_chan >= ATH11K_MIN_6G_FREQ) { + channels = kmemdup(ath11k_6ghz_channels, + sizeof(ath11k_6ghz_channels), GFP_KERNEL); + if (!channels) { +-- +2.39.2 + diff --git a/queue-6.4/wifi-ath12k-avoid-null-pointer-access-during-managem.patch b/queue-6.4/wifi-ath12k-avoid-null-pointer-access-during-managem.patch new file mode 100644 index 00000000000..b94f627d18f --- /dev/null +++ b/queue-6.4/wifi-ath12k-avoid-null-pointer-access-during-managem.patch @@ -0,0 +1,41 @@ +From 45f055b96df5274a12510ef11de0f670e5e27c58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 13:35:15 +0300 +Subject: wifi: ath12k: Avoid NULL pointer access during management transmit + cleanup + +From: Balamurugan S + +[ Upstream commit 054b5580a36e435692c203c19abdcb9f7734320e ] + +Currently 'ar' reference is not added in skb_cb. +Though this is generally not used during transmit completion +callbacks, on interface removal the remaining idr cleanup callback +uses the ar pointer from skb_cb from management txmgmt_idr. Hence fill them +during transmit call for proper usage to avoid NULL pointer dereference. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Balamurugan S +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230518071046.14337-1-quic_bselvara@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index ee792822b4113..58acfe8fdf8c0 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -4425,6 +4425,7 @@ static int ath12k_mac_mgmt_tx_wmi(struct ath12k *ar, struct ath12k_vif *arvif, + int buf_id; + int ret; + ++ ATH12K_SKB_CB(skb)->ar = ar; + spin_lock_bh(&ar->txmgmt_idr_lock); + buf_id = idr_alloc(&ar->txmgmt_idr, skb, 0, + ATH12K_TX_MGMT_NUM_PENDING_MAX, GFP_ATOMIC); +-- +2.39.2 + diff --git a/queue-6.4/wifi-iwlwifi-add-support-for-new-pci-id.patch b/queue-6.4/wifi-iwlwifi-add-support-for-new-pci-id.patch new file mode 100644 index 00000000000..3c1ae137475 --- /dev/null +++ b/queue-6.4/wifi-iwlwifi-add-support-for-new-pci-id.patch @@ -0,0 +1,43 @@ +From 52ee25f8ec39aa349eac6d31f626770d6bd2b068 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:03:59 +0300 +Subject: wifi: iwlwifi: Add support for new PCI Id + +From: Mukesh Sisodiya + +[ Upstream commit 35bd6f1d043d089fcb60450e1287cc65f0095787 ] + +Add support for the PCI Id 51F1 without IMR support. + +Signed-off-by: Mukesh Sisodiya +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230620125813.9800e652e789.Ic06a085832ac3f988c8ef07d856c8e281563295d@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index 79115eb1c2852..e9fe6cea891aa 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -495,6 +495,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x7AF0, PCI_ANY_ID, iwl_so_trans_cfg)}, + {IWL_PCI_DEVICE(0x51F0, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, + {IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_imr_trans_cfg)}, ++ {IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, + {IWL_PCI_DEVICE(0x54F0, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, + {IWL_PCI_DEVICE(0x7F70, PCI_ANY_ID, iwl_so_trans_cfg)}, + +@@ -544,6 +545,7 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { + IWL_DEV_INFO(0x51F0, 0x1551, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_160_name), + IWL_DEV_INFO(0x51F0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), + IWL_DEV_INFO(0x51F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), ++ IWL_DEV_INFO(0x51F1, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), + IWL_DEV_INFO(0x54F0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), + IWL_DEV_INFO(0x54F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), + IWL_DEV_INFO(0x7A70, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), +-- +2.39.2 + diff --git a/queue-6.4/wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch b/queue-6.4/wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch new file mode 100644 index 00000000000..2e4d18afa45 --- /dev/null +++ b/queue-6.4/wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch @@ -0,0 +1,68 @@ +From 153c633de624c710571fbdd0782a74845b1b2774 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 15:50:08 +0300 +Subject: wifi: iwlwifi: mvm: Add NULL check before dereferencing the pointer + +From: Mukesh Sisodiya + +[ Upstream commit 7dd50fd5478056929a012c6bf8b3c6f87c7e9e87 ] + +While vif pointers are protected by the corresponding "*active" +fields, static checkers can get confused sometimes. Add an explicit +check. + +Signed-off-by: Mukesh Sisodiya +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230614154951.78749ae91fb5.Id3c05d13eeee6638f0930f750e93fb928d5c9dee@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/power.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/power.c b/drivers/net/wireless/intel/iwlwifi/mvm/power.c +index ac1dae52556f8..19839cc44eb3d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/power.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/power.c +@@ -647,30 +647,32 @@ static void iwl_mvm_power_set_pm(struct iwl_mvm *mvm, + return; + + /* enable PM on bss if bss stand alone */ +- if (vifs->bss_active && !vifs->p2p_active && !vifs->ap_active) { ++ if (bss_mvmvif && vifs->bss_active && !vifs->p2p_active && ++ !vifs->ap_active) { + bss_mvmvif->pm_enabled = true; + return; + } + + /* enable PM on p2p if p2p stand alone */ +- if (vifs->p2p_active && !vifs->bss_active && !vifs->ap_active) { ++ if (p2p_mvmvif && vifs->p2p_active && !vifs->bss_active && ++ !vifs->ap_active) { + p2p_mvmvif->pm_enabled = true; + return; + } + +- if (vifs->bss_active && vifs->p2p_active) ++ if (p2p_mvmvif && bss_mvmvif && vifs->bss_active && vifs->p2p_active) + client_same_channel = + iwl_mvm_have_links_same_channel(bss_mvmvif, p2p_mvmvif); + +- if (vifs->bss_active && vifs->ap_active) ++ if (bss_mvmvif && ap_mvmvif && vifs->bss_active && vifs->ap_active) + ap_same_channel = + iwl_mvm_have_links_same_channel(bss_mvmvif, ap_mvmvif); + + /* clients are not stand alone: enable PM if DCM */ + if (!(client_same_channel || ap_same_channel)) { +- if (vifs->bss_active) ++ if (bss_mvmvif && vifs->bss_active) + bss_mvmvif->pm_enabled = true; +- if (vifs->p2p_active) ++ if (p2p_mvmvif && vifs->p2p_active) + p2p_mvmvif->pm_enabled = true; + return; + } +-- +2.39.2 + diff --git a/queue-6.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/queue-6.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch new file mode 100644 index 00000000000..134f5d4e344 --- /dev/null +++ b/queue-6.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch @@ -0,0 +1,47 @@ +From dace976cec6dcc24ea4796d017d381407df57a5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:04:02 +0300 +Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow + +From: Johannes Berg + +[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ] + +Roee reported various hard-to-debug crashes with pings in +EHT aggregation scenarios. Enabling KASAN showed that we +access the BAID allocation out of bounds, and looking at +the code a bit shows that since the reorder buffer entry +(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug +such as lockdep is enabled, then staring from an agg size +512 we overflow the size calculation, and allocate a much +smaller structure than we should, causing slab corruption +once we initialize this. + +Fix this by simply using u32 instead of u16. + +Reported-by: Roee Goldfiner +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +index b85e363544f8b..7f9a809dd081c 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -2884,7 +2884,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta, + } + + if (iwl_mvm_has_new_rx_api(mvm) && start) { +- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); ++ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); + + /* sparse doesn't like the __align() so don't check */ + #ifndef __CHECKER__ +-- +2.39.2 + diff --git a/queue-6.4/wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch b/queue-6.4/wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch new file mode 100644 index 00000000000..d1c5e8b417e --- /dev/null +++ b/queue-6.4/wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch @@ -0,0 +1,51 @@ +From a37efc3bc4885e014924de01edb24e2175627ad3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 15:57:21 +0300 +Subject: wifi: iwlwifi: mvm: fix potential array out of bounds access + +From: Gregory Greenman + +[ Upstream commit 637452360ecde9ac972d19416e9606529576b302 ] + +Account for IWL_SEC_WEP_KEY_OFFSET when needed while verifying +key_len size in iwl_mvm_sec_key_add(). + +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230613155501.f193b7493a93.I6948ba625b9318924b96a5e22602ac75d2bd0125@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c +index 8853821b37168..1e659bd07392a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause + /* +- * Copyright (C) 2022 Intel Corporation ++ * Copyright (C) 2022 - 2023 Intel Corporation + */ + #include + #include +@@ -179,9 +179,14 @@ int iwl_mvm_sec_key_add(struct iwl_mvm *mvm, + .u.add.key_flags = cpu_to_le32(key_flags), + .u.add.tx_seq = cpu_to_le64(atomic64_read(&keyconf->tx_pn)), + }; ++ int max_key_len = sizeof(cmd.u.add.key); + int ret; + +- if (WARN_ON(keyconf->keylen > sizeof(cmd.u.add.key))) ++ if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 || ++ keyconf->cipher == WLAN_CIPHER_SUITE_WEP104) ++ max_key_len -= IWL_SEC_WEP_KEY_OFFSET; ++ ++ if (WARN_ON(keyconf->keylen > max_key_len)) + return -EINVAL; + + if (WARN_ON(!sta_mask)) +-- +2.39.2 + diff --git a/queue-6.4/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch b/queue-6.4/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch new file mode 100644 index 00000000000..482fbaaa02d --- /dev/null +++ b/queue-6.4/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch @@ -0,0 +1,38 @@ +From 34442c9ff04263d558c7a4292daac7e818b44817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 13:12:20 +0300 +Subject: wifi: iwlwifi: pcie: add device id 51F1 for killer 1675 + +From: Yi Kuo + +[ Upstream commit f4daceae4087bbb3e9a56044b44601d520d009d2 ] + +Intel Killer AX1675i/s with device id 51f1 would show +"No config found for PCI dev 51f1/1672" in dmesg and refuse to work. +Add the new device id 51F1 for 1675i/s to fix the issue. + +Signed-off-by: Yi Kuo +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230621130444.ee224675380b.I921c905e21e8d041ad808def8f454f27b5ebcd8b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index e9fe6cea891aa..e086664a4eaca 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -684,6 +684,8 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { + IWL_DEV_INFO(0x2726, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), + IWL_DEV_INFO(0x51F0, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), + IWL_DEV_INFO(0x51F0, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), ++ IWL_DEV_INFO(0x51F1, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), ++ IWL_DEV_INFO(0x51F1, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), + IWL_DEV_INFO(0x54F0, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), + IWL_DEV_INFO(0x54F0, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), + IWL_DEV_INFO(0x7A70, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), +-- +2.39.2 + diff --git a/queue-6.4/wifi-mac80211_hwsim-fix-possible-null-dereference.patch b/queue-6.4/wifi-mac80211_hwsim-fix-possible-null-dereference.patch new file mode 100644 index 00000000000..e3f1c611b85 --- /dev/null +++ b/queue-6.4/wifi-mac80211_hwsim-fix-possible-null-dereference.patch @@ -0,0 +1,46 @@ +From d130537977b35b9a7ba5591cd4645081cdf732e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 12:11:27 +0300 +Subject: wifi: mac80211_hwsim: Fix possible NULL dereference + +From: Ilan Peer + +[ Upstream commit 0cc80943ef518a1c51a1111e9346d1daf11dd545 ] + +In a call to mac80211_hwsim_select_tx_link() the sta pointer might +be NULL, thus need to check that it is not NULL before accessing it. + +Signed-off-by: Ilan Peer +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230604120651.f4d889fc98c4.Iae85f527ed245a37637a874bb8b8c83d79812512@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/virtual/mac80211_hwsim.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c +index 89c7a1420381d..ed5af63025979 100644 +--- a/drivers/net/wireless/virtual/mac80211_hwsim.c ++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c +@@ -4,7 +4,7 @@ + * Copyright (c) 2008, Jouni Malinen + * Copyright (c) 2011, Javier Lopez + * Copyright (c) 2016 - 2017 Intel Deutschland GmbH +- * Copyright (C) 2018 - 2022 Intel Corporation ++ * Copyright (C) 2018 - 2023 Intel Corporation + */ + + /* +@@ -1864,7 +1864,7 @@ mac80211_hwsim_select_tx_link(struct mac80211_hwsim_data *data, + + WARN_ON(is_multicast_ether_addr(hdr->addr1)); + +- if (WARN_ON_ONCE(!sta->valid_links)) ++ if (WARN_ON_ONCE(!sta || !sta->valid_links)) + return &vif->bss_conf; + + for (i = 0; i < ARRAY_SIZE(vif->link_conf); i++) { +-- +2.39.2 + diff --git a/queue-6.4/wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch b/queue-6.4/wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch new file mode 100644 index 00000000000..e3b4b1b0414 --- /dev/null +++ b/queue-6.4/wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch @@ -0,0 +1,93 @@ +From 4357179094d447fe2d49c33c6de95fab7905d53f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 22:24:22 +0200 +Subject: wifi: rtw88: sdio: Check the HISR RX_REQUEST bit in rtw_sdio_rx_isr() + +From: Martin Blumenstingl + +[ Upstream commit e967229ead0e6c5047a1cfd5a0db58ceb930800b ] + +rtw_sdio_rx_isr() is responsible for receiving data from the wifi chip +and is called from the SDIO interrupt handler when the interrupt status +register (HISR) has the RX_REQUEST bit set. After the first batch of +data has been processed by the driver the wifi chip may have more data +ready to be read, which is managed by a loop in rtw_sdio_rx_isr(). + +It turns out that there are cases where the RX buffer length (from the +REG_SDIO_RX0_REQ_LEN register) does not match the data we receive. The +following two cases were observed with a RTL8723DS card: +- RX length is smaller than the total packet length including overhead + and actual data bytes (whose length is part of the buffer we read from + the wifi chip and is stored in rtw_rx_pkt_stat.pkt_len). This can + result in errors like: + skbuff: skb_over_panic: text:ffff8000011924ac len:3341 put:3341 + (one case observed was: RX buffer length = 1536 bytes but + rtw_rx_pkt_stat.pkt_len = 1546 bytes, this is not valid as it means + we need to read beyond the end of the buffer) +- RX length looks valid but rtw_rx_pkt_stat.pkt_len is zero + +Check if the RX_REQUEST is set in the HISR register for each iteration +inside rtw_sdio_rx_isr(). This mimics what the RTL8723DS vendor driver +does and makes the driver only read more data if the RX_REQUEST bit is +set (which seems to be a way for the card's hardware or firmware to +tell the host that data is ready to be processed). + +For RTW_WCPU_11AC chips this check is not needed. The RTL8822BS vendor +driver for example states that this check is unnecessary (but still uses +it) and the RTL8822CS drops this check entirely. + +Reviewed-by: Ping-Ke Shih +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230522202425.1827005-2-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/sdio.c | 24 ++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c +index 06fce7c3addaa..2c1fb2dabd40a 100644 +--- a/drivers/net/wireless/realtek/rtw88/sdio.c ++++ b/drivers/net/wireless/realtek/rtw88/sdio.c +@@ -998,9 +998,9 @@ static void rtw_sdio_rxfifo_recv(struct rtw_dev *rtwdev, u32 rx_len) + + static void rtw_sdio_rx_isr(struct rtw_dev *rtwdev) + { +- u32 rx_len, total_rx_bytes = 0; ++ u32 rx_len, hisr, total_rx_bytes = 0; + +- while (total_rx_bytes < SZ_64K) { ++ do { + if (rtw_chip_wcpu_11n(rtwdev)) + rx_len = rtw_read16(rtwdev, REG_SDIO_RX0_REQ_LEN); + else +@@ -1012,7 +1012,25 @@ static void rtw_sdio_rx_isr(struct rtw_dev *rtwdev) + rtw_sdio_rxfifo_recv(rtwdev, rx_len); + + total_rx_bytes += rx_len; +- } ++ ++ if (rtw_chip_wcpu_11n(rtwdev)) { ++ /* Stop if no more RX requests are pending, even if ++ * rx_len could be greater than zero in the next ++ * iteration. This is needed because the RX buffer may ++ * already contain data while either HW or FW are not ++ * done filling that buffer yet. Still reading the ++ * buffer can result in packets where ++ * rtw_rx_pkt_stat.pkt_len is zero or points beyond the ++ * end of the buffer. ++ */ ++ hisr = rtw_read32(rtwdev, REG_SDIO_HISR); ++ } else { ++ /* RTW_WCPU_11AC chips have improved hardware or ++ * firmware and can use rx_len unconditionally. ++ */ ++ hisr = REG_SDIO_HISR_RX_REQUEST; ++ } ++ } while (total_rx_bytes < SZ_64K && hisr & REG_SDIO_HISR_RX_REQUEST); + } + + static void rtw_sdio_handle_interrupt(struct sdio_func *sdio_func) +-- +2.39.2 + diff --git a/queue-6.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/queue-6.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch new file mode 100644 index 00000000000..2333f9338d4 --- /dev/null +++ b/queue-6.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch @@ -0,0 +1,71 @@ +From 63e6efa14f435540aab95084d9ee613a389d4fd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 12:04:07 -0600 +Subject: wifi: wext-core: Fix -Wstringop-overflow warning in + ioctl_standard_iw_point() + +From: Gustavo A. R. Silva + +[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ] + +-Wstringop-overflow is legitimately warning us about extra_size +pontentially being zero at some point, hence potenially ending +up _allocating_ zero bytes of memory for extra pointer and then +trying to access such object in a call to copy_from_user(). + +Fix this by adding a sanity check to ensure we never end up +trying to allocate zero bytes of data for extra pointer, before +continue executing the rest of the code in the function. + +Address the following -Wstringop-overflow warning seen when built +m68k architecture with allyesconfig configuration: + from net/wireless/wext-core.c:11: +In function '_copy_from_user', + inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: +arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] + 48 | #define memset(d, c, n) __builtin_memset(d, c, n) + | ^~~~~~~~~~~~~~~~~~~~~~~~~ +include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' + 153 | memset(to + (n - res), 0, res); + | ^~~~~~ +In function 'kmalloc', + inlined from 'kzalloc' at include/linux/slab.h:694:9, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: +include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' + 577 | return __kmalloc(size, flags); + | ^~~~~~~~~~~~~~~~~~~~~~ + +This help with the ongoing efforts to globally enable +-Wstringop-overflow. + +Link: https://github.com/KSPP/linux/issues/315 +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/wext-core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index a125fd1fa1342..a161c64d1765e 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -815,6 +815,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, + } + } + ++ /* Sanity-check to ensure we never end up _allocating_ zero ++ * bytes of data for extra. ++ */ ++ if (extra_size <= 0) ++ return -EFAULT; ++ + /* kzalloc() ensures NULL-termination for essid_compat. */ + extra = kzalloc(extra_size, GFP_KERNEL); + if (!extra) +-- +2.39.2 +